MDM - FAQs & Troubleshooting

This FAQ and troubleshooting guide provides answers to common questions about MDM, its integration with Zoho Mail, and the steps for addressing potential issues. Whether you’re an admin setting up security policies or a user navigating device enrollment, this page serves as a comprehensive resource to ensure a seamless and secure experience. Explore the sections below to find solutions tailored to your needs.

General FAQs

1. What is MDM?

Mobile Device Management (MDM) is software that allows IT administrators to manage and secure mobile devices used by employees/users within an organization. Zoho Mail uses ManageEngine's Mobile Device Management to protect sensitive data in mobile apps by enforcing security policies and restricting certain actions. It also helps separate work-related data on personal devices. Once MDM is enabled, administrators ensure that only authorized apps are available for download, creating a secure app environment.

2. Which plans support MDM integration?

The MDM feature is currently available only if you have subscribed to one of the paid plans of Zoho Workplace, Zoho Mail Premium plan, or the Zoho Mail Mix and Match / Flexible plans. Reach out to support@zohomail.com for more details.

3. Can we enable the MDM integration in Zoho Mail and also buy a standalone subscription from ManageEngine?

No, an organization can have only one MDM subscription. If your organization already has a standalone MDM subscription from ManageEngine, you cannot use the MDM integration available in Zoho Mail. Similarly, if you are using the MDM integration in Zoho Mail and decide to switch to ManageEngine's standalone MDM service, you can migrate the integration. However, this migration is a one-way process. Once the integration is moved from Zoho Mail to ManageEngine's standalone MDM, it cannot be reverted back. Likewise, if you are using ManageEngine's standalone MDM service, you cannot transfer the configuration to Zoho Mail.

4. Do we need to purchase a paid Google account to configure "Android for Work (AFW)" or "Android Enterprise"?

No, you do not need to purchase a paid Google account to configure Android for Work (AFW) or Android Enterprise. You can use either a Google Workspace account (previously G Suite) or a personal Google account to set up and manage Android for Work (AFW).

5. Can we use third-party MDM service providers to manage our organization’s devices?

This integration is designed to work exclusively with ManageEngine's MDM. While organizations can use other MDM solutions to manage their devices and apps, conditional access policies cannot be enforced through third-party MDM services.

That said, Zoho Mail now provides basic integration support with Scalefusion, allowing organizations to manage their devices through Scalefusion while continuing to use Zoho Mail. For detailed instructions on configuring this integration, please refer to this help page.

6. How many devices can an organization enroll in total when MDM integration is enabled?

An organization can enroll an unlimited number of devices in total. However, administrators can impose limits on the number of devices each user is allowed to enroll by configuring device limit settings in Zoho Mail Admin Console. For detailed steps to configure device limits, click here.

7. Is there a helpdesk email address to contact for assistance or report issues?

You can reach out to Zoho Mail support at support@zohomail.com.

MDM Admin Configurations and Actions 

1. Is the use of an allowed IP mandatory for all policies?

No, the allowed IP is not always mandatory. It is only required when configuring Device or IP, and Device and IP security policies. These policies ensure that only specific devices or IP addresses can access the system. However, if you're not using these specific policies, the allowed IP setting is not necessary. To learn about each security policy and how to configure them, click here.

2. Where to add the allowed IP? In the Zoho Mail Admin Console or Zoho Directory?

Allowed IPs can be added in the Zoho Directory. To set up IP restrictions, navigate to Zoho Directory, click on the created security policy (Device or Allowed IP addresses / Device and Allowed IP addresses), then go to the Allowed IPs section to set up IP restrictions according to your preferences. For detailed directions, refer here.

3. What happens if the APNs certificate expires?

The APNs (Apple Push Notification Service) certificate must be renewed annually. If the certificate is not renewed, iOS devices will no longer be manageable, and users will be required to re-enroll their devices. This involves generating a new certificate and updating it in your system to ensure that push notifications continue to work seamlessly. As an admin, you can renew the APNs certificate directly from the Admin Console. Learn more.

4. Can we add non-Zoho apps to the MDM app catalog, apart from Zoho Workplace apps?

At the moment, there is no option to add third-party or non-Zoho apps to the MDM app catalog. The catalog is currently limited to Zoho Workplace apps, and administrators can only push these apps to users' devices for installation.

5. How can I change the AFW configuration?

To change the Android for Work (AFW) configuration, please reach out to support@zohomail.com.

6. How do I disable MDM for my organization?

To disable MDM for your organization, please contact our support team at support@zohomail.com, and they will help you through the necessary steps to disable MDM for your organization.

7. How do I manage a lost or stolen device of a user?

If a user's device is lost or stolen, it's essential to act quickly to protect organization data. The user should immediately contact the administrator to report the situation. The administrator can then un-enroll the device from the organization's device management system to ensure that it no longer has access to sensitive data. Learn more.

Here’s how an administrator can un-enroll the device:

  1. Log in to Zoho Mail Admin Console.
  2. Select Security & Compliance on the left pane.
  3. Navigate to Enrolled Devices under the Mobile Device Management section.
  4. Search for the user’s email associated with the lost or stolen device using the search bar.
  5. In the search results, locate the device and click on the Un-enroll option.

Un-enrolling the device revokes its access to organization data, helping to secure sensitive information. Always report a lost or stolen device to the administrator immediately to prevent any unauthorized access.

8. How to restrict the user from logging in with other email accounts? 

Add the user's email address to the group associated with the conditional access policy. The user will then be unable to log in on the blocked device.

9. How can I restrict a user from accessing their account on any device other than the enrolled device?

To prevent a user from accessing their account on any device other than their enrolled device, you need to add their account to the conditional access policy's associated group in Admin Console. This ensures that the user can log in only from their designated device and will be blocked from accessing their account on any other device. For more information, click here.

10. What should I do when a user needs to switch to a new device for work?

When a user requests to switch to a new device, follow these steps:

  1. Un-enroll the current device: Remove the user's current device from the organization's device listing and associated conditional access policy groups.
  2. Provide the self-enrollment link: Share the self-enrollment link with the user for enrolling their new device.
  3. Re-add the user to groups: Once the user has successfully enrolled their new device, re-add them to the appropriate conditional access policy groups to restore their access and permissions.

These steps help ensure a secure transition for the user’s new device.

11. How can I prevent users from accessing multiple email accounts on the same enrolled device?

To prevent users in your organization from signing in with different email accounts on the same enrolled device, you can enable the app restriction titled "Restrict login with different email accounts." This setting ensures that the user can only log in to the app with their authorized email account, blocking any attempts to sign in with other accounts. For detailed instructions on how to enable this app restriction, refer here.

12. Can I restrict users from enrolling multiple devices?

Yes, administrators can configure a limit on the number of mobile devices a user can enroll. To set this limit, go to Mobile Device Management > Settings > General > Device Limit in the Admin Console. Here, you can specify a Device Limit ranging from 1 to 10 for each user. A user cannot enroll more devices than the specified limit. If no limit is set, users can enroll an unlimited number of devices. For detailed steps to configure device limits, click here.

13. Why do all iOS devices under the enrolled devices section display as "iPhone," and how can I fix it?

By default, iOS devices do not display their actual names and will instead appear as "iPhone" in Admin Console. To ensure the actual device names are visible, follow the steps outlined here. It is important to configure these settings in the MDM console before applying app restriction configurations in the Zoho Mail Admin Console. Once the MDM configuration is complete, these changes cannot be made.

Device Enrollment

1. What is device enrollment?

Device enrollment is the process by which users in an organization register their mobile devices with the Mobile Device Management (MDM) system. This device enrollment process is crucial for ensuring that the MDM settings, including app restrictions and security policies, are properly applied to each user's device. If you would like to learn more about device enrollment and the steps to complete it, click here.

2. What are the benefits of enrolling my device?

Enrolling your device ensures that your work and personal apps and data are kept separate. It also simplifies access to your official apps by providing an organized App Catalog, making it more convenient for you to manage and use the apps necessary for work. This separation helps protect sensitive work-related information while offering a streamlined, secure experience on your device.

3. What is App Catalog?

The App Catalog is a curated repository of applications provided by your organization administrator for your use. It serves as a centralized platform where you can easily find and install the apps you need for work. However, only the applications approved and allowed by your administrator will be available in the App Catalog. This ensures that all apps meet the organization’s security and usage policies, providing a streamlined and secure way to manage work-related applications on your devices.

4. How do I know if my iOS phone or tablet is supported for device enrollment?

Most devices running Android 5.0+ and iOS 5.0+ are supported. You can learn more about supported devices for Android and iOS here.

5. How can I check if my device is currently enrolled in MDM?

To determine if your device is enrolled in Mobile Device Management (MDM), follow these steps based on your device type:

  • For Android Devices: Go to your device's Settings, then navigate to Accounts. Look for a Work Profile listed among your accounts. The presence of a Work Profile indicates that your device is enrolled in MDM.
  • For iOS Devices: Open the Settings app, go to General, and select VPN & Device Management. If you see an MDM profile listed, your device is enrolled in MDM.

These steps will help you confirm whether your device is under MDM management.

6. Is it possible to enroll the device if clone apps or Dual Space are installed on the mobile?

No, it is not possible to enroll the device if clone apps or Dual Space are installed on the mobile.

7. Can the same device be enrolled after a factory reset?

Yes, but the installed MDM profile and work apps will be removed. Additionally, your device will be removed from the list of enrolled devices in your organization’s MDM setup. You will need to re-enroll your device and reinstall your official work applications. Please reach out to your organization's administrator if you need assistance.

8. What should I do if I need to switch to a new device for work?

If you need to switch to a new device for work, you should first contact your organization administrator to inform them about the change. The admin will un-enroll your current device to ensure it is no longer authorized. Once this is done, you’ll need to re-enroll your new device using a self-enrollment link provided by the admin. After enrolling the new device, wait for the admin to re-add you to the necessary groups, so you can regain the appropriate access and permissions.

9. Does device enrollment affect battery life or device performance?

No, device enrollment is designed to operate efficiently with minimal resource usage, ensuring there is no noticeable impact on your device's battery life or overall performance. The primary purpose of enrolling your device is to enhance security by adding a protective layer for your work-related apps and data. This ensures that your device remains secure without compromising its usability or functionality.

10. What should I do if I lose my mobile device?

If you lose your mobile device, it’s crucial to act quickly to protect your sensitive data. First, confirm that your device is indeed lost or stolen. Once you are certain, immediately report the situation to your organization administrator. The administrator can then take action to un-enroll your device from the organization’s device listing, which ensures that it is no longer authorized to access work-related data or resources. This process helps prevent unauthorized access and keeps your data secure.

11. How many mobile devices can I enroll?

The number of mobile devices you can enroll depends on the device limit restriction set by your organization administrator. If no device limit is configured, you can enroll multiple devices. However, to ensure secure access, it's important to follow any guidelines provided by your organization regarding device enrollment.

12. Why can't I search for or add apps from the Play Store in my work profile?

The Play Store in your device's work profile is configured to show only the apps that have been approved and added by your organization's admin. As a result, the full list of apps available in general Play Store will not be visible or accessible within the work container. If you can't find or add a particular app, it may not have been included by the admin. Please reach out to your organization admin for more details.

13. Are there any restrictions on using certain features or apps on my device while enrolled in MDM?

No, there will be no restrictions on your device when it comes to personal apps outside of the official ones. All applied restrictions will only affect your official applications. You can continue installing apps for personal purposes as usual. On an enrolled Android device, personal apps can be installed under the Personal tab. For iOS devices, personal apps can be downloaded from the App Store using your personal iCloud account, just like before.

14. What happens if I delete work apps from my device?

If you delete work apps from your device, you can reinstall them from the MDM app catalog at any time. However, if you have removed the MDM app itself, you may need to re-enroll your device to access the app catalog again. It is recommended not to delete work apps from your device unless specifically instructed by your organization’s administrator. Please reach out to your organization administrator for assistance.

15. Where should I scan the QR code?

The QR code has to be scanned through the ME MDM app. 

16. What should I do if a blank screen appears in the MDM app while enrolling my mobile device?

If you encounter a blank screen while trying to enroll your mobile device in the MDM app, it's important to reach out to MDM support at support@zohomail.com for assistance. They will guide you through the necessary steps to complete the enrollment process successfully.

17. What does the "Untrusted device" error mean on my mobile device?

The "Untrusted device" error occurs when you try to log in from a mobile device that hasn’t been enrolled in your organization’s Mobile Device Management (MDM) system. To access organizational resources securely, your device must be enrolled and trusted. Contact your administrator for assistance if you believe your device should be authorized.

18. What does the "Untrusted device" error mean on my laptop?

If you see the "Untrusted device" error on your laptop, it may be due to the following:

  • Device-only and Device & IP policies: These policies restrict login to only enrolled mobile devices. If you try to log in without using an enrolled device, the error will appear.
  • Device or IP policy: If you are logging in from a network that is not allowed by your organization's security policy, this error will be triggered.

For more details, contact your organization administrator.

19. What should I do if I encounter difficulties with the work apps, such as them closing or crashing on their own?

If the work apps on your mobile device are closing or crashing unexpectedly, follow these steps:

  • Ensure that your device has sufficient free storage space. Lack of space can cause apps to malfunction.
  • Go to your device's settings to check for and install any available software updates.
  • Access the MDM app catalog in your Android Work profile and check for any available updates for the Gov Mail app. If updates are available, make sure to install them.

If you still encounter issues after following these steps, contact Zoho Mail support at support@zohomail.com for further assistance.

20. What should I do if I encounter difficulties installing MDM on my mobile device?

First, verify that your mobile device has a stable internet connection and sufficient network coverage. Poor network coverage or an intermittent connection can hinder the installation process. To ensure a reliable connection, connect to a strong and stable network, moving to an area with better network reception if possible, and try installing MDM again. If you still face issues, please reach out to support at support@zohomail.com.

21. My Work Profile is not visible on my Android device, what should I do?

If you have trouble locating the installed work profile on your Android device, check your settings. For most Android devices, the downloaded work profile can be found by navigating to your device's Settings > Accounts. Look for a Work Profile listed among your accounts. For specific instructions regarding the work profile on your particular device, please refer to the help documentation provided by your device manufacturer. This will offer detailed guidance tailored to your device model and its unique settings.

Still can't find what you're looking for?

Write to us: support@zohomail.com