Advanced MDM
Advanced MDM features provide enhanced device compliance verification and management capabilities beyond standard MDM deployment.
Overview
Advanced MDM enables:
- Device compliance verification
- OS version requirements
- MDM enrollment checks
- Security posture assessment
- Conditional access policies
Standard vs Advanced MDM
| Feature | Standard MDM | Advanced MDM |
|---|---|---|
| Extension deployment | ✓ | ✓ |
| Configuration push | ✓ | ✓ |
| Enrollment verification | ✗ | ✓ |
| Compliance status | ✗ | ✓ |
| OS version requirements | ✗ | ✓ |
| Security policy checks | ✗ | ✓ |
| Conditional enforcement | ✗ | ✓ |
Compliance Verification
MDM Enrollment Check
Verify devices are MDM-managed:
- Enable Require MDM Enrollment in Settings
- The extension checks the device's enrollment status
- Non-enrolled devices, depending on configuration:
  - See a warning banner
  - Get limited functionality
  - Or are blocked entirely
Compliance Status
Check device compliance against MDM policies. A status the MDM cannot confirm (for example "unknown" for a device it has not heard from) should be treated as non-compliant rather than passed through:
| Check | Description |
|---|---|
| Enrollment | Device enrolled in MDM |
| Compliance | Passes MDM compliance policies |
| Last check-in | Recent MDM communication |
| Security | Meets security requirements |
OS Version Requirements
Set minimum OS versions:

```yaml
Windows:
  Minimum: "10.0.19044"      # Windows 10 21H2
  Recommended: "10.0.22621"  # Windows 11 22H2
macOS:
  Minimum: "12.0"            # Monterey
  Recommended: "14.0"        # Sonoma
```
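The version check above, as an added Python example (not the product's own code; the requirement table and the fail-closed handling of unparseable strings are this example's assumptions). It compares versions as integer tuples rather than strings, because a plain string comparison puts Windows 10 build 9 ahead of build 19044, and it pads shorter strings so that "12" and "12.0" compare equal.

```python
"""Minimum / recommended OS version checks (added example, not product code)."""

# Versions from the page; the dict layout is an assumption for illustration.
OS_REQUIREMENTS = {
    "windows": {"minimum": "10.0.19044", "recommended": "10.0.22621"},
    "macos": {"minimum": "12.0", "recommended": "14.0"},
}


def parse_version(version):
    """'10.0.22621' -> (10, 0, 22621). Raises ValueError for anything but dotted integers."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {version!r}")
    return tuple(int(p) for p in parts)


def version_at_least(reported, required):
    """True if reported >= required, comparing numerically and padding '12' to '12.0'."""
    a, b = parse_version(reported), parse_version(required)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def version_status(platform, reported):
    """Classify a reported OS version as 'recommended', 'minimum', 'below_minimum' or 'unknown'.

    'unknown' (unsupported platform or unparseable string) should be treated as a
    failure by the caller: a device that cannot prove its version does not pass.
    """
    reqs = OS_REQUIREMENTS.get(platform)
    if reqs is None:
        return "unknown"
    try:
        if not version_at_least(reported, reqs["minimum"]):
            return "below_minimum"
        if not version_at_least(reported, reqs["recommended"]):
            return "minimum"
    except ValueError:
        return "unknown"
    return "recommended"


def string_compare_is_wrong():
    """The pitfall this example avoids: as strings, build 9 sorts after build 19044."""
    return "10.0.9" > "10.0.19044" and not version_at_least("10.0.9", "10.0.19044")
```

Whatever reports the version to the extension (MDM inventory, the OS itself) may return an empty or non-numeric string on a mis-configured device; mapping that to "unknown" and failing closed is the behaviour you want for a compliance gate.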
Supported MDM Platforms
Microsoft Intune
Full integration including:
- Enrollment verification
- Compliance policy status
- Device health attestation
- Conditional access
Jamf Pro
macOS/iOS management:
- Enrollment verification
- Smart group membership
- Extension attributes
- Compliance status
VMware Workspace ONE
Cross-platform support:
- Enrollment status
- Compliance engine results
- Device health metrics
Google Workspace
Chromebook management:
- Chrome enrollment
- Policy compliance
- Organizational unit
Configuration
Enabling Advanced MDM
- Go to Settings > Enterprise > Advanced MDM
- Select your MDM platform
- Configure integration credentials
- Set compliance requirements
- Test with pilot devices
- Enable enforcement
Integration Settings
Intune Integration
```yaml
Intune Configuration:
  Tenant ID: "your-tenant-id"
  Client ID: "app-client-id"
  Client Secret: "app-secret"
  Compliance Requirements:
    - Device must be enrolled
    - Device must be compliant
    - Last check-in: < 24 hours
```

Treat the client secret as a credential: keep it out of version control and shared config files, grant the app registration only read access to managed devices (the Microsoft Graph permission DeviceManagementManagedDevices.Read.All is sufficient for enrollment, compliance state and last sync time), and rotate it on a schedule.
Jamf Integration
```yaml
Jamf Configuration:
  Server URL: "https://your-jamf.jamfcloud.com"
  API User: "api-user"
  API Password: "api-password"
  Requirements:
    - Check smart group membership
    - Verify enrollment
    - Extension attribute checks
```

Use a dedicated account (or a Jamf Pro API client) with read-only privileges on computers, smart groups and extension attributes rather than an administrator login, and store the password in the same credential store as the Intune secret.
Compliance Policies
Define what compliance means for your org:
```yaml
Compliance Policy:
  Name: "Standard Device Policy"
  Requirements:
    - mdm_enrolled: true
    - compliance_status: "compliant"
    - os_version: ">= minimum"
    - last_sync: "< 24 hours"
  Actions:
    Non-Compliant:
      - action: "warn"
        message: "Device not compliant"
      - action: "restrict"
        policies: ["high-sensitivity"]
```
Conditional Enforcement
Policy by Compliance
Vary enforcement based on compliance:
Compliant Devices
- Full access
- Standard policies
- All AI platforms
Non-Compliant Devices
- Restricted access
- Stricter policies
- Limited platforms
Configuration Example
```yaml
Conditional Policies:
  Compliant:
    - SSN Detection: warn
    - API Keys: block
  Non-Compliant:
    - SSN Detection: block
    - API Keys: block
    - All External AI: block
```
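The Compliance Policy and the Conditional Policies put together, as an added Python example (not the product's own code): it evaluates constructed device records against the four requirements, fails closed on anything it cannot confirm, selects the policy set from the outcome, and produces the percentage and per-reason counts a compliance dashboard shows. The record shape, the field names and the sample devices are assumptions made for the example.

```python
"""Compliance evaluation and conditional policy selection (added example, not product code)."""
from datetime import datetime, timedelta, timezone

# "Standard Device Policy" from the page, expressed as data (layout is an assumption).
POLICY = {
    "name": "Standard Device Policy",
    "os_minimum": {"windows": "10.0.19044", "macos": "12.0"},
    "max_sync_age": timedelta(hours=24),
}

# Conditional policy sets from the page, keyed by compliance outcome.
CONDITIONAL_POLICIES = {
    "compliant": {"SSN Detection": "warn", "API Keys": "block"},
    "non_compliant": {"SSN Detection": "block", "API Keys": "block", "All External AI": "block"},
}


def parse_version(version):
    """'10.0.19044' -> (10, 0, 19044); tuples compare numerically, unlike the raw strings."""
    return tuple(int(p) for p in version.strip().split("."))


def evaluate(device, now):
    """Return the list of failed checks; an empty list means the device is compliant.

    Every check fails closed: a missing field, an unparseable version or a
    compliance state other than "compliant" (for example "unknown") is a failure.
    """
    failures = []

    if device.get("mdm_enrolled") is not True:
        failures.append("not_enrolled")

    if device.get("compliance_status") != "compliant":
        failures.append("mdm_noncompliant")

    minimum = POLICY["os_minimum"].get(device.get("platform"))
    try:
        below = minimum is None or parse_version(device["os_version"]) < parse_version(minimum)
    except (KeyError, ValueError):
        below = True
    if below:
        failures.append("os_below_minimum")

    last_sync = device.get("last_sync")
    if last_sync is None or now - last_sync > POLICY["max_sync_age"]:
        failures.append("stale_checkin")

    return failures


def effective_policies(failures):
    """Pick the conditional policy set: any failure puts the device on the stricter set."""
    return dict(CONDITIONAL_POLICIES["compliant" if not failures else "non_compliant"])


def summarize(evaluations):
    """Dashboard figures: percentage compliant and a count per non-compliance reason."""
    total = len(evaluations)
    compliant = sum(1 for failures in evaluations if not failures)
    reasons = {}
    for failures in evaluations:
        for reason in failures:
            reasons[reason] = reasons.get(reason, 0) + 1
    percent = round(100.0 * compliant / total, 1) if total else 0.0
    return {"percent_compliant": percent, "reasons": reasons}


# Constructed sample records (not real devices); times are relative to a fixed "now".
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_DEVICES = [
    {"id": "win-01", "platform": "windows", "mdm_enrolled": True, "compliance_status": "compliant",
     "os_version": "10.0.22631", "last_sync": NOW - timedelta(hours=2)},
    {"id": "win-02", "platform": "windows", "mdm_enrolled": True, "compliance_status": "compliant",
     "os_version": "10.0.19044", "last_sync": NOW - timedelta(hours=30)},  # at minimum, but stale
    {"id": "mac-01", "platform": "macos", "mdm_enrolled": True, "compliance_status": "unknown",
     "os_version": "11.7.10", "last_sync": NOW - timedelta(hours=1)},      # old OS, status unknown
    {"id": "byod-01", "platform": "macos", "mdm_enrolled": False, "compliance_status": None,
     "os_version": "14.5", "last_sync": None},                              # never enrolled
]

if __name__ == "__main__":
    results = [evaluate(d, NOW) for d in SAMPLE_DEVICES]
    for device, failures in zip(SAMPLE_DEVICES, results):
        print(device["id"], failures or "compliant", effective_policies(failures))
    print(summarize(results))
```

Note that win-02 meets the OS minimum exactly and is still pushed onto the stricter policy set because its last check-in is older than 24 hours; that is the intended behaviour, since a device the MDM has not heard from cannot be vouched for, and it is also the case users most often report as a "false" failure until they force a sync.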
User Experience
Compliant Devices
- Extension works normally
- No additional prompts
- Status shows "Compliant"
Non-Compliant Devices
User sees:
- Warning banner explaining non-compliance
- Instructions to remediate
- Limited functionality (if configured)
- Link to IT support
Remediation
Guide users to fix compliance:
- Show specific issue
- Link to MDM portal
- Provide IT contact
- Auto-recheck after change
Monitoring
Compliance Dashboard
View compliance metrics:
- % of devices compliant
- Non-compliance reasons
- Trend over time
- Risk distribution
Alerts
Configure alerts for:
- High non-compliance rate
- Specific device issues
- Compliance degradation
- Enrollment problems
Reports
Generate compliance reports:
- Device compliance summary
- Non-compliant device list
- Compliance trends
- Risk assessment
Troubleshooting
MDM Check Failing
1. Verify device enrollment
   - Check the device in the MDM console
   - Re-enroll if needed
2. Check connectivity
   - Device can reach the MDM
   - No certificate issues
3. Verify integration
   - API credentials valid
   - Permissions correct
Compliance Not Updating
1. Force an MDM sync
   - Manual sync from the device
   - Wait for the check interval
2. Check MDM policies
   - Does the device meet the requirements?
   - Was a policy recently changed?
False Compliance Failures
1. Review requirements
   - Too strict?
   - OS version achievable?
2. Check MDM accuracy
   - Is the MDM reporting correctly?
   - Data freshness issues?
Best Practices
Rollout
- Start with reporting only
- Pilot with IT team
- Gradual enforcement
- Clear communication
Requirements
- Set achievable minimums
- Allow time for updates
- Provide remediation help
- Review regularly
Monitoring
- Watch compliance rates
- Track common issues
- Adjust as needed
- Report to stakeholders
Related Topics
- MDM Integration - Basic MDM setup
- Device Tracking - Device management
- Policy Configuration - Policy settings