---
title: Configuring Mobile Device Management (MDM)
description: This section describes the steps to configure PingID's MDM integration, which verifies that devices connected through the PingID mobile app are managed by the organization's MDM infrastructure.
component: pingid
page_id: pingid:pingid_service_management:pid_configuring_mobile_device_management
canonical_url: http://docs.pingidentity.com/pingid/pingid_service_management/pid_configuring_mobile_device_management.html
revdate: January 26, 2024
section_ids:
  flow: Flow
  ongoing-maintenance: Ongoing maintenance
  setting-up-mdm-configuration-in-pingid-for-the-first-time: Setting up MDM configuration in PingID for the first time
  steps: Steps
  result: Result:
  next-steps: Next steps
  adding-a-new-mdm-token: Adding a new MDM token
  about-this-task: About this task
  steps-2: Steps
  revoking-an-mdm-token: Revoking an MDM token
  steps-3: Steps
  rotating-mdm-tokens: Rotating MDM tokens
  about-this-task-2: About this task
  steps-4: Steps
---

# Configuring Mobile Device Management (MDM)

This section describes the steps to configure PingID's MDM integration, which verifies that devices connected through the PingID mobile app are managed by the organization's MDM infrastructure.

MDM is the administration of mobile devices, such as smartphones, tablet computers, and laptops. It can also be applied to desktop computers. Organizations can control activities of their employees by implementing MDM products or services. MDM primarily deals with corporate data segregation and with securing emails and corporate documents on mobile devices. MDM enforces corporate policies and supports the integration and management of mobile devices, including laptops and handhelds of various categories.

* The PingID MDM feature can only be used when the organization integrates with an MDM system.

* Two MDM systems cannot manage the same mobile device.

* This solution should work with any MDM system from the major vendors. PingID is officially supported with the following MDM solutions:

  * MobileIron

  * Workspace ONE UEM (formerly known as AirWatch)

  * Microsoft Intune

## Flow

The basic flow comprises the following stages:

1. In the PingID admin portal, generate a token for MDM or manually enter or edit a token.

   * See [Setting up MDM configuration in PingID for the first time](pid_setting_up_mdm_configuration_for_the_first_time.html).

2. Configure the third-party MDM system for PingID integration:

   1. Generate and configure an APNs certificate for iOS in the MDM system. For examples, see:

      * [Installing an APNs certificate for iOS in Workspace ONE UEM](pid_installing_apns_certificate_ios_workspace_one_uem.html)

      * [Installing an APNs certificate for iOS in MobileIron](pid_installing_apns_certificate_ios_mobieiron.html)

      * [Installing an APNs certificate for iOS in Microsoft Intune](pid_installing_apns_certificate_for_ios_microsoft_intune.html)

   2. Configure Android for Work in the MDM system so that the PingID app configuration can be pushed to managed phone sets. For examples, see:

      * [Configuring Android for Work for Workspace ONE UEM](pid_configuring_android_work_for_workspace_one_uem.html)

      * [Configuring Android for Work for MobileIron](pid_configuring_android_for_work_mobilelron.html)

      * [Configuring Android for Work for Microsoft Intune](pid_configuring_android_for_work_microsoft_intune.html)

   3. In the organization's MDM system, add PingID as a managed app and configure the token that was generated in the PingID admin portal. For examples, see:

      * [Configuring Workspace ONE UEM for PingID MDM integration](pid_configuring_workspace_one_uem_for_mdm_integration.html)

      * [Configuring MobileIron for PingID MDM integration](pid_configuring_mobileron_mdm_integration.html)

      * For Microsoft Intune, see [Adding the PingID app for iOS in Microsoft Intune](pid_adding_pid_app_ios_in_microsoft_intune.html) and [Adding the PingID app for Android in Microsoft Intune](pid_adding_app_for_android_in_microsott_intune.html)

3. After configuration, the MDM system distributes the token to its managed devices.

4. At pairing and authentication time, the PingID server compares the user's token with current active tokens. PingID permits administrators to define more than one active token.

   * If the user's token does not match any of PingID's current active tokens, the pairing or authentication flow is halted.

   * If the user's token matches a current active token on the PingID server, the pairing or authentication flow will progress.

## Ongoing maintenance

As part of periodic MDM maintenance activities, you can generate new tokens for the PingID app and revoke old tokens. For more information, see the following topics:

* For PingID:

  * [Adding a new MDM token](pid_adding_new_mdm_token.html)

  * [Revoking an MDM token](pid_revoking_an_mdm_token.html)

  * [Rotating MDM tokens](pid_rotating_mdm_tokens.html)

* For the supported MDM systems:

  * [Updating a PingID token in Workspace ONE UEM](pid_updating_token_workspace_one_uem.html)

  * [Updating a PingID token in MobileIron](pid_updating_token_in_mobileiron.html)

  * [Updating a PingID token in Microsoft Intune](pid_updating_token_in_microsoft_intune.html)

## Setting up MDM configuration in PingID for the first time

Set up the initial MDM configuration for PingID for the organization's MDM to operate with PingID multi-factor authentication (MFA).

### Steps

1. In the admin console, go to **Setup → PingID → DEVICE & PAIRING**.

   ![Screen capture of the Device & Pairing tab showing the Device Requirements section.](_images/fov1564020701514.png)

2. In the **DEVICE REQUIREMENTS** section, click **+Add**.

3. From the **Select a Condition** list, select **Mobile Device Management**.

   #### Result:

   The **Mobile Device Management** section is displayed.

   ![Screen capture of the Mobile Device Management Required section.](_images/ejb1564020704340.png)

   * The generated **SHARED TOKEN** key is in UUID format.

   * The key value is editable. Administrators can use their own key value.

4. From the **EFFECTIVE DATE** list, select a future date.

   |   |                                                                                                                                                                                                                                                          |
   | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | This will allow time to distribute the token to all managed devices, before the MDM requirement takes effect. If the effective date is not a future date, all users will be blocked until the token is distributed by the MDM system to managed devices. |

5. Click **Save**.

### Next steps

Configure the organization's MDM system. For more information, see [Third-party MDM system configuration for PingID integration](pid_third_party_mdm_system_configuration_pid_integration.html).

## Adding a new MDM token

Add a new MDM token in PingID.

### About this task

Multiple keys can coexist, for example, to allow time for rotating keys, including the time it takes to phase in new keys and retire old ones. PingID checks all listed keys to verify a match with the key submitted in the authentication request.

|   |                                                                                                                   |
| - | ----------------------------------------------------------------------------------------------------------------- |
|   | The MDM does not retain multiple values for the same token. Support for multiple keys is provided through PingID. |

### Steps

1. Go to **Setup → PingID → DEVICE & PAIRING**.

2. In the **DEVICE REQUIREMENTS** section, click **+Add**.

   ![Screen capture of the PingID admin console showing the Device & Pairing tab after clicking +Add.](_images/fov1564020701514.png)

3. From the **Select a Condition** list, select **Mobile Device Management**.

4. Click the **Expand** icon for **MOBILE DEVICE MANAGEMENT REQUIRED**.

5. Click **+ Generate New Token** to create a new PingID key for MDM.

   ![Screen capture of the expanded Mobile Device Management Required section.](_images/zon1564020719034.png)

   |   |                                                                                      |
   | - | ------------------------------------------------------------------------------------ |
   |   | The generated date following each token indicates the date and time of its creation. |

6. Click **Save**.

7. Copy the value of the new **SHARED TOKEN** key.

8. Update the token key in the MDM system:

   1. Sign on to the MDM system, and go to the app configuration settings page.

   2. Update the `PINGID_MDM_TOKEN` token key.

   3. Delete the existing key value. In its place, paste the value of the new **SHARED TOKEN** key that you copied from the PingID admin portal.

   See the following examples for the supported MDM systems:

   * [Updating a PingID token in Workspace ONE UEM](pid_updating_token_workspace_one_uem.html)

   * [Updating a PingID token in MobileIron](pid_updating_token_in_mobileiron.html)

   * [Updating a PingID token in Microsoft Intune](pid_updating_token_in_microsoft_intune.html)

## Revoking an MDM token

Organizational security policies might require periodic revocation of retired or obsolete tokens to prevent use of old tokens for authentication.

### Steps

1. Go to **Setup → PingID → DEVICE & PAIRING**.

2. Click the **Expand** icon for **DEVICE REQUIREMENTS**.

3. Click the **Expand** icon for **MOBILE DEVICE MANAGEMENT REQUIRED** to expand the section.

4. Scroll the list of tokens to identify and locate the old token to be revoked.

   |   |                                                                                      |
   | - | ------------------------------------------------------------------------------------ |
   |   | The generated date following each token indicates the date and time of its creation. |

   ![Screen capture of the expanded Mobile Device Management Required section](_images/zon1564020719034.png)

5. Click **Revoke** to remove the associated key.

   |   |                                                                                                                                                                            |
   | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | A minimum of one token must be retained. When there is only one token, clicking **Revoke** will offer the option to replace the existing token with a new generated token. |

   ![Screen capture showing the Revoke option.](_images/tsh1564020729781.png)

   |   |                                                                                                                                                                                                                                                                                                                                                   |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | If a new token was generated as the result of revoking the single listed token, all devices will be prevented from authenticating until the new token value is both updated in the MDM, and distributed to all devices. Consider setting the **EFFECTIVE DATE** to a future date to permit time for distribution of the new token to all devices. |

6. Click **Save**.

## Rotating MDM tokens

Organizational security policies might require periodic rotation of MDM tokens to prevent use of old tokens for authentication.

### About this task

Rotation is implemented by adding a new token, distributing it to all managed devices, and then removing (revoking) the old token.

|   |                                                                                                         |
| - | ------------------------------------------------------------------------------------------------------- |
|   | More than one token should coexist to permit token rotation without blocking users from authentication. |
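
The token check and rotation sequence described above, as an added Python model (not PingID code and not part of the original page). The class, device names and dates are constructed; treating the effective date as the first enforced day and replacing a sole revoked token automatically are assumptions.

```python
import hmac
import uuid
from datetime import date


class MdmTokenPolicy:
    """Toy model of the shared-token check described above (not PingID code)."""

    def __init__(self, effective_date):
        self.effective_date = effective_date
        self.active = [str(uuid.uuid4())]  # SHARED TOKEN values are UUID-format

    def generate_token(self):
        self.active.append(str(uuid.uuid4()))
        return self.active[-1]

    def revoke(self, token):
        self.active.remove(token)
        # At least one token is always retained: revoking the only token
        # replaces it with a newly generated one (modelled as automatic here).
        return self.generate_token() if not self.active else None

    def permits(self, device_token, today):
        if today < self.effective_date:  # assumption: enforced from this date on
            return True
        presented = (device_token or "").encode()
        # Check every active token; the list avoids stopping at the first match.
        return any([hmac.compare_digest(presented, t.encode()) for t in self.active])


def blocked(policy, fleet, today):
    """Names of devices whose pairing or authentication flow would be halted."""
    return sorted(n for n, tok in fleet.items() if not policy.permits(tok, today))


def rotation_demo():
    policy = MdmTokenPolicy(effective_date=date(2024, 2, 1))
    old = policy.active[0]
    fleet = {"phone-a": old, "phone-b": old, "unmanaged-c": None}  # constructed
    grace = blocked(policy, fleet, date(2024, 1, 20))     # before effective date
    enforced = blocked(policy, fleet, date(2024, 2, 2))   # requirement in effect
    new = policy.generate_token()
    fleet["phone-a"] = new                                # MDM reached phone-a only
    overlap = blocked(policy, fleet, date(2024, 2, 3))    # old and new both active
    policy.revoke(old)                                    # revoked too early
    early = blocked(policy, fleet, date(2024, 2, 3))
    fleet["phone-b"] = new                                # distribution completes
    done = blocked(policy, fleet, date(2024, 2, 4))
    return grace, enforced, overlap, early, done
```

In `rotation_demo()`, the `early` result shows the managed device that had not yet received the new token being blocked alongside the unmanaged one, which is the outage the coexistence window is meant to prevent.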

### Steps

1. In the admin console, go to **Setup → PingID → Device & Pairing**.

   ![Screen capture of the PingID admin console showing the Device & Pairing tab.](_images/fov1564020701514.png)

   Identify and locate the old token to be revoked.

   |   |                                                                                      |
   | - | ------------------------------------------------------------------------------------ |
   |   | The generated date following each token indicates the date and time of its creation. |

   ![Screen capture of the expanded Mobile Device Management Required section.](_images/zon1564020719034.png)
