Windows 8.1: Managing Standard Users using MDM

Customers often ask us how they can manage non-admin (standard) users using MDM. This post explains how.

Windows 8.1 extended its MDM capabilities to allow management of standard users by introducing a new protocol, enroll-on-behalf-of (EOBO), which lets IT administrators enroll a device on behalf of a standard user. Prior to this change, only administrators could enroll their own devices (the BYOD scenario).

With EOBO, a System Integrator (SI) can enroll a device into management for a standard user during the provisioning process.

What are the steps required to enroll and manage a standard user?

The following steps enroll a device on behalf of a standard user.

1. The System Integrator creates a standard (non-administrator) local user account on the device.

2. The System Integrator sets the following registry values, where the UPN is the user's email address and the SID is the SID of the local account created in step 1:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM]

"MachineMDMEnrollment"=dword:00000001

"MachineMDMEnrollmentUserUPN"="user@test.com"

"MachineMDMEnrollmentUserSID"="S-1-5-21-425123111-41579146940-3751321321-1002"

3. The SI then uses the PC Settings UI (Network -> Workplace) to enroll the device into management.
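As an added example (this script is not from the original post), the following PowerShell automates steps 1 and 2 on Windows 8.1 and checks the result before the interactive step 3. The account name, password and UPN are placeholders. The SID is resolved from the local account rather than copied by hand; this also guards against a value like the one printed above, whose second sub-authority (41579146940) is larger than a 32-bit SID sub-authority allows and so cannot be a real SID. The script also refuses to continue if the account is a member of the local Administrators group, because EOBO is meant for standard users.

```powershell
# Added example, not code from the original post. Prepares a Windows 8.1 device
# for EOBO enrollment of a standard user (steps 1 and 2) and verifies the result.
# Run from an elevated PowerShell 4.0 prompt. $UserName, $Password and $UserUpn
# are placeholders (assumptions); replace them for a real device.
param(
    [string]$UserName = 'stduser',
    [string]$Password = 'Replace-Me-1234!',
    [string]$UserUpn  = 'user@test.com'
)

$MdmKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'

function New-StandardLocalUser {
    param([string]$Name, [string]$Pwd)
    # New-LocalUser does not exist on Windows 8.1, so create the account with net.exe.
    $existing = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='$Name'"
    if (-not $existing) {
        & net.exe user $Name $Pwd /add | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "net user $Name /add failed (exit $LASTEXITCODE)" }
    }
    # EOBO is for standard users: refuse to continue if the account is an administrator.
    $admins  = [ADSI]'WinNT://./Administrators,group'
    $members = @($admins.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    if ($members -contains $Name) {
        throw "$Name is a member of Administrators; EOBO requires a standard user"
    }
}

function Get-LocalAccountSid {
    param([string]$Name)
    # Resolve the SID from the account instead of typing it by hand.
    $acct = New-Object System.Security.Principal.NTAccount -ArgumentList $env:COMPUTERNAME, $Name
    $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    # A local account SID has the shape S-1-5-21-<sub>-<sub>-<sub>-<RID>.
    if ($sid -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { throw "Unexpected SID for $Name`: $sid" }
    return $sid
}

function Set-EoboRegistryValues {
    param([string]$Upn, [string]$Sid)
    if (-not (Test-Path $MdmKey)) { New-Item -Path $MdmKey -Force | Out-Null }
    # Value types matter: MachineMDMEnrollment is a DWORD, the other two are REG_SZ.
    New-ItemProperty -Path $MdmKey -Name 'MachineMDMEnrollment'        -PropertyType DWord  -Value 1    -Force | Out-Null
    New-ItemProperty -Path $MdmKey -Name 'MachineMDMEnrollmentUserUPN' -PropertyType String -Value $Upn -Force | Out-Null
    New-ItemProperty -Path $MdmKey -Name 'MachineMDMEnrollmentUserSID' -PropertyType String -Value $Sid -Force | Out-Null
}

function Test-EoboRegistryValues {
    param([string]$Upn, [string]$Sid)
    # Read back what the client will use. If the values are wrong, the client
    # will not initiate the EOBO variant of the enrollment protocol.
    $v  = Get-ItemProperty -Path $MdmKey
    $ok = ($v.MachineMDMEnrollment -eq 1) -and
          ($v.MachineMDMEnrollmentUserUPN -eq $Upn) -and
          ($v.MachineMDMEnrollmentUserSID -eq $Sid)
    if (-not $ok) { throw 'MDM registry values do not match the expected EOBO configuration' }
    # The stored SID must still resolve to an account on this machine.
    $sidObj   = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $v.MachineMDMEnrollmentUserSID
    $resolved = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    if ($resolved -notlike "$env:COMPUTERNAME\*") { throw "SID resolves to $resolved, not a local account" }
    Write-Host "EOBO prerequisites in place for $resolved ($Sid)."
    Write-Host "Now enroll via PC Settings -> Network -> Workplace (step 3)."
}

New-StandardLocalUser -Name $UserName -Pwd $Password
$sid = Get-LocalAccountSid -Name $UserName
Set-EoboRegistryValues -Upn $UserUpn -Sid $sid
Test-EoboRegistryValues -Upn $UserUpn -Sid $sid
```

Step 3 stays manual: the script only prepares the registry and the account, and the enrollment itself is started from the PC Settings UI. Run the script again after a failed enrollment attempt to confirm the values were not changed or removed.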

If the registry values have been populated correctly, the client initiates the EOBO-specific variant of the enrollment protocol.

The request indicates to the service that a 'bulk enrollment' account was used for authentication and includes that token, as well as the UPN of the standard user. Here is a sample of the EOBO SOAP request:

What happens after enrollment?

A.) MDMAgent is launched, normally in maintenance mode, if the enrolled user is logged on.

B.) If MDMAgent is launched while the enrolled user is not logged on, it runs in machine mode, which indicates to the service that only machine policy should be processed.

If MDMAgent has to process applications or certificates, it impersonates the logged-on enrolled user as appropriate and reverts to its own context at the end of the operation.

Follow the Windows Store Developer Solutions team on Twitter @wsdevsol.