Device re-enrolling | Fluid Attacks Help

Device enrolling and re-enrolling

Fluid Attacks establishes security and monitoring controls over all Fluid Attacks devices, including smartphones, used by employees.

Enrolling

These are the steps Fluid Attacks follows when it hands devices to employees:
  1. The employee's credentials are created in Okta by the IT area when requested by the Administrative Director.
  2. Once created, the IT team logs into the account, sets a password and MFA.
  3. When the user is active, the machine is enrolled with those credentials and the right Jamf configurations are verified (disk encryption with its key, the necessary applications, and additionally, that the user cannot format the disk).
    4. Notes
    The IT team temporarily stores the device's local password in 1password (password manager) until it is shared with the employee.
  4. Once the enrollment is finished, the password and MFA in Okta are reset. Then, a temporary password is shared with the Administrative Director, which is for the employee to log in on their own.
  5. The configured device is sent to the employee.
  6. When the device arrives at the employee's remote work location, a virtual meeting is set up to sync Jamf Connect with the new credentials.

Re-enrolling

Fluid Attacks re-enrolls devices when assigning them to a new employee. Before this, however, Fluid Attacks removes the previously installed management profile. A high-level view of the process is shown here:

  1. Sign out of iCloud on the device. 
  2. Erase a managed device remotely by sending an Erase device command.
  3. Erase directly on a device by navigating into the console to Settings > General > Reset.
  4. Choose the Erase All Content and Settings option.
  5. Complete Setup Assistant on the reset device. The device is set up as a new device during the Setup Assistant phase (4).

Fluid Attacks' MDM tool helps the company comply with secure device management with the National Institute of Standards and Technology guidelines described in NIST 800-53 and 800-171. It also has an alignment with hardening frameworks, such as the Center for Internet Security (CIS) and DISA STIG guidelines.

The following image is an example of the Erase device command on the MDM console: