Reconciling Google MDM and Casper BYOD.

sunny_marie
New Contributor

We use Google Apps at my company and the current setup involves users being approved by us after installing a Google MDM profile. We already use Casper for managing our Macs, and I'm in the process of setting up Casper BYOD for a number of reasons. For the most part it's going smoothly, except for the fact that Google profiles and Casper profiles will not coexist on devices. Before you jump to the "why the hell are you still using Google MDM" conclusion, let me explain.

I want Google to be responsible for passcode enforcement because, with Google MDM, a user cannot access their email without setting a passcode. As far as I know, this isn't possible with Casper. I want Casper to enforce everything else. I was hoping that the issue was that both Google and Casper were trying to enforce the same settings (passcode, wifi credentials, etc.), but even after adjusting those, the profile won't install.

Anyone out there using/managing devices with Google Apps with Casper BYOD successfully? Secondarily, anyone successfully gotten Google mail set up to the point that the user only needs to enter their username/password?

5 REPLIES

mm2270
Legendary Contributor III

A device can only be managed by one MDM system at a time. You can have as many individual configuration profiles on it as you want, but only one overall management profile. That's pretty much how it's always been since MDM was introduced, and I'm sure for good reason.

As for enforcing a passcode, I'm confused. I thought it was possible to set a Config Profile to enforce a passcode on a device if one isn't already set. I believe there is a grace period where the device can be used without one, but once that period expires the device will only open to a passcode set screen and the user can't use the device at all without setting a passcode that meets the specific requirements you set in the profile.
Is that what you're looking for, or does the one Google's MDM set operate in some other way?

sunny_marie
New Contributor

@mm2270 OK, I had sort of assumed that only one MDM system could be used at a time. It was my next logical conclusion.

The one reason (and one reason only) that Google MDM is superior when managing devices using Google Apps is the ability to control email profiles in both the Mail app and the Gmail app. What I mean by that is this: you cannot access your email or calendar in any app if the device does not meet Google's management criteria (i.e. passcode). I can absolutely set a passcode using Casper, that much is not disputed. I can also set up the Gmail account using the personal device profile, but only in Mail. Using Casper MDM, if the user downloads the Gmail app and sets up their account, there's no good way for me to manage it.

Ultimately, it seems it's going to come down to what functions most reliably even if we don't have full control of Google. That is to say, Casper.

chad_jannusch
New Contributor II

I'm facing the same issue. We have a mixed user base with some users using BYOD devices, some having BYOD and company-owned and some just having company-owned devices. I like enforcing the passcode requirement through Google MDM since that ensures all users that have set up their devices to get email are required to secure it. However, that limits the policies we can put in place since some policies wouldn't/shouldn't apply to BYOD devices. Ideally I'd like to just put all company-owned devices in Casper but that would then allow the user to not secure email on their own device.

nvandam
Contributor II

Just started at a new company and we have this issue. We are enforcing the passcode with Google MDM, so anyone getting email on their BYOD device is required to install the Google MDM profile and set a passcode before they can access anything, Gmail, Drive, Docs, etc. This is great for what it's doing, but we have about 1,500 iOS devices being managed by JAMF that can't access Gmail, Drive, Docs, etc. because an iOS device can only have one MDM profile at a time. I'd like to hear if anyone has come up with a good solution.

joeyk
New Contributor II

If you have access to the G Suite Feature Idea submission forum, please upvote this post so we can see Management (basic vs. advanced) determined based on ownership (Company vs. user): https://www.cloudconnectcommunity.com/ccc/ls/community/g-suite-chrome-feature-ideas/post/5839401249800192