beem docs

English

Deutsch
Français
Italiano

English

Deutsch
Français
Italiano

Appearance

beem Device Management

beem Device Management is a Unified Endpoint Management (UEM) solution designed to manage, monitor, and secure devices across various operating systems. It ensures that endpoints (mobile phones, tablets, laptops, or desktops) adhere to corporate security policies and are continuously assessed for compliance and posture. This is done by means of a specific device management tenant that utilises telemetry data to enforce device policies and configurations.

This page describes the principles and technicalities of beem Device Management. Use the following links for specific setup guides:


INFO

Currently, beem Device Management is available for Apple (iOS, iPadOS, macOS) and Samsung (Android One UI) devices. Support for other devices and operating systems is in development.

Device Posture Management

Device Posture Management is an important part of UEM, ensuring the security and trustworthiness of client devices before they gain access to network resources or applications. It collects device attributes and uses these to enforce access rules, restricting client devices that do not meet specific security requirements. These device attributes include predetermined information such as the operating system versions and hundreds of other attributes. beem Device Management differentiates between Proactive Device Posture Management and Continuous Device Posture Management.

Proactive Device Posture Management

Proactive Device Posture Management enforces policies based on Device Security Levels. beem offers several security levels for client devices, each with a different strictness of posture enforcement. The choice of Device Security Level depends on how much you prioritize security restrictions over user-friendliness, ranging from Level 1, a basic level of security with minimal restrictions on the end-user, to Level 4, a high level of security with a partially hindered user experience. (Level 0 deactivates beem Device Management.)

The feature-set offered with each Device Security Level varies between devices and operating systems.

Detailed Device Security Level Overview for Apple iOS / iPadOS​ Devices


Device Security Level 1

Policy overview:

  • Devices can be used for both business and personal purposes. ​
  • Existing device fleets can be integrated without a factory reset. Apps and data remain intact.​
  • Partially managed device with minimal restrictions for the user. ​
  • Continuous verification of device properties and security policies before accessing corporate resources. ​
  • Privacy-friendly: Users retain ownership of their personal data and maintain control over the device.

Device configurations:​

  • Update new devices, Software is enforced.
  • Secure app management, blocks unauthorized apps and app stores​
  • Automatic installation of the beem app​.
  • Device PIN is enforced, simple passcode settings and lock policies (Password length, number of login attempts)​.
  • Blocks voice dialing and Siri when the device is locked​.

Available device actions:​

  • Delete device​.
  • Lock device​.
  • Remove device from management.
Device Security Level 2 (default)

Policy overview:

  • Devices can be used for both business and personal purposes. ​
  • Existing device fleets can be integrated without a factory reset, apps and data remain intact.​
  • Partially managed device with minimal restrictions for the user. ​
  • Continuous verification of device properties and security policies before accessing corporate resources. ​
  • Privacy-friendly: Users retain ownership of their personal data and maintain control over the device.

Device configurations:​

  • Update new devices, software update is enforced.
  • Secure app management, blocks unauthorized apps and app stores​.
  • Automatic installation of the beem app​.
  • Advanced passcode settings and lock screen policies (Password length, max. login attempts, max. password age, password history)​.
  • Blocks voice dialing and Siri when the device is locked​.
  • Blocks insecure TLS connections (e.g., websites, servers)​.
  • Blocks access to USB accessories.
  • Fraud alert.
  • Enforce Apple Watch detection.

Available device actions:​

  • Delete device​.
  • Lock device​.
  • Remove device from management.
Device Security Level 3

Policy overview:

  • Devices can be used for both business and personal purposes. ​
  • Existing device fleets can be integrated without a factory reset, apps and data remain intact.​
  • Partially managed device with some restrictions for the user. ​
  • Continuous verification of device properties and security policies before accessing corporate resources. ​
  • Privacy-friendly: Users retain ownership of their personal data and maintain control over the device.

Device configurations:​

  • Update new devices, software update is enforced.​
  • Secure app management, Blocks unauthorized apps and app stores​
  • Automatic installation of the beem app​.
  • Advanced passcode settings and lock screen policies (Password length, max. login attempts, max. password age, password history)​.
  • Blocks voice dialing and Siri when the device is locked​.
  • Blocks insecure TLS connections (e.g., websites, servers)​.
  • Blocks access to USB accessories​.
  • Fraud alert​.
  • Enforce Apple Watch detection.
  • Prevent screenshots and screen recordings.
  • Block access to USB and network drives in the Files app.
  • Prevent pairing with unknown computers.
  • Restrict AirDrop (iCloud Contacts only).
  • Cross-device tasks disabled (Handoff).

Available device actions:​

  • Delete device​.
  • Lock device​.
  • Remove device from management.
Device Security Level 4

Device Security Level 4 is in development, coming soon.

Detailed Device Security Level Overview for Apple macOS​ Devices


Device Security Level 1

Policy overview:

  • Devices can be used for both business and personal purposes. ​
  • Existing device fleets can be integrated without a factory reset, apps and data remain intact.​
  • Partially managed device with minimal restrictions for the user. ​
  • Continuous verification of device properties and security policies before accessing corporate resources. ​
  • Privacy-friendly: Users retain ownership of their personal data and maintain control over the device.

Device configurations:​

  • Update new devices, software is enforced. ​
  • Automatic installation of the beem app​.
  • Device PIN is enforced, simple passcode settings and lock policies (Password length, number of login attempts)​.
  • Allows synchronization with the iCloud Password Manager​.
  • Allows incoming connections through the firewall.

Available device actions:​

  • Delete device​.
  • Lock device​.
  • Remove device from management.
Device Security Level 2

Policy overview:

  • Devices can be used for both business and personal purposes. ​
  • Existing device fleets can be integrated without a factory reset, apps and data remain intact.​
  • Partially managed device with minimal restrictions for the user. ​
  • Continuous verification of device properties and security policies before accessing corporate resources. ​
  • Privacy-friendly: Users retain ownership of their personal data and maintain control over the device.

Device configurations:​

  • Update new devices, software is enforced.
  • Automatic installation of the beem app​.
  • Advanced passcode settings and lock policies (Password length, number of login attempts, maximum password age, password history).​
  • Blocks insecure TLS connections (e.g., websites, servers).
  • Allows synchronization with the iCloud Password Manager.
  • Allows incoming connections through the firewall.
  • Basic Safari restrictions.
  • Enforces data encryption on the Mac.

Available device actions:​

  • Delete device​.
  • Lock device​.
  • Remove device from management.
Device Security Level 3 (default)

Policy overview:

  • Devices can be used for both business and personal purposes. ​
  • Existing device fleets can be integrated without a factory reset, apps and data remain intact.​
  • Partially managed device with some restrictions for the user. ​
  • Continuous verification of device properties and security policies before accessing corporate resources. ​
  • Privacy-friendly: Users retain ownership of their personal data and maintain control over the device.

Device configurations:​

  • Update new devices, software is enforced.
  • Automatic installation of the beem app​.
  • Advanced passcode settings and lock policies (Password length, number of login attempts, maximum password age, password history, complex alphanumeric password)​.
  • Blocks insecure TLS connections (e.g., websites, servers)​.
  • Allows synchronization with the iCloud Password Manager​.
  • Allows incoming connections through the firewall​.
  • Advanced Safari restrictions​.
  • Enforces data encryption on the Mac​.
  • File and folder-level security​.
  • Restrict AirDrop (iCloud Contacts only)​.
  • Disable personalized ads.
  • Enforce the Gatekeeper security feature (verifies downloaded software)​.
  • Prevents screen mirroring from iPhone to Mac.

Available device actions:​

  • Delete device​.
  • Lock device​.
  • Remove device from management.
Device Security Level 4

Device Security Level 4 is in development, coming soon.

Detailed Device Security Level Overview for Samsung Android​ Devices


Device Security Level 1

Policy overview:

  • Devices can be used for both business and personal purposes. ​
  • Existing device fleets can be integrated without a factory reset. Apps and data remain intact.​
  • Partially managed device with minimal restrictions for the user. ​
  • Continuous verification of device properties and security policies before accessing corporate resources. ​
  • Privacy-friendly: Users retain ownership of their personal data and maintain control over the device.

Device configurations:​

  • Update enforcement for new devices, software updates are mandatory.
  • Secure app management blocks unauthorized apps and app stores.
  • Enforces data encryption on the device.
  • Detects and blocks access from devices with jailbreak or root access to corporate resources.
  • Automatic installation of the beem app.
  • Screen lock and device PIN enforcement, simple passcode settings and lock policies (password length, number of login attempts).
  • Biometric methods and trusted unlock options (Smart Lock) allowed.
  • Hide or restrict content in lock-screen notifications.

Available device actions:​

  • Delete device​.
  • Lock device​.
  • Remove device from management.
Device Security Level 2 (default)

Policy overview:

  • Devices can be used for both business and personal purposes. ​
  • Existing device fleets can be integrated without a factory reset, apps and data remain intact.​
  • Partially managed device with minimal restrictions for the user. ​
  • Continuous verification of device properties and security policies before accessing corporate resources. ​
  • Privacy-friendly: Users retain ownership of their personal data and maintain control over the device.

Device configurations:​

  • Update enforcement for new devices, software updates are mandatory.
  • Secure app management, blocks unauthorized apps and app stores.
  • Enforces data encryption on the device.
  • Detects and blocks access from devices with jailbreak or root access to corporate resources.
  • Automatic installation of the beem app.
  • Screen lock and device PIN enforcement, advanced passcode and lock policies (password length, number of login attempts, maximum password age, password history).
  • Biometric unlocking (Smart Lock) allowed.
  • Trusted unlock mechanisms (Smart Lock) disabled.
  • Hide or restrict content in lock-screen notifications.
  • Prevent changes to user accounts.

Available device actions:​

  • Delete device​.
  • Lock device​.
  • Remove device from management.
Device Security Level 3

Policy overview:

  • Devices can be used for both business and personal purposes. ​
  • Existing device fleets can be integrated without a factory reset, apps and data remain intact.​
  • Partially managed device with some restrictions for the user. ​
  • Continuous verification of device properties and security policies before accessing corporate resources. ​
  • Privacy-friendly: Users retain ownership of their personal data and maintain control over the device.

Device configurations:​

  • Update of new devices, software updates are enforced.
  • Secure app handling blocks unauthorized apps and app stores.
  • Enforces data encryption on the device.
  • Detects and blocks access from devices with jailbreak or root access to corporate resources.
  • Automatic installation of the beem app.
  • Screen lock and device PIN are enforced, advanced passcode settings and lock policies (password length, number of sign-in attempts, maximum password age, password history).
  • Biometric unlocking (Smart Lock) is allowed.
  • Trusted unlocking mechanisms (Smart Lock) are disabled.
  • Face and iris unlocking are disabled (fingerprint allowed).
  • Hide or conceal lock screen notifications.
  • Prevent changes to user accounts.
  • Screenshots and screen recordings are blocked.
  • Autofill, printing, NFC (Android Beam), and location sharing are disabled.
  • Caller ID is disabled.
  • Contact search is disabled (no app access to contacts).

Available device actions:​

  • Delete device​.
  • Lock device​.
  • Remove device from management.
Device Security Level 4

Device Security Level 4 is in development, coming soon.

Compliance Configurations and Integration

Generally, one Device Security Level can be set per client operating system. For example, if you manage multiple Apple devices (e.g., iPhone, iPad, and Mac), the selected level applies to all of them simultaneously. Changing the Device Security Level in the beem Hub updates all managed Apple devices at once.

The beem Device Management compliance status can also be checked and configured in Concerto to control and enable a device's access to corporate resources. For more details, please refer to the specific Concerto documentation.

beem offers the possibility to integrate customer's own UEM Solution with Concerto. In this case, beem Device Mananagement must not be activated.

Continuous Device Posture Management

Continuous Device Posture Management offers real-time monitoring of a device's health and configuration status. This is done by using Endpoint Information Profiles (EIP), which provide status information about client devices; for instance, whether the latest security patches and antivirus updates are installed.

EIP are used as parameters to check if a device adheres to the required security standards and is allowed network access. Additionally, EIP integration with various Endpoint Protection Platforms (EPP) is supported for the following providers of antivirus or anti-malware tools:

  • Avast
  • Carbon Black
  • crowdstrike
  • eset
  • kaspersky
  • McAfee
  • panda
  • SentinelOne
  • Symantec
  • Trend Micros
  • Windows Defender

Beware that beem Device Management currently does not include its own EPP module but relies on third-party solutions. We therefore recommend the integration with third-party EPPs, such as:

  • Bitdefender
  • CrowdStrike
  • Microsoft Defender
  • Sophos
  • Trend Micro

Configurations to Continuous Device Posture Management can be made in Concerto. For more details, please refer to the specific Concerto documentation.


TIP

Devices running on Windows or macOS offer many parameters that can be used for EIP. However, devices operating on iOS, iPadOS, or Android share fewer parameters suitable for EIP. Security wise, it's therefore recommended to set the Device Security Levels of these (mobile) devices as high as feasible.