Auto-quarantine restricts newly enrolled devices from receiving any subsequent configuration profiles or apps without authorization from a Systems Manager (SM) network administrator. Auto-quarantine is disabled by default, but can be enabled on a per-SM network basis. Until authorized by an SM network administrator, quarantined devices will not gain access to any sensitive network resources, including WiFi credentials, VPN settings, and paid iOS apps. Enabling this feature is an especially good idea if configuration profiles or apps are set to automatically deploy to all enrolled devices. This article describes how to enable Auto-quarantine and how to authorize a quarantined client.
To enable Auto-quarantine:
Note: Auto-quarantine only applies to newly enrolled devices. If a device is already listed on the Monitor > Clients page and it re-enrolls, the device will not be quarantined upon re-enrollment. In this situation, the device would need to be removed from the Clients list before a new enrollment will auto-quarantine the device.
Authorizing a Quarantined Client:
An administrator can authorize a quarantined client to receive targeted configuration profiles and managed apps from either the Monitor > Clients page or the client's details page.
Option 1: Authorize from the Monitor > Clients page
Option 2: Authorize from the client's details page
Enabling Auto-quarantine allows a device to enroll in an SM network while remaining restricted from receiving any subsequent configuration profiles or apps until the device is authorized by an admin. Auto-quarantine further strengthens network security by preventing unauthorized devices from accessing any sensitive network information.