Maker Checker in Scalefusion

Maker-checker is a fundamental principle of authorization within the information systems such as that of financial institutions. This principle mandates the involvement of a minimum of two individuals in every transaction - one responsible for initiating the transaction and another tasked with validating or authorizing it.

By introducing a maker-checker based flow in the MDM ecosystem, allows IT Admins to implement checks and balances in the system and also provides them with the ability to review crucial changes that may impact the device's operation in the field before they are actually put into effect. This added layer of security and oversight ensures a more thorough and careful approach to managing device operations. 

This article explains how Maker Checker feature is configured on Scalefusion Dashboard and then used to approve or disapprove the actions taken thereon.

Platforms Supported

• Windows, macOS, Android, iOS

Pre-Requisites

1. You should be subscribed to Enterprise 2023 subscription plan
2. Admin with Approver Privileges
3. Enable Maker/Checker for Supported Actions should be enabled on Scalefusion Dashboard (Utilities > Global Settings > General Settings)
   On enabling this setting, note that Maker Checker is available on Scalefusion Dashboard's left panel
   

Actions for Approval

Following types of actions taken by a user from Scalefusion Dashboard can be initiated for approval: 

1. Add/Move Device to a Group
2. Application Publish (Applications can be PFW apps, Apple App Store, Enterprise Apps)
3. Application Unpublish
4. Apply Profile to a Device/Group
5. Unlock Device
6. Delete Device
7. Delete Device Profile
8. Delete Device Group
9. Factory Reset Device
10. IMEI/Serial# Record Updates
11. Remove Device Profile
12. Remove Device/User from a Group

These are configurable, that is, IT admins can select the actions for which they want maker/checker to be enabled.

From where can the actions be initiated?

1. Devices section > Gear icon
2. Devices > Bulk Actions
3. Group Level actions

Overview

There are two individuals involved in the process, viz:

1. Maker: The person who initiates an action (listed above) from Dashboard
2. Checker: The person who reviews and approves/rejects the request. People assigned with any of the following roles can approve/reject requests:
   1. Owner 
   2. Co-account owner 
   3. Approver/Checker: The role can be assigned from Admins & Roles section on Scalefusion Dashboard.
      
   4. Custom role having Approver permission enabled. For a custom role, actions can be assigned/unassigned.
      

• Step 1: Configure actions or policies which require to be reviewed for approval/rejection
• Step 2: Initiate request
• Step 3: Review the request for approval or rejection

These are explained in detail below.

Configure Actions

1. On Scalefusion Dashboard, navigate to Maker Checker > Pending Approval and click on Configure button on the right
   
2. This opens the Configure Maker/Checker Behavior dialog box. In this, configure the following and click Save:
   1. Actions: From the list of actions, select the actions for which approval is required
   2. Send approval requests if impact equals or exceeds (1-200): Here, Admins can configure a count and the approval requests will be sent only if they equal or exceed the given count. That is, the total no. of impacted devices on the requests initiated from dashboard, should be equal to or above the count mentioned here. If the no. of impacted devices is less than the count, then the request is not sent in the process of approval. This count can be anywhere from 1 to 200. Please note, this does not apply on request for Factory Reset and IMEI/Serial # Record Updates
      
      

Initiate Request

1. From Scalefusion Dashboard, admin initiates a request.
2. Add a description for the request. 
3. Once you initiate a request from Dashboard, 
   1. It will be queued for approval and displayed under Maker Checker > My Open Requests. You can view the details of devices which are impacted and also update the description that helps reviewer to understand the context. 
   2. An email notification will be sent to the approver notifying about the request being raised.
      

Review Request 

1. The approver logs in to Scalefusion Dashboard
2. The requests will be displayed under Maker Checker > Pending Approval. 
   Note on the left panel, a badge is displayed next to Maker Checker and count next to Pending approval indicating there are requests pending for approval
3. Click on View Details to view the details like when the request was initiated and by whom, the devices impacted etc. and take appropriate action to approve or reject accordingly.
   
   

Important Points to Note

1. IT admins cannot view their own requests in Pending Approval.
2. Pending Approval will list requests made by other admins. 

Example

The process of initiating and approving a request is explained with the help of an example of unlocking an Android device.

1. Assuming the admin has configured this action for approval, you initiate the action to unlock a device from dashboard.
   
2. At first, you will get the following dialog to enter description which helps the checker to understand the context for unlocking the device. You can choose Add Later and add it later from My Open Requests.
   
3. Once done, note that the approval request is displayed under Maker Checker > My Open Requests with the Status Waiting for Approval and other related details. From here, you can perform the following:
   1. View Devices: Clicking on View Devices will open another window showing the details of device(s) which will get unlocked.
   2. Edit Description: Under actions, clicking on pencil icon will open the dialog where you can edit the description for this action.
      
4. Approver (Checker) View: For the approver, the request will be displayed under Maker Checker > Pending Approval. To review request, click on View Details
   
5. This will display the following:
   1. Action Details: Details of the action in consideration (unlock device in this case), that is, 
      1. who initiated the action
      2. date when request was initiated and its expiry
   2. Click Next button on top
      
      For certain Requests like Application Publish/Unpublish, apply profile to device etc. an additional tab Potential Changes will be there displaying summarized view of more granular details related to the request in consideration.
      
      
   3. Impacted Devices: Lists the device details which will be unlocked. There can be more than one impacted devices.
      
   4. After reviewing, click on Approve or Reject button on top.
      1. Approve: This will approve the action and the device will be unlocked. On clicking Approve, 
         1. A confirmation box will appear where you can provide a note in the text area, for approving and click Confirm
             
         2. This request will get removed from Pending Approval list as well as My Open Requests (on maker's side) 
      2. Reject: This will reject the request and device will not get unlocked. On clicking Reject, a confirmation box will appear where you can provide a reason in the text area, for rejecting, and click Confirm.
         
6. This is how any request can be reviewed, approved or rejected.

Reports

The Account Activity report gives a report of Maker Checker related activities. This report is also available in approver view. 

Frequently Asked Questions

Question 1: What happens if no action (approve or reject) is taken on a request, by the approver?

Answer: If no action (approve or reject) is taken on a request, it automatically expires after 10 days. As a result, the request will be removed from the pending approval list and will get rejected by default. 

Question 2: What about the apps enabled from Device Profile? Will they undergo approval process?

Answer: The apps enabled in Device Profile from Select Apps section, will be pushed to the device only after they have been approved. Here, the approval process will remain the same. This is applicable on Windows (Multi-App Kiosk mode), iOS and Android platforms and the process is known as Silent approval.

Question 3: If you select an application to be put in Single App mode (SAM), how does it work with Maker Checker enabled?

Answer: If you add any application in SAM mode which is not enabled in profile beforehand, it will go through the process of silent approval. However, if the app is already published on profile and we edit profile, add the app in SAM mode then it puts the app in Single App Mode on the device. This applies on Windows, Android and iOS (Supervised devices).

Question 4: If you have applied App Locker Policy on Windows devices, how does it work with Maker Checker enabled?

Answer: If you have applied App Locker Policy, the apps (Allowed or Blocked) will be implemented on devices after going through the process of approval only.