Knowledgebase: NotifyMDM Server
Locking down the Dashboard and User Self-Administration Portals for NotifyMDM
Posted by Heather Burkett on 05 December 2012 10:52 AM

In NotifyMDM v3.9.0 and above, the Admin can control the features available to end users via the User Self Administration Portals. The following is therefore only necessary for server versions 3.8.1 and older:

NOTE: Configuring your system in this way will prevent the proper operation of the following features in MDM:

  1. DEP device management
  2. App-less enrollment
  3. SAML authentication

If an Admin wants to lock down IIS, making the dashboard and User Self Administration Portals (USAP) unavailable from anywhere except specific machines, the following steps can be taken on a Windows 2008 server:

  1. Open IIS Manager
  2. Go to “Default Website”
  3. At the root level, click “IP Address & Domain Restrictions”. (If this option is not available, the “IP and Domain Restrictions Role” will need to be installed. See instructions below.)
  4. Click “Edit Feature Setting” on the right.
    1. Set the value to “Deny”
  5. At the screen where you can add exceptions, add the following rules. This will allow those who connect directly to the NotifyMDM Server to use the dashboard or USAPs.
    1. IP: (the internal IP address of the NotifyMDM Server)
    2. IP: 127.0.0.1
  6. While in IIS Manager, click each subdirectory of the Default Website, go into “IP Address & Domain Restrictions”, and set the “Edit Feature Setting” to Deny.
    1. The IP Addresses that you added to the root level should have populated below for the subdirectories.
  7. Access to the /sync subdirectory must always be allowed for devices to be able to sync successfully.

NOTE: If you wish to give more IP addresses access to the dashboard or USAP, you MUST add them at the root level or Default Website level. Adding them anywhere else will cause problems, one being that this security implementation will no longer work.
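
To check the result of the steps above, the following added example (not part of the original article or of NotifyMDM) audits an applicationHost.config file against the three rules: root set to Deny with both exceptions, no exceptions added below the root, and /sync still open. It assumes IIS stores these settings as <location> entries with an ipSecurity section, that "allowed" for /sync means unspecified clients are allowed there, and that every subdirectory inherits directly from the site root; the subdirectory names and IP addresses in the sample are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not from a real server. "dashboard" and "usap" are
# hypothetical subdirectory names; 192.0.2.10 stands in for the server's IP.
SAMPLE = """<configuration>
 <location path="Default Web Site"><system.webServer><security>
  <ipSecurity allowUnlisted="false">
   <add ipAddress="127.0.0.1" allowed="true" />
   <add ipAddress="192.0.2.10" allowed="true" />
  </ipSecurity></security></system.webServer></location>
 <location path="Default Web Site/dashboard"><system.webServer><security>
  <ipSecurity allowUnlisted="false" /></security></system.webServer></location>
 <location path="Default Web Site/usap"><system.webServer><security>
  <ipSecurity allowUnlisted="false"><add ipAddress="10.1.2.3" allowed="true" />
  </ipSecurity></security></system.webServer></location>
 <location path="Default Web Site/sync"><system.webServer><security>
  <ipSecurity allowUnlisted="false" /></security></system.webServer></location>
</configuration>"""

def _allows_unlisted(sec, inherited=True):
    """allowUnlisted of a section; an unset attribute inherits from the parent."""
    value = None if sec is None else sec.get("allowUnlisted")
    return inherited if value is None else value.lower() == "true"

def audit(config_xml, server_ip, site="Default Web Site"):
    """List deviations from the article's steps; an empty list means none found."""
    secs = {loc.get("path") or "": loc.find("system.webServer/security/ipSecurity")
            for loc in ET.fromstring(config_xml).iter("location")}
    root, findings = secs.get(site), []
    root_open = _allows_unlisted(root)
    if root_open:
        findings.append("root: unspecified clients are not denied")
    rules = root.findall("add") if root is not None else []
    allowed = {r.get("ipAddress") for r in rules if r.get("allowed", "").lower() == "true"}
    findings += [f"root: no allow rule for {ip}"
                 for ip in ("127.0.0.1", server_ip) if ip not in allowed]
    # Step 7: /sync must stay reachable even though the root denies by default.
    if not _allows_unlisted(secs.get(f"{site}/sync"), root_open):
        findings.append("/sync: devices are blocked from syncing")
    for path, sec in secs.items():
        if sec is None or not path.startswith(site + "/") or path == f"{site}/sync":
            continue
        if _allows_unlisted(sec, root_open):
            findings.append(f"{path}: unspecified clients are not denied")
        if sec.find("add") is not None:  # the NOTE: exceptions belong at the root only
            findings.append(f"{path}: IP rule added below the root level")
    return findings
```

Calling audit(SAMPLE, "192.0.2.10") reports the blocked /sync directory and the exception added under usap; run it against a copy of the server's own applicationHost.config with the real internal IP.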

Installing the IP and Domain Restrictions Role

  1. Right-click Computer.
  2. Go into “Roles” and go under the “Web Server (IIS)” section.
  3. Click “Add Role Services.”
  4. Install the “IP and Domain Restrictions” role under Security in the popup menu.