Mobile Device Manager Plus can be used to remotely secure data in the mobile devices even in the event of the device being lost or missing. The following operations can be done using the security commands in MDM.
You can remotely lock the managed mobile device. After a remote lock is performed, the user is prompted to enter the passcode of the mobile device only if you have set a passcode for the device. This feature is supported for Android, iOS, macOS and Windows phones. In devices running iOS 7 or later versions, you can also specify a message and a contact number while locking the device. The device can be unlocked using the existing passcode. However, for macOS devices, you can only specify a message to be displayed, while locking the device. The existing passcode will be rendered invalid, and the device can be unlocked only using the pin set by the admin.
Follow the steps mentioned below to specify a contact number and the message to be displayed on the lock screen of devices running iOS 7 or later:
- On the web console, navigate to Devices.
- Select the device to be locked.
- Under Actions, click on Remote Lock. Enter the contact number and the message to be displayed on the locked screen of the mobile device. You can see the message displayed on the device as shown below.
You can scan the enrolled mobile device to view details about the installed apps, blacklisted apps and restrictions imposed on the device, along with other device details. You can also view the installed apps and the restrictions imposed on the device. The scanning can be performed only when the device is connected to the internet. This feature is supported for Android, iOS and Windows. If Periodic communication mode is chosen, the scanning operation has a 60-minute communication interval with the server. So, scanning takes place only the next time, when the device interacts with the server.
You can trigger an alarm on the mobile device if it is lost or stolen. It sounds an alarm even if the device is in silent mode. The alarm stops ringing only when the device is unlocked. This feature is applicable for Android, iOS and Windows, with iOS requiring Lost Mode to be enabled for Remote Alarm to work. In case of Windows, this feature is supported only for phones.
All the data in the device can be completely wiped, using this command. The device becomes as good as new. You can also wipe all the data from the device's SD card, for Knox devices. This feature is supported for Android, iOS, macOS and Windows. In case of Windows 10 devices (OS version 1809 and above), the enrollment can optionally be retained even after the data is wiped. For other devices, the provisioning package is retained if Windows ICD enrollment is used. The device can be used again by just assigning new users.
Corporate or Selective Wipe:
All the profiles and apps previously installed using Mobile Device Manager Plus are wiped in iOS, macOS and Knox devices. In case of Windows devices and Android devices other than Knox, only profiles are removed and not the apps. The personal data on the device, is not be affected. Also, the device is no longer managed by Mobile Device Manager Plus.
Clearing the passcode:
This command clears the passcode completely. However, the user is prompted to enter a new passcode if a passcode policy was previously associated with the device. Clearing the passcode also clears the biometric-based passcodes in all iOS and Android devices (provisioned as Device Owner) except for Samsung devices running Android 5.0. This feature is not supported for Windows and Android running 11.0 or above..
You can reset the passcode on the managed devices, using this command. If the new passcode does not meet the complexity criteria set for the device or if no passcode was set on the device (using device settings), the user is prompted to set a passcode as per the associated passcode policy. So, it is better to set a password which adheres to the associated passcode policy. This is applicable for Android and Windows devices. For Android devices, you can specify the new passcode to be set on the device and choose to send a notification mail to the user. In case of Windows devices, the new passcode is generated by the device itself. You can then choose to obtain the new passcode of a particular user's device by mail. When this command is executed on Windows devices with no passcode set up, a new passcode is set up on Win 10 devices. For Win 8.1 devices, a one-time passcode is set up, soon after which a new passcode has to be set up.
Note: Passcode set by users can not be removed or reset from Samsung devices running Android 9.0 or above, enrolled via invite. OS-specific details on Clear and Reset passcode commands are provided in the table below.
If a managed device is locked due to incorrect passwords, you can either perform Clear Passcode or generate a Recovery Key to unlock the device. Incase of no network connectivity, you can generate a Recovery Key and unlock your device. It is supported for Android devices enrolled as Device Owner. Once you have exhausted half the maximum number of failed attempts (in passcode policy), you will be redirected to the recovery key page. For example, a value of 6 specifies that the device will be locked after 3 failed login attempts and users can unlock the device using the recovery key. After 6 failed login attempts the data in device will be completely wiped.
Generating a recovery key:
You can generate a recovery key on the MDM console by clicking on Inventory -> Devices (for which passcode has to be reset) -> Summary -> Device Recovery Key. The generated key is time bound and is valid for 30 mins. After applying the key on the device, users are asked to set the passcode once again, with respect to the passcode policy set. If no passcode policy is associated, the users can set up a new passcode, using which the device can be unlocked.
- If you have entered the wrong recovery key for 5 times, you have to wait for 30 mins to retry. On further incorrect attempts, you will be allowed to retry on exponential time. For example: A 30 min timer will run, when you have entered the incorrect recovery key for the first time. On further incorrect attempts, timer will be increased to 1, 2, 4, 8 and 16 hours.
- Recovery key becomes invalid, if the server time is not in sync with device time.
- You cannot execute security commands like recovery key, reset passcode if you have set up passcode using services like Exchange.
The Pause command lets you pause Kiosk on devices which have been previously provisioned with Kiosk. This command is usually used on devices facing issues and the IT admin needs to troubleshoot the same. You can choose to have the Kiosk automatically resumed after some time by specifying the same. This can be done using the Resume Kiosk command. You can also pause Kiosk using other methods as listed here. This is currently supported only for Android devices.
If a device provisioned as Kiosk is paused, the Resume command can be executed to restore the device to Kiosk. Similar to Pause Kiosk, you can choose to resume Kiosk using other methods as listed here. This is currently supported only for Android devices.
MDM supports pausing Kiosk and resuming Kiosk using different methods. For example, you can pause Kiosk using remote chat commands and resume it using security commands.
Enable Lost Mode:
This command is used to mark devices as lost and initiate Lost Mode on the devices. Lost Mode is available on Professional, Free, and Trial editions of MDM.
Remote Restart is applicable only for the following devices.
- Supervised iOS devices running on iOS 10.3 or above
- Samsung or non-Samsung devices running 7.0 or later, provisioned as Device Owner
- macOS devices
- Windows devices
- Chrome OS devices provisioned in Kiosk Mode.
Points to note:
- Remote Restart and Remote Shutdown can also be scheduled on devices. Admins can choose a date and time and which these actions should take place on the devices. Especially for environments with kiosk or unattended devices, scheduling these actions simplifies device maintenance for admins. Watch this video to learn how to schedule device actions.
- On Windows devices, the command is implemented only after 5 minutes from the time the command was acknowledged by the device.
- On Chrome devices, the command will expire if the device does not contact the MDM server within 10 minutes of initiating the command on the device.
- In case of Apple devices (iOS and macOS), a password-protected device must be unlocked after successfully executing a Remote Restart command to ensure the device can connect to a Wi-Fi network. This is essential to ensure continued management of the device upon restarting it.
- macOS devices also provide an option to notify the user to restart the device.
- For detailed steps on on how to configure a schedule for Remote Restart and Remote Shutdown, refer to this document.
This command lets you switch off the device remotely. In case of passcode protected devices, device must be unlocked at least once after switching it on, for MDM to contact and manage the device. Applicable only for Supervised iOS devices running iOS 10.3 and above and macOS.
Unlock User Account:
When a device is locked after exceeding maximum number of failed attempts (varies according to the configuration of associated profile), the user gets locked out of the account. Then, the account can be remotely unlocked by selecting Unlock User Account and entering the user account details, so that user can try logging in again. Supported by MDM for macOS 10.13 and above.
Only devices running Android 5.0 or above can be provisioned as Profile Owner or Device Owner.
|ANDROID OS VERSION||DESCRIPTION||
ENROLLED USING INVITES
|DEVICE OWNER USING ADMIN ENROLLMENT|
|SAMSUNG||PROFILE OWNER||CORE ANDROID|
|Below Android 5.0||Passcode applied to the work profile in a Profile Owner provisioned device and the device passcode in a Device Owner provisioned device cannot be cleared.|
|Android 5.0 and 6.0||Passcode applied to the work profile in a Profile Owner provisioned device cannot be cleared.|
|Android 7.0||Passcode applied to a device provisioned as Device Owner and the work profile passcode in a Profile Owner provisioned device cannot be cleared.|
|Android 8.0 and above||Passcode cannot be cleared in Samsung devices and devices provisioned as Device Owner. Passcode applied to the work profile in Profile Owner provisioned devices can be cleared.||Applicable only for container|
|Below Android 5.0||Passcode applied to the work profile in a Profile Owner provisioned device and the device passcode in a Device Owner provisioned device cannot be reset.|
|Android 5.0 and 6.0||Passcode applied to the work profile in a Profile Owner provisioned device cannot be reset.|
|Android 7.0||Passcode applied to a device provisioned as Device Owner cannot be reset.The work profile passcode in a Profile Owner provisioned device can be reset.||Applicable only for container|
|Android 8.0 and above||Passcode applied to a Samsung device and the work profile passcode in a Profile Owner provisioned device, can be reset. This cannot be done in a device provisioned as Device Owner.||Applicable if no passcode is set on device||Applicable only for container|
For Knox, security commands can be executed separately for the device and the container. The container-specific security commands are explained below:
- Create Container: You can select this command to distribute Knox License and create a Knox Container within a Knox supported device for advanced management activities.
- Remove Container: The Knox Container created in the device can be removed by executing this command. This also revokes the Knox license distributed to the device.
- Lock Container: You can lock the Knox Container and restrict the user's entry into the container for security reasons.
- Unlock Container: You can execute this command to unlock the already locked container. This permits users to access the Knox Container.
- Clear Passcode: You can clear the passcode of the Knox Container, using this command. The user is then prompted to set a new passcode, adhering to the complexity criteria set for the container.
Follow the steps mentioned below to use security commands using Mobile Device Manager Plus.
- On the web console, navigate to Devices under the Inventory tab.
- Click on the specific device under Device Name.
- Click on the Action Button which is located on the right side, and select the action to be performed. Due to security reasons, you are prompted to enter your password to authenticate the action to be performed.
- Specified Security command is executed and the status is reported under Device Details.