Mobile Device Manager Plus can be used to remotely secure data in the mobile devices even in the event of the device being lost or missing. The following operations can be done using the security commands in MDM.
You can remotely lock the managed mobile device. After a remote lock is performed, the user is prompted to enter the passcode of the mobile device only if you have set a passcode for the device. This feature is supported for Android, iOS, macOS and Windows phones. In devices running iOS 7 or later versions, you can also specify a message and a contact number while locking the device. The device can be unlocked using the existing passcode. However, for macOS devices, you can only specify a message to be displayed, while locking the device. The existing passcode will be rendered invalid, and the device can be unlocked only using the pin set by the admin.
Follow the steps mentioned below to specify a contact number and the message to be displayed on the lock screen of devices running iOS 7 or later:
- On the web console, navigate to Devices.
- Select the device to be locked.
- Under Actions, click on Remote Lock. Enter the contact number and the message to be displayed on the locked screen of the mobile device. You can see the message displayed on the device as shown below.
You can scan the enrolled mobile device to view details about the installed apps, blacklisted apps and restrictions imposed on the device, along with other device details. You can also view the installed apps and the restrictions imposed on the device. The scanning can be performed only when the device is connected to the internet. This feature is supported for Android, iOS and Windows. If Periodic communication mode is chosen, the scanning operation has a 60-minute communication interval with the server. So, scanning takes place only the next time, when the device interacts with the server.
You can trigger an alarm on the mobile device if it is lost or stolen. It sounds an alarm even if the device is in silent mode. The alarm stops ringing only when the device is unlocked. This feature is applicable for Android, iOS and Windows, with iOS requiring Lost Mode to be enabled for Remote Alarm to work. In case of Windows, this feature is supported only for phones.
All the data in the device can be completely wiped, using this command. The device becomes as good as new. You can also wipe all the data from the device's SD card, for Knox devices. This feature is supported for Android, iOS, macOS and Windows. In case of Windows 10 devices (OS version 1809 and above), the enrollment can optionally be retained even after the data is wiped. For other devices, the provisioning package is retained if Windows ICD enrollment is used. The device can be used again by just assigning new users.
Corporate or Selective Wipe:
All the profiles and apps previously installed using Mobile Device Manager Plus are wiped in iOS, macOS and Knox devices. In case of Windows devices and Android devices other than Knox, only profiles are removed and not the apps. The personal data on the device, is not be affected. Also, the device is no longer managed by Mobile Device Manager Plus.
Clearing the passcode:
This command clears the passcode completely. However, the user is prompted to enter a new passcode if a passcode policy was previously associated with the device. Clearing the passcode also clears the biometric-based passcodes in all iOS and Android devices (provisioned as Device Owner) except for Samsung devices running Android 5.0. This feature is not supported for Windows and Android running 11.0 or above..
You can reset the passcode on the managed devices, using this command. If the new passcode does not meet the complexity criteria set for the device or if no passcode was set on the device (using device settings), the user is prompted to set a passcode as per the associated passcode policy. So, it is better to set a password which adheres to the associated passcode policy. This is applicable for Android and Windows devices. For Android devices, you can specify the new passcode to be set on the device and choose to send a notification mail to the user. In case of Windows devices, the new passcode is generated by the device itself. You can then choose to obtain the new passcode of a particular user's device by mail. When this command is executed on Windows devices with no passcode set up, a new passcode is set up on Win 10 devices. For Win 8.1 devices, a one-time passcode is set up, soon after which a new passcode has to be set up.
Note: Passcode set by users can not be removed or reset from Samsung devices running Android 9.0 or above, enrolled via invite. OS-specific details on Clear and Reset passcode commands are provided in the table below.
If an Android device with no network connectivity is locked after five failed login attempts, users can use the device recovery key to reset the passcode and unlock the device. To generate the recovery key, navigate to Inventory -> Devices -> Summary -> Device Recovery Key. This recovery key is time bound and will expire in 30 minutes from the generated time. Once the device is unlocked users will be prompted to reset the passcode as per the associated passcode policy. If no passcode policy is associated, the users can set up a new passcode, using which the device can be unlocked. Supported for Android devices enrolled as Device Owner. Admins can use the Passcode policy to customize the default account lockout threshold using the field Maximum number of failed passcode attempts.
Note: If a limit is set for the number of failed login attempts allowed, the device will be locked out at half the value set and will be wiped once the maximum number specified is reached. For example, a value of 6 specifies that the device will be locked out after 3 failed login attempts and users can unlock the device using the recovery key. After 6 failed login attempts the device will be completely wiped.
Passcode-based security commands cannot be executed if the passcode has been set up using other services such as Exchange. In such cases, remove the passcode applied through Exchange and set up a new passcode using MDM. When the passcode is set up through MDM, all the passcode-based commands can be executed.
The Pause command lets you pause Kiosk on devices which have been previously provisioned with Kiosk. This command is usually used on devices facing issues and the IT admin needs to troubleshoot the same. You can choose to have the Kiosk automatically resumed after some time by specifying the same. This can be done using the Resume Kiosk command. You can also pause Kiosk using other methods as listed here. This is currently supported only for Android devices.
If a device provisioned as Kiosk is paused, the Resume command can be executed to restore the device to Kiosk. Similar to Pause Kiosk, you can choose to resume Kiosk using other methods as listed here. This is currently supported only for Android devices.
MDM supports pausing Kiosk and resuming Kiosk using different methods. For example, you can pause Kiosk using remote chat commands and resume it using security commands.
Enable Lost Mode:
This command lets you restart the device. Applicable only for the following devices:
- Supervised iOS devices running 10.3 or above
- Samsung or non-Samsung devices running 7.0 or later, provisioned as Device Owner
- macOS devices
- Windows devices
- Chrome OS devices provisioned in Kiosk Mode.
- On Windows devices, the command is implemented only after 5 minutes from the time the command was acknowledged by the device.
- On Chrome devices, the command will expire if the device does not contact the MDM server within 10 minutes of initiating the command on the device.
- In case of Apple devices (iOS and macOS), a password-protected device must be unlocked after successfully executing a Remote Restart command to ensure the device can connect to a Wi-Fi network. This is essential to ensure continued management of the device upon restarting it.
- macOS devices also provide an option to notify the user to restart the device.
- Remote Restart and Remote Shutdown can be scheduled to be executed on devices in bulk. For more information on how to setup a schedule for these remote commands, refer this.
This command lets you switch off the device. In case of passcode protected devices, device must be unlocked at least once after switching it on, for MDM to contact and manage the device. Applicable only for Supervised iOS devices running iOS 10.3 and above and macOS.
Unlock User Account:
When a device is locked after exceeding maximum number of failed attempts (varies according to the configuration of associated profile), the user gets locked out of the account. Then, the account can be remotely unlocked by selecting Unlock User Account and entering the user account details, so that user can try logging in again. Supported by MDM for macOS 10.13 and above.
|ANDROID OS VERSION||DESCRIPTION||
ENROLLED USING INVITES
|DEVICE OWNER USING ADMIN ENROLLMENT|
|SAMSUNG||PROFILE OWNER||CORE ANDROID|
|Below Android 5.0||Passcode applied to the work profile in a Profile Owner provisioned device and the device passcode in a Device Owner provisioned device cannot be cleared.|
|Android 5.0 and 6.0||Passcode applied to the work profile in a Profile Owner provisioned device cannot be cleared.|
|Android 7.0||Passcode applied to a device provisioned as Device Owner and the work profile passcode in a Profile Owner provisioned device cannot be cleared.|
|Android 8.0 and above||Passcode cannot be cleared in Samsung devices and devices provisioned as Device Owner. Passcode applied to the work profile in Profile Owner provisioned devices can be cleared.||Applicable only for container|
|Below Android 5.0||Passcode applied to the work profile in a Profile Owner provisioned device and the device passcode in a Device Owner provisioned device cannot be reset.|
|Android 5.0 and 6.0||Passcode applied to the work profile in a Profile Owner provisioned device cannot be reset.|
|Android 7.0||Passcode applied to a device provisioned as Device Owner cannot be reset.The work profile passcode in a Profile Owner provisioned device can be reset.||Applicable only for container|
|Android 8.0 and above||Passcode applied to a Samsung device and the work profile passcode in a Profile Owner provisioned device, can be reset. This cannot be done in a device provisioned as Device Owner.||Applicable if no passcode is set on device||Applicable only for container|
For Knox, security commands can be executed separately for the device and the container. The container-specific security commands are explained below:
- Create Container: You can select this command to distribute Knox License and create a Knox Container within a Knox supported device for advanced management activities.
- Remove Container: The Knox Container created in the device can be removed by executing this command. This also revokes the Knox license distributed to the device.
- Lock Container: You can lock the Knox Container and restrict the user's entry into the container for security reasons.
- Unlock Container: You can execute this command to unlock the already locked container. This permits users to access the Knox Container.
- Clear Passcode: You can clear the passcode of the Knox Container, using this command. The user is then prompted to set a new passcode, adhering to the complexity criteria set for the container.
Follow the steps mentioned below to use security commands using Mobile Device Manager Plus.
- On the web console, navigate to Devices under the Inventory tab.
- Click on the specific device under Device Name.
- Click on the Action Button which is located on the right side, and select the action to be performed. Due to security reasons, you are prompted to enter your password to authenticate the action to be performed.
- Specified Security command is executed and the status is reported under Device Details.