# Security Management

The **Mobile Device Management** feature of Endpoint Central can be used to remotely secure the data on mobile devices even if a device is lost or missing. The following operations can be performed using the security commands in MDM.

## Remote Lock

You can remotely lock a managed mobile device. After a remote lock is performed, the user is prompted to enter the passcode of the mobile device only if you have [set a passcode](https://www.manageengine.com/mobile-device-management/help/profile_management/android/mdm_android_passcode.html) for the device. This feature is supported for **Android, iOS, macOS and Windows phones.**

On devices running **iOS 7 or later**, you can also specify a **message and a contact number** while locking the device. The device can be unlocked using the existing passcode. For macOS devices, however, you can only specify a message to be displayed while locking the device; the existing passcode is rendered invalid, and the device can be unlocked only with the PIN set by the admin.

Follow the steps below to specify a contact number and the message to be displayed on the lock screen of devices running iOS 7 or later:

1. Log in to the Endpoint Central web console and navigate to the **Mobile Device Management** tab --> **Inventory** --> **Devices**.
2. Select the device to be locked.
3. Under **Actions**, click **Remote Lock**. Enter the contact number and the message to be displayed on the lock screen of the mobile device.

![device_lock](https://www.manageengine.com/mobile-device-management/help/images/lock-screen.png)

## Scan now

You can scan an enrolled mobile device to view details about the installed apps, blacklisted apps, restrictions imposed on the device, and other device details. Scanning can be performed only when the device is connected to the internet.

**This feature is supported for Android, iOS, Windows and ChromeOS.**

If [Periodic communication mode](https://www.manageengine.com/mobile-device-management/help/enrollment/customize_me_mdm_app.html#Configure_Mode_of_Communication) is chosen, the device communicates with the server at a 60-minute interval, so the scan takes place only the next time the device contacts the server.

## Remote Alarm

You can trigger an alarm on a mobile device if it is lost or stolen. The alarm sounds even if the device is in silent mode, and it stops only when the device is unlocked. This feature is applicable for **Android, iOS and Windows**, with **iOS requiring [Lost Mode](https://www.manageengine.com/mobile-device-management/help/security_management/location_tracking.html#Lost_Mode_iOS) to be enabled for Remote Alarm** to work. On Windows, this feature is supported only for phones.

## Complete Wipe

All the data on the device can be completely wiped using this command, leaving the device as good as new. For Knox devices, you can also wipe all the data on the device's SD card. This feature is supported for **Android, iOS, macOS, ChromeOS and Windows.**

For Windows 10 devices (OS version 1809 and above), the enrollment can optionally be retained even after the data is wiped. For other Windows devices, the provisioning package is retained if [Windows ICD enrollment](https://www.manageengine.com/mobile-device-management/help/enrollment/enroll_windows_devices_using_admin_enrollment_tool.html) is used. The device can then be used again simply by assigning new users.

## Corporate or Selective Wipe

All the profiles and apps previously installed using Mobile Device Management are wiped on **iOS, macOS and Knox devices.** On Windows devices and on Android devices other than Knox, only the profiles are removed, not the apps. The personal data on the device is not affected. After the wipe, the device is no longer managed by Mobile Device Management.

## Clearing the passcode

This command clears the passcode completely. However, the user is prompted to enter a new passcode if a passcode policy was previously associated with the device. Clearing the passcode also clears biometric passcodes on all **iOS and Android devices (provisioned as Device Owner), except Samsung devices running Android 5.0.**

**This feature is not supported for Windows or for Android 11.0 or above.**

## Reset Passcode

You can reset the passcode on managed devices using this command. If the new passcode does not meet the complexity criteria set for the device, or if no passcode was set on the device (using device settings), the user is prompted to set a passcode as per the associated passcode policy. **This is applicable for Android and Windows devices.**

- For Android devices, you can specify the new passcode to be set on the device and choose to send a notification mail to the user.
- For Windows devices, the new passcode is generated by the device itself. You can then choose to receive the new passcode of a particular user's device by mail.

**When this command is executed on Windows devices with no passcode set up, a new passcode is set up on Windows 10 devices. On Windows 8.1 devices, a one-time passcode is set up, soon after which a new passcode has to be set up.**

**Note:** Passcodes set by users cannot be removed or reset on Samsung devices running Android 9.0 or above that were enrolled via invite.

OS-specific details on the Clear and Reset passcode commands are provided in the table below.

## Recovery Key

If a managed device is locked due to incorrect passwords, you can either perform **Clear Passcode** or generate a **Recovery Key** to unlock the device. When the device has no network connectivity, you can generate a **Recovery Key** and unlock the device with it. This is supported for Android devices enrolled as **Device Owner**.

Once half of the maximum number of failed attempts (set in the [passcode policy](https://www.manageengine.com/mobile-device-management/help/profile_management/android/mdm_android_passcode.html)) has been exhausted, the device is redirected to the recovery key page. For example, a value of 6 means the device is locked after 3 failed login attempts, and users can unlock it using the recovery key. After 6 failed login attempts, the data on the device is completely wiped.

### Generating a recovery key

You can generate a recovery key on the MDM console by clicking **Inventory -> Devices (for which the passcode has to be reset) -> Summary -> Device Recovery Key**. The generated key is time bound and is valid for 30 minutes. After applying the key on the device, users are asked to set the passcode again in accordance with the associated passcode policy. If no passcode policy is associated, users can set up a new passcode, which can then be used to unlock the device.

**Note:**

- If you enter the wrong recovery key 5 times, you have to wait 30 minutes before retrying. On further incorrect attempts, the retry interval grows exponentially (1, 2, 4, 8 and 16 hours).
- The recovery key becomes invalid if the server time is not in sync with the device time.
- You cannot execute security commands such as recovery key or reset passcode if the passcode was set up using a service such as Exchange.

## Pause Kiosk

The Pause command lets you pause Kiosk on devices that have previously been provisioned with Kiosk. This command is typically used when a device is facing issues and the IT admin needs to troubleshoot it. You can have Kiosk resumed automatically after some time by specifying this with the [Resume Kiosk](#resume-kiosk) command. You can also pause Kiosk using the other methods [listed here](https://www.manageengine.com/mobile-device-management/help/profile_management/android/android_kiosk.html#Temporarily_Disabling_Kiosk).

**This is currently supported only for Android devices.**

## Resume Kiosk

If a device provisioned as Kiosk is paused, the Resume command can be executed to restore the device to Kiosk. As with Pause Kiosk, you can resume Kiosk using the other methods [listed here](https://www.manageengine.com/mobile-device-management/help/profile_management/android/android_kiosk.html#Temporarily_Disabling_Kiosk).

**This is currently supported only for Android devices.**

MDM supports pausing and resuming Kiosk using different methods. For example, you can pause Kiosk using remote chat commands and resume it using security commands.

## Enable Lost Mode

This command is used to mark devices as lost and initiate [Lost Mode](https://www.manageengine.com/mobile-device-management/help/security_management/location_tracking.html#Lost_Mode) on them. **Lost Mode is available on the [Professional, Free, and Trial editions of MDM](https://www.manageengine.com/mobile-device-management/edition-comparison-matrix.html).**

## Restart

Remote Restart is applicable only for the following devices:

- Supervised iOS devices running iOS 10.3 or above
- Samsung or non-Samsung Android devices running Android 7.0 or later, provisioned as Device Owner
- macOS devices
- Windows devices
- Chrome OS devices provisioned in Kiosk Mode

**Note:**

- **Remote Restart and Remote Shutdown can also be scheduled** on devices by choosing a specific date and time.
- On Windows devices, the command is carried out only 5 minutes after the device acknowledges it.
- On Chrome devices, the command expires if the device does not contact the MDM server within 10 minutes of the command being initiated.
- On Apple devices (iOS and macOS), a password-protected device must be unlocked after a Remote Restart so that it can connect to Wi-Fi.
- macOS devices provide an option to notify the user to restart the device.

## Wipe Users

This command is used to wipe all users and user profiles from the device.
**Applicable only for Chrome devices.**

## Take Screenshot

You can execute the "Take Screenshot" command to take a screenshot on **Chrome devices provisioned in Kiosk mode.** This command expires if the device does not contact the MDM server within 10 minutes. All screenshots are recorded under Device Files (Inventory > Devices > System Activity). To view these screenshot files, you must sign in to the Google Admin Console.

## Set Volume

This command is used to remotely set the volume level on kiosk devices. The command expires if the device does not contact the MDM server within 10 minutes.

**Applicable only for Chrome devices.**

## Unlock User Account

When a device is locked after exceeding the **maximum number of failed attempts in [Passcode](https://www.manageengine.com/mobile-device-management/help/profile_management/mac/mdm_mac_passcode.html#overview)** (the number varies with the configuration of the associated profile), the user is locked out of the account. The account can be remotely unlocked by selecting **Unlock User Account** and entering the user account details. Supported for **macOS 10.13 and above.**

## Android OS-Specific Details for Clear and Reset Passcode

Only devices running Android 5.0 or above can be provisioned as [Profile Owner](https://www.manageengine.com/mobile-device-management/help/android_for_work/mdm_android_for_work_introduction.html#Profile_Owner) or [Device Owner](https://www.manageengine.com/mobile-device-management/help/android_for_work/mdm_android_for_work_introduction.html#Device_Owner).

| ANDROID OS VERSION | DESCRIPTION | SAMSUNG (Invites) | PROFILE OWNER (Invites) | CORE ANDROID (Invites) | DEVICE OWNER USING ADMIN ENROLLMENT |
|---|---|---|---|---|---|
| **Clear Passcode** | | | | | |
| Below Android 5.0 | The passcode applied to the work profile on a Profile Owner provisioned device and the device passcode on a Device Owner provisioned device cannot be cleared. | ![success][ok] | ![success][ok] | ![failed][fail] | ![failed][fail] |
| Android 5.0 and 6.0 | The passcode applied to the work profile on a Profile Owner provisioned device cannot be cleared. | ![success][ok] | ![success][ok] | ![failed][fail] | ![success][ok] |
| Android 7.0 | The passcode applied to a device provisioned as Device Owner and the work profile passcode on a Profile Owner provisioned device cannot be cleared. | ![success][ok] | ![failed][fail] | ![failed][fail] | ![success][ok] |
| Android 8.0 and above | The passcode cannot be cleared on Samsung devices and devices provisioned as Device Owner. The passcode applied to the work profile on Profile Owner provisioned devices can be cleared. | ![failed][fail] | ![failed][fail] | Applicable only for container | ![success][ok] |
| **Reset Passcode** | | | | | |
| Below Android 5.0 | The passcode applied to the work profile on a Profile Owner provisioned device and the device passcode on a Device Owner provisioned device cannot be reset. | ![success][ok] | ![success][ok] | ![failed][fail] | ![failed][fail] |
| Android 5.0 and 6.0 | The passcode applied to the work profile on a Profile Owner provisioned device cannot be reset. | ![success][ok] | ![success][ok] | ![failed][fail] | ![success][ok] |
| Android 7.0 | The passcode applied to a device provisioned as Device Owner cannot be reset. The work profile passcode on a Profile Owner provisioned device can be reset. | ![failed][fail] | ![failed][fail] | Applicable only for container | ![success][ok] |
| Android 8.0 and above | The passcode applied to a Samsung device and the work profile passcode on a Profile Owner provisioned device can be reset. This cannot be done on a device provisioned as Device Owner. | Applicable if no passcode is set on the device | ![failed][fail] | Applicable only for container | ![success][ok] |

[ok]: https://www.manageengine.com/mobile-device-management/help/images/success.png
[fail]: https://www.manageengine.com/mobile-device-management/help/images/failured.gif

## Knox Remote Actions

For Knox, security commands can be executed separately for the device and for the container. The container-specific security commands are explained below:

- **Create Container:** You can distribute a Knox License and create a Knox Container on a Knox-supported device for advanced management activities.
- **Remove Container:** The Knox Container created on the device can be removed by executing this command. This also revokes the Knox license distributed to the device.
- **Lock Container:** You can lock the Knox Container and restrict the user's entry into the container for security reasons.
- **Unlock Container:** You can unlock an already locked container, permitting users to access the Knox Container.
- **Clear Passcode:** You can clear the passcode of the Knox Container using this command. The user is then prompted to set a new passcode adhering to the complexity criteria set for the container.

## Using Security Commands

Follow the steps below to use security commands in Mobile Device Management:

1. Log in to the Endpoint Central web console and navigate to the **Mobile Device Management** tab --> **Inventory** --> **Devices**.
2. Click the specific device under **Device Name**.
3. Click the **Action Button** located on the right side and select the action to be performed. You will be prompted to enter your password to authenticate the action.
4. The specified security command is executed and its status is reported under **Device Details**.
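The lockout thresholds, 30-minute key validity and retry waits described under Recovery Key above, as an added model that is not Endpoint Central's own code (the class and method names, the return strings and the `now` clock parameter are assumptions; the page does not specify how the device orders its checks):

```python
from dataclasses import dataclass
from typing import Optional

KEY_VALID_SECONDS = 30 * 60        # a generated recovery key is valid for 30 minutes
WRONG_KEYS_BEFORE_WAIT = 5         # the 5th wrong key starts the waiting periods
WAIT_HOURS = (0.5, 1, 2, 4, 8, 16)  # 30 min, then exponential: 1, 2, 4, 8, 16 hours


@dataclass
class DeviceOwnerRecovery:        # constructed model of the page's flow, not product code
    max_failed_attempts: int       # "maximum number of failed attempts" in the passcode policy
    failed_passcodes: int = 0
    wrong_keys: int = 0
    wiped: bool = False
    issued_key: Optional[str] = None
    key_issued_at: float = 0.0
    retry_after: float = 0.0       # earliest time another key entry is accepted

    @property
    def locked(self) -> bool:
        # The device switches to the recovery-key page at half the maximum.
        return self.failed_passcodes >= self.max_failed_attempts // 2

    def wrong_passcode(self) -> str:
        self.failed_passcodes += 1
        if self.failed_passcodes >= self.max_failed_attempts:
            self.wiped = True      # reaching the maximum wipes the device
            return "wiped"
        return "recovery_key_required" if self.locked else "retry"

    def issue_key(self, key: str, now: float) -> None:
        self.issued_key, self.key_issued_at = key, now   # admin generated it on the console

    def apply_key(self, key: str, now: float) -> str:
        if self.wiped or not self.locked:
            return "not_locked"
        if now < self.retry_after:
            return "wait"
        # Expiry uses the server's clock: a device clock out of sync also invalidates the key.
        if self.issued_key is None or now - self.key_issued_at > KEY_VALID_SECONDS:
            return "expired"
        if key != self.issued_key:
            self.wrong_keys += 1
            extra = self.wrong_keys - WRONG_KEYS_BEFORE_WAIT
            if extra >= 0:
                self.retry_after = now + 3600 * WAIT_HOURS[min(extra, len(WAIT_HOURS) - 1)]
            return "wrong"
        # Correct key: unlock; the user must now set a new passcode per the policy.
        self.failed_passcodes = self.wrong_keys = 0
        self.issued_key = None
        return "unlocked_set_new_passcode"
```
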