The Mobile Device Management feature of Endpoint Central can be used to remotely secure data on mobile devices, even if a device is lost or missing. The following operations can be done using the security commands in MDM.
You can remotely lock the managed mobile device. After a remote lock is performed, the user is prompted to enter the passcode of the mobile device only if you have set a passcode for the device. This feature is supported for Android, iOS, macOS and Windows phones. In devices running iOS 7 or later versions, you can also specify a message and a contact number while locking the device. The device can be unlocked using the existing passcode. However, for macOS devices, you can only specify a message to be displayed while locking the device. The existing passcode will be rendered invalid, and the device can be unlocked only using the PIN set by the admin.
Follow the steps mentioned below to specify a contact number and the message to be displayed on the lock screen of devices running iOS 7 or later:
You can scan the enrolled mobile device to view details about the installed apps, blacklisted apps and restrictions imposed on the device, along with other device details. The scanning can be performed only when the device is connected to the internet. This feature is supported for Android, iOS, Windows and ChromeOS. If Periodic communication mode is chosen, the scanning operation has a 60-minute communication interval with the server, so scanning takes place only the next time the device interacts with the server.
You can trigger an alarm on the mobile device if it is lost or stolen. It sounds an alarm even if the device is in silent mode. The alarm stops ringing only when the device is unlocked. This feature is applicable for Android, iOS and Windows, with iOS requiring Lost Mode to be enabled for Remote Alarm to work. In case of Windows, this feature is supported only for phones.
All the data on the device can be completely wiped using this command. The device becomes as good as new. For Knox devices, you can also wipe all the data from the device's SD card. This feature is supported for Android, iOS, macOS, ChromeOS and Windows. In case of Windows 10 devices (OS version 1809 and above), the enrollment can optionally be retained even after the data is wiped. For other devices, the provisioning package is retained if Windows ICD enrollment is used. The device can be used again by just assigning new users.
All the profiles and apps previously installed using Mobile Device Management are wiped in iOS, macOS and Knox devices. In case of Windows devices and Android devices other than Knox, only profiles are removed and not the apps. The personal data on the device is not affected. Also, the device is no longer managed by Mobile Device Management.
This command clears the passcode completely. However, the user is prompted to enter a new passcode if a passcode policy was previously associated with the device. Clearing the passcode also clears the biometric-based passcodes in all iOS and Android devices (provisioned as Device Owner) except for Samsung devices running Android 5.0. This feature is not supported for Windows and Android running 11.0 or above.
You can reset the passcode on the managed devices, using this command. If the new passcode does not meet the complexity criteria set for the device or if no passcode was set on the device (using device settings), the user is prompted to set a passcode as per the associated passcode policy. So, it is better to set a password which adheres to the associated passcode policy. This is applicable for Android and Windows devices. For Android devices, you can specify the new passcode to be set on the device and choose to send a notification mail to the user. In case of Windows devices, the new passcode is generated by the device itself. You can then choose to obtain the new passcode of a particular user's device by mail. When this command is executed on Windows devices with no passcode set up, a new passcode is set up on Win 10 devices. For Win 8.1 devices, a one-time passcode is set up, soon after which a new passcode has to be set up.
Note: Passcodes set by users cannot be removed or reset on Samsung devices running Android 9.0 or above, enrolled via invite. OS-specific details on Clear and Reset passcode commands are provided in the table below.
If a managed device is locked due to incorrect passwords, you can either perform Clear Passcode or generate a Recovery Key to unlock the device. In case of no network connectivity, you can generate a Recovery Key and unlock your device. It is supported for Android devices enrolled as Device Owner. Once you have exhausted half the maximum number of failed attempts (in passcode policy), you will be redirected to the recovery key page. For example, a value of 6 specifies that the device will be locked after 3 failed login attempts and users can unlock the device using the recovery key. After 6 failed login attempts, the data on the device will be completely wiped.
You can generate a recovery key on the MDM console by clicking on Inventory -> Devices (for which passcode has to be reset) -> Summary -> Device Recovery Key. The generated key is time-bound and is valid for 30 minutes. After applying the key on the device, users are asked to set the passcode once again, in accordance with the passcode policy set. If no passcode policy is associated, the users can set up a new passcode, using which the device can be unlocked.
Note:
The Pause command lets you pause Kiosk on devices which have been previously provisioned with Kiosk. This command is usually used when a device is facing issues and the IT admin needs to troubleshoot it. You can choose to have Kiosk automatically resumed after some time by specifying the duration. This can be done using the Resume Kiosk command. You can also pause Kiosk using other methods as listed here. This is currently supported only for Android devices.
If a device provisioned as Kiosk is paused, the Resume command can be executed to restore the device to Kiosk. Similar to Pause Kiosk, you can choose to resume Kiosk using other methods as listed here. This is currently supported only for Android devices.
MDM supports pausing Kiosk and resuming Kiosk using different methods. For example, you can pause Kiosk using remote chat commands and resume it using security commands.
This command is used to mark devices as lost and initiate Lost Mode on the devices. Lost Mode is available on Professional, Free, and Trial editions of MDM.
Remote Restart is applicable only for the following devices.
NOTE:
This command is used to wipe out all the users and user profiles from the device. Applicable only for Chrome devices.
You can execute the 'Take Screenshot' command to take a screenshot on Chrome devices provisioned in Kiosk mode. This command will expire if the device does not contact the MDM server within 10 minutes. All the screenshots will be recorded under Device Files (Inventory > Devices > System Activity). To view these screenshot files, you have to sign in to the Google Admin Console.
This command is used to set the volume level on the kiosk devices remotely. This command will expire if the device does not contact the MDM server within 10 minutes. Applicable only for Chrome devices.
When a device is locked after exceeding the maximum number of failed passcode attempts (which varies according to the configuration of the associated profile), the user gets locked out of the account. The account can then be remotely unlocked by selecting Unlock User Account and entering the user account details, so that the user can try logging in again. Supported by MDM for macOS 10.13 and above.
Only devices running Android 5.0 or above can be provisioned as Profile Owner or Device Owner.
| ANDROID OS VERSION | DESCRIPTION | ENROLLED USING INVITES: SAMSUNG | ENROLLED USING INVITES: PROFILE OWNER | ENROLLED USING INVITES: CORE ANDROID | DEVICE OWNER USING ADMIN ENROLLMENT |
|---|---|---|---|---|---|
| Clear Passcode | | | | | |
| Below Android 5.0 | Passcode applied to the work profile in a Profile Owner provisioned device and the device passcode in a Device Owner provisioned device cannot be cleared. | | | | |
| Android 5.0 and 6.0 | Passcode applied to the work profile in a Profile Owner provisioned device cannot be cleared. | | | | |
| Android 7.0 | Passcode applied to a device provisioned as Device Owner and the work profile passcode in a Profile Owner provisioned device cannot be cleared. | | | | |
| Android 8.0 and above | Passcode cannot be cleared in Samsung devices and devices provisioned as Device Owner. Passcode applied to the work profile in Profile Owner provisioned devices can be cleared. | Applicable only for container | | | |
| Reset Passcode | | | | | |
| Below Android 5.0 | Passcode applied to the work profile in a Profile Owner provisioned device and the device passcode in a Device Owner provisioned device cannot be reset. | | | | |
| Android 5.0 and 6.0 | Passcode applied to the work profile in a Profile Owner provisioned device cannot be reset. | | | | |
| Android 7.0 | Passcode applied to a device provisioned as Device Owner cannot be reset. The work profile passcode in a Profile Owner provisioned device can be reset. | Applicable only for container | | | |
| Android 8.0 and above | Passcode applied to a Samsung device and the work profile passcode in a Profile Owner provisioned device can be reset. This cannot be done in a device provisioned as Device Owner. | Applicable if no passcode is set on device | Applicable only for container | | |
For Knox, security commands can be executed separately for the device and the container. The container-specific security commands are explained below:
Follow the steps mentioned below to use security commands using Mobile Device Management.