Device Commands

Owned by Kari Mattsson
Last updated: 2020-05-25 by Miika Vesti
10 min read

Selecting one or more devices in the Devices→Inventory and clicking Execute on selected devices launches the device control window. Notice that if device management (DM) is disabled for the device, device management operations are not visible in the window.

If you selected multiple devices, only commands that are meaningful for all of them are shown in the window. Some of the commands depend on the platform and are only visible if the selected device or devices have the particular platform.

The commands are described in the sub-sections below:

Provisioning

Send initial settings to device

You have the following options to send the installation code:

  • By email (if the user has one)
  • By SMS (if the device has a phone number)
  • Enter the installation code manually
  • Read the QR code from the window

The user needs to give the installation code in the setup screen of the client application.

Sending Settings by Email or SMS

  1. Check that the Transmission method is either the Email address (with a valid email address) or SMS Device (with a valid phone number)
    1. Click Advanced options to enable the settings if you need to change them
  2. Click Send settings

Now, if the message was sent by SMS message, the user needs to tap In an SMS message to receive it. If the user received the installation code in email, he or she needs to click I will enter it manually and type it in.

Using the QR Code

If you have the device at hand, you can click In a QR code image in the device and point it at the screen. This is definitely the quickest way to start provisioning a device.

End of Service

Wipe device to factory settings

Wipes the device to factory settings, deleting all data, applications, settings, user accounts, and owner identity.

Warning

This removes all the data, settings, and installed applications in the device, including enterprise AND personal data. It is generally not to be used for BYOD devices without owner approval.

Warning

If an Android device has Factory Reset Protection (FRP) enabled, it will not be entirely reset, but will remain to be bound to the Google account. After reset, the device owner needs to login to the same account. This prevents reusing a stolen device. However, the protection can cause problems if you are wiping the device for other reasons, and if you have changed your Google password recently. See Wiping an Android Device for more details.

If in doubt and learning how this feature functions, please manually remove all Google accounts before using this feature.


  1. Click Wipe device to factory settings.
  2. A confirmation dialog opens.
  3. Select Only add task to queue, don't execute it right away if you want to queue the task. It can nevertheless be executed right away in the task queue.
  4. Click Execute to wipe the device immediately or Cancel to exit without executing the command

Remove device management

Sends a command to remove device management (DM) settings from the device. The device is not removed from the service, but if device management is reinstalled, the device has to be provisioned again. This is different from simply disabling device management from device settings, which simply disallows the device to contact the service, but does not made changes to the device itself.

  1. Click Remove device management.
    A confirmation dialog opens.
  2. Select Device management has already been removed from device if it has been manually removed from the device in some way. In that case, no connection is made to the device and device management is simply marked as disabled.
  3. Click Execute to enterprise wipe the device immediately or Cancel to exit without executing the command

Notice that removing device management does not remove the EMM client application that manages it.

Enterprise wipe

Enterprise wipe means removing all enterprise settings and data, while keeping all personal data in BYOD devices. The device will not be fully wiped and the user can continue using it.

The command will attempt to remove attempts to remove all organisation policies, as well as applications that were installed through the service. Finally, device management will be removed. However, notice that it may not be possible to remove all enterprise data or settings, depending on the type of the device and version of the management client.

Configure device

Activate all device policies

Activates all policies made in the device configuration for the selected devices.

Activate some device policies

As above, but lets you first select which policies to activate.

Checking the Activate all device policies activates all the listed policy sections. It also does some actions that are would not be done by selecting all individual policy sections.

Reset device profile

Running this command resets the device profile. The original device profile will be deleted and another one is created. Most of the configuration options from the original device profile will be copied to the new one.

This can be useful when a device has been reset or replaced with an identical one, and simply sending the initial settings doesn't cause expected results. For example, the selected device template may contain some settings that are no longer in the device profile.

Update WSDM authentication secret

WSDM clients change their secret key regularly and independently for increased security. This task allows for immediate change of that secret.

Applications

Application management

With this command, you can:

  • Install new applications to the device. The applications must be configured in Applications.
  • View applications installed in the device and uninstall them
  • Manage application certificates

Clicking the command opens the application management window. It has tabs to install or update applications, manage installed applications, and manage certificates.

Install

The Install tab allows installing new applications or updating or uninstalling installed applications.

Installed

The Installed tab allows uninstalling apps installed in the device. It lists all the installed apps, including apps installed manually in the device, as well as system applications.

To uninstall an app, select one and click Uninstall. The uninstall command is executed immediately when you click the button.

You can search for apps by entering a search filter in the Search field. Click Filter options to select options for filtering according to the search text.

Certificates

The Certificates tab allows configuring certificates installed on the device or devices.

The certificates must first be configured in Device Certificates.

Retrieve information

Fetch device diagnostics information

This command immediately fetches the most recent diagnostic information and then allows viewing it on server, just like you can with the Diagnostics button in the Inventory view. See Device Diagnostics for a description of the diagnostics.

Report location

It is possible to locate the device. When locating, please remember to obey the law. It varies a lot in different geographies, so we are not giving any specific instructions on that.

There are two parameters which are set for locationing: a short locationing period (time allowed for the device to get location fix), and a count how many times the device is located.

In addition, you can configure scheduled location tracking policy in device configuration. That would allow for continuous locationing.

See device owner documentation for Locating a Device.

Commands

Sending commands to a device requires that it is connected to the Internet. If it is not, the commands will be executed once it is.

Lock device

A device can be locked to prevent using it in case of theft or loss. All the information in the device is kept untouched and you can later unlock it remotely. As with all commands, locking a device requires that it is connected to the Internet. If it is not, it will be locked once it connects. It is possible to prevent locking a device, such as by removing the device management client, unless removing it is prevented in device settings.

You can lock your device as follows:

  1. Navigate to the My device view
  2. Select the device to lock
  3. Click Lock device
  4. You will be asked to confirm the action.

    Select the options if necessary

    Only add task to queue, don't execute it right away

    Normally, the lock command is executed immediately. With this option, it is added to command queue, where it is executed in turn with other commands. If the queue is empty, it will be executed immediately.

    Use random code

    Normally, a random lock code is used. The code is stored in the service, where you can again unlock the device. If you need to unlock the device manually, you can find the code in Device diagnostics. Unchecking the option makes the window as for New lock code, which you can use more easily to unlock the device manually.

    You can use the lock code to unlock the device in its lock screen, as well as manually remove the password protection in Android device settings.

  5. Click Lock to lock the device


Warning

Do not remove a device from the service while it is locked. If you do not have the lock code stored elsewhere, removing a locked device will make it impossible to unlock it again.

Unlock device

You can unlock a previously unlocked device in the service as follows:

  1. Navigate to the My device view
  2. Select the device to lock
  3. Click Unlock device
  4. You will be asked to confirm the action.
  5. Click Unlock to unlock it.

Enable lost mode

Enable lost mode on device. This is only supported on iOS devices. This command locks the device so that even the user can not unlock it. You can set message, phone number and footnote to be shown on the device lock screen. Either message or phone number must be set.

After the lost mode has been enabled, it is possible to locate the device.

Disable lost mode

Disables lost mode on device. This command should be executed after the lost mode has been enabled and the device is found. There is no other way to unlock the device when lost mode is enabled.

Execute arbitrary command

This is an advanced feature not meant for normal administrators. This feature is slated to be removed.

Open direct WSDM session

The command opens a WSDM session, or closes a session previously left alive. The window that opens allows running various commands requiring a WSDM session. The command can be used for quicker operation of different WSDM functionalities, such as for finding problems with connectivity.

  1. Click Open direct WSDM session
  2. A window opens to ask to open a new session or close a previously opened session

    Click Open session to open it and the control window.
  3. Session control window opens
  4. Run any of the commands:

    Lock

    Locks the device, as described above in Lock device. You will be asked for a lock code that you can use to unlock the device manually.

    Unlock

    Unlocks a previously locked device, as described above in Unlock device.

    Report status

    Asks for a status report.

    File browser

    Opens the file browser to browse the file system of the device, as described below in File browser (WSDM session).

    End session (client)

    Ends the session immediately. You need to reconnect to perform further commands.

    Reconnect

    Reconnects to the client in case you have ended the session.

  5. Click the close × button in the top-right corner of the window to close the session.
  6. If the session is still open, you will be asked whether to close it or leave open.

    Click End session to end it or Keep session alive to leave it open.

File browser (WSDM session)

This tool enables almost real-time access into the file system of the selected client device. The device must:

  • be powered,
  • have internet connectivity, and
  • not be in any deep sleep mode.

You can use the functionality to browse practically all user and system data in the device. You can also send files to the device.

On the left, you can browser any folders in the device. Notice that it may take a few seconds or more to get folder listings from the device.

On the right, you can select a file to download or delete.

Custom task

Allows running a command with custom protocol and state. You can schedule the task to run after a given time.

Note

This is an advanced feature not meant for normal administrators. This feature is slated to be removed.

Clicking the command opens the task settings window:

Once done, click Add to task queue. You will be asked whether the task should be run immediately.

Clicking Notify device now executes the task immediately. If you choose No, it will simply be placed in the task queue, where you can execute it manually.

Send messages

Ring an alarm

You can remotely make a device make an audible alarm. A sticky notification will be shown in the lock screen, which allows ending the alarm.

Warning

Notice that if the user has disabled notifications from the EMM client, he or she will be unable to shut down the alarm, which can be displeasing.

Send free form SMS

Click the link to enter an SMS message and send it to the device.

The functionality requires that the device has a mobile phone number.

Send sync account info SMS

The SyncML (OMA DS) feature of EMM platform uses separate credentials for synchronising contacts, calendar, notes, etc. This rarely used feature allows for sending valid credentials via SMS.