Performing remote operations on managed mobile devices
IT administrators can perform remote operations on managed iOS mobile devices.
The following BMC Client Management video (2:56 min) provides information about performing remote operations using commands:
Using commands, you can remotely perform the following operations on mobile devices:
- Update information about the device, security, restrictions, applications, certificates, and profiles (collect inventory)
- Install or remove configuration profiles (manage profiles)
- Install or remove managed applications (manage applications)
- Lock or wipe (factory reset) a mobile device (data security)
- Clear passcode (data security)
Using the Repeat Frequency option in the commands, you can:
- Collect inventories at regular intervals. For example, you might want to run a command to collect security inventory every seven days, installed applications inventory every 15 days, and device information inventory every 30 days.
- Ensure that users have important applications installed all the time. For example, you can create a command to install Outlook and set the Repeat Frequency option to one day. Even if the user removes the Outlook application from the mobile device, the command installs it again the next day.
You can also use commands to ensure that the enterprise data stored on the mobile device is accessed only by the authorized user. If the mobile device is stolen or misplaced, you can use the Wipe or Lock command to ensure that your data is not accessible to unauthorized users. If the user forgets the passcode, you can remotely clear the passcode, allowing seamless data access to your users.
The following screenshot shows the list of commands, the objects assigned to the command, and its General tab:
To create and assign a mobile command
- In the left pane, select Mobile Device Management.
- Right-click Commands, and select Create Mobile Command.
  The Command Wizard window is displayed.
  You can create multiple folders under Commands to organize your mobile commands.
- In the Command page, specify the details as required, and click Next.
  The Command Options page is displayed. Depending on the command type on the preceding page, different command options are displayed. For a detailed list of available command options, see Examples of remote operations.
  If the selected command type is an update command (Update xxxx), Clear Passcode, or Wipe Mobile Device, the Command Options page is not available and the Command Assignment page is displayed.
- Set the command options, and click Next.
  The Command Assignment page is displayed.
- Assign the command to the target devices, device groups, users, or user groups, and click Finish.
The command is created and assigned to the target mobile devices.
To view the status of a mobile command
After you assign the command to the target mobile devices, you can view the command status by navigating to the following locations in the left pane:
- Mobile Device Management > Commands > mobileCommandName > Assigned Objects > Devices
- Mobile Device Management > Mobile Devices > Managed Mobile Devices > mobileDeviceName > Assigned Objects > Commands
In the right pane, all of the commands that were assigned to the mobile device are displayed with their status.
- If the command is assigned to the mobile device for the first time, the sequence of the command status is as follows:
Assignment Waiting > Assignment Notified > Assignment Sent > Executed/Execution Failed/Not Notified.
- If the command is already assigned to the mobile device and the user initiates command reassignment, the sequence of the command status is as follows:
Reassignment Waiting > Update Notified > Update Sent > Executed/Execution Failed/Not Notified.
The following table describes the different command statuses:
|Status|Description|
|---|---|
|Assignment Waiting (Reassignment Waiting)|The command was assigned (or reassigned) to the target mobile device in the console, but the mobile device manager is yet to assign (or reassign) the command to the target mobile device.|
|Assignment Notified (Update Notified)|The command (or command update) was assigned to the target mobile device in the console and the mobile device manager has notified the Apple notification server about the command assignment. The Apple notification server will send the notification to the mobile device. There can be a delay in sending the command from the Apple notification server to the target mobile device due to connectivity and other dependencies.|
|Assignment Sent (Update Sent)|The command (or command update) was sent to the target mobile device.|
|Executed|The command (or command update) was run on the target mobile device.|
|Execution Failed|The command (or command update) on the target mobile device failed. You can view more information in the Error Details column.|
|Not Notified|The command (or command update) was sent to the target mobile device, but the target mobile device has not sent the status back to the mobile device manager.|
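The status sequences above can be checked mechanically. The following is an added example, not BMC Client Management code: it validates a command's status history against the two documented sequences and lists Clear Passcode, Wipe, and Lock commands that are off-sequence or still unconfirmed after a threshold. The record layout (`device`, `command`, `assigned`, `history`), the device names, and the one-hour threshold used with it are assumptions; the page does not describe an export format.

```python
from datetime import datetime, timedelta

# Status sequences exactly as this page documents them.
SEQUENCES = (
    ["Assignment Waiting", "Assignment Notified", "Assignment Sent"],
    ["Reassignment Waiting", "Update Notified", "Update Sent"],
)
FINAL = {"Executed", "Execution Failed", "Not Notified"}
SECURITY_COMMANDS = {"Clear Passcode", "Wipe Mobile Device", "Lock Mobile Device"}

def sequence_problem(history):
    """Return None if a status history follows a documented sequence, else a reason."""
    steps = next((s for s in SEQUENCES if history and s[0] == history[0]), None)
    if steps is None:
        return "history does not start with a documented first status"
    ended = history[-1] in FINAL
    body = history[:-1] if ended else history
    if body != steps[:len(body)]:
        return f"statuses out of documented order: {history}"
    if ended and len(body) < len(steps):
        return f"{history[-1]!r} reported before {steps[-1]!r}"
    return None

def unconfirmed_security_commands(records, now, max_age):
    """List security commands that are off-sequence or not Executed after max_age."""
    findings = []
    for rec in records:
        if rec["command"] not in SECURITY_COMMANDS:
            continue
        problem = sequence_problem(rec["history"])
        last = rec["history"][-1] if rec["history"] else "none"
        overdue = last != "Executed" and now - rec["assigned"] > max_age
        if problem or overdue:
            findings.append((rec["device"], rec["command"], last, problem))
    return findings

# Constructed sample records; the record layout and device names are hypothetical.
NOW = datetime(2024, 5, 2, 12, 0)
SAMPLE = [
    {"device": "ipad-017", "command": "Wipe Mobile Device", "assigned": NOW - timedelta(hours=6),
     "history": ["Assignment Waiting", "Assignment Notified"]},
    {"device": "iphone-042", "command": "Lock Mobile Device", "assigned": NOW - timedelta(hours=3),
     "history": ["Assignment Waiting", "Assignment Notified", "Assignment Sent", "Executed"]},
    {"device": "iphone-051", "command": "Wipe Mobile Device", "assigned": NOW - timedelta(hours=5),
     "history": ["Reassignment Waiting", "Update Notified", "Update Sent", "Not Notified"]},
    {"device": "ipad-009", "command": "Update Installed Applications",
     "assigned": NOW - timedelta(days=2), "history": ["Assignment Waiting"]},
]
```

Calling `unconfirmed_security_commands(SAMPLE, NOW, timedelta(hours=1))` on the constructed records returns the two Wipe commands that have not reached Executed, which are the cases where data on a lost device may still be accessible.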
To use a direct access command to clear a passcode or to wipe or lock a mobile device
The following are security-related commands that are accessible as direct access options for managed mobile devices:
- Clear Passcode
- Wipe Mobile Device
- Lock Mobile Device
If you are using the Wipe Mobile Device command, the user is not informed about the mobile device being reset to factory settings.
- Right-click the mobile device to which you want to assign the command, and select Direct Access Tools.
- Select the command you want to use.
- Click OK to confirm.
The command is sent to the target mobile device.
To collect inventories
Depending on the type of the inventory you want to collect, you can use the following command types:
- Update Device Information
- Update Security Information
- Update Device Restrictions
- Update Installed Applications
- Update Configuration Profiles
- Update Certificates
When a mobile device is audited (using the Audit Now option), the following three mobile commands are assigned to the mobile device:
- Update Device Information
- Update Device Security
- Update Installed Applications
You can also set a command to regularly collect inventory using the Repeat Frequency option. This is helpful if regular inventory audits are part of your organization's compliance policy or a statutory requirement.
To install an application that is not in your Mobile Applications list
Using commands, you can install mobile applications on the target mobile devices. For more information about installing an application that was added to the Mobile Applications list, see To install an application from the Mobile Applications list to a target mobile device.
To install applications that are not listed in the Mobile Applications list, you need to have either of the following identifiers:
- Application bundle identifier
- Application iTunes identifier
For more information about finding these numbers, see To search and add an application to the Mobile Applications list.
For example, you may get a request from users to have a public email service client (such as Gmail) installed on their managed mobile device. You may not have this application in your mobile application list, because it is neither an approved application nor a restricted application as per your organization's policy.
- Create a command using the command type Install Application. For more information, see To create and assign a mobile command.
- On the Command Options page, in the Application to install list, select either the Application bundle identifier or Application iTunes identifier option, and specify the corresponding value.
- Assign the command to the target mobile devices.
When the command is executed on the mobile device:
- If the mobile device is supervised, the application is installed on the target mobile device.
- If the mobile device is not supervised, the user receives a notification to install the application. The user can either install the application or ignore the notification.
If your mobile device is supervised, a message is displayed below the screen lock. For example, This iPad is managed by your organization.
To remove an application by using a command
You can also remove applications using commands. For example, an employee who had enrolled a personal mobile device leaves the organization. You had installed business-specific applications (such as BMC MyIT) on the employee's mobile device. As the employee is leaving the organization, you want to remove those applications from the employee's mobile device.
You can remove only those applications that were installed by using mobile device management. You cannot remove applications that were installed by the user.
- Create a command using the command type Remove Application. For more information, see To create and assign a mobile command.
- On the Command Options page, in the Application to remove list, select one of the following options:
  - If the application to remove is listed under Mobile Applications, select the Application from list option, and then browse and select the application that you want to remove.
  - If the application to remove is not listed under Mobile Applications, select the Select bundle identifier option, and specify the value. For more information about finding the bundle identifier, see To search and add an application to the Mobile Applications list.
- Assign the command to the target mobile devices.
The application is removed when the command is run on the target mobile device.
Examples of remote operations
The following table lists the examples of remote operations that you can perform, the type of mobile commands that you can use, and available command options:
|Remote operation example|Command type|Command options|
|---|---|---|
|The company policy requires a compliance audit on the seventh day of each month. The inventory must be collected at least once a month.|Update Device Information, Update Security Information, Update Restriction Information, Update Installed Applications, Update Configuration Profiles| |
|Each managed mobile device must at all times be configured with settings in a company-defined profile.|Install Configuration Profile|Select the mobile profile to be installed.|
|The user is going for a vacation. The configuration profile, which enforces restrictions on the mobile device, needs to be removed from the user's managed mobile device.|Remove Configuration Profile|Select the mobile profile to be removed.|
|The user has forgotten the passcode. The passcode of the managed mobile device needs to be removed.| | |
|The user's managed mobile device is stolen. The sensitive enterprise data on the mobile device must be removed.|Wipe Mobile Device| |
|The user has misplaced the mobile device within the office. The mobile device needs to be locked to avoid unauthorized data access by other employees.|Lock Mobile Device| |
|There is a list of Managed Applications set in BMC Client Management. These applications must be installed on all managed mobile devices.| | |
|The user has requested to have some additional applications installed. These applications are not in the Managed Applications list.| | |
|The user no longer requires an application that was installed by using mobile commands.| |Application to remove|