Performing remote operations on managed mobile devices

As an IT administrator, you can perform remote operations on managed mobile devices. The following BMC Client Management video (2:56 min) provides information about performing remote operations for iOS devices using commands:


 https://youtu.be/AHHYgxuwOdU

Using commands, you can remotely perform the following operations on mobile devices:

  • Update information about the device, security, restrictions, applications, certificates, and profiles (collect inventory)
  • Install or remove configuration profiles (manage profiles)
  • Install or remove managed applications (manage applications)
  • Lock or wipe (factory reset) mobile device (data security)
  • Clear passcode (data security)

Using the Repeat Frequency option in the commands, you can collect inventories at regular intervals, and if a required application is no longer installed (for example, the user might have removed it), you could automatically reinstall it.

You can also use commands to ensure that the enterprise data stored on the mobile device is accessed only by the authorized user. If the mobile device is stolen or misplaced, you can use the Wipe or Lock command to ensure that your data is not accessible to unauthorized users. If the user forgets the passcode, you can remotely clear the passcode, which restores data access for the user.

The following screenshot shows the list of commands, the objects assigned to the command, and its General tab:

(Android only) The Change Profile command supports the following parameter:

  • Profile (mandatory): The profile to set on the devices. In this case, the rules enforced by the previous management profile are removed and those configured in the new profile are applied. For each device, the operation will fail if the new and replaced profiles do not belong to the same enterprise.

(Android only) The Clear Application Data command makes it possible to clear the cached data for the supplied application identifier. The following parameter is supported:

  • Application Package Name (mandatory): The identifier of the application for which data must be cleared, for example: org.mozilla.firefox

To create and assign a mobile command

  1. In the left pane, select Mobile Device Management.
  2. Right-click Commands, and select Create Mobile Command.
    The Command Wizard window is displayed.

    Tip

    You can create multiple folders under Commands to organize your mobile commands.

  3. In the Command page, specify the details as required, and click Next.
    The Command Options page is displayed. Depending on the command type selected on the preceding page, different command options are displayed. For a detailed list of available command options, see Examples of remote operations.

    Note

    Depending on the command type, parameters (optional or mandatory) may be available. Some commands also offer parameters for Apple or Android devices only. If the command does not have any parameters, the Command Assignment page is displayed.

  4. Set the command options, and click Next.
    The Command Assignment page is displayed.

  5. Assign the command to the target devices, device groups, users, or user groups, and click Finish.
    The command is created and assigned to the target mobile devices.

To view the status of a mobile command

After you assign the command to the target mobile devices, you can view the command status by navigating to the following locations in the left pane:

  • Mobile Device Management > Commands > mobileCommandName > Assigned Objects > Devices

  • Mobile Device Management > Mobile Devices > Managed Mobile Devices > mobileDeviceName > Assigned Objects > Commands

In the right pane, all of the commands that were assigned to the mobile device are displayed with their status.

  • If the command is assigned to the mobile device for the first time, the sequence of the command status is as follows:
    Assignment Waiting > Assignment Notified > Assignment Sent > Executed/Execution Failed/Not Notified.
  • If the command is already assigned to the mobile device and the user initiates command reassignment, the sequence of the command status is as follows:
    Reassignment Waiting > Update Notified > Update Sent > Executed/Execution Failed/Not Notified.

The following table describes the command statuses:

| Command Status | Description |
|---|---|
| Assignment Waiting (Reassignment Waiting) | The command was assigned (or reassigned) to the target mobile device in the console, but the mobile device manager is yet to assign (or reassign) the command to the target mobile device (for Apple devices), or to the Google Cloud (for Android devices). |
| Assignment Notified (Update Notified) | For Apple devices only. The command (or command update) was assigned to the target mobile device in the console and the mobile device manager has notified the Apple notification server about the command assignment. The Apple notification server will send the notification to the mobile device. There can be a delay in sending the command from the Apple notification server to target mobile device due to connectivity and other dependencies. |
| Assignment Sent (Update Sent) | The command (or command update) was sent to the target mobile device (for Apple devices), or to the Google Cloud (for Android devices). |
| Executed | The command (or command update) was run on the target mobile device. |
| Execution Failed | The command (or command update) on the target mobile device failed. You can view more information in the Error Details column. |
| Not Notified | For Apple devices only. The command (or command update) was sent to the target mobile device, but the target mobile device has not sent the status back to the mobile device manager. |
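The status sequence above means that a Wipe, Lock or Clear Passcode command that has been assigned has not necessarily run on the device. The following added example (not BMC code) reviews the latest status of such commands and reports those that cannot yet be treated as done. The row fields, device names and one-hour threshold are assumptions, because the page does not describe an export format.

```python
from datetime import datetime, timedelta

# Status names as documented on this page. Reassignment names map onto the
# same stage as their first-assignment counterparts.
STAGE = {
    "Assignment Waiting": "waiting", "Reassignment Waiting": "waiting",
    "Assignment Notified": "notified", "Update Notified": "notified",
    "Assignment Sent": "sent", "Update Sent": "sent",
    "Executed": "executed", "Execution Failed": "failed",
    "Not Notified": "not_notified",
}
APPLE_ONLY_STAGES = {"notified", "not_notified"}
SECURITY_COMMANDS = {"Wipe Mobile Device", "Lock Mobile Device", "Clear Passcode"}


def review(rows, now, max_pending=timedelta(hours=1)):
    """Return (device, command, finding) for every security command whose
    latest status does not yet prove that it ran on the device."""
    findings = []
    for row in rows:
        if row["command"] not in SECURITY_COMMANDS:
            continue
        stage = STAGE.get(row["status"].strip().title())
        age = now - row["since"]
        if stage == "executed":
            continue
        if stage is None:
            finding = f"unknown status {row['status']!r}"
        elif stage in APPLE_ONLY_STAGES and row["platform"] != "apple":
            finding = f"'{row['status']}' is documented for Apple devices only"
        elif stage == "failed":
            finding = "execution failed; check the Error Details column"
        elif stage == "not_notified":
            finding = "sent, but the device has not reported a result"
        elif age > max_pending:
            finding = f"still '{row['status']}' after {age}"
        else:
            continue  # recently assigned, still within the allowed delay
        findings.append((row["device"], row["command"], finding))
    return findings


# Constructed sample rows (hypothetical field names and devices).
NOW = datetime(2024, 5, 7, 12, 0)
SAMPLE = [
    {"device": "ipad-014", "platform": "apple", "command": "Wipe Mobile Device",
     "status": "Assignment Notified", "since": datetime(2024, 5, 7, 8, 30)},
    {"device": "pixel-221", "platform": "android", "command": "Lock Mobile Device",
     "status": "Assignment Sent", "since": datetime(2024, 5, 7, 11, 50)},
    {"device": "iphone-090", "platform": "apple", "command": "Lock Mobile Device",
     "status": "Not notified", "since": datetime(2024, 5, 7, 11, 40)},
    {"device": "pixel-305", "platform": "android", "command": "Clear Passcode",
     "status": "Execution Failed", "since": datetime(2024, 5, 7, 11, 55)},
    {"device": "ipad-002", "platform": "apple", "command": "Update Device Information",
     "status": "Assignment Waiting", "since": datetime(2024, 5, 6, 9, 0)},
    {"device": "ipad-033", "platform": "apple", "command": "Wipe Mobile Device",
     "status": "Executed", "since": datetime(2024, 5, 7, 10, 0)},
]

if __name__ == "__main__":
    for device, command, finding in review(SAMPLE, NOW):
        print(f"{device}: {command}: {finding}")
```
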

To use a direct access command to clear a passcode or to wipe or lock a mobile device

The following are security-related commands that are accessible as direct access options for managed mobile devices:

  • Clear Passcode (Android only) supports the following optional parameters:
    • New Password: Set a new password on the device. This must respect the passcode policy if a passcode policy is applied. If the new password does not respect this, the command fails.
    • Require Entry: Do not permit other administrators to change the password again until the user has entered it.
    • Do not ask credentials: Do not ask for user credentials on device boot.
    • Lock Now: Lock the device after password reset.
  • Wipe Mobile Device:
    • For Apple and Corporate-Owned Android devices, the Wipe Mobile Device command resets the device to factory settings. The user is not informed about the mobile device being reset to factory settings.
    • For Personally-Owned Android devices, the Wipe Mobile Device command simply removes the professional workspace and all the linked information. The user is informed of this operation.
  • Lock Mobile Device

  1. Right-click the mobile device to which you want to assign the command, and select Direct Access Tools.
  2. Select the command you want to use.
  3. Click OK to confirm.
    The command is sent to the target mobile device.

To collect inventories

Depending on the type of the inventory you want to collect, you can use the following command types:

  • Update Device Information
  • Update Security Information
  • Update Device Restrictions (for Apple devices only)
  • Update Installed Applications
  • Update Configuration Profiles (for Apple devices only)
  • Update Certificates (for Apple devices only)

When a mobile device is audited (using the Audit Now option), the following three mobile commands are assigned to the mobile device:

  • Update Device Information
  • Update Device Security
  • Update Installed Applications 

You can also set a command to regularly collect inventory using the Repeat Frequency option. This is helpful if regular inventory audits are part of your organization's compliance policy or a statutory requirement.

To install mobile applications on Apple devices

Using commands, you can install mobile applications on the target mobile devices. For more information about installing an application that was added to the Mobile Applications list, see To install an application from the Mobile Applications list to a target mobile device.

To install applications that are not listed in the Mobile Applications list, you need to have either of the following identifiers:

  • Application bundle identifier
  • Application iTunes identifier 

For more information about finding these numbers, see To search and add an application to the Mobile Applications list.

For example, you may get a request from users to have a public email service client (such as Gmail) installed on their managed mobile device. You may not have this application in your mobile application list, because it is neither an approved application nor a restricted application as per your organization's policy.

  1. Create a command using the command type Install Application. For more information, see To create and assign a mobile command.
  2. On the Command Options page, in the Application to install list, select either the Application bundle identifier or Application iTunes identifier option, and specify the corresponding value.
  3. Assign the command to the target mobile devices.

    When the command is executed on the mobile device:

    • If the mobile device is supervised, the application is installed on the target mobile device.
    • If the mobile device is not supervised, the user receives a notification to install the application. The user can either install the application or ignore the notification.

    Tip

    If your mobile device is supervised, a message is displayed below the screen lock. For example, This iPad is managed by your organization.


To install mobile applications on Android devices

The Applications tab of the Android Profile configuration panel shows the applications that may or may not be installed on the device. Depending on the enrollment type, the applications may concern the entire device or the work environment only. For Apple devices, you can install applications using commands; this is not possible with Android devices. Instead, this operation must be done using management profiles; that is, the Applications payload of Android management profiles.

To install an application

  1. Currently, the API does not provide a simple search mechanism to search for the applications. Rather, you need to find the Application Identifier manually:
    1. Go to Google PlayStore.
    2. Search for the application you are interested in.
    3. Select and copy the Application Identifier from the URL. For example: com.spotify.music.
  2. In the BMC Client Management Java console, go to Mobile Device Management > Profiles > New Mobile Profile > Configuration > Applications.
  3. Enter your Application identifier in the Package name section.
  4. Select one of the Installation types:
    • Application is automatically installed and can be removed by the user 
    • Application is automatically installed and can't be removed by the user
    • Application is blocked and can't be installed. Will be uninstalled if installed under a previous policy
    • Application is available to install
    • Application is automatically installed in kiosk mode
  5. Save the profile.
    The profile is updated for Google Cloud. You can see your applications available in your work PlayStore, or even already installed on the device if you selected the relevant installation type.
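Step 1 of the procedure above, as an added example that is not part of the BMC product or its documentation: because the package name entered in the profile can cause an application to be installed automatically, this sketch takes the identifier only from the `id` parameter of an https://play.google.com/store/apps/details URL and checks that it is a well-formed Android package name. The function names and the sample URLs are hypothetical.

```python
import re
from urllib.parse import urlparse, parse_qs

# Android application IDs: two or more dot-separated segments, each starting
# with a letter and containing only letters, digits or underscores.
PACKAGE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")


def package_from_play_url(url):
    """Return the Application Identifier from a Google Play details URL.

    Raises ValueError if the URL is not an https link to play.google.com or
    the id parameter is missing, repeated or not a well-formed package name.
    """
    parts = urlparse(url.strip())
    if parts.scheme != "https" or parts.hostname != "play.google.com":
        raise ValueError("not an https://play.google.com URL")
    if parts.path.rstrip("/") != "/store/apps/details":
        raise ValueError("not an application details page")
    ids = parse_qs(parts.query).get("id", [])
    if len(ids) != 1:
        raise ValueError("expected exactly one id parameter")
    if not PACKAGE_RE.fullmatch(ids[0]):
        raise ValueError(f"malformed package name: {ids[0]!r}")
    return ids[0]


def collect_package_names(urls):
    """Split pasted URLs into accepted package names and rejected entries."""
    accepted, rejected = [], []
    for url in urls:
        try:
            accepted.append(package_from_play_url(url))
        except ValueError as err:
            rejected.append((url, str(err)))
    return accepted, rejected


# Constructed input: one well-formed URL and three that must be rejected
# (lookalike host, missing id, malformed package name).
PASTED = [
    "https://play.google.com/store/apps/details?id=com.spotify.music&hl=en",
    "https://play.google.com.example.net/store/apps/details?id=com.spotify.music",
    "https://play.google.com/store/apps/details?hl=en",
    "https://play.google.com/store/apps/details?id=com..music",
]

if __name__ == "__main__":
    ok, bad = collect_package_names(PASTED)
    print(ok)
    for url, reason in bad:
        print("rejected:", url, "->", reason)
```
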

To remove an application by using a command from Apple devices

You can also remove applications using commands. For example, an employee who had enrolled a personal mobile device leaves the organization. You had installed business-specific applications (such as BMC MyIT) on the employee's mobile device. As the employee is leaving the organization, you want to remove those applications from the employee's mobile device.

Note

You can remove only those applications that were installed by using mobile device management. You cannot remove applications that were installed by the user.

  1. Create a command using the command type Remove Application. For more information, see To create and assign a mobile command.
  2. On the Command Options page, in the Application to remove list, select one of the following options:
    • If the application to remove is listed under Mobile Applications, select the Application from list option, and then browse and select the application that you want to remove.
    • If the application to remove is not listed under Mobile Applications, select the Select bundle identifier option, and specify the value. For more information about finding the bundle identifier, see To search and add an application to the Mobile Applications list.
  3. Assign the command to the target mobile devices.
    The application is removed when the command is run on the target mobile device.

To remove an application from Android devices

As application management in Android is performed using management profiles, it is possible to remove an application by simply updating Android management profiles.

For example, Spotify can be automatically installed, or made available in the corporate PlayStore, by adding it to the Application payload in the management profile. By removing the same entry, the Spotify application can be automatically uninstalled, or removed from the corporate PlayStore.

Depending on the enrollment type (Corporate or Personally-Owned), the application management may vary. 

Examples of remote operations

The following table lists the examples of remote operations that you can perform, the type of mobile commands that you can use, and available command options:


| Keyword | Explanation | Options | Apple? | Android? | Comment |
|---|---|---|---|---|---|
| UpdateDeviceInfo | Update Device Information | None | Yes | Yes | Update the device information and device based inventories. |
| UpdateSecurityInfo | Update Security Information | None | Yes | Yes | Update the security based inventories. |
| UpdateRestrictionInfo | Update Restriction Information | None | Yes | No | Update the restrictions based inventories. For Android, these restrictions are part of a security inventory. |
| UpdateInstalledApplications | Update Installed Applications | None | Yes | Yes | Update the list of installed applications, also known as software inventory. |
| UpdateConfigurationProfiles | Update Configuration Profiles | None | Yes | No | Update the list of installed configuration profiles. For Android, this command is useless because a device is managed by a single configuration profile set at enrollment time and possibly changed using the ChangeProfile command. |
| UpdateCertificates | Update Certificates | None | Yes | No | Update the list of installed certificates. For Android, this information is managed through the profile directly. |
| InstallConfigurationProfile | Install Configuration Profile | Select the mobile profile to be installed. | Yes | No | Install a new configuration profile. For Android, this command is useless because a device is managed by a single configuration profile set at enrollment time and possibly changed using the ChangeProfile command. |
| RemoveConfigurationProfile | Remove Configuration Profile | Select the mobile profile to be removed. | Yes | No | Remove an installed configuration profile. For Android, this command is useless because a device is managed by a single configuration profile set at enrollment time and possibly changed using the ChangeProfile command. |
| DeviceLock | Lock Mobile Device | Message; Phone number | Yes | Yes | Lock the device. For Android, the lock operation can be applied on the entire device or the work profile, based on the enrollment type (personally-owned or corporate-owned). |
| ClearPasscode | Clear Passcode | None | Yes | Yes | Clear the passcode. For Android, it is possible to set a new password at the same time. Note that depending on the applied policy, this command may fail, for example when trying to clear the passcode on a device that should have a passcode set. |
| EraseDevice | Wipe Mobile Device | None | Yes | Yes | Wipe the device. For Android, this may result in a real wipe operation or a removal of the work profile, based on the enrollment type (personally-owned or corporate-owned). |
| InstallApplication | Install Application | Install an application that is on the list of Managed Applications in BMC Client Management. These applications must be installed on all managed mobile devices. Application to install: Application from list (select the application from the list). Remove on unroll: Select the check box to remove application when the user withdraws enrollment. Prevent backup: Select the check box to prevent application data back up. | Yes | No | Install a new application. For Android, this operation is managed through the profile directly. |
| InstallApplication | Install Application | Install an application that is not on the list of Managed Applications in BMC Client Management. Application to install: Application bundle identifier (specify the bundle identifier), or Application iTunes identifier (specify the iTunes identifier). Remove on unroll: Select the check box to remove application when the user withdraws enrollment. Prevent backup: Select the check box to prevent application data back up. | Yes | No | Install a new application. For Android, this operation is managed through the profile directly. |
| RemoveApplication | Remove Application | Application to remove. Application from list: Select the application from the list. Application bundle identifier: Specify the bundle identifier. | Yes | No | Remove an installed application. For Android, this operation is managed through the profile directly. |
| UpdatePowerManagementEvents | Update Power Management Events | | No | Yes | Update the power management events inventory. |
| RebootDevice | Reboot Device | | No | Yes | Reboot the device. Only supported on fully managed devices running Android 7.0 (API level 24) or higher. |
| RelinquishOwnership | Relinquish Ownership | | No | Yes | Removes the work profile and all policies from a company-owned Android 8.0+ device, relinquishing the device for personal use. Apps and data associated with the personal profile(s) are preserved. The device will be deleted from the server after it acknowledges the command. |
| ChangeProfile | Change Profile | | No | Yes | Change the management profile. All the policies from the old profile are removed and replaced by the policies of the new profile. |
| ClearAppData | Clear Application Data | | No | Yes | Clears the application data of specified apps. This is supported on Android 9 and above. |

| Remote operation example | Command type | Command options |
|---|---|---|
| The company policy requires a compliance audit on the seventh day of each month. The inventory must be collected at least once a month. | Update Device Information; Update Security Information; Update Restriction Information; Update Installed Applications; Update Configuration Profiles; Update Certificates | Not available |
| Each managed mobile device must at all times be configured with settings in a company-defined profile. | Install Configuration Profile | Select the mobile profile to be installed. |
| The user is going for a vacation. The configuration profile, which enforces restrictions on the mobile device, needs to be removed from the user's managed mobile device. | Remove Configuration Profile | Select the mobile profile to be removed. |
| The user has forgotten the passcode. The passcode of the managed mobile device needs to be removed. | Clear Passcode | Not available |
| The user's managed mobile device is stolen. The sensitive enterprise data on the mobile device must be removed. | Wipe Mobile Device | Not available |
| The user has misplaced the mobile device within the office. The mobile device needs to be locked to avoid unauthorized data access by other employees. | Lock Mobile Device | Message; Phone number |
| There is a list of Managed Applications set in BMC Client Management. These applications must be installed on all managed mobile devices. | Install Application | Application to install: Application from list (select the application from the list). Remove on unroll: Select the check box to remove application when the user withdraws enrollment. Prevent backup: Select the check box to prevent application data back up. |
| The user has requested to have some additional applications installed. These applications are not in the Managed Applications list. | Install Application | Application to install: Application bundle identifier (specify the bundle identifier), or Application iTunes identifier (specify the iTunes identifier). Remove on unroll: Select the check box to remove application when the user withdraws enrollment. Prevent backup: Select the check box to prevent application data back up. |
| The user no longer requires an application that was installed by using mobile commands. | Remove application | Application to remove. Application from list: Select the application from the list. Application bundle identifier: Specify the bundle identifier. |

