Retire or wipe mobile devices via PowerShell

This blog post is about a new tool, written in PowerShell, to retire and/or wipe a mobile device. Let’s start with the fact that I know it’s possible to retire and/or wipe a mobile device through the ConfigMgr console, but that didn’t stop me from creating this tool. The reason is related to how mobile devices are managed and who is usually responsible for them.

In most cases the service desk is responsible for helping end-users with their mobile devices. Now what if a company would rather not provide the ConfigMgr console to the service desk, or wants to prevent the service desk from wiping a mobile device? That’s where this tool comes in.

>> Available via download here on the TechNet Galleries! <<

Overview

[Screenshot: overview of the tool]

Now let’s start with a quick overview of this tool. The interface is pretty straightforward. It provides a textbox for a username; this textbox has a tooltip that describes the required input. After providing a username, the Get button can be used to get the registered mobile devices of the specified user. The mobile devices of the specified user will be shown in the datagridview. After selecting a mobile device in the datagridview, the Retire and/or Wipe buttons will be enabled, if applicable. Wiping a mobile device is not applicable for Windows (RT) devices.

Messages

This tool provides a few messages based on the actions performed by the administrative user. The following messages can show, based on the provided input.

The message Please provide a valid username will show when the textbox was left empty and the Get button was used.

Together with this message, the error message Please verify the username will also show next to the textbox.

The message Please provide an existing username will show when a wrong username was specified.

Together with this message, the error message Please verify the username will also show next to the textbox.

The message Please provide an user with a primary mobile device will show when a username was specified that doesn’t have a (primary) mobile device configured.

Together with this message, the error message Please verify the username will also show next to the textbox.

The message Please verify the connection with the specified site server will show when anything else goes wrong. In most cases that will be an issue with the information provided when starting the tool.

The message Are you sure that you want to retire the mobile device with the ResourceId <ResourceId> will show when a mobile device was selected and the Retire button was used.

The message The action to retire the mobile device is successful initiated will show when the action to retire the mobile device was successfully initiated.

The message Are you sure that you want to wipe the mobile device with the ResourceId <ResourceId> will show when a mobile device was selected and the Wipe button was used.

The message The action to wipe the mobile device is successful initiated will show when the action to wipe the mobile device was successfully initiated.

Usage

Before this tool can be used, the user or service account used to start this tool requires at least the permissions described in the next section of this post. Besides those permissions, there are no special requirements for using this tool. I also didn’t use the ConfigMgr cmdlets, which removes the dependency on installing the ConfigMgr console (or doing something creative with the cmdlets): the tool talks to the SMS Provider directly.

To start this tool the following parameters are available.

  • SiteServer: This parameter is mandatory and should point to a server hosting the SMS Provider;
  • SiteCode: This parameter is mandatory and should be the (primary) site code of the mobile devices;
  • AllowWipe: This switch is optional and enables an additional button to wipe a mobile device.

All these parameters together will make a complete example look like this.

.\Retire-MobileDevice.ps1 -SiteServer CLDSRV02 -SiteCode PCP -AllowWipe
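To show how the pieces of the tool fit together (username validation, looking up a user’s mobile devices through the SMS Provider without the ConfigMgr cmdlets, and gating Wipe behind the AllowWipe switch plus a confirmation), here is an added example. It is not the Retire-MobileDevice.ps1 from the download, and it makes a few assumptions: the function names, the use of SMS_R_User and SMS_UserMachineRelationship for the lookup, ClientType 3 as the marker for a mobile device client, and OperatingSystemNameandVersion for the Windows (RT) check. The post does not name the SMS Provider method that actually starts a retire or wipe, so the example takes that call as an ActionInvoker scriptblock supplied by the caller rather than inventing one.

```powershell
# Added example, not the tool from the post. Assumed names are marked below.

function Get-UserMobileDevice {
    # Returns the mobile devices related to a user via the SMS Provider (WMI only).
    param(
        [Parameter(Mandatory = $true)][string]$SiteServer,
        [Parameter(Mandatory = $true)][string]$SiteCode,
        [string]$UserName   # DOMAIN\user, as stored in UniqueUserName
    )
    if ([string]::IsNullOrWhiteSpace($UserName)) {
        throw 'Please provide a valid username'
    }
    $ns = "root\SMS\site_$SiteCode"
    # WQL needs backslashes and single quotes escaped inside the filter string.
    $wqlUser = $UserName.Replace('\', '\\').Replace("'", "\'")

    # Does the user exist at all? (SMS_R_User is the discovered user resource.)
    $user = Get-WmiObject -ComputerName $SiteServer -Namespace $ns `
        -Class SMS_R_User -Filter "UniqueUserName='$wqlUser'"
    if (-not $user) { throw 'Please provide an existing username' }

    # User/device affinity rows for this user.
    $rels = @(Get-WmiObject -ComputerName $SiteServer -Namespace $ns `
        -Class SMS_UserMachineRelationship -Filter "UniqueUserName='$wqlUser'")

    $devices = foreach ($rel in $rels) {
        $sys = Get-WmiObject -ComputerName $SiteServer -Namespace $ns `
            -Class SMS_R_System -Filter "ResourceID=$($rel.ResourceID)"
        # Assumption: ClientType 3 identifies a mobile device client.
        if ($sys -and $sys.ClientType -eq 3) {
            # Assumption: OperatingSystemNameandVersion is populated for the device.
            $os = [string]$sys.OperatingSystemNameandVersion
            [pscustomobject]@{
                ResourceID      = $sys.ResourceID
                Name            = $sys.Name
                OperatingSystem = $os
                # The post: wipe is not applicable for Windows (RT) devices.
                WipeSupported   = -not ($os -like 'Windows*')
            }
        }
    }
    if (-not $devices) { throw 'Please provide an user with a primary mobile device' }
    return $devices
}

function Invoke-MobileDeviceAction {
    # Applies the tool's gating: Wipe only with -AllowWipe and only where supported,
    # and every action behind a high-impact confirmation (-Confirm / -WhatIf work).
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][psobject]$Device,
        [Parameter(Mandatory = $true)][ValidateSet('Retire', 'Wipe')][string]$Action,
        [switch]$AllowWipe,
        # Assumption: the caller supplies the SMS Provider call that starts the
        # action; the post does not name it, so it is not hard-coded here.
        [Parameter(Mandatory = $true)][scriptblock]$ActionInvoker
    )
    if ($Action -eq 'Wipe') {
        if (-not $AllowWipe) { throw 'Wipe is not enabled; start with -AllowWipe' }
        if (-not $Device.WipeSupported) {
            throw "Wipe is not applicable for $($Device.Name) ($($Device.OperatingSystem))"
        }
    }
    $target = "the mobile device with the ResourceId $($Device.ResourceID)"
    if ($PSCmdlet.ShouldProcess($target, $Action)) {
        & $ActionInvoker $Device.ResourceID $Action
        return "The action to $($Action.ToLower()) the mobile device is successfully initiated"
    }
}

# Usage, mirroring the post's command line (site server and site code from the post).
# The invoker below only logs; replace it with the real retire/wipe call for your site.
$devices = Get-UserMobileDevice -SiteServer CLDSRV02 -SiteCode PCP -UserName 'CONTOSO\jdoe'
$devices | Format-Table ResourceID, Name, OperatingSystem, WipeSupported
Invoke-MobileDeviceAction -Device $devices[0] -Action Wipe -AllowWipe -WhatIf -ActionInvoker {
    param($ResourceId, $Action)
    Write-Verbose "Would start $Action for ResourceId $ResourceId" -Verbose
}
```

Keeping the policy (who may wipe, which devices support it, explicit confirmation) separate from the mechanism (the provider call) is what lets the same script be handed to a service desk without the AllowWipe switch: without it, the Wipe path is unreachable no matter what the operator types, and -WhatIf gives a dry run for testing the lookup against a site server.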

Permissions required to use Retire/Wipe in ConfigMgr 2012

The idea of this blog post is similar to my blog posts about the permissions required to use Edit Primary Users/Devices and about the permissions required to use Resultant Client Settings, which I both wrote a couple of months ago. The difference this time is that the permissions for using the Retire/Wipe option are not that strange, but it is good to know what the results are of giving an administrative user the required permissions. Also, I’ve seen some questions around the web lately about the possibilities to differentiate the permissions for using the Retire/Wipe option. In the results of this blog post I’ll provide some information about the impact of these required permissions.

Introduction

In this blog post I’ll explain the permissions that are required to use the Retire/Wipe option and, while I’m touching the subject anyway, the permissions required to use the Cancel Retire/Wipe option. These options are only available for mobile devices enrolled via Microsoft Intune and allow the administrator to retire/wipe a mobile device and to cancel the retire/wipe of a mobile device. I’ll explain this by going through the required permissions and providing information about the impact of each specific permission.

Permissions

Now the key thing of this blog post: the minimal permissions required to use the Retire/Wipe option and the Cancel Retire/Wipe option. There is nothing really special about the required permissions, which, in itself, might make it a bit special. To provide an administrator with the minimal rights required for using these options, use the following list of permissions:

  • Collection;
    • Read – The Read permission provides access to the collections;
    • Read Resource – The Read Resource permission provides access to the detailed information about the resource, like the targeted deployments and the inventory information;
    • Modify Resource – The Modify Resource permission provides access to make modifications to the resource, like installing a client and canceling a retire/wipe action;
    • Delete Resource – The Delete Resource permission provides access to delete the resource and, by that, to the Retire/Wipe action.

Note: This also really means that without the Modify Resource permission the administrative user will not have the Cancel Retire/Wipe option, and without the Delete Resource permission the administrative user will not have the Retire/Wipe option.

Result

The fact that nothing more is required than the Read, Read Resource, Modify Resource and Delete Resource permissions makes it a bit special. Together these permissions provide the administrative user with the following available actions on a mobile device (see screenshot).

[Screenshot: available actions on a mobile device with these permissions]

This means that an administrative user who has the permission to delete a resource also has the permission to retire/wipe a mobile device. That makes sense, as both actions eventually delete a device. To add to that, even if the administrative user could not retire/wipe a mobile device, the administrative user could still directly delete the mobile device. In case not every administrative user is allowed to retire/wipe a mobile device, simply use a collection to scope those administrative users to everything but mobile devices.

The last thing I would like to mention is that this also means that it’s currently not possible to allow an administrative user to only use the Wipe company content and retire the mobile device from Configuration Manager option. If an administrative user has the permissions to retire/wipe a mobile device, the administrative user can use the Wipe company content and retire the mobile device from Configuration Manager option AND the Wipe the mobile device and retire it from Configuration Manager option.