This blog post will be about a new tool, written in PowerShell, to remotely manage mobile devices. This tool is based on the ConfigMgr SDK and contains all the available options for remotely managing mobile devices. That means it can retire, wipe, lock and pin reset mobile devices. Basically, it’s a version 2.0 of the tool I made a couple of months ago. That tool is limited to the ConfigMgr 2012 R2 functionality (wipe and retire); this new tool also contains the ConfigMgr 2012 R2 SP1 functionality (lock and pin reset).
The use case for this tool is still the same. In most cases the service desk is responsible for helping end-users with their mobile devices. What if the company would rather not provide the ConfigMgr console to the service desk? What if the company wants to prevent the service desk from wiping a mobile device? Well, that’s where this tool comes in. This tool provides the possibility to remotely manage mobile devices without using the ConfigMgr console, and it also provides the possibility to prevent the usage of the wipe functionality.
>> Available via download here on the TechNet Galleries! <<
Overview
Now let's start with a good overview of this tool. The interface is pretty straightforward. It provides a textbox to provide a username. This textbox has a tooltip describing the required input. After providing a username, the Get Mobile Devices button can be used to get the registered (primary) mobile devices of the specified user.
The mobile devices of the specified user will be shown in the datagridview. After selecting a mobile device in the datagridview, the Reset Passcode, View Passcode State, Remote Lock, View Remote Lock State, Retire and Wipe buttons will be enabled, if applicable and if allowed. The Wipe and Reset Passcode functionality is not applicable to Windows (RT) devices. Also, the Wipe functionality needs to be specifically enabled via the AllowWipe switch.
Messages
This tool provides a lot of messages based on the actions performed by the administrative user. Depending on the action, the following messages can appear.
Usage
Before this tool can be used, the administrative user, or service account, used to start this tool, requires at least the permissions as described in this post and the permissions to read user device affinities (User Device Affinities > Read). Besides those permissions, there are no special requirements for using this tool. I also didn’t use the ConfigMgr cmdlets, which completely removes the dependency on installing the ConfigMgr console, or on doing something creative with the ConfigMgr cmdlets.
To start this tool the following parameters are available.
- SiteServer: This parameter is mandatory and should point to a server containing the SMS provider;
- AllowWipe: This switch is optional and enables the button to wipe a mobile device.
All these parameters together will make a complete example look like this.
.\Manage-MobileDevice_v10.ps1 -SiteServer CLDSRV02 -AllowWipe
Thanks
A special thanks goes to everybody that volunteered to do some beta testing of this tool. Thank you Nickolaj, John, Jörgen, Stefan, Kim and Tom!
Great tool, many thanks, my PowerShell skills would never have been up to coming up with this kind of thing.
Can I make one suggestion however? Where you have the Device to user WQL query you might want to consider changing it from ResourceName to ResourceID for the join.
e.g. to this:
-Query "SELECT r.* FROM SMS_CM_RES_COLL_SMSDM001 r INNER JOIN SMS_UserMachineRelationship m ON r.ResourceID=m.ResourceID WHERE m.UniqueUserName='$User' AND m.Types = 1"
Instead of what you had: "SELECT r.* FROM SMS_CM_RES_COLL_SMSDM001 r INNER JOIN SMS_UserMachineRelationship m ON r.Name=m.ResourceName WHERE m.UniqueUserName='$User' AND m.Types = 1"
The reason for this is that Apple in particular have an annoying habit of having a default name of a device as iPad or iPhone and with your original version of the query you will get multiple wrong devices along with the right device displayed for a user if you have multiple enrolled devices with the same name on the device at the time of enrolment. With corporate devices it tends to be less of an issue because we for example will use the Apple configurator to generate unique device names but if you allow people to enrol personal devices then many people simply never bother to change the default name.
End result is we had someone on the service desk accidentally retire 9 iPads because they thought they were all incorrectly enrolled by a user previously and never retired when in fact they were devices owned by other people. If they had used some common sense they should have realised something was fishy because the last activity was the same day on all of them… oh well. 🙂
Thank you! Great suggestion and I’ll put it on my todo list.
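As an added example (not the Manage-MobileDevice_v10.ps1 script from the post, nor the commenter's code), the following PowerShell combines the two parameters described under Usage with the ResourceID join suggested in the comment above: it locates the SMS provider namespace on the site server without any ConfigMgr cmdlets, escapes the user name before placing it in the WQL string, and lists the user's primary mobile devices. The $User parameter, the site-code discovery via SMS_ProviderLocation, and the grid columns selected at the end are assumptions; the actual wipe/retire/lock calls the tool wraps are not reproduced, only the AllowWipe gate is shown.

```powershell
# Added example: list a user's primary mobile devices straight from the SMS provider.
# Parameter names SiteServer and AllowWipe follow the post; $User is an assumed parameter.
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string]$SiteServer,                 # server hosting the SMS provider

    [Parameter(Mandatory = $true)]
    [string]$User,                       # DOMAIN\username, the form stored in UniqueUserName (assumed)

    [switch]$AllowWipe                   # optional; only enables the Wipe action, as in the post
)

# 1. Discover the site code from the provider registration (no console or cmdlets needed)
$provider = Get-WmiObject -ComputerName $SiteServer -Namespace 'root\SMS' `
    -Class 'SMS_ProviderLocation' -Filter 'ProviderForLocalSite = TRUE'
if (-not $provider) { throw "No SMS provider registered on $SiteServer" }
$namespace = "root\SMS\site_$($provider.SiteCode)"

# 2. Escape the user name for a WQL string literal. WQL uses backslash as its escape
#    character, so the backslash in DOMAIN\user and any single quote are prefixed with
#    one; an unescaped quote would otherwise malform or alter the query.
$safeUser = $User -replace '([\\''])', '\$1'

# 3. Join on ResourceID, not on the device name: several enrolled devices that still
#    carry the default name ("iPad", "iPhone") would otherwise all match one user.
$query = "SELECT r.* FROM SMS_CM_RES_COLL_SMSDM001 r " +
         "INNER JOIN SMS_UserMachineRelationship m ON r.ResourceID = m.ResourceID " +
         "WHERE m.UniqueUserName = '$safeUser' AND m.Types = 1"

$devices = @(Get-WmiObject -ComputerName $SiteServer -Namespace $namespace -Query $query)

# 4. What the service desk would see in the grid. The columns are assumed from the
#    comments (the tool returns OS, serial, IMEI and similar static columns); the
#    WipeAllowed column reflects the AllowWipe switch, which is all that unlocks a wipe.
$devices |
    Select-Object ResourceID, Name, DeviceOS, SerialNumber, LastActiveTime,
        @{ Name = 'WipeAllowed'; Expression = { [bool]$AllowWipe } } |
    Format-Table -AutoSize

Write-Verbose ("{0} primary mobile device(s) found for {1}" -f $devices.Count, $User)
```

Run it as `.\List-UserMobileDevices.ps1 -SiteServer CLDSRV02 -User 'CONTOSO\jdoe' -Verbose` (file name assumed). Because the join is on ResourceID, a user with three devices all still named "iPad" yields exactly those three rows and nothing belonging to other users, which is the failure the comment describes.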
Nice work here. I hate to give my support desk console access if it isn’t truly needed and this could be the solution. I just need to figure out how to add an extra step to do a wildcard search then select a user, then display the devices.
Thank you! You should be able to adjust a couple of queries and make that requirement work with this code.
I’d really like to see an option for searching across all data – for example, userid, imei, serial, phone number, device OS – basically all static columns the tool returns. This would help, for example, if someone has not completed their job correctly and placed a user to a serial in our stock list, so we have a rogue serial sitting in the stock but no name associated with it. I’m looking into the script now myself but I’m pretty much a hack at coding, see how I go!
Thank you for the feedback. I’ll put it with the other ideas for the tool.