New tool: Remote Mobile Device Manager

This blog post is about a new tool, written in PowerShell, to remotely manage mobile devices. The tool is based on the ConfigMgr SDK and contains all the available options for remotely managing mobile devices: it can retire, wipe, lock and PIN-reset mobile devices. Basically, it’s version 2.0 of the tool I made a couple of months ago. That tool is limited to the ConfigMgr 2012 R2 functionality of wipe and retire; this new tool also contains the ConfigMgr 2012 R2 SP1 functionality of lock and PIN reset.

The use case for this tool is still the same. In most cases the service desk is responsible for helping end-users with their mobile devices. What if the company would rather not provide the ConfigMgr console to the service desk? What if the company wants to prevent the service desk from wiping a mobile device? Well, that’s where this tool comes in. It provides the possibility to remotely manage mobile devices without using the ConfigMgr console, and it also provides the possibility to prevent the usage of the wipe functionality.

>> Available via download here on the TechNet Galleries! <<

Overview

Now let’s start with a good overview of this tool. The interface is pretty straightforward. It provides a textbox for entering a username. This textbox has a tooltip that describes the required information. After providing a username, the Get Mobile Devices button can be used to get the registered (primary) mobile devices of the specified user.

The mobile devices of the specified user will be shown in the datagridview. After selecting a mobile device in the datagridview, the Reset Passcode, View Passcode State, Remote Lock, View Remote Lock State, Retire and Wipe buttons will be enabled, if applicable and if allowed. The Wipe and Reset Passcode functionality is not applicable to Windows (RT) devices. Also, the Wipe functionality needs to be specifically enabled via the AllowWipe switch.

Messages

This tool provides a lot of messages based on the actions performed by the administrative user. Based on the action the following messages can show.

The error message “Please provide a valid username.” will show when no username was specified. Together with this error message, the error message “Please verify the username” will also show next to the textbox.
The error message “Please provide an existing username.” will show when a non-existent username was specified. Together with this error message, the error message “Please verify the username” will also show next to the textbox.
The error message “Please provide an user with a primary mobile device.” will show when the specified username has no (primary) mobile device(s) configured. Together with this error message, the error message “Please verify the username” will also show next to the textbox.

The error message “Please verify the connection with the specified site server.” will show when something else went wrong. Based on the second part of the error message it can be determined at which stage this happened.

In most cases these error messages will already be prevented by the check at the startup of the tool. During startup it will try to get the SiteCode based on the specified SiteServer. When this action fails, the tool won’t start and it will show the error message “Unable to connect to the SMS Provider location on <SiteServer>.”

The informational message “There is no PINRESET state information available for the mobile device named <Name>.” will show when the View Passcode State button is used and no PINRESET state information is available.
The verification message “Are you sure that you want to PINRESET the mobile device named <Name>?” will show when the Reset Passcode button is used.
The informational message “The action to PINRESET the mobile device named <Name> is successful initiated.” will show when the action to PINRESET the device is successfully initiated.
The informational message about the PINRESET state information will show when the View Passcode State button is used and PINRESET state information is available.
The informational message “There is no LOCK state information available for the mobile device named <Name>.” will show when the View Remote Lock State button is used and no LOCK state information is available.
The verification message “Are you sure that you want to LOCK the mobile device named <Name>?” will show when the Remote Lock button is used.
The informational message “The action to LOCK the mobile device named <Name> is successful initiated.” will show when the action to LOCK the device is successfully initiated.
The informational message about the LOCK state information will show when the View Remote Lock State button is used and LOCK state information is available.
The verification message “Are you sure that you want to RETIRE the mobile device named <Name>?” will show when the Retire button is used.
The informational message “The action to RETIRE the mobile device named <Name> is successful initiated.” will show when the action to RETIRE the device is successfully initiated.
The verification message “Are you sure that you want to WIPE the mobile device named <Name>?” will show when the Wipe button is used.
The informational message “The action to WIPE the mobile device named <Name> is successful initiated.” will show when the action to WIPE the device is successfully initiated.

Usage

Before this tool can be used, the administrative user, or service account, used to start this tool, requires at least the permissions as described in this post and the permissions to read user device affinities (User Device Affinities > Read). Besides those permissions, there are no special requirements for using this tool. I also didn’t use the ConfigMgr cmdlets, which completely removes the dependency to install the ConfigMgr console, or to do something creative with the ConfigMgr cmdlets.

To start this tool the following parameters are available.

  • SiteServer: This parameter is mandatory and should point to a server containing the SMS provider;
  • AllowWipe: This switch is optional and enables the button to wipe a mobile device.

All these parameters together will make a complete example look like this.

.\Manage-MobileDevice_v10.ps1 -SiteServer CLDSRV02 -AllowWipe

Thanks

A special thanks goes to everybody that volunteered to do some beta testing of this tool. Thank you Nickolaj, John, Jörgen, Stefan, Kim and Tom!

8 thoughts on “New tool: Remote Mobile Device Manager”

  1. Great tool, many thanks, my PowerShell skills would never have been up to coming up with this kind of thing.

    Can I make one suggestion however? Where you have the Device to user WQL query you might want to consider changing it from ResourceName to ResourceID for the join.

    e.g. to this:

    -Query "SELECT r.* FROM SMS_CM_RES_COLL_SMSDM001 r inner JOIN SMS_UserMachineRelationship m ON r.ResourceID=m.ResourceID WHERE m.UniqueUserName='$User' AND m.Types = 1"

    Instead of what you had: "SELECT r.* FROM SMS_CM_RES_COLL_SMSDM001 r inner JOIN SMS_UserMachineRelationship m ON r.Name=m.ResourceName WHERE m.UniqueUserName='$User' AND m.Types = 1"

    The reason for this is that Apple in particular have an annoying habit of having a default name of a device as iPad or iPhone and with your original version of the query you will get multiple wrong devices along with the right device displayed for a user if you have multiple enrolled devices with the same name on the device at the time of enrolment. With corporate devices it tends to be less of an issue because we for example will use the Apple configurator to generate unique device names but if you allow people to enrol personal devices then many people simply never bother to change the default name.

    End result is we had someone on the service desk accidentally retire 9 iPads because they thought they were all incorrectly enrolled by a user previously and never retired when in fact they were devices owned by other people. If they had used some common sense they should have realised something was fishy because the last activity was the same day on all of them… oh well. 🙂

    Reply
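
The difference between the two joins discussed in the comment above, shown on constructed in-memory records instead of a live SMS Provider. This is an added example, not part of the tool or of the comment; the `Get-UserDevice` helper, the `contoso` user names, the device names and all ResourceID values are made up for illustration.

```powershell
# Constructed sample rows standing in for the device collection class
# (SMS_CM_RES_COLL_SMSDM001) and SMS_UserMachineRelationship. Not real inventory.
$devices = @(
    [pscustomobject]@{ ResourceID = 2001; Name = 'iPad' }
    [pscustomobject]@{ ResourceID = 2002; Name = 'iPad' }
    [pscustomobject]@{ ResourceID = 2003; Name = 'iPad' }
    [pscustomobject]@{ ResourceID = 2004; Name = 'CORP-IPHONE-0042' }
)
$relationships = @(
    [pscustomobject]@{ ResourceID = 2001; ResourceName = 'iPad'; UniqueUserName = 'contoso\alice'; Types = 1 }
    [pscustomobject]@{ ResourceID = 2002; ResourceName = 'iPad'; UniqueUserName = 'contoso\bob'; Types = 1 }
    [pscustomobject]@{ ResourceID = 2003; ResourceName = 'iPad'; UniqueUserName = 'contoso\carol'; Types = 1 }
    [pscustomobject]@{ ResourceID = 2004; ResourceName = 'CORP-IPHONE-0042'; UniqueUserName = 'contoso\alice'; Types = 1 }
)

function Get-UserDevice {
    # Hypothetical helper: emulates the inner join of both queries in memory.
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][ValidateSet('Name', 'ResourceID')][string]$JoinOn
    )
    # WHERE m.UniqueUserName = '$User' AND m.Types = 1
    $mine = $relationships | Where-Object { $_.UniqueUserName -eq $User -and $_.Types -eq 1 }
    foreach ($d in $devices) {
        foreach ($m in $mine) {
            # ON r.Name = m.ResourceName   versus   ON r.ResourceID = m.ResourceID
            $match = if ($JoinOn -eq 'Name') { $d.Name -eq $m.ResourceName } else { $d.ResourceID -eq $m.ResourceID }
            if ($match) { $d }
        }
    }
}

$byName = @(Get-UserDevice -User 'contoso\alice' -JoinOn Name)
$byId   = @(Get-UserDevice -User 'contoso\alice' -JoinOn ResourceID)

# The name join also returns every other user's device that is still called "iPad";
# the ResourceID join returns only the two devices related to alice.
'Join on Name:       {0} rows, ResourceIDs {1}' -f $byName.Count, ($byName.ResourceID -join ', ')
'Join on ResourceID: {0} rows, ResourceIDs {1}' -f $byId.Count, ($byId.ResourceID -join ', ')

# Devices that a retire or wipe could hit by mistake when the name join is used.
$foreign = $byName | Where-Object { $_.ResourceID -notin $byId.ResourceID }
'Not owned by alice but listed by the name join: {0}' -f ($foreign.ResourceID -join ', ')
```
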
  2. Nice work here. I hate to give my support desk console access if it isn’t truly needed and this could be the solution. I just need to figure out how to add an extra step to do a wildcard search then select a user, then display the devices.

    Reply
  3. I’d really like to see an option for searching across all data – for example, userid, imei, serial, phone number, device OS – basically all static columns the tool returns. This would help, for example, if someone has not completed their job correctly and placed a user to a serial in our stock list, so we have a rogue serial sitting in the stock but no name associated with it. I’m looking into the script now myself but I’m pretty much a hack at coding, see how I go!

    Reply
