I ran into my first glitch using Cisco MDM with iOS devices and it's a genuine concern.
I had an iPhone 12 device deployed for an employee that was let go this week and attempted to do a passcode reset to essentially lock the user out of the device. After nearly an hour hold time on the phone, a rep for Cisco informed me that you are only able to "clear passcode" for iOS devices and then you physically need the device in front of you to setup a new passcode. Obviously this wasn't an option for me with the device being hours away in the field. With all my Android enrolled devices, I'm able to reset the passcode and then check-in the device.
I opted to do a "Selective Wipe" for the device, in addition to locking the user out of logging into work related cloud apps. Is the selective wipe my only option going forward for iOS devices if I don't have the device physically returned on the same day?
Thanks for the reply. I just got the device back and noticed the Selective Wipe never took. I also wasn't able to get "Lost Mode" to successfully fire off either. This is pretty frustrating if a sudden change needs to be implemented.
That is deeply troubling, especially for those of us with large remote deployments in play.... I've also had a couple of issues with commands not processing, profiles not installing, and some weird "undefined command" messages in my logs lately....
If you figure out why the commands aren't being processed I'd be very interested to hear about it.
Question: is any of your iOS devices being listed as "Supervised" under the Management area if you click into the device? I'm discovering I never fully did the Apple DEP enrollment and that could be preventing me from having more control. I'm going to dig into the issue deeper.
There are 3 ways to enroll iOS device in MDM. Company owned devices should ideally be enrolled via DEP, device enrollment is a decent alternative for BYOD and user enrollment is a joke and a pain to set up and manage.
1. There isn't a passcode "reset" for iOS, there is only a "clear" passcode. As far as I can see, this doesn't need a supervised device, if Apple's website is to be believed, but it certainly WON'T work for a User Enrolled Device. An my colleague in support is correct: You can't systematically set a new passcode on the device remotely. That's an Apple restriction
2. It would be useful to know the connectivity of the device during the period that you needed to perform the reset: If the device was offline, no amount of coercing would achieve your requirements. Something that I've seen in the past
So, what could you have done? If the requirements was to lock the user out of the device, you could have placed the device into kiosk mode with some completely unrelated application. Notes, for example. This would have prevented the user from using the device whilst keeping the device online.
The other alternative would have been to have completely wiped the device (if the device was in DEP). The user would have been forced to have enrolled the device. The only downside to this is that you'd have lost visibility of the device.
Thank you for taking the time to reply and explain a lot of this, it's much appreciated!
1. Thank you for clearing up the passcode situation. I was revisiting my prior steps with Apple Business to get DEP going to get the phone in "Supervised" mode. But based on what you are saying, it doesn't appear that will even be worth it if I'm unable to truly lock down the phone beyond clearing out the existing passcode?
2. Definitely understand the situation involving the device being offline (I learned that the hard way with an Android devices that need to be fully unlocked before you can reset a passcode).
While I did review kiosk mode, is that something that could get kicked off remotely or is that again a situation where you need the device in-hand?
Right now it appears my best option is to continue turning off access to work-related apps installed on the iOS device. Locking the device through the "Find My iPhone" is a 50/50 solution as they can easily gain access to the device again using the existing passcode.
Sounds like I'm going to be facing limitations on both Android and iOS regardless.