Clearing Passcodes


When you are enforcing passcodes in your organization and using Mobile Access Management, there are some considerations to keep in mind, especially when using Check Out Workflows.

Mobile Access Management cannot connect to a passcode-locked device over USB, and it cannot clear the passcode by itself. If a device is connected while it is merely unlocked, without the passcode having been removed, Mobile Access Management cannot be expected to work reliably, and that Workflow is not supported. If the device has an active internet connection, however, Mobile Access Management can ask the MDM to clear the passcode over the air.

We can do this in two ways that together address most scenarios.

  • Clear Device Passcode via MDM when device is not pairing with a Launchpad.
  • Perform MDM Command workflow action to clear a device’s passcode.

Both of these methods have some important things to consider:

 Important

  • Your MDM must install a profile on all shared devices that disables USB Restricted Mode; otherwise a device that has been locked for a while refuses USB data connections and the Launchpad cannot talk to it.
  • Clearing the passcode does not work on an iOS device that has rebooted unless it has a cellular connection, or it is connected to a Mac and uses network tethering. For tethering to be used, the device must be connected to the Launchpad it was last provisioned on. For more information, see /blog/3612.
  • Clearing the passcode requires a network path to the MDM; it does not work on a device with no Wi-Fi connection (see the previous point for the rebooted case).
  • If the passcode is not known and the MDM cannot clear it, the only remaining option is to put the iOS device into recovery mode and erase it.
  • Updating iOS on devices with passcodes is supported only when the devices are erased.
  • If you enforce a passcode via MDM, Imprivata recommends installing that profile during check out, not during check in.

Clear Device Passcode via MDM when device is not pairing

When enabled, Mobile Access Management detects when a device is connected to a Launchpad but is not pairing. When this condition persists for 5 seconds, Mobile Access Management sends an MDM command to clear the device’s passcode.

Enable Globally

To enable globally:

  1. In the MAM console, navigate to Admin > Launchpads > Clear Device Passcode via MDM — when device is not pairing. The page displays the MDMs you have set up with API support that also support this feature.
  2. Enable each MDM (one or several) for which GroundControl should send the “Clear Passcode” API call when devices are connected but not pairing.

With this enabled, Mobile Access Management handles passcode-locked devices as follows:

  • When a managed device is connected but not pairing, Mobile Access Management clears its passcode via the MDM.
  • Personal devices are never touched. Only devices managed by Mobile Access Management (i.e. with an active or retired Mobile Access Management status) are considered for passcode clearing.
  • Mobile Access Management waits up to 5 minutes for the passcode to clear (the earlier default was 1 minute).
  • If the device is still unpaired after 5 minutes, Mobile Access Management can automate force recovery, erasing and updating the device. This covers Wi-Fi only devices that are passcode-locked and have not been unlocked since their last reboot, since such a device never comes back online to receive the MDM command.
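To make the sequence above concrete, here is an added example (not Imprivata or GroundControl code) that models the handler in Python: the 5-second not-pairing threshold, the managed-status filter, the 5-minute wait for the passcode to clear, and the force-recovery fallback for a device that never comes back online. The Device record, the simulate() loop and the assumption that the MDM relays the standard Apple MDM ClearPasscode command (which must carry the UnlockToken the device escrowed at enrollment) are illustrative assumptions, not details taken from the article.

```python
"""Model of "Clear Device Passcode via MDM when device is not pairing".

Added example, not Imprivata/GroundControl code. Device, decide() and
simulate() are hypothetical; the ClearPasscode plist follows the public
Apple MDM protocol, which requires the device's escrowed UnlockToken.
"""
import plistlib
import uuid
from dataclasses import dataclass
from typing import List, Optional, Tuple

NOT_PAIRING_THRESHOLD_S = 5.0        # article: connected but not pairing for 5 seconds
PASSCODE_CLEAR_TIMEOUT_S = 5 * 60.0  # article: wait up to 5 minutes (previously 1)
MANAGED_STATUSES = ("active", "retired")   # article: only these are considered


@dataclass
class Device:
    udid: str
    mam_status: str               # "active", "retired", or anything else = personal
    has_passcode: bool
    online: bool                  # reachable by the MDM (cellular, Wi-Fi or tethered)
    unlock_token: Optional[bytes] # escrowed by the MDM at enrollment; None if absent
    connected_not_pairing_s: float = 0.0
    clear_sent_at_s: Optional[float] = None


def build_clear_passcode_command(device: Device) -> bytes:
    """Build the Apple MDM ClearPasscode command plist the MDM would queue.

    The command is useless without the UnlockToken from the device's
    TokenUpdate message, so refuse to build it rather than send a dud.
    """
    if device.unlock_token is None:
        raise ValueError("ClearPasscode requires the device's UnlockToken")
    command = {
        "CommandUUID": str(uuid.uuid4()),
        "Command": {"RequestType": "ClearPasscode",
                    "UnlockToken": device.unlock_token},
    }
    return plistlib.dumps(command)


def command_request_type(blob: bytes) -> str:
    """Return the RequestType of a serialized MDM command (for checking)."""
    return plistlib.loads(blob)["Command"]["RequestType"]


def decide(device: Device, now_s: float) -> str:
    """Action for a device that is connected to a Launchpad but not paired.

    Returns one of: ignore, wait, clear_passcode, force_recovery.
    """
    if device.mam_status not in MANAGED_STATUSES:
        return "ignore"                       # personal device: never touched
    if device.connected_not_pairing_s < NOT_PAIRING_THRESHOLD_S:
        return "wait"                         # give pairing 5 seconds first
    if device.clear_sent_at_s is None:
        return "clear_passcode"               # first escalation: MDM command
    if now_s - device.clear_sent_at_s >= PASSCODE_CLEAR_TIMEOUT_S:
        return "force_recovery"               # still locked after 5 min: erase/update
    return "wait"


def simulate(device: Device, tick_s: float = 1.0,
             max_s: float = 600.0) -> Tuple[List[str], float]:
    """Step the handler once per tick; return (distinct actions, end time).

    An online device receives the command, drops its passcode and pairs.
    An offline device (e.g. Wi-Fi only, rebooted, never unlocked) cannot
    receive it and ends in force_recovery after the 5-minute wait.
    """
    actions: List[str] = []
    t = 0.0
    while t <= max_s:
        action = decide(device, t)
        if not actions or actions[-1] != action:
            actions.append(action)
        if action in ("ignore", "force_recovery"):
            return actions, t
        if action == "clear_passcode":
            build_clear_passcode_command(device)   # MDM queues the command here
            device.clear_sent_at_s = t
            if device.online:                      # command delivered: device unlocks
                device.has_passcode = False
                actions.append("paired")
                return actions, t
        device.connected_not_pairing_s += tick_s
        t += tick_s
    return actions, t


if __name__ == "__main__":
    wifi_only_rebooted = Device("UDID-B", "active", True, False, b"\x02" * 32)
    print(simulate(wifi_only_rebooted))  # ends in force_recovery at t=305
```

The offline path is the one worth studying: the command is queued in the MDM, but a rebooted Wi-Fi-only device never fetches it, so the only observable outcome at the Launchpad is the 5-minute timeout followed by force recovery.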

Enable Per Launchpad

To target only certain Launchpads or devices, create a Workflow and automate it with a Rule:

  1. Create an over the air (OTA) Workflow that includes a Clear Passcode action.
  2. Create an automation Rule that targets Unpaired Devices.
  3. Select the OTA Workflow created in step 1.
  4. Save and enable the Rule.

Perform MDM Command Workflow Action to Clear Passcode

Under certain conditions, devices with passcodes will still pair with Mobile Access Management.

For example, the user may connect the device while it is unlocked.

You must clear the passcode in your Workflow if any of the following apply:

  • You will check in the device for another user.
  • You will update iOS on this device (updating a device that still has a passcode may brick it).
  • You are performing any action other than Erase.

To clear a passcode without an Erase action, use the Perform MDM Command Workflow action (with a supported MDM) as a Pre-Enrollment action that clears the device’s passcode. This action runs before the other Pre-Enrollment actions such as Delete Device from MDM, which matters because once the device has been removed from the MDM there is no longer a channel through which to send it the command.

If your automated Workflow includes an Erase action, you do not need to clear the passcode in the Workflow. Erase will clear the passcode.