Working with commands for mobile devices

This section contains information about commands for managing mobile devices supported by the application. The section provides instructions on how to send commands to mobile devices, as well as how to view the execution statuses of commands in the command log.

Commands for mobile device management

Kaspersky Security Center supports commands for mobile device management.

Such commands are used for remote mobile device management. For example, if your mobile device is lost, you can delete corporate data from the device by using a command.

You can use commands for the following types of managed mobile devices:

• iOS MDM devices
• Kaspersky Endpoint Security (KES) devices
• EAS devices

Each device type supports a dedicated set of commands.

Special considerations for certain commands

• For all types of devices, if the Reset to factory settings command is successfully executed, all data is deleted from the device, and the device settings are rolled back to their factory values.
• After successful execution of the Wipe corporate data command on an iOS MDM device, all installed configuration profiles, provisioning profiles, the iOS MDM profile, and applications for which the Remove together with iOS MDM profile check box has been selected are removed from the device.
• If the Wipe corporate data command is successfully executed on a KES device, all corporate data, entries in Contacts, the SMS history, the call log, the calendar, the internet connection settings, and the user accounts, except for the Google account, will be deleted from the device. For a KES device, all data from the memory card will also be deleted.
• Before sending the Locate command to a KES device, you will have to confirm that you are using this command for an authorized search for a lost device that belongs to your organization or to one of your employees. When using Kaspersky Security Center Service Pack 2 Maintenance Release 1 or earlier versions, a mobile device that receives the Locate command is locked. Starting from Kaspersky Security Center 10 Service Pack 3, the device is not locked.

List of commands for mobile devices

The following table shows sets of commands for iOS MDM devices.

Supported commands for mobile device management: iOS MDM devices

The following table shows sets of commands for KES devices.

Supported commands for mobile device management: KES devices

The following table shows the commands for EAS devices.

Supported commands for mobile device management: EAS devices

Using Google Firebase Cloud Messaging

To ensure timely delivery of commands to KES devices managed by the Android operating system, Kaspersky Security Center uses the mechanism of push notifications. Push notifications are exchanged between KES devices and Administration Server through Google Firebase Cloud Messaging. In Kaspersky Security Center Administration Console, you can specify the Google Firebase Cloud Messaging settings to connect KES devices to the service.

To retrieve the settings of Google Firebase Cloud Messaging, you must have a Google account.

To configure Google Firebase Cloud Messaging:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
2. In the context menu of the Mobile devices folder, select Properties.

   This opens the properties window of the Mobile devices folder.

3. Select the Google Firebase Cloud Messaging settings section.
4. In the Sender ID field, specify the number of a Google API project that you have received when creating one in the Google Developer Console.
5. In the Server key field, enter a common server key that you have created in the Google Developer Console.

At the next synchronization with Administration Server, KES devices managed by Android operating systems will be connected to Google Firebase Cloud Messaging.

You can edit the Google Firebase Cloud Messaging settings by clicking the Reset settings button.

Sending commands

To send a command to the user's mobile device:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

   The folder workspace displays a list of managed mobile devices.

2. Select the user's mobile device to which you need to send a command.
3. In the context menu of the mobile device, select Show command log.
4. In the Mobile device management commands window, proceed to the section with the name of the command that you need to send to the mobile device, then click the Send command button.

   Depending on the command that you have selected, clicking the Send command button may open the window of advanced settings of the application. For example, when you send the command for deleting a provisioning profile from a mobile device, the application prompts you to select the provisioning profile that must be deleted from the mobile device. Define the advanced settings of the command in that window and confirm your selection. After that, the command will be sent to the mobile device.

   You can click the Resend button to send the command to the user's mobile device again.

   You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

   The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

5. Click OK to close the Mobile device management commands window.

Viewing the statuses of commands in the command log

The application saves to the command log information about all commands that have been sent to mobile devices. The command log contains information about the time and date that each command was sent to the mobile device, their respective statuses, and detailed descriptions of command execution results. For example, in case execution of a command is unsuccessful, the log displays the cause of the error. Records are stored in the command log for 30 days maximum.

Commands sent to mobile devices can have the following statuses:

• Running—The command has been sent to the mobile device.
• Completed—The command execution has successfully completed.
• Completed with error—The command execution has failed.
• Deleting—The command is being removed from the queue of commands sent to the mobile device.
• Deleted—The command has been successfully removed from the queue of commands sent to the mobile device.
• Error deleting—The command could not be removed from the queue of commands sent to the mobile device.

The application maintains a command log for each mobile device.

To view the log of commands sent to a mobile device:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

   The folder workspace displays a list of managed mobile devices.

2. In the list of mobile devices, select the one for which you want to view the command log.
3. In the context menu of the mobile device, select Show command log.

   The Mobile device management commands window opens. The sections of the Mobile device management commands window correspond to the commands that can be sent to the mobile device.

4. Select sections containing the necessary commands and view information about how the commands are sent and executed in the Command log section.

In the Command log section, you can view the list of commands that have been sent to the mobile device and details about those commands. The Show commands filter allows you to display in the list only commands with the selected status.