Category Filter

How to find lost iOS devices with MDM

Retrieving a stolen iOS device that is efficiently managed is very simple. Enrolling in MDM is one thing, but if there is any other way to simplify the process, it is DEP – Device Enrollment Program.

How does DEP make management easy?

Long story short, DEP enables MDM profile to be installed in the device during the initial set up and also supervise devices over the air. Once you install an MDM profile from the DEP profile, the MDM profile becomes non-removable. Thus, even if the culprits reset the device, MDM features to find the device can be employed. It includes Remote Ring, Wipe, Lock and enabling Lost Mode.

Note:


You have to uncheck the box corresponding to “Allow MDM profile removal” in the DEP policy (Admin > Apple Business/School Manager > Apple DEP > DEP Configuration Profiles > Configure DEP Profile / Default DEP profile) to make the profile non-removable.


Managed or unmanaged, a device can be retrieved if Find My iPhone is enabled.

Finding an iOS supervised device that is managed by MDM

Actions such as Lock Device, Wipe Device and Scan Device Location can be used to aid in the process of finding a lost/stolen device. Apart from these actions, Activation Lock can also be enabled through policy.

How to track device location using Scan Device Location

The IT admins can also scan the current device location to find the device location.

    1. Go to Policies on the Hexnode portal.
    2. Click on New Policy and double click on New Blank Policy.
    3. Add the Policy name and Description and go to the General Settings tab.
    4. Click on Location Tracking and configure that policy.
    5. Go to Policy Targets and add the iOS device whose location has to be tracked.
    6. Click on Save and Ok on the next pop-up tab.

    1. Now, go to the Manage tab.
    2. Select the device which is to be tracked.
    3. Click on Actions.
    4. Select Scan Device Location.
    5. Go to the Location History tab to get the location details.


Find lost iOS devices with Hexnode MDM using Scan Device Location
You can also lock or wipe the device or enable lost mode to prevent confidential data leaks, or can enable remote ring to find the device.

How to Lock/Wipe/Enable Lost Mode/Enable Remote Ring?

Locking a password-protected device disables its further usage. Wiping the device will entirely erase the devices’ data and settings, which prevents data leaks. Enabling the remote ring would help in finding the device that is lost in the proximity.

  1. On the Hexnode portal, go to Manage
  2. Select the stolen device.
  3. Click on Actions and select Lock Device/Wipe Device/Enable Lost Mode/Remote Ring.

The admin will have to disable the Lost Mode for the device to be reused.

Warning:

Restarting a device that is in lost mode will cause it to lose its Wi-Fi connection. Lost mode can be disabled from the portal only if the device has network connectivity. A complete loss of network connectivity locks down the device indefinitely.

How to enable Activation Lock?

Once a device is stolen, the culprit usually tries to use it as his personal device by reactivating it or tries to sell it. The Activation Lock is a feature provided by Apple to protect devices from being sold or reused illegally. It will prevent unauthorized entities from erasing, resetting or disabling Find my iPhone on one’s device by protecting it with Apple ID. One should sign in with the same Apple ID that has been linked to the device to make it usable. In iOS 7 and later, the Activation Lock gets enabled when Find my iPhone is turned on. There is an option to enable Activation Lock, and bypass/disable the Activation Lock from the Hexnode console. To activate Activation Lock:

  1. Go to Policies on the Hexnode portal.
  2. Click on New Policy and double click on New Blank Policy.
  3. Add the Policy Name and Description and go to the Advanced Restrictions tab.
  4. Go to Allow Security and Privacy Settings and check the option Activation Lock.
  5. Go to Policy Target and add the iOS device.
  6. Click on Save and save the policy.
Notes:


After the policy is successfully pushed from the portal, disable Find My iPhone manually on the device and enable it again for the policy to get applied on the device.

Finding devices that are managed but not supervised

If the device is not supervised but managed, it can be tracked, locked and wiped from the MDM console.

  1. Go to Manage.
  2. Select the device and click on Manage.
  3. Select Lock Device, Wipe Device, Scan Device Location as per your requirement.
Notes:

Finding an unsupervised, unmanaged device

Finding a lost, unsupervised and unmanaged device cannot be done using MDM, but Apple has it’s own Find My iPhone application dedicated for this purpose.

    1. Sign in to your iCloud account.
    2. Select Find iPhone.
    3. If there is more than one device, select the device from the All Devices list.
    4. Choose Locate your device.
Note:


You can only locate your device if:

      • Find my iPhone is enabled on the device that you want to locate.
      • The iOS device is online.

  1. When the device is located on the map, choose Play Sound, Use Lost Mode, Activation Lock or Erase your device option according to your requirement.

Note:


For an iOS 5 device, you can apply actions like lock and locate, but it is not possible to track the device.


If you have misplaced your device, playing a sound will help you retrieve it. If your device is stolen, you can activate Lost Mode to lock your device with a passcode and display a message.

How to disable Lost Mode?

Once the device has been found, Lost Mode can be disabled from the portal or from the device end. Simply entering the device password on the device disables Lost Mode. To disable Lost Mode from the portal:-

    1. On the Hexnode portal, go to Manage.
    2. Select the device.
    3. Click on Actions and select Disable Lost Mode.
Note:


If an admin disenrolls a device on which Lost Mode was enabled from the portal, then the device exits Lost Mode. This is because the action Disable Lost Mode is also pushed to the device when the admin initiates disenrollment.