Clearing Passcodes

When you are enforcing passcodes in your organization and using GroundControl, there are some considerations to keep in mind, especially when using Check Out Workflows.

Unfortunately, GroundControl cannot automatically connect to passcode-locked devices or clear the device’s passcode. When devices are connected to GroundControl but are simply unlocked, without clearing the passcode, GroundControl cannot be expected to work reliably, and this Workflow is not supported. However, if the device has an active internet connection, GroundControl can use the MDM to clear the passcode over the air.

We can do this in two ways that together address most scenarios.

  • Clear Device Passcode via MDM when device is not pairing with a Launchpad.
  • Perform MDM Command workflow action to clear a device’s passcode.

Both of these methods have some important things to consider:

Important

  • Your MDM must install a profile on all shared devices to disable USB restricted mode.
  • Clearing passcodes does not work on rebooted iOS devices unless they have a cellular connection or are connected to a Mac and use network tethering. To use network tethering for passcode clearing, the iOS device must be connected to the Mac it was last provisioned on. For more information, see /blog/3612.
  • Clearing a passcode does not work on devices without a Wi-Fi connection.
  • If the passcode is not known, the device must be put into recovery mode and erased.
  • Updating iOS on devices with passcodes is supported only when devices are erased.
  • If you enforce passcodes via MDM, Imprivata recommends setting this profile up during check out, not during check in.

Clear Device Passcode via MDM when device is not pairing

When enabled, GroundControl detects when a device is connected to a Launchpad but not pairing. When this condition persists for 5 seconds, GroundControl sends an MDM command to clear the device’s passcode.

To enable globally

To enable, navigate to Admin > Launchpads > Clear Device Passcode via MDM — when device is not pairing. The screen displays the MDMs you have set up with API support that also support this feature.

Enable one or more MDMs to have GroundControl send the “Clear Passcode” API command when devices are connected but not pairing.

GroundControl improves how it handles passcode-locked devices.

  • When devices are not pairing, GroundControl can clear passcodes via MDM, as before.
  • GroundControl will no longer clear passcodes from personal devices. Only devices managed by GroundControl (i.e. with an active or retired GroundControl status) are considered for passcode clearing.
  • GroundControl waits up to 5 minutes for a passcode to clear, instead of the previous default of 1 minute.
  • If still unpaired after 5 minutes, GroundControl may automate force recovery – erasing and updating devices. This is helpful for Wi-Fi-only devices that are passcode-locked and have not been unlocked since the last reboot.

To enable per Launchpad

If you want to target only certain Launchpads or devices, you can instead create a Workflow and automate it via Rules.

1. Create an over the air (OTA) Workflow that includes a Clear Passcode action.

2. Create an automation rule that targets Unpaired Devices.

3. Select the OTA Workflow created in step 1.

4. Save and enable the rule.

Perform MDM Command workflow action to clear passcode

Under certain conditions, devices with passcodes will still pair with GroundControl. For example, your users may connect the device while it is unlocked. You must clear the passcode in your workflow in any of the following cases.

  • You will check in the device for another user.
  • You will update iOS on this device (this feature may brick the device if it has a passcode).
  • You are performing any actions other than Erase.

To clear a passcode without an erase action, you can use the Perform MDM Command Workflow action with supported MDMs to enable a Pre-Enrollment action that clears the device’s passcode. This action runs before other Pre-Enrollment actions such as Delete Device from MDM.

If your automated Workflow includes an Erase, you do not need to clear the passcode in the Workflow. Erase will clear the passcode.