For a while the Mobile Guardian team has been the only team with access to diagnose issues relating to incomplete MDM commands. It seems the next logical step is to open up these tools for our partners to use and support their customers as best they can. This will also help when logging issues with the Mobile Guardian 3rd-line technical support team, so that any issues are understood and resolved in good time.
It is important to note that this tool is technical in nature and will only be available to a Super User (“the user”) who has logged in on behalf of an Administrator. Exposing all of this technical jargon and implied knowledge to the Administrator user in its current form may be overwhelming and result in more questions than answers. We will look to improve this in time with simplified message descriptions and ease of use so that it can be viewed by the Administrator user as a troubleshooting tool.
What is an MDM command and how does it work?
An MDM command is a message sent via Apple (APNS) to the device letting the device know that there are commands for it to fetch and then perform. If there is a break in this communication (for whatever reason) then the device does not know that it needs to perform the fetch action. This would then mean that the command was incomplete and the desired action will not occur. The diagram below shows the interactions between the MDM, Apple and the Device when a command is triggered from Mobile Guardian.
The flow can be explained as follows:
- An MDM command is triggered from Mobile Guardian and this is sent to Apple via an APNS message. Status is SENT.
A common misunderstanding is that Mobile Guardian sends this directly to the device. In fact the message goes through Apple, which adds an additional step and therefore additional complexity.
- If the Device has successfully received the APNS message then the Status changes to PUSHED, meaning that the device has responded to receiving the APNS message letting it know that it should fetch the command from Mobile Guardian.
- If the Device has not received the APNS message and therefore cannot action the command, the status changes to NOTNOW. NOTNOW means that the Device is unable to process requests at this time; it also means that when the Device is eventually able to process commands, it will.
The most common cause for a NOTNOW response is that the device is locked with a passcode or the device is locked and has Data Protection enabled. Mobile Guardian has added the ability for the user to “Poke” a device once they know it is unlocked and active; this sends the APNS message.
- The Device then fetches the command from Mobile Guardian and responds with a success message meaning the Device has successfully acknowledged the information fetched. Status is ACKNOWLEDGED and this is the desired status for the happy-day scenario.
- If the Device has not been able to acknowledge the information fetched from Mobile Guardian it will inform us with an error. Status is ERROR.
Knowing the different statuses helps the support staff or super administrator know exactly where the issue is, if an issue were to occur. Mobile Guardian sends additional detail of any unsuccessful interactions if it is available.
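As an added illustration (not Mobile Guardian's code or export format), the status flow above can be replayed over a command history to show where each incomplete command stopped and how many a device has. The event tuple layout, the device and command names, the transitions out of NOTNOW, and treating every status other than ACKNOWLEDGED as incomplete are assumptions.

```python
from collections import Counter

# Transitions implied by the flow above. The two NOTNOW edges are assumptions
# (a "Poke" re-send, or the device becoming available); the page does not list them.
ALLOWED = {
    None: {"SENT"},
    "SENT": {"PUSHED", "NOTNOW"},
    "NOTNOW": {"SENT", "PUSHED"},
    "PUSHED": {"ACKNOWLEDGED", "ERROR"},
}
# Where the flow stopped for each status other than ACKNOWLEDGED.
STALLED_AT = {
    "SENT": "APNS message sent via Apple, no device response recorded yet",
    "NOTNOW": "device cannot process requests now (often locked); Poke once unlocked",
    "PUSHED": "device got the APNS message but has not acknowledged the fetch",
    "ERROR": "device fetched the command and reported an error; open the detail",
}

def triage(events):
    """events: iterable of (timestamp, device, command_id, status) tuples."""
    last, anomalies = {}, []
    for _ts, device, cmd, status in sorted(events):
        prev = last.get((device, cmd))
        if status not in ALLOWED.get(prev, set()):
            anomalies.append((device, cmd, prev, status))  # out-of-order or missing step
        last[(device, cmd)] = status
    # Assumption: anything not ACKNOWLEDGED counts as an incomplete command.
    incomplete = {key: STALLED_AT.get(status, "unknown status")
                  for key, status in last.items() if status != "ACKNOWLEDGED"}
    per_device = Counter(device for device, _cmd in incomplete)
    return per_device, incomplete, anomalies

# Constructed sample history; device and command names are hypothetical.
SAMPLE = [
    ("2024-01-10T08:00:00", "ipad-01", "cmd-1", "SENT"),
    ("2024-01-10T08:00:02", "ipad-01", "cmd-1", "PUSHED"),
    ("2024-01-10T08:00:05", "ipad-01", "cmd-1", "ACKNOWLEDGED"),
    ("2024-01-10T08:01:00", "ipad-01", "cmd-2", "SENT"),
    ("2024-01-10T08:01:03", "ipad-01", "cmd-2", "NOTNOW"),
    ("2024-01-10T08:02:00", "ipad-02", "cmd-3", "SENT"),
    ("2024-01-10T08:02:02", "ipad-02", "cmd-3", "PUSHED"),
    ("2024-01-10T08:02:04", "ipad-02", "cmd-3", "ERROR"),
    ("2024-01-10T08:03:00", "ipad-02", "cmd-4", "SENT"),
    ("2024-01-10T08:04:00", "ipad-03", "cmd-5", "PUSHED"),  # SENT record missing
]

if __name__ == "__main__":
    per_device, incomplete, anomalies = triage(SAMPLE)
    for (device, cmd), reason in sorted(incomplete.items()):
        print(f"{device} {cmd}: {reason}")
    print(dict(per_device), anomalies)
```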
Where to find it on the Dashboard
On the Devices table there will be an indicator in the LAST SEEN column for the Super Administrator to easily identify if there are any incomplete MDM commands sent to a particular device.
The number indicates how many incomplete MDM messages are associated with that device.
The user can then drill down into more information if they want to find out where the errors may have occurred as well as what they might have been. This can be found in the Device Detail page:
A new tab has been added called “MDM History” and it will show all the MDM commands as described in the sections above as well as their statuses and times.
The commands also have the detail behind them and the clickable ones allow the user to view the technical detail at a lower level. Example: Error numbers and messages, profile restriction ID applied, profile certificates installed, etc.
Detailed message examples: