A Mobile Device Management (MDM) command is a message sent to an Apple device via the Apple Push Notification Service (APNS). This message informs the device that it has pending commands to fetch and execute. If communication is interrupted, the device will not perform the fetch action, resulting in an incomplete command and the desired action not occurring. The diagram below illustrates the interaction between MDM, Apple, and the device when a command is triggered from Mobile Guardian.
MDM Command Flow
- Command Triggered:
  - An MDM command is initiated from Mobile Guardian and sent to Apple via an APNS message. The status is set to SENT.
  - It's a common misconception that Mobile Guardian sends commands directly to the device, but Apple's involvement adds an extra step and complexity.
- Command Pushed:
  - If the device successfully receives the APNS message, the status changes to PUSHED, indicating the device has responded and is ready to fetch the command from Mobile Guardian.
- Command Not Processed (NOT NOW):
  - If the device does not receive the APNS message and cannot act on the command, the status changes to NOTNOW. This means the device is currently unable to process requests but will do so when it can.
  - Common causes for a NOTNOW response include the device being locked with a passcode or having Data Protection enabled.
  - Mobile Guardian provides a "Poke" feature to send the APNS message again once the device is unlocked and active.
- Command Acknowledged:
  - The device fetches the command from Mobile Guardian and responds with a success message. The status is set to ACKNOWLEDGED, which is the desired outcome.
- Command Error:
  - If the device cannot acknowledge the information fetched from Mobile Guardian, it will report an error. The status changes to ERROR.
Understanding these statuses helps support staff or super administrators identify and troubleshoot issues.
Identifying Incomplete MDM Commands
On the Dashboard
- In the Devices table, the LAST SEEN column includes an indicator for the number of incomplete MDM commands associated with a device.
- Clicking on the indicator provides more detailed information about where errors occurred and their nature.
MDM History Tab
- A new tab called MDM History shows all MDM commands, their statuses, and timestamps.
- Clickable commands allow users to view detailed technical information, such as error numbers and messages, profile restriction IDs applied, profile certificates installed, and more.
By understanding how MDM commands work and the different statuses they can have, administrators can better manage their device fleets and troubleshoot any issues that arise. The Mobile Guardian dashboard provides tools to monitor and resolve MDM command issues effectively.