Use device management commands
The following tables list the commands you can send to devices from the Identity Administration portal and Active Directory Users and Computers. The commands available vary depending upon the device type, your Device Management permissions (see Identity Administration portal administrative rights), and the device’s state (enrolled, unenrolled, unreachable). For example, the only command available for unenrolled devices is “Delete.” In addition, if you are using CyberArk Identity for single sign-on only, the only commands available are Delete, SSO Enable, and SSO Disable.
You can issue the commands from the device and user properties in Active Directory Users and Computers when you use Active Directory Group Policy Management for device policy management (see Select the policy service for device management). If you are using the CyberArk Cloud Directory policy service, you can invoke the commands from the Identity Administration portal only.
Users can invoke many of the same commands from the User Portal. The Availability column in the following tables indicates on which devices the commands are available and where they can be called from.
| Device Management | Availability | What the command does |
|---|---|---|
| Administrative Lock | Identity Administration portal | Locks the CyberArk Identity mobile app on the device; only the administrator can unlock it. Users cannot access any functionality in the CyberArk Identity mobile app on the device. |
| Send Notifications | All devices; Active Directory Users and Computers, the Identity Administration portal | Sends a message that you create to the selected enrolled devices. The message can contain a total of 255 characters. You can select multiple enrolled endpoints to send the message to a group of devices. |
| Email Device Log | All devices; Active Directory Users and Computers, the Identity Administration portal, User Portal | Sends the device's log file to the specified email address. You specify the email address when you click the command. Logs are sent only when the endpoint has an active internet connection, either via mobile data or Wi-Fi (depending on the option selected when performing the action). |
| Delete | All devices; Active Directory Users and Computers, the Identity Administration portal, User Portal | Deletes the device record from CyberArk Identity, Active Directory Users and Computers, and CyberArk Cloud Directory. This also removes the device listing from the Identity Administration portal and the User Portal. |
| Device Lockout | Active Directory Users and Computers, the Identity Administration portal, and User Portal. This command is not available to administrators with the Device Management (Limited) role permission. | Locks down the device. This command lets you define a passcode that must be entered to unlock the device. In addition, the command lets you specify a lockout message that is displayed on the device. |
| Fetch Device Log | Android and iOS devices; Identity Administration portal only | Sends the audit log file from the device to an email address. Set the Common Settings > Mobile Settings > Enable debug logging policy to get richer debug information. You specify the email address when you click the command. You can also set an option to send the log file only when the device is on Wi-Fi. |
| Fetch Audit Log | Android and iOS devices; Active Directory Users and Computers only | Sends the audit log file from the device to an email address. Set the Common Settings > Mobile Settings > Enable debug logging policy to get richer debug information. You specify the email address when you click the command. You can also set an option to send the log file only when the device is on Wi-Fi. |
| Force Password Change | Active Directory Users and Computers, the Identity Administration portal, and User Portal | Forces the user to create a new password. Users are first prompted to enter their current password; if this fails, the user cannot create a new password. If the device is on, the prompt is displayed as soon as the command is received. If the device is off, the prompt is displayed the next time it is turned on. |
| Lock Screen | All devices; Active Directory Users and Computers, the Identity Administration portal, and User Portal | Locks the device screen. To restore the screen, the user must enter the passcode. |
| Lock Client App | iOS and Android devices only; Identity Administration portal and User Portal | Locks the CyberArk Identity mobile app on the device. |
| Reset Client App PIN | iOS and Android devices only; Active Directory Users and Computers, the Identity Administration portal, and User Portal | Resets the passcode for the client application on the device. This command is useful when users forget their passcodes. |
| Ping | All devices; Active Directory Users and Computers and the Identity Administration portal only | Sends a message to the device and updates the device's "last seen" timestamp. Use this command to determine whether an enrolled device in the Unreachable state is back in communication with CyberArk Identity. If the device acknowledges the message, CyberArk Identity updates the timestamp used to determine whether the device is still in use. After you send the Ping command, refresh the browser page to update the device's status. |
| Power Off Device | Active Directory Users and Computers, the Identity Administration portal, and User Portal | Turns off the device. |
| Reapply Policies | All devices; Active Directory Users and Computers and the Identity Administration portal only | Installs all of the current group policy profiles (rather than only the updated policies) on the device. Group policies are not installed on devices for users whose accounts are in CyberArk Cloud Directory alone. |
| Reboot Device | Active Directory Users and Computers only | Forces the device to reboot. |
| Reset Password | iOS devices; Active Directory Users and Computers, the Identity Administration portal, and User Portal | Forces the user to create a new passcode. This command prompts the user to create a new password without first authenticating them (use Force Password Change if you want to authenticate the user before the passcode can be changed). For Android devices version 8.0 and higher, this command allows admins to set a generated password; the user's device must be in Device Owner Mode or Profile Owner Mode to use this feature. If the device is on, the prompt is displayed as soon as the command is received. If the device is off, the prompt is displayed the next time it is turned on. This command does not undo a lock command. |
| Unenroll Device | All devices; Active Directory Users and Computers, the Identity Administration portal, and User Portal. This command is not available to administrators with the Device Management (Limited) role permission. | Suspends the device from CyberArk Identity. This removes all mobile device policy profiles installed on the device. It does not, however, remove the CyberArk Identity mobile app. To use CyberArk Identity again, the user must enroll the device again. You can set a policy that prevents users from unenrolling a device; see Common Mobile Settings. |
| Update Policies | All devices; Active Directory Users and Computers, the Identity Administration portal, and User Portal | Pushes the current mobile device policies to the device for installation. This command ensures that the device has the latest mobile device policy settings. |
| Update Mobile Client | Devices in kiosk mode | Updates the CyberArk mobile client on demand for devices in kiosk mode. This command is independent of any auto updates that have been configured. |
| Wipe Device | All devices; Active Directory Users and Computers, the Identity Administration portal, and User Portal. This command is not available to administrators with the Device Management (Limited) role permission. | Removes all user data and restores the device to its shipping default state. |
| Show FileVault Recovery Key | OS X devices (10.9 or later); Identity Administration portal | Retrieves a device's FileVault recovery key. FileVault recovery keys are only available after the FileVault policy is pushed to a device and applied (triggered by an administrator login after the policy is pushed). This key is stored permanently in the Identity Administration portal, even if the FileVault encryption policy is disabled on the Policy page or the device is unenrolled. Refer to OS X Settings for more information about enabling the FileVault encryption policy. |
| SSO Management | Availability | To do this |
|---|---|---|
| Disable SSO | All devices; Active Directory Users and Computers, the Identity Administration portal, and User Portal | Disables single sign-on for the web applications listed in the CyberArk Identity mobile app. You would use this command, for example, if the device is misplaced or stolen. After this command is sent, an error message indicating that SSO is disabled is displayed when the user opens an application. The user cannot open any application on the selected device that uses SSO until the Enable SSO command is sent. |
| Enable SSO | All devices; Active Directory Users and Computers, the Identity Administration portal, and User Portal | Enables single sign-on for the web applications listed in the CyberArk Identity mobile app. By default, SSO is enabled. This command is provided so you can enable single sign-on again for a device that previously had it disabled. |
| Call Log Management | Availability | To do this |
|---|---|---|
| Reset Call Counts | Active Directory Users and Computers, the Identity Administration portal, and User Portal | Resets the call counts. |
| Reset Data Usage Count | Active Directory Users and Computers, the Identity Administration portal, and User Portal | Resets the count of cellular data network bytes received and sent. |