Use device management commands

The following tables list the commands you can send to devices from the Identity Administration portal and Active Directory Users and Computers. The commands available vary depending upon the device type, your Device Management permissions (see Identity Administration portal administrative rights), and the device’s state (enrolled, unenrolled, unreachable). For example, the only command available for unenrolled devices is “Delete.” In addition, if you are using CyberArk Identity for single sign-on only, the only commands available are Delete, SSO Enable, and SSO Disable.

You can issue the commands from the device and user properties in Active Directory Users and Computers when you use Active Directory Group Policy Management for device policy management (see Select the policy service for device management). If you are using CyberArk Cloud Directory policy service, you can invoke the commands from the Identity Administration portal alone.

If you are using Active Directory Group Policy Management for device policy management, you can also use the Active Directory Disable Account command to unenroll a device.

Users can invoke many of the same commands from the User Portal. The Availability column in the following tables indicates on which devices the commands are available and where they can be called from.

Device Management

Each entry below gives the command name, its Availability (the devices it applies to and where it can be invoked from), and what the command does.

Administrative Lock

Availability: Identity Administration portal

Locks the CyberArk Identity mobile app on the device so that only an administrator can unlock it. Users cannot access any functionality in the CyberArk Identity mobile app on the device.

Send Notifications

Availability: All devices; Active Directory Users and Computers, the Identity Administration portal

Sends a message that you create to the selected enrolled devices. The message can contain a total of 255 characters. You can select multiple enrolled endpoints to send the message to a group of devices.

Email Device Log

Availability: All devices; Active Directory Users and Computers, the Identity Administration portal, User Portal

Sends the device log file from the device to the specified email address.

You specify the email address when you click the command. Logs are sent only when the endpoint has an active internet connection, either via mobile data or Wi-Fi (depending on the option you select when you issue the command).

Delete

Availability: All devices; Active Directory Users and Computers, the Identity Administration portal, User Portal

Deletes the device record from CyberArk Identity, Active Directory Users and Computers, and CyberArk Cloud Directory. This also removes the device listing from the Identity Administration portal and the User Portal.

Notes

  • If you delete an enrolled device, the device is unenrolled. The user is prompted to enter their credentials the next time they open the CyberArk Identity mobile app, to re-enroll the device.
  • In Active Directory Users and Computers, the Delete command is offered separately from the All Tasks commands.

Device Lockout

Availability: Active Directory Users and Computers, the Identity Administration portal, and User Portal

This command is not available to administrators with the Device Management (Limited) role permission.

Locks down the device.

This command lets you define a passcode that must be entered to unlock the device. In addition, the command lets you specify a lockout message that is displayed on the device.

Fetch Device Log

Availability: Android and iOS devices; Identity Administration portal only

Sends the audit log file from the device to an email address.

Set the Common Settings > Mobile Settings > Enable debug logging policy to get richer debug information.

You specify the email address when you click the command. You can also set an option to send the log file only when the device is on Wi-Fi.

Note: Only iOS 7.0 and later is supported, and iOS devices do not support the Wi-Fi-only option.

Fetch Audit Log

Availability: Android and iOS devices; Active Directory Users and Computers only

Sends the audit log file from the device to an email address.

Set the Common Settings > Mobile Settings > Enable debug logging policy to get richer debug information.

You specify the email address when you click the command. You can also set an option to send the log file only when the device is on Wi-Fi.

Note: Only iOS 7.0 and later is supported, and iOS devices do not support the Wi-Fi-only option.

Force Password Change

Availability: Active Directory Users and Computers, the Identity Administration portal, and User Portal

Forces the user to create a new password. Users are first prompted to enter their current password; if that fails, the user cannot create a new password.

If the device is on, the prompt is displayed as soon as the command is received. If the device is off, the prompt is displayed the next time it is turned on.

Lock Screen

Availability: All devices; Active Directory Users and Computers, the Identity Administration portal, and User Portal

Locks the screen. To restore the screen, the user must enter the passcode.

Note: On OS X devices, the Lock command only works if the version of OS X running has a recovery partition. If there is no recovery partition, the command is not executed.

Lock Client App

Availability: iOS and Android devices only; Identity Administration portal and User Portal

Locks the CyberArk Identity mobile app on the device.

Reset Client App PIN

Availability: iOS and Android devices only; Active Directory Users and Computers, the Identity Administration portal, and User Portal

Resets the passcode for the client application on the device. This command is useful when users forget their passcodes.

Ping

Availability: All devices; Active Directory Users and Computers and the Identity Administration portal only

Sends a message to the device and updates the device’s “last seen” timestamp.

Use this command to determine whether an enrolled device in the Unreachable state is back in communication with CyberArk Identity. If the device acknowledges the message, CyberArk Identity updates the timestamp used to determine whether or not the device is still in use.

After you send the ping command, refresh the browser page to update the device’s status.

Power Off Device

Availability: Active Directory Users and Computers, the Identity Administration portal, and User Portal

Turns off the device.

Reapply Policies

Availability: All devices; Active Directory Users and Computers and the Identity Administration portal only

Installs all of the current group policy profiles (rather than only the updated policies) on the device.

Group policies are not installed on devices for users whose accounts are in CyberArk Cloud Directory alone.

Reboot Device

Availability: Active Directory Users and Computers only

Forces the device to reboot.

Reset Password

Availability: iOS devices; Active Directory Users and Computers, the Identity Administration portal, and User Portal

Forces the user to create a new passcode. (Use Force Password Change if you want to authenticate the user before the passcode can be changed.) For Android devices version 8.0 and higher, this command allows admins to set a generated password; the user's device must be in Device Owner Mode or Profile Owner Mode in order to use this feature.

If the device is on, the prompt is displayed as soon as the command is received. If the device is off, the prompt is displayed the next time it is turned on.

This command does not undo a lock command.

Unenroll Device

Availability: All devices; Active Directory Users and Computers, the Identity Administration portal, and User Portal

This command is not available to administrators with the Device Management (Limited) role permission.

Suspends the device from CyberArk Identity. This removes all mobile device policy profiles installed on the device. It does not, however, remove the CyberArk Identity mobile app.

To use CyberArk Identity again, the user must enroll the device again.

You can set a policy that prevents users from unenrolling a device. See Common Mobile Settings.

Update Policies

Availability: All devices; Active Directory Users and Computers, the Identity Administration portal, and User Portal

Pushes the current mobile device policies for installation on the device. This command ensures that the device has the latest mobile device policy settings.

Update Mobile Client

Availability: Devices in kiosk mode

Updates the CyberArk mobile client on demand for devices in kiosk mode. This command is independent of any auto updates that have been configured.

Wipe Device

Availability: All devices; Active Directory Users and Computers, the Identity Administration portal, and User Portal

This command is not available to administrators with the Device Management (Limited) role permission.

Removes all user data and restores the device to its shipping default state.

Notes:

  • You can set a policy that prevents users from wiping a device. See Common Mobile Settings.
  • On OS X devices, the Remote Wipe command only works if the version of OS X running has a recovery partition. If there is no recovery partition, the command is not executed.

Show FileVault Recovery Key

Availability: OS X devices (10.9 or later); Identity Administration portal

Retrieves a device’s FileVault recovery key. FileVault recovery keys are only available after the FileVault policy is pushed to a device and applied (triggered by an administrator login after the policy is pushed).

This key is stored permanently in the Identity Administration portal, even if the FileVault encryption policy is disabled on the Policy page or the device is unenrolled.

Refer to OS X Settings for more information about enabling the FileVault encryption policy.

SSO Management

Each entry below gives the command name, its Availability (the devices it applies to and where it can be invoked from), and what the command does.

Disable SSO

Availability: All devices; Active Directory Users and Computers, the Identity Administration portal, and User Portal

Disables single sign-on for the web applications listed in the CyberArk Identity mobile app.

You would use this command, for example, if the device is misplaced or stolen.

After this command is sent, an error message indicating that SSO is disabled is displayed when the user opens an application. The user cannot open any application on the selected device that uses SSO until the Enable SSO command is sent.

Enable SSO

Availability: All devices; Active Directory Users and Computers, the Identity Administration portal, and User Portal

Enables single sign-on for the web applications listed in the CyberArk Identity mobile app.

By default, SSO is enabled. This command is provided so you can enable single sign-on again for a device that previously had it disabled.

Call Log Management

Each entry below gives the command name, its Availability (where it can be invoked from), and what the command does.

Reset Call Counts

Availability: Active Directory Users and Computers, the Identity Administration portal, and User Portal

Resets the call counts.

Reset Data Usage Count

Availability: Active Directory Users and Computers, the Identity Administration portal, and User Portal

Resets the count of cellular data network bytes received and sent.