Passcode Enabled Devices and Dead Batteries

Created: Knowledge Base

Applies to iOS devices.

The following article details a device-disabling behavior that is encountered when passcode-enabled devices are returned without a network connection.

The most common occurrence of this behavior is when users attempt to check in devices that are powered off. Devices that turned off due to a dead battery are included in these situations.

The Issue

Passcode-enabled devices without a network connection cannot check in.

Why does this happen?

Devices without a network connection cannot receive network-delivered commands from the Mobile Device Management (MDM) system. The only way Imprivata Mobile Access Management (MAM) can reliably communicate with devices over USB is when devices do not have a passcode on them. Because of this, the iOS device needs a valid network connection to process the MDM’s request to clear the passcode before MAM can check the device in.

Why can’t the device communicate with the MDM after turning back on?

When an iOS device is off and turns back on, it will not communicate with wireless networks or computer-based hosts until the current passcode is entered on the device. This is an iOS security feature that cannot be disabled or altered.

What is the end result for devices in this state?

Devices in this state cannot communicate with their MDM or with MAM. This means they cannot be checked in or sent commands from the MDM – such as clear passcode, erase, or enable Lost Mode. Devices in this state will not be able to return to the pool of available devices and will also still show as assigned to the user who checked the device out.

How to prevent this behavior from occurring
    • Best method – Solid end user training can accomplish the same end results as the options below, which typically cost money.
      Training your users in accordance with our training video below is ideal, with users understanding that they cannot let devices fall into a dead-battery state and still expect them to check in.
    • Visual method – Adding a Launchpad Display for End Users to your Smart Hub can help tremendously with users understanding if they’ve returned a device correctly or not.
      Using the visual cue of the display can be a simple way for users to know if the system counts their device as “returned” or not.
    • Cheapest method – Technicians or Rounding Users with access to the MAM Dashboard can utilize the Unpaired Devices tabs to locate devices that are likely in this state.
      After a Lightning-To-Ethernet converter* with an active Ethernet connection has been attached to the device in question for approximately 10 seconds, the device will likely have regained network connectivity and removed its passcode.
      Technicians can confirm whether the passcode was removed automatically by the presence (or absence) of the passcode when they attempt to unlock the device. If the passcode is not automatically removed from the device, the MDM may require a new command to clear the passcode.
      * USB-C iPhones will require a USB-C-To-Ethernet adapter.
      ** While Apple does not make an official adapter/converter, nearly any style will work. In some rare situations, some more secure networks may require the converter to have its own MAC Address built in. If you are struggling to find an adapter/converter that works, reach out to the Imprivata Customer Success Team.
    • Deployment method – If you deploy Mac Launchpads, you can enable Network Tethering. This is not recommended if your organization is not used to managing enterprise Macs.
      Imprivata does not recommend switching from Windows to Mac just for this feature if you have already deployed Windows Launchpads. This feature is not available on Windows, and its availability is not in Imprivata’s control.
      NOTE: Sometimes, devices will not tether to a Launchpad even with Network Tethering enabled. If a device is not tethering, you may need to tell the Mac Launchpad to enable tethering for that device. To do this:

      1. Remote into the Mac Launchpad and navigate to System Settings > General > Sharing > Internet Sharing.
      2. Turn OFF Content Caching and Internet Sharing.
      3. Click the “i” button for more information next to Internet Sharing.
      4. Ensure any devices labeled “iPhone USB” or “iPad USB” have their radio signals set to ON.
      5. Click Done in the bottom right of the Internet Sharing box.
      6. Set the Internet Sharing and Content Caching settings back to the way they were when you remoted into the Mac Launchpad.
    • Invisible method – Devices equipped with a cellular connection do not experience this behavior, as they are always connected to a network. The same iOS security feature does not apply to cellular networks. While typically an expensive method, many organizations deploy cellular via T-Mobile, AT&T, Verizon, FirstNet, or other wireless carrier providers. This endeavor is often an executive decision made during initial deployment, and may not always be a viable option.

What else should I know?

If you are not actively implementing one of the above features, you should not enable Lost Mode via the MAM overdue device policy.

Does Imprivata offer any materials to assist with end user training?

Yes, Imprivata has several resources for end user training: