I was just looking through the current list of scripting options and noticed there is a script agent_mode that will help out in this situation. I verified that I could send this script to a group of devices and get a report back as to what status each device was in within the group level logs:

If you're worried about some devices being in Admin mode couldn't you just send a script to all devices to force them into User mode? There is no harm in redundantly scripting a device in User Mode to enter User Mode so why not just send it to the whole inventory?

thank you, but I would like to check if there is a password leak...so if I see which devices are in admin mode I can understand what is going on.

You could inspect the logs at the Group level to see if any devices are entering Admin mode based on this log snippet:

Thank you Matt.

This is really useful but I need something that can be easier checked since when you are managing 300 devices it is not possible to check all logs for such entries. 

Best regards 

Hello,

may i ask you a question ..

What is it admin mode and user mode ?

thanks for your explication

Kios on / off

Remotely change your device administrator password regularly if are worried about password leak.

Please also note that turning on device administrator mode has much much more security impact than just turning off the kiosk model.   I explained about that in some earlier posts many months ago.   So, do NOT develop the habit/work-flow of casually entering device administrator password to get into such mode in front of the device end-users while supporting them on the field.  Personally, I only do that to debug recalled devices that cannot be wirelessly controlled via MobiControl web-console.

Dear Raymond,

you are right on this, but since more than one person is involved on that process, there is a risk that someone provides the password for support reason. So i need to check somehow if enything is left .

I do not now if there is any custom sttribute in the reports I could use to get this info.

Best regards

Hi Fotis,

Thank you for posting on SOTI Central.

Ultimately, what you are asking is currently not possible since the Agent mode is not a data set which is recorded on the Web Console. We already have some Feature Requests open for this so I encourage you to contact SOTI Support (support@soti.net) to open another one in order for us to track the demand of this Feature.

Apart from that, the difficulty for your end-user's reaching Admin mode will depend on the strength of your Authentication policy. From a Lockdown perspective it is not expected that your end-users are able to access Admin mode so if it requires updating the password on a regular basis as Raymond suggested, then it will be worthwhile.

Matt's suggestion also wouldn't hurt to do; you could even have the script run when triggered by an Out of Contact policy.

Kind regards,

this is great! thanks a lot

Hi Fotis,

To add to this discussion, you can utilize our Javascript Scripting to check the agent mode. Then you can tell the agent to go back into the lockdown and log it as a warning. Then within your DS Logs section, you can see the warning.

Script example:

var agentMode = mobicontrol.agent.getMode();

switch (agentMode) {

   case mobicontrol.agent.Mode.ADMIN_MODE:

      mobicontrol.log.warn("Device was in Admin Mode: " + mobicontrol.device.id);

      mobicontrol.agent.enterUserMode();

      break;

   case mobicontrol.agent.Mode.USER_MODE:

      mobicontrol.log.info("The agent is in User mode");

      break;

   default:

      mobicontrol.log.error("Unexpected mode: " + agentMode);

}

 

 

 

On top of that, you can use the Task Scheduler profile configuration to periodically run the script and log it. 

 

 

Reference: https://www.soti.net/mc/help/javascriptapi/en/index.html

 

 

Hope this helps.

 

Regards,