31 Jan
Posted by mnielsen in SCMDM, Windows Mobile, security
This is a brand new feature in SP1 and one of great interest for enterprise implementations. It mimics the similar functionality available with Exchange and Windows Mobile devices, but without requiring Exchange at all. With this feature, end users who have forgotten their device password or PIN can recover (without wiping the device) and set a new device password or PIN. In this posting I will dive a little deeper and show how this all works on both the server and client side.
Overview
As nicely stated in the MDM Password Reset Client v1.0 download overview:
“MDM Password Reset Client provides a .cab file that you install on Windows Mobile 6.1 devices enrolled in MDM so that users can use the password reset feature in MDM. Password reset in MDM 2008 Service Pack 1 (SP1) enables a user who has forgotten his or her Windows Mobile device password to reset it by using MDM.
Password reset is supported on Windows Mobile 6.1 devices, starting with version 6.1.4. To use the feature, you must install the .cab file on the user’s Windows Mobile device as well as enable the feature in MDM by using Group Policy.
To reset the device password, the user chooses the password reset option, resets the device password, and then enters a one-time recovery password on the device to complete the process. The recovery password is stored on MDM servers and retrieved by the user when she or he has forgotten the device password.”
What is required?
Even though the client patch description quoted above states that it is first supported on Windows Mobile 6.1.4 or above, the patch appears to install on some of my 6.1.1 devices. But "your mileage may vary" (YMMV), as they say. The patch, available here, can be manually installed, but with MDM handy, why not deploy it out directly! Please note the installation failures on the devices that are below the 6.1.1 level.
You also need the SCMDM 2008 SP1 installation on the back-end. Especially the changes on the DM server, SQL tables, and Self Service Portal (SSP) if you wish to use that for retrieving the reset password.
How it works:
After the client patch is installed on a device and the device is locked with a PIN, a password reset key is generated locally. After two cycles of traffic to and from the Device Management server, that recovery password will have been uploaded to the SCMDM side and be available for use. This can be verified with a cmdlet, or on the MDM console by seeing that the "Display Recovery Password" action is no longer grayed out on the right-hand side of the screen when a managed device is selected:
More details can also be found here on the overall user experience of this feature: http://technet.microsoft.com/en-us/library/dd252841.aspx
Client Functionality
These are actual screenshots of a managed device that has the client patch installed.
In a locked state, the "Reset Password" option is no longer grayed out, indicating that the password reset key has been uploaded and is ready to use:
After the "Reset Password" option is selected, a confirmation appears that the user can indeed retrieve the recovery password from an administrator or help desk.
It then lets the user create a new password, subject to the same requirements that may have been enforced on the device.
Now the user must contact the administrator or help desk. In this example the administrator clicks on the “Display Recovery Password” in the MDM console and is shown the 20 digit Recovery Password that the device has uploaded into the MDM database.
The user must type in the 20 digit recovery password to validate the new password.
If there is a match with the recovery password stored on the device, the new password is granted and the device is unlocked!
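To make the "how it works" description and the reset walkthrough above concrete, here is an added model of the exchange between the device and the Device Management server. It is illustrative code written for this post, not Microsoft's client or server code: the class names, the `sync()`/`lock()` methods and the minimum-length policy are assumptions standing in for the real device policy and DM protocol. What it preserves from the post is the order of events: the recovery password is generated on the device when it is locked, reaches the server only after two sync cycles, "Reset Password" and "Display Recovery Password" are unavailable until then, the device (not the server) checks the 20 digits the user types, and a recovery password is one-time, so it is discarded once used.

```python
"""Model of the SCMDM 2008 SP1 password-reset exchange (constructed illustration)."""
import hmac
import secrets

RECOVERY_DIGITS = 20          # the post shows a 20-digit recovery password
SYNC_CYCLES_TO_UPLOAD = 2     # "after 2 cycles of traffic" it reaches the server


def generate_recovery_password(rng=secrets):
    """Random 20-digit string; `rng` needs a randbelow(n) method (secrets by default)."""
    return "".join(str(rng.randbelow(10)) for _ in range(RECOVERY_DIGITS))


class MdmServer:
    """Device Management server side: it only stores what the device uploads."""

    def __init__(self):
        self._recovery_store = {}   # device_id -> uploaded recovery password

    def receive_upload(self, device_id, recovery_password):
        self._recovery_store[device_id] = recovery_password

    def recovery_available(self, device_id):
        # The console action "Display Recovery Password" stays grayed out until this is True
        return device_id in self._recovery_store

    def display_recovery_password(self, device_id):
        """What the administrator (MDM console) or the user (SSP) reads out."""
        if not self.recovery_available(device_id):
            raise LookupError("no recovery password uploaded yet for %s" % device_id)
        return self._recovery_store[device_id]


class ManagedDevice:
    """Windows Mobile device with the password-reset client installed (hypothetical model)."""

    def __init__(self, device_id, min_password_length=4, rng=secrets):
        self.device_id = device_id
        self.min_password_length = min_password_length   # stand-in for the device policy
        self._rng = rng
        self._password = None
        self.locked = False
        self._recovery = None          # the device's own copy of the recovery password
        self._upload_pending = False
        self._syncs_since_lock = 0

    def _check_policy(self, password):
        # Same requirements are applied to the new password as to the original one
        if len(password) < self.min_password_length:
            raise ValueError("password does not meet device policy")

    def set_password(self, password):
        self._check_policy(password)
        self._password = password

    def lock(self):
        """Locking a device that has a password triggers local generation of a recovery password."""
        if self._password is None:
            raise RuntimeError("device has no password to lock with")
        self.locked = True
        self._recovery = generate_recovery_password(self._rng)
        self._upload_pending = True
        self._syncs_since_lock = 0

    def sync(self, server):
        """One round of traffic with the DM server; the upload lands on the second round."""
        self._syncs_since_lock += 1
        if self._upload_pending and self._syncs_since_lock >= SYNC_CYCLES_TO_UPLOAD:
            server.receive_upload(self.device_id, self._recovery)
            self._upload_pending = False

    def reset_available(self):
        # "Reset Password" is grayed out on the device until the upload has completed
        return self.locked and self._recovery is not None and not self._upload_pending

    def reset_password(self, new_password, typed_recovery):
        """User's reset: choose a new password, then type the 20-digit recovery password."""
        if not self.reset_available():
            raise RuntimeError("Reset Password is not available on this device")
        self._check_policy(new_password)
        # Constant-time comparison against the device's own copy; the server is not consulted
        if not hmac.compare_digest(self._recovery, typed_recovery):
            return False                 # mismatch: the device stays locked
        self._password = new_password
        self.locked = False
        self._recovery = None            # one-time: consumed on success, a new lock makes a new one
        return True

    def unlock(self, password):
        """Normal unlock with the current device password."""
        if hmac.compare_digest(self._password, password):
            self.locked = False
            return True
        return False
```

The part worth noticing from a defender's point of view is the division of trust: the server holds a copy of the recovery password purely so the help desk or the SSP can read it out, while the check that actually unlocks the device runs on the device against its own copy. Once a recovery password has been used it is gone, so a value read off the console yesterday does not unlock a device that has been locked again since.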
Instead of the MDM console, the MDM Self Service Portal (SSP) could have been used. It also has a “Display Recovery Password” button at the bottom which will display the 20 digit recovery password:
The Password Recovery feature in the SSP is selectable by the administrator to be made available on the web site just as the Device Wipe and Device Enrollment features. Please see more information available here: http://technet.microsoft.com/en-us/library/dd261796.aspx.
Password Recovery References
SCMDM Cmdlets: http://technet.microsoft.com/en-us/library/dd261726.aspx
SCMDM User Experience: http://technet.microsoft.com/en-us/library/dd252841.aspx
Windows Mobile 6.x AKUs: http://myitforum.com/cs2/blogs/mnielsen/archive/2009/01/31/windows-mobile-6-x-akus.aspx
Windows Mobile 6.1.x Upgrades and Build Levels: http://myitforum.com/cs2/blogs/mnielsen/archive/2009/01/24/windows-mobile-6-1-x-upgrades-now-available.aspx
|\\arco..
mnielsen (at) enterprisemobile.com
2 Responses
Agus Gunawan
24|Feb|2009
Dear mnielsen,
I have a Dopod U1000 (HTC Advantage X7500) with Windows Mobile 5, then upgraded to Windows Mobile 6 by the seller. I used the Windows password, and it worked okay for the last 1.5 years. Unfortunately, for some reason, the device does NOT recognise my password anymore, and keeps telling me "you type the incorrect password". I typed the correct password many times and the device rejected it. Now the device is in the state described on page 92 of the manual book:
"Each time a wrong password is entered, the device response time gets longer until the device appears to be not responding." (now already more than 20 hours of not responding)
"If you forget your password, you must follow the instructions in this user manual to clear the memory before you can access your device."
I cannot do a HARD RESET as ALL data will be lost, and I do not have a backup, as the shop told me the data would never be lost even with a flat battery.
I really need help. Please help me, as I will lose all data if I do a hard reset.
I also do not understand your posting as I am not good at computing. Just a normal user. Thanks.
Agus Gunawan
Mobile: +61 412 684 943
csaintamant
24|Feb|2009
@Agus: If you have your device connected to ActiveSync in Exchange 2007 or enrolled in an SCMDM domain, you can reset your PIN. SCMDM instructions are above, and you can find instructions for PIN recovery with Exchange 2007 OWA here.
If you do not have your device connected to one of these systems, you may be out of luck for unlocking your device.