Unlocking the device passcode is supported as follows:

Table 21.  Support for unlocking the device passcode on Android devices

| Android Enterprise device | Prior to Android 7.0 | Android 7.0 or supported newer versions |
|---|---|---|
| Work Managed Devices | | |
| Work Profile Devices | | Not supported |
| Work Profile on Company Owned Devices | | Not supported |
| Android (not using Android Enterprise) | | Not supported |

Unlock is not supported because these versions of Android do not allow a command to change the device passcode.

IMPORTANT: The Unlock command clears passcodes and TouchIDs from the managed device, compromising device security. Never use this feature on lost or stolen devices.


  1. Go to Device & Users > Devices.
  2. Select the check box(es) for the device.
  3. Click Actions > Unlock Device.

Unlock behavior on Android:

  • The Unlock command causes Ivanti Mobile@Work for Android to attempt to remove the existing passcode from an Android device. If the attempt is successful, the user will be able to access the device with the default Swipe.
  • On devices with Ivanti Mobile@Work, the default passcode is always set to 0000. For Ivanti EPMM, administrators can enter an unlock PIN of at least six digits. See Setting the unlock PIN for a specific device.
  • If the Administrator forces a password reset, the Ivanti Mobile@Work client itself will try to unlock the device, if possible, or the user can unlock the device using the default password, 0000. The user is forced to change that password to one that conforms to password requirements defined in the Security policy. This applies to devices in:
    • Device Admin or Device Owner modes using an OS older than Android 7 or supported newer versions.
    • Managed Device with Work Profile (COPE) mode (Android versions 8-10 only) and Work Profile on Company Owned Devices mode (Android 11 or supported newer versions).
    • Profile Owner supporting Work Challenge using Android 6 or supported newer versions. The user of an Android 6 device in Profile Owner mode without Work Challenge support may unlock with the default password, “0000”, but is not forced to change the password.
  • The passcode reset flow is triggered only when the profile or Android device is locked. If the administrator sends an "Unlock" command while the profile is not locked, Ivanti EPMM does not reset the passcode to 0000 and does not bring up the password reset screens. This is applicable to Ivanti Mobile@Work or supported newer versions and to the following Android Enterprise modes:
    • Device Admin mode (on some devices)
    • Device Owner mode
    • Work Profile mode
    • Managed Device with Work Profile mode
    • Work Profile on Company Owned Device mode

  • Devices registered in Android Enterprise Work Managed mode that are in kiosk mode exit kiosk mode when you send the UNLOCK command from Ivanti EPMM. This happens only when the password is mandatory as per the Security Policy on Ivanti EPMM.
  • For Android Enterprise devices, see Unlocking an Android Enterprise device.