📱 Workspace ONE Mobile Management Tool

Version 1.4.0 released 2025-07-27 — includes RTS Return to Service support, end-user explanations for each script, and minor fixes.

A modular PowerShell-based utility for Workspace ONE, built to streamline mobile device administration across large enterprise environments.

Originally developed in Bash for macOS, this tool is now a robust cross-platform suite for Windows, enabling IT teams to:

• Query device details and installed profiles
• Push or remove apps
• Reboot, wipe, or trigger OS updates
• Toggle Lost Mode and clear passcodes
• Manage tags, Smart Groups, DEP profiles, and more

---

✨ New Script Added: Return to Service (RTS) Wipe

RTS_ReturnToService.ps1 is now included in the Mobile Management Toolset!

This script issues a Return to Service (RTS) wipe via Workspace ONE’s CustomMDMCommand API. It performs a full factory reset on supervised corporate/shared iOS devices and automatically re-enrolls them using an embedded Wi-Fi profile, returning the device directly to the Home Screen.

✅ Highlights:

• Sends Apple’s EraseDevice command with RTS enabled
• Devices auto-connect to Wi-Fi and re-provision using their assigned ADE profile
• Uses the same secure OAuth token cache as all other scripts
• eSIM data is not retained — use with caution on cellular devices

📍 This script is intended for on-premises execution only to ensure proper Wi-Fi connectivity and successful reprovisioning.

---

🧼 New Script Added: Uninstall Uninstall App.ps1 is now included in the Mobile Management Toolset!

This script removes purchased iOS applications (VPP) from Workspace ONE-managed devices using only the device serial number and a simple app selection menu.

✅ Highlights:

• Clean numbered app list — shows only app names for simplicity
• Secure OAuth token authentication
• Uses same trusted token cache as all other scripts
• 404 error handling for apps that are already uninstalled
• Consistent with the toolset’s formatting style

📍Intended for corporate-owned iOS devices only. Apps must be assigned via the Purchased (VPP) section of Workspace ONE.

---

🔄 New Script Added: Sync Device

SyncDevice.ps1 is now included in the Mobile Management Toolset!

This script triggers a Workspace ONE device sync using only the device serial number. It initiates a real-time check-in with the MDM server to pull down the latest configurations, profiles, and commands — no console interaction required.

✅ Highlights:

• Fast serial-based lookup with instant sync trigger
• Secure OAuth token authentication
• Uses the same centralized token cache for seamless integration
• Clean console output with clear success/failure status
• Error handling for invalid or unenrolled devices

📌 Ideal for use when:

• Devices are not checking in as expected
• You’ve made profile or tag changes in WS1 and want them applied immediately
• Apple devices show as overdue or non-compliant

---

🛠️ Included Scripts

Each script is standalone, callable individually or via the menu:

Script	Function
menu.ps1	Interactive CLI menu
Apps.ps1	List assigned apps for a device
Install App.ps1	Push assigned apps to a device
Uninstall App.ps1	Uninstall assigned apps on a device
Install Purchased App.ps1	Deploy VPP apps by serial
Profiles.ps1	Export installed configuration profiles
SyncDevice.ps1	Trigger a sync for a device by serial number
Device Details.ps1	Lookup basic device info
Device Event Log.ps1	Retrieve 1000 recent logs
Restart Device.ps1	Soft reboot device
Device Wipe.ps1	Full or enterprise wipe
RTS_ReturnToService.ps1	RTS wipe with embedded Wi-Fi profile
Update iOS.ps1	Trigger iOS OS update
LostMode.ps1	Enable or disable Lost Mode
Clear Passcode.ps1	Clear passcode from locked device
AddRemove Tag.ps1	Add/remove device tags
Assign or Unassign DEP.ps1	Assign/unassign DEP profile
Delete.ps1	Remove devices from WS1

---

🔐 OAuth 2.0 Security

All scripts authenticate via OAuth 2.0 (client_credentials) with secure shared token cache:

• Stored centrally:
  \\HOST_SERVER\MobileManagementTool\Oauth Token\ws1_token_cache.json
• Scripts do not include client credentials
• Token reuse built-in; expires every 60 minutes
• Users do not need write access to token directory

---

🔁 Token Auto-Renewal (Scheduled Task)

Tokens are auto-renewed hourly via Task Scheduler.

File	Purpose
OauthRenew.ps1	PowerShell token refresh script
Oauth - Renew.bat	Wrapper for scheduled task
WS1 Oauth Token.xml	Task Scheduler config
refresh.log	Optional timestamp log file

🛡️ Production-safe: read-only access required

---

📂 Output & Logs

Most scripts output to Downloads or shared folders:

• device_profiles.csv
• WipedDevices.txt
• EventLog_<date>.log
• installed_apps_<serial>.csv

---

🧠 Intelligent Behavior

• Scripts validate input and exit if missing
• Output is formatted and readable
• Designed for internal use only on trusted IT systems

---

✅ Requirements

• PowerShell 5.1 or later
• Workspace ONE UEM API credentials
• Access to shared script/token folder
• Windows 10/11 machine (domain-joined recommended)

---

🔒 Host Restriction Model

Scripts are designed to run only from trusted internal endpoints with shared folder access (\\HOST_SERVER\MobileManagementTool\).

This protects token integrity and prevents misuse on personal devices.

---

📄 License

MIT License — use, modify, and distribute freely.
No warranties expressed or implied.