Forum Discussion
Master ownership of Android devices
Factory Reset Protection / persistence is a powerful tool but it does not yet feel complete, and it is quite frustrating and potentially dangerous in its current state. It is not always apparent whether any given device is persistently linked using ZeroTouch, Intune or even Google Account FRP. While these tools are available to some, they are not a financially viable option for everyone, especially for consumers. There may be documentation describing the intimate intricacies of how all of these tools work and when/where they leave signs of their presence, but I cannot find it. I have not found a PSA from Google for consumers saying "if you buy a second hand phone, check x, y and z to make sure it is not locked, otherwise someone can potentially remotely brick it."
As a small company we have various scenarios where we provide phones to employees and also distribute loan/event devices for other small-medium companies, and don't necessarily have the ability to invest in enterprise-grade tools like ZT, InTune or Android Enterprise. If you think about it, on Windows all you need is to set the BIOS password and the Admin password, and User Account Control takes care of the rest. Now take the Android example: you add a Google account and think it's safe with the user not knowing the password, but there is nothing to stop the user from adding their own personal Google account, removing yours (no password required), setting their own PIN, and turning a $1000 phone into a paperweight. If they can unlock the phone, they are the master owner. There used to be a feature for Multi-User on Android but I haven't seen it in a long time, and I think there were performance issues with it as they all had to be loaded at once.
While I may be lacking understanding or knowledge and making some assumptions, should a consumer really need to know exactly how Android Enterprise works in depth just to buy a second hand/"refurbished" phone? And I dare anyone to get into a device after it's been factory reset while attached to a personal Google account with a PIN set without hacking tools. I know there have been exploits with Talkback in the past but it's been patched now, and again these are not lengths to which consumers should need to go.
If I knew someone's pattern (most common security type and very hard to hide effectively), and had their phone for 2 minutes, I could turn it into a paperweight simply by adding a disposable Google account, removing theirs, and setting a PIN. How are we supposed to protect against that as a small business?
- Moombas, Level 4.1: Jelly Bean, 2 years ago
Just to get our conversation here:
The correct usage of an MDM can prevent this by disabling the user's ability to add (any) other accounts, and so on.
And as you asked something about the Zero-Touch portal:
You don't need to purchase Zero-Touch portal but you need to buy your devices from a reseller who has access to it which means the reseller can create a portal for you and upload the devices then to it.
When this is done you can create a config and assign it to your devices (also via batch as CSV). Zero-Touch portal also provides the functionality that if a device is wiped, it always points it to your MDM as long as the IMEI has the relevant config assigned.
- jasonbayton, Level 4.0: Ice Cream Sandwich, 2 years ago
The 2nd hand aspect of your concerns does add a little more to consider, but there are still ways and means with a few limitations.
As Moombas points out, zero-touch is reseller based. It is entirely free to use providing you've purchased the devices new or used from a reseller in the first place. Zero-touch won't alleviate FRP causing issues alone, but it will redirect devices into management any time they're factory reset.
On the subject of management, it's not always expensive. Consider Miradore as an example, they have a basic plan for free with no device limit. Other platforms, such as mambo EMM, Appaloosa or Wizy EMM offer limited/low cost options on a rolling monthly basis, and cover all basics for device management.
When devices are managed, again as Moombas points out, restrictions on accounts added to the device can be put in place, but more than this, you as the admin can mandate a specific account on the device to enforce FRP, or disable FRP altogether, and users with the devices (or those who get hold of them) are powerless to change this, as the management agent enforces the policies. This extends also to mandating medium to strong password requirements, and also the ability to remove a password remotely as the administrator of the managed device.
For consumers and devices that won't be put under enterprise management, well it's no different to any other asset. If you lock your front door with a piece of rope, someone will cut it and gain access, after which they can wreak whatever havoc that comes with accessing a person's home. If you secure your device with a pattern or simple pin code and leave it around for someone to gain access to it, they will. At least with a device, a proof of purchase is normally enough to get FRP removed by the manufacturer on request.
Multi-user is still a thing, by the way, it just needs to be explicitly turned on for most modern handsets.
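Added example, not part of any post in this thread: a small audit of an EMM policy for the three controls described above (account changes blocked, an admin account pinned for FRP, a password quality stronger than a pattern). It assumes the EMM exposes policies in the Android Management API policy format; the sample policies and e-mail address are constructed.

```python
# Field names follow the Android Management API "Policy" resource.
# Other EMM consoles expose the same controls under their own names.

# Qualities that still allow a pattern or a trivial PIN.
WEAK_QUALITIES = {"PASSWORD_QUALITY_UNSPECIFIED", "BIOMETRIC_WEAK",
                  "SOMETHING", "NUMERIC", "COMPLEXITY_LOW"}
DEVICE_SCOPES = {"SCOPE_UNSPECIFIED", "SCOPE_DEVICE"}


def audit_policy(policy):
    """Return a list of findings; an empty list means all three controls are set."""
    findings = []
    if not policy.get("modifyAccountsDisabled", False):
        findings.append("accounts: user can add or remove Google accounts")
    admins = [e for e in policy.get("frpAdminEmails", []) if e.strip()]
    if not admins:
        findings.append("frp: no admin account pinned for unlock after a reset")
    scoped = [p for p in policy.get("passwordPolicies", [])
              if p.get("passwordScope", "SCOPE_UNSPECIFIED") in DEVICE_SCOPES]
    if not scoped:
        findings.append("password: no device-scope password policy")
    for p in scoped:
        quality = p.get("passwordQuality", "PASSWORD_QUALITY_UNSPECIFIED")
        if quality in WEAK_QUALITIES:
            findings.append(f"password: {quality} permits a pattern or simple PIN")
    return findings


# Constructed sample: a loan device with only a pattern-level requirement.
LOAN_DEFAULT = {
    "passwordPolicies": [
        {"passwordScope": "SCOPE_DEVICE", "passwordQuality": "SOMETHING"}
    ]
}

# Constructed sample: the same device with the controls from the thread applied.
HARDENED = {
    "modifyAccountsDisabled": True,
    "frpAdminEmails": ["it-admin@example.com"],  # placeholder address
    "passwordPolicies": [
        {"passwordScope": "SCOPE_DEVICE", "passwordQuality": "NUMERIC_COMPLEX",
         "passwordMinimumLength": 6}
    ],
}

if __name__ == "__main__":
    for name, pol in (("loan-default", LOAN_DEFAULT), ("hardened", HARDENED)):
        print(name, audit_policy(pol) or "OK")
```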
- Josh, Level 1.6: Donut, 2 years ago
My point is that the device user is not always the device owner, and that general consumers shouldn't have such powerful tools available. While ZT is SUPPOSED to be only for devices purchased through the reseller, they can actually onboard any device, as we've experienced, but I'm not going into that now. I can understand a business locking a device, but not some random user, potentially even by accident, and without any sort of special tools. This is about device users not being device owners, something that has never been a problem until FRP.
- jasonbayton, Level 4.0: Ice Cream Sandwich, 2 years ago
Sure, technically a reseller can onboard any device, and in some markets they do so with proof of purchase. There's no gotcha there, it's not prohibited in the agreement, it's just not common.
From the other side of this, it used to be possible for me to grab an Android device, recovery reset it and set it back up as my own regardless of device security in place or who owned it. Granted there were vulnerabilities to get around FRP way back when but these are far fewer today.
So I argue that FRP, like the Apple, Samsung, and other equivalents, is a net positive on device security and recovery, not a detractor for consumers. It protects the consumer from losing their device to someone else, and your premise of it being overly simplistic to brick it through physical access to a device with no means of resolving that is exaggerated.
I've managed devices before FRP control was a thing, and I've been through the process of sending devices off to an OEM facility quarterly to wipe the FRP bit on corporate owned devices. From Android 6.0 it stopped being a problem for managed devices since admins gained control either over FRP being enabled, or the account used to recover it.
It's now only a problem for organisations today who choose not to manage (enforce their ownership over) their estate, and since there are many options available to do this for all budgets, there's no reason not to manage devices.
If devices are being handed out for the user to set up and look after, they are the owner on a system level. If those devices are put into management, they're owned by the company pushing the policies. That's the distinction for ownership.
- Moombas, Level 4.1: Jelly Bean, 2 years ago
Ah, I missed that Multi user thing ^^ I know it's possible from the MDM we use and I'm pretty sure others can as well.
- Lizzie, Google Community Manager, 2 years ago
Great to see an in-depth discussion on this here. Thank you Josh for starting this conversation and Moombas and jasonbayton for your responses.
Reading this, I know it's difficult to understand the complete picture of how your process works here Josh, so some assumptions have had to be made on the possible options suggested here.
Based on the information you shared it does appear that the best option would be to explore using an EMM, I know you mentioned this isn't a current option, but this would help you to get the experience you are wanting.
If any other workarounds or suggestions arise, I will be sure to let you know.
Reading the latest comments, I do think that we have fully explored the options and we are starting to get off track, so I'm going to close this discussion now for new replies. Please keep in mind that we are all trying to support each other here and want to find a good solution.
Thanks for your time.
Lizzie