Corporate Owned Enrollment - Successful enrollment despite modification of data in the primary user

Alex_Muc
Level 2.0: Eclair

Hey!


We have encountered a potential problem with a few devices. The devices use automatic enrollment. Users have to continue in the setup wizard and enroll the device against the MDM before it can be used.
For some devices, we have found a way to break out of the setup wizard. Without a restriction payload, apps can be sideloaded and data can be modified in the main user. Although the navigation bar, app drawer and some other features are restricted, this is sufficient for manipulation.
If you go back in the navigation bar, you end up back in the setup wizard and the device looks like it has just come off the production line.


My expectation with COPE enrollment was that the enrollment would fail because data had already been changed in user0. However, the enrollment could be completed without any problems and the previous adjustments were retained.


Does anyone know when CO enrollment is no longer possible? Does this restriction depend solely on whether the setup wizard has already been successfully completed?

3 replies

Moombas
Level 4.0: Ice Cream Sandwich

Never seen something like this.

Can you describe it in detail (maybe via PM)? I would like to test this as well if possible (and if I get time for it).

It can also be related to your device(s) OEM, so did you test on different models/manufacturers (if available)?

Alex_Muc
Level 2.0: Eclair

As far as I understand it from the documentation, only the Setup Wizard must not be completed for a company-owned scenario; or rather, the enrollment must be started from the Setup Wizard.
To be fair, it must be said that some functions are not fully usable until the Setup Wizard has been completed. For example, you cannot activate any developer options. Unfortunately, it is possible to install apps from unknown sources if you can exit the setup wizard.


I originally thought that the device would reset itself during the enrollment attempt if data was changed in the primary user outside of the setup wizard. I probably mixed this up with a few scenarios during automatic enrollment. (Device is configured for automatic enrollment, setup wizard is completed offline and the device then gets internet access)


A note: The original question is about when corporately-owned enrollment can no longer take place or needs a factory reset. I will not describe publicly how and for which devices you can break out of a setup wizard. 🙂

jasonbayton
Level 4.0: Ice Cream Sandwich

I think it depends on when you break out, because indeed it's possible to do so during the process. As long as no accounts have been added, it'll function fine if DO hasn't been set at the point of breakout. If it's after DO and you modify accounts, you're adding additional accounts.


The user data doesn't really come into it, so download what you want, adjust apps, whatever. No issue. It's the same requirement for setting DO via ADB after setup completes. 


The EMM should account for this, for example AMAPI removing any user-installed apps that aren't permitted by policy in the policy-managed areas, but there's going to be more flexibility with COPE since the DPC won't be actively maintaining inventory there beyond some explicit, by-package-name policies applied to the parent. That said, global blocking of sideloading and such can happen by policy to prevent further issues.


But it happens.. I can break out of fully managed enrolment on some devices also, though default policies are restrictive 🙂
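To make the policy side of jasonbayton's reply concrete, here is an added example (not code from the thread or from any EMM): two Android Management API policy fragments, a permissive one that would leave apps sideloaded during a setup-wizard breakout untouched and a hardened one that blocks sideloading device-wide, switches the Play Store to allowlist mode and explicitly marks an observed package as BLOCKED so AMAPI uninstalls it, plus a small lint that flags the weak settings. The field names (`playStoreMode`, `advancedSecurityOverrides.untrustedAppsPolicy`, `advancedSecurityOverrides.developerSettings`, `applications[].installType`, `personalUsagePolicy`) are real AMAPI Policy fields; the package names, the two sample policies and the lint itself are constructed for this example.

```python
"""Added example: AMAPI policy fragments and a lint for the breakout gap.

Field names follow the Android Management API Policy resource. The two
sample policies, the package names and the lint are constructed here and
are not from the forum thread or any vendor.
"""
import copy
from typing import Any, Dict, Iterable, List

Policy = Dict[str, Any]

# Constructed: a permissive fully-managed policy. Apps a user sideloaded
# before DO was set are neither blocked nor removed under this policy.
WEAK_POLICY: Policy = {
    "playStoreMode": "BLACKLIST",
    "advancedSecurityOverrides": {
        "untrustedAppsPolicy": "ALLOW_INSTALL_DEVICE_WIDE",
        "developerSettings": "DEVELOPER_SETTINGS_ALLOWED",
    },
    "applications": [
        {"packageName": "com.example.mdmagent", "installType": "FORCE_INSTALLED"},
    ],
}

# Constructed: the hardened counterpart. WHITELIST leaves only listed apps
# available, DISALLOW_INSTALL blocks unknown sources device-wide, and the
# BLOCKED entry makes AMAPI uninstall that package if it is present.
HARDENED_POLICY: Policy = {
    "playStoreMode": "WHITELIST",
    "advancedSecurityOverrides": {
        "untrustedAppsPolicy": "DISALLOW_INSTALL",
        "developerSettings": "DEVELOPER_SETTINGS_DISABLED",
    },
    "applications": [
        {"packageName": "com.example.mdmagent", "installType": "FORCE_INSTALLED"},
        {"packageName": "com.example.sideloaded", "installType": "BLOCKED"},
    ],
    # COPE (work profile on a company-owned device): the personal side is
    # only reached through these explicit, by-package-name entries.
    "personalUsagePolicy": {
        "personalPlayStoreMode": "BLOCKLIST",
        "personalApplications": [
            {"packageName": "com.example.sideloaded", "installType": "BLOCKED"},
        ],
    },
}


def lint_policy(policy: Policy) -> List[str]:
    """Return findings for settings that let a pre-enrollment sideload survive.

    Unset fields are not flagged: AMAPI defaults untrustedAppsPolicy to
    DISALLOW_INSTALL, playStoreMode to WHITELIST and developerSettings to
    DEVELOPER_SETTINGS_DISABLED.
    """
    findings: List[str] = []
    overrides = policy.get("advancedSecurityOverrides", {})
    untrusted = overrides.get("untrustedAppsPolicy")
    # installUnknownSourcesAllowed is the deprecated boolean predecessor.
    if (untrusted in {"ALLOW_INSTALL_DEVICE_WIDE", "ALLOW_INSTALL_IN_PERSONAL_PROFILE_ONLY"}
            or policy.get("installUnknownSourcesAllowed") is True):
        findings.append("sideloading allowed: set untrustedAppsPolicy to DISALLOW_INSTALL")
    if policy.get("playStoreMode") == "BLACKLIST":
        findings.append("playStoreMode BLACKLIST: unlisted apps are left alone, use WHITELIST")
    if overrides.get("developerSettings") == "DEVELOPER_SETTINGS_ALLOWED":
        findings.append("developer settings allowed: USB debugging stays reachable after setup")
    return findings


def block_packages(policy: Policy, packages: Iterable[str]) -> Policy:
    """Return a copy of policy with each package marked BLOCKED in applications[]."""
    patched = copy.deepcopy(policy)
    apps = patched.setdefault("applications", [])
    by_name = {app["packageName"]: app for app in apps}
    for pkg in packages:
        if pkg in by_name:
            by_name[pkg]["installType"] = "BLOCKED"
        else:
            apps.append({"packageName": pkg, "installType": "BLOCKED"})
    return patched


def blocked_packages(policy: Policy) -> List[str]:
    """Packages the policy marks BLOCKED, in the managed and personal areas."""
    entries = list(policy.get("applications", []))
    entries += policy.get("personalUsagePolicy", {}).get("personalApplications", [])
    return sorted({e["packageName"] for e in entries if e.get("installType") == "BLOCKED"})


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_policy(pol) or "no findings", "blocked:", blocked_packages(pol))
```

Running the lint over a policy before enrolling a batch of devices is the cheap check: if it returns nothing and every package seen on a broken-out device is in `blocked_packages`, a sideload that survived the wizard does not survive policy sync. Note that `ALLOW_INSTALL_IN_PERSONAL_PROFILE_ONLY` is flagged here too; for COPE that may be a deliberate trade-off, so treat that finding as a prompt rather than a hard failure.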