11-17-2023 12:21 PM
Hi,
We have a requirement to force a few users to reset their passcode. I have tried with https://developers.google.com/android/management/reference/rest/v1/enterprises.devices/issueCommand#... and it works fine when we mention the new passcode. I am wondering if there is a way to force users to change their passcode without us having to give and store temp passcodes for each user.
I am aware that we can do this with password restrictions as part of policy https://developers.google.com/android/management/reference/rest/v1/PasswordRequirements, but is it possible with a one-time issue command?
Thank you
11-20-2023 02:14 PM
Okay thank you. We will go ahead with the following approach.
1. Set Password Policy
2. Set Policy enforcement rule for `passwordRequirement` with blockAction set to 0 days.
3. Send Reset password command with empty/static password which is not compliant with passwordRequirement.
That should block the user until they reset password.
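The request bodies behind the three steps above, as an added example that is not part of the thread or of Google's documentation. It assumes the Android Management API policy fields `passwordPolicies` and `policyEnforcementRules`; the helper names, the minimum length, the 30-day wipe delay and the sample operation are constructed for illustration.

```python
def build_policy_fragment(min_length=6, wipe_after_days=30):
    """Steps 1 and 2: a password requirement plus an enforcement rule
    that blocks as soon as the requirement is unmet."""
    return {
        "passwordPolicies": [{
            "passwordScope": "SCOPE_DEVICE",
            "passwordQuality": "NUMERIC",
            "passwordMinimumLength": min_length,  # assumed value
        }],
        "policyEnforcementRules": [{
            "settingName": "passwordPolicies",
            "blockAction": {"blockAfterDays": 0},
            # The API expects a wipeAction next to blockAction, with
            # wipeAfterDays greater than blockAfterDays; 30 is assumed.
            "wipeAction": {"wipeAfterDays": wipe_after_days, "preserveFrp": True},
        }],
    }

def rule_errors(policy):
    """Catch enforcement rules the API would reject before patching."""
    errors = []
    for rule in policy.get("policyEnforcementRules", []):
        block, wipe = rule.get("blockAction"), rule.get("wipeAction")
        if block is None or wipe is None:
            errors.append(f"{rule.get('settingName')}: blockAction and wipeAction required")
        elif wipe["wipeAfterDays"] <= block["blockAfterDays"]:
            errors.append(f"{rule.get('settingName')}: wipeAfterDays must exceed blockAfterDays")
    return errors

def build_reset_command(new_password="", lock_now=True):
    """Step 3: body for enterprises.devices.issueCommand."""
    body = {"type": "RESET_PASSWORD"}
    if new_password:  # omitting newPassword clears the password
        body["newPassword"] = new_password
    if lock_now:
        body["resetPasswordFlags"] = ["LOCK_NOW"]
    return body

def operation_state(operation):
    """Classify the long-running Operation returned by operations.get."""
    if not operation.get("done"):
        return "PENDING"  # no `done` field yet: the command has not completed
    return "FAILED" if "error" in operation else "SUCCEEDED"

# Constructed sample shaped like a command operation (placeholder ids).
SAMPLE_OPERATION = {
    "name": "enterprises/ENTERPRISE_ID/devices/DEVICE_ID/operations/OPERATION_ID",
    "metadata": {"type": "RESET_PASSWORD", "resetPasswordFlags": ["LOCK_NOW"]},
}
```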
11-20-2023 12:17 PM
Good question, @Prathik and great to see you again.
Not sure which devices you are using, but an OEM config option for this might be a good thing to explore. For example, I've seen that Samsung Knox have a password policy, so perhaps other OEMs do too.
It's a nice feature request though, I will create a FR for this as well. 😀
It would be great to hear how you get on, if you can.
Thanks,
Lizzie
11-20-2023 01:50 PM
11-20-2023 01:53 PM
Hey Jason, yes the command can be sent without input and that clears the password completely, which is not ideal or secure.
11-20-2023 01:58 PM
11-28-2023 10:10 AM - edited 11-28-2023 10:30 AM
Hey Jason, I'm running into some issues when trying this out. I'm able to reset the password with or without input initially. But once the password restriction is set up in the policy, the reset command fails with any password that is not compliant with the password restriction (even an empty password doesn't go through).
After this, any RESET_PASSWORD command I send (even a compliant one) doesn't go through. When I do the GET operation command, I get a response without the `done` or the `error` fields.
```
{
  "name": "enterprises/LC02otg***/devices/3e4aa95e4274***/operations/1701193847359",
  "metadata": {
    "@type": "type.googleapis.com/google.android.devicemanagement.v1.Command",
    "type": "RESET_PASSWORD",
    "createTime": "2023-11-28T17:50:47.359Z",
    "duration": "600s",
    "newPassword": "222222",
    "resetPasswordFlags": [
      "LOCK_NOW"
    ],
    "userName": "enterprises/LC02ot***/users/107504099415296****"
  }
}
```
11-20-2023 02:01 PM
Yes, I have tried this and it works. The concern is that, in the period between when the password is wiped and the legit user gets the chance to set a new password, anyone who gets access to the device will be able to unlock it without a password and set their own password.
11-20-2023 02:08 PM
You can solve for this with appropriate communication with the affected users, and back the password policy up with a compliance action that blocks access to work data until a password is re-set, preventing users from working with corp data until they set a password. That should spur them on and encourage them to not leave password unset long enough to have the device taken from them by a bad actor.