Is there a way to force users to reset passcode without admin needing to give a temporary password?

Prathik
Level 2.0: Eclair

Hi,

We have a requirement to force a few users to reset passcode. I have tried with https://developers.google.com/android/management/reference/rest/v1/enterprises.devices/issueCommand#... and it works fine when we mention the new passcode. I am wondering if there is a way to force users to change passcode without us having to give and store temp passcodes for each user.
I am aware that we can do this with password restrictions as part of policy https://developers.google.com/android/management/reference/rest/v1/PasswordRequirements, but is it possible with a one-time issue command?

Thank you

1 ACCEPTED SOLUTION

Prathik
Level 2.0: Eclair

Okay thank you. We will go ahead with the following approach.
1. Set Password Policy
2. Set Policy enforcement rule for `passwordRequirement` with blockAction set to 0 days.
3. Send Reset password command with empty/static password which is not compliant with passwordRequirement.

That should block the user until they reset password.


Lizzie
Google Community Manager

Good question, @Prathik, and great to see you again.

Not sure which devices you are using, but an OEM config option for this might be a good thing to explore. For example, I've seen that Samsung Knox have a password policy, so perhaps other OEMs do too.

It's a nice feature request though, I will create a FR for this as well. 😀

It would be great to hear how you get on, if you can. 


Thanks,

Lizzie




jasonbayton
Level 4.0: Ice Cream Sandwich

I may be wrong, but I do believe that command can be sent without inputting a new password. Have you tried this?

Prathik
Level 2.0: Eclair

Hey Jason, yes the command can be sent without input and that clears the password completely, which is not ideal or secure.

jasonbayton
Level 4.0: Ice Cream Sandwich

Combine it with the password requirements in-policy and users will be asked to set up a new password shortly after it's wiped.

Hey Jason, I'm running into some issues when trying this out. I'm able to reset password with or without input initially. But once the password restriction is set up in the policy, the reset command fails with any password that is not compliant with the password restriction (even an empty password doesn't go through).

After this, any RESET_PASSWORD command I send (even a compliant one) doesn't go through. When I do the GET operation command, I get a response without the `done` or the `error` fields.

{
    "name": "enterprises/LC02otg***/devices/3e4aa95e4274***/operations/1701193847359",
    "metadata":  {
        "@type": "type.googleapis.com/google.android.devicemanagement.v1.Command",
        "type": "RESET_PASSWORD",
        "createTime": "2023-11-28T17:50:47.359Z",
        "duration": "600s",
        "newPassword": "222222",
        "resetPasswordFlags":  [
            "LOCK_NOW" 
        ],
        "userName": "enterprises/LC02ot***/users/107504099415296****" 
    }
}
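
An added example, not part of the post or of Google's documentation, for triaging a response like the one above: it classifies the operation from its `done`/`error` fields and the command's `createTime` plus `duration`, and masks `newPassword` before the response is logged. The function names, the `STALE` label and the placeholder IDs are this example's own assumptions.

```python
import copy
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the response in the post; IDs are placeholders.
SAMPLE_OPERATION = {
    "name": "enterprises/ENTERPRISE_ID/devices/DEVICE_ID/operations/OPERATION_ID",
    "metadata": {
        "type": "RESET_PASSWORD",
        "createTime": "2023-11-28T17:50:47.359Z",
        "duration": "600s",
        "newPassword": "222222",
        "resetPasswordFlags": ["LOCK_NOW"],
    },
}

def _parse_time(value):
    # API timestamps are RFC 3339 in UTC; sub-second precision is dropped here.
    trimmed = value.split(".")[0].rstrip("Z")
    return datetime.strptime(trimmed, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def command_state(operation, now):
    """Classify an operations.get response for an issued device command."""
    if operation.get("done"):
        # A finished long-running operation carries either `error` or `response`.
        return "FAILED" if "error" in operation else "SUCCEEDED"
    meta = operation["metadata"]
    created = _parse_time(meta["createTime"])
    valid_for = timedelta(seconds=float(meta["duration"].rstrip("s")))
    # STALE is this example's own label: not done, and the validity window has passed.
    return "PENDING" if now <= created + valid_for else "STALE"

def redact_for_logging(operation):
    """Return a copy safe to log: the response echoes newPassword in clear text."""
    safe = copy.deepcopy(operation)
    if "newPassword" in safe.get("metadata", {}):
        safe["metadata"]["newPassword"] = "<redacted>"
    return safe

if __name__ == "__main__":
    during = datetime(2023, 11, 28, 17, 55, tzinfo=timezone.utc)
    after = datetime(2023, 11, 28, 18, 5, tzinfo=timezone.utc)
    print(command_state(SAMPLE_OPERATION, during))  # inside the 600s window
    print(command_state(SAMPLE_OPERATION, after))   # window elapsed, still not done
    print(redact_for_logging(SAMPLE_OPERATION)["metadata"])
```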

Prathik
Level 2.0: Eclair

Yes, I have tried this and it works. The concern is that, in the period between when the password is wiped and the legit user gets the chance to set a new password, anyone who gets access to the device will be able to unlock without password and set their own password.

jasonbayton
Level 4.0: Ice Cream Sandwich

You can solve for this with appropriate communication with the affected users, and back the password policy up with a compliance action that blocks access to work data until a password is re-set, preventing users from working with corp data until they set a password. That should spur them on and encourage them to not leave password unset long enough to have the device taken from them by a bad actor.
