Master ownership of Android devices
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-20-2023 05:02 AM - edited 07-20-2023 05:12 AM
Factory Reset Protection / persistence is a powerful tool but it does not yet feel complete, and it is quite frustrating and potentially dangerous in its current state. It is not always apparent whether any given device is persistently linked using ZeroTouch, Intune or even Google Account FRP. While these tools are available to some, they are not a financially viable option for everyone, especially for consumers. There may be documentation describing the intimate intricacies of how all of these tools work and when/where they leave signs of their presence, but I cannot find it. I have not found a PSA from google for consumers saying "if you buy a second hand phone, check x, y and z to make sure it is not locked, otherwise someone can potentially remotely brick it."
As a small company we have various scenarios where we provide phones to employees and also distribute loan/event devices for other small-medium companies, and don't necessarily have the ability to invest in enterprise-grade tools like ZT, InTune or Android Enterprise. If you think, on Windows all you need is to set the BIOS password and the Admin password and User Account Control takes care of the rest. Now take the android example, you add a google account and think it's safe with the user not knowing the password, but there is nothing to stop the user from adding their own personal google account, removing yours (no password required), setting their own PIN, and turning a $1000 phone into a paperweight. If they can unlock the phone, they are the master owner. There did used to be a feature for Multi-User on android but I haven't seen it in a long time, and I think there were performance issues with it as they all had to be loaded at once.
While I may be lacking understanding knowledge and making some assumptions, should a consumer really need to know exactly how Android Enterprise works in depth just to buy a second hand/"refurbished" phone? And I dare anyone to get into a device after it's been factory reset while attached to a personal google account with a PIN set without hacking tools. I know there have been exploits with Talkback in the past but it's been patched now, and again these are not lengths to which consumers should need to go.
If I knew someone's pattern (most common security type and very hard to hide effectively), and had their phone for 2 minutes, I could turn it into a paperweight simply by adding a disposable google account, removing theirs, and setting a PIN. How are we supposed to protect against that as a small business?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-20-2023 05:46 AM
Just to get our conversation here:
The correct usage of an MDM can prevent you from this by disabling abbility of adding (any) other accounts and so on by the user.
And as you asked something about the Zero-Touch portal:
You don't need to purchase Zero-Touch portal but you need to buy your devices from a reseller who has access to it which means the reseller can create a portal for you and upload the devices then to it.
When this is done you can create a config and assign it to your devices (also via batch as csv).
Zero-Touch portal also provides the functionality if device is wiped it always points it to your MDM as long as the IMEI has the relevant config assigned.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-20-2023 06:05 AM - edited 07-20-2023 06:07 AM
The 2nd hand aspect of your concerns does add a little more to consider, but there are still ways and means with a few limitations.
As @Moombas points out, zero-touch is reseller based. It is entirely free to use providing you've purchased the devices new or used from a reseller in the first place. Zero-touch won't alleviate FRP causing issues alone, but it will redirect devices into management any time they're factory reset.
On the subject of management, it's not always expensive. Consider Miradore as an example, they have a basic plan for free with no device limit. Other platforms, such as mambo EMM, Appaloosa or Wizy EMM offer limited/low cost options on a rolling monthly basis, and cover all basics for device management.
When devices are managed, again as @Moombas points out, restrictions on accounts added to the device can be put in place, but more than this, you as the admin can mandate a specific account on the device to enforce FRP, or disable FRP all together, and users with the devices (or those who get hold of them) are powerless to change this, as the management agent enforces the policies. This extends also to mandating medium to strong password requirements, and also the ability to remove a password remotely as the administrator of the managed device.
For consumers and devices that won't be put under enterprise management, well it's no different to any other asset. If you lock your front door with a piece of rope, someone will cut it and gain access, after which they can wreak whatever havoc that comes with accessing a person's home. If you secure your device with a pattern or simple pin code and leave it around for someone to gain access to it, they will. At least with a device, a proof of purchase is normally enough to get FRP removed by the manufacturer on request.
Multi-user is still a thing, by the way, it just needs to be explicitly turned on for most modern handsets.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-20-2023 04:43 PM
My point is that the device user is not always the device owner, and that general consumers shouldn't have such powerful tools available. While ZT is SUPPOSED to be only devices purchased through the reseller, but they can actually onboard any device as we've experienced, but I'm not going in to that now. I can understand a business locking a device, but not some random user, potentially even by accident, and without any sort of special tools. This is about device users not being device owners, something that has never been a problem until FRP.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-20-2023 05:06 PM
Sure, technically a reseller can onboard any device, and in some markets they do so with proof of purchase. There's no gotcha there, it's not prohibited in the agreement, it's just not common.
From the other side of this, it used to be possible for me to grab an Android device, recovery reset it and set it back up as my own regardless of device security in place or who owned it. Granted there were vulnerabilities to get around FRP way back when but these are far fewer today.
So I argue that FRP, like the Apple, Samsung, and other equivalents, are a net positive on device security and recovery, not a detractor for consumers. It protects the consumer from losing their device to someone else, and your premise of it being overly simplistic to brick it through physical access to a device with no means of resolving that is exaggerated.
I've managed devices before FRP control was a thing, and I've been through the process of sending devices off to an OEM facility quarterly to wipe the FRP bit on corporate owned devices. From Android 6.0 it stopped being a problem for managed devices since admins gained control either over FRP being enabled, or the account used to recover it.
It's now only a problem for organisations today who choose not to manage (enforce their ownership over) their estate, and since there's many options available to do this for all budgets, there's no reason not to manage devices.
If devices are being handed out for the user to set up and look after, they are the owner on a system level. If those devices are put into management, they're owned by the company pushing the policies. That's the distinction for ownership.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-20-2023 11:08 PM - edited 07-20-2023 11:09 PM
The problem you describe has nothing to do with FRP, it's more likely a problem devices get stolen and resold.
A reseller has to ensure that their devices are not managed before selling them if they don't or sell them even they are managed, they are not resellers to trust. And as a consumer, i would startup every such device online (using SIM or Wifi) until request of entering the google account is arrived and not pay before.
We had several cases where devices which got stolen and someone tried to re-enroll they all ignored all the messages saying "your device is not private" and so on and then wondering why the device is locked into a kiosk screen and not useable or if they are already shipped far away just ran into a useless mode even without FRP.
This doesn't prevent us from stolen devices but hopefully shows the thiefs at some point that it doesn't make sense to steal such devices and try to resell them online or on a flea market.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-21-2023 02:52 AM
I do not think you read my post.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-21-2023 02:49 AM
I am also concerned about this, I've been looking for details everywhere. We loan out phones all the time and FRP is a big problem for us when users change the pin.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-21-2023 03:00 AM
Thanks for the response Genero, please let me know if you find out anything useful. I guess what it comes down to is that there is no "User" role on androids, the user is the Admin, which didn't used to be a problem until FRP came along.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-21-2023 03:04 AM
Exactly, which is a big problem when your business model is based on being able to Factory Reset phones, to undo all the mess users make on them. We have lost the ability to loan out phones without an MDM solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-21-2023 03:13 AM
Actually that's the crux of it, the introduction of FRP has made Android Enterprise mandatory where it wasn't before, as well as all the other MDM bits or whatever to make it impossible to remove accounts.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-21-2023 03:48 AM
No, you haven't, you could force users to unlock and wipe those devices first if you don'T want to use an MDM but this would require that they always stay in front of you in person and not send them via package or similar.
And you have this behavior not only on Android devices, you have the same on Apple devices as well. And if devices got "connected" to an account (Google account/ Apple ID) also, they need to be removed from that as well.
If handing out "free to use" devices to employees, you always need to take care of that or need to manage them to ensure entire access and ability to reset it.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-21-2023 03:52 AM
Let's not compare to Apple eh? We have higher standards than that. I wouldn't call anything made by Apple a "business device". Also "force users to stand in front of you", what world are you living in?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-21-2023 04:03 AM
It was an example just showing that not only Android (Google) has gone this way for security reasons.
I also only showed you a (yes: bad but only other possible) example how to do it without the need of MDM when FRP is active.
Should i ask you the same stupid question "in which world you are living in" when just looking at your situation where you are not able to wipe a device because you don't know the pin set by a user?
If you buy a used phone would you just take and pay for it without verifying it's working first (not locked not booting etc.) or would you check that before? That's the same when you get a "free to use" device back from an employee -> ensure it's functional which includes not locked anymore.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-21-2023 03:08 AM
Thats not correct, if you have a fully managed device, there is an admin role (already described above) and user role. The only thing is you need to set it up correctly or force users to wipe the device when taking back the device (i know that this is most often very complicated).
And FRP i would only use on fully managed devices, not on work profile or BYOD or anything else otherwise you need to send such devices to repair (as @jasonbayton mentioned before as well) to get them back working again for which you may got charged, depending on your error description.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-21-2023 03:04 AM
If the device is fully managed you may can disable the ability to change the pin (or enter the settings in general) if it's just "set up manually" without any restriction (like a normal consumer device) than i can just point to the reply from @jasonbayton and sorry to say but the problem is made yourself then.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-20-2023 06:30 AM
Ah i missed that Multi user thing ^^ I know it's possible from the MDM we use and I'm pretty sure others can as well.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-21-2023 04:09 AM
Great to see an in-depth discussion on this here. Thank you @Josh for starting this conversation and @Moombas and @jasonbayton for your responses.
Reading this, I know it's difficult to understand the complete picture of how your process works here Josh, so some assumptions have had to be made on the possible options suggested here.
Based on the information you shared it does appear that the best option would be to explore using an EMM, I know you mentioned this isn't a current option, but this would help you to get the experience you are wanting.
If any other workarounds or suggestions arise, I will be sure to let you know.
Reading the latest comments, I do think that we have fully explored the options and we are starting to get off track, so I'm going to close this discussion now for new replies. Please keep in mind that we all trying to support each other here and want to find a good solution.
Thanks for your time.
Lizzie
- Automatically Skip Google Account during Zero Touch Enrollment with Intune? in Admin discussions
- Unlinking Zero-Touch from MDM provider in Admin discussions
- Basic WiFi-profiles (configuration profiles) do not deploy into Device in Admin discussions
- Google assistant with work account in Admin discussions
- Oemconfig for motorola Edge in Admin discussions