Re-issuing Zero Touch enrolled devices to other users

JustinBerry
Level 1.5: Cupcake

Hello,


We've just started testing Zero Touch, and one of our AZT early adopter device users recently left the company. We're trying to give his device to another tester; however, after a wipe of the device it's prompting to verify identity and asking for the previous user's PIN / Google account (which we don't have) before the AZT-assigned MDM enrollment kicks in...


We were not expecting Zero Touch enrolled devices to be locked to previous users at all. We expected this to be similar to Apple DEP enrolled devices, where we can easily wipe and re-issue those without any hooks to the previous user's Apple ID.

Is this expected behavior for Zero Touch, that a Corporate Device registered in Zero Touch is still hooked into a user's Google account and we cannot wipe and reissue the Corporate Device to a different user?


Moombas
Level 4.0: Ice Cream Sandwich

This can only happen if the user was allowed to add their own private account (maybe because of COPE?). Or was it unassigned from ZT and used as a BYOD/customer device?


JustinBerry
Level 1.5: Cupcake

Interesting... Yes, it's still registered in ZT pointing to our MDM. Our standard Android Corp model is a COPE one, so the user would/could have logged in to the Personal Profile with his own Google account. While we know we still can't do device PIN resets, for example, we expected that ZT would give us the flexibility to wipe and re-use the device without it being FRP locked to the previous user.

Looks like we could set an FRP admin email in our MDM Corp device config. We could still allow users to wipe the device themselves from system settings (or we block that as well), which would disable FRP; however, if a Corp device is reset through recovery mode, we would have the associated FRP Google email address to be able to set the device back up for someone else. I guess the downside is that users who have to reset the device through recovery mode due to a forgotten PIN would need our direct involvement... but if that means we can reuse all devices, that's probably a good tradeoff... though I expect we'd need the device in hand or give the user the current Google account creds, which is not great...


Do I have that right? 🙂

Moombas
Level 4.0: Ice Cream Sandwich

I haven't worked so deeply with COPE yet (as we don't use it right now), but I see in our MDM that I can set up accounts being allowed for factory reset:

[Screenshot: MDM setting for accounts allowed after factory reset]

Which I guess would mean that those accounts can always be used to wipe the devices for reuse, but I have never tested/used it yet.
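The config both posters are circling (an MDM-side list of corporate accounts allowed to unlock a device after a factory reset, plus optionally blocking user-initiated resets) maps, for an Android Management API managed device, to the Policy fields `frpAdminEmails` and `factoryResetDisabled`. The following is an added example for this thread, not code from the posters or from Google: an offline audit that flags policies which would leave a recovery-mode reset unrecoverable by IT, and a helper that builds the hardened policy body. The two field names are real; the sample policies, the enterprise ID `LC0example`, the admin address and the commented-out API call are constructed placeholders.

```python
"""Audit Android Management API policies for factory reset protection (FRP)
coverage before reissuing zero-touch devices.

Added example for this forum thread, not code from the original posts or from
Google. `frpAdminEmails` and `factoryResetDisabled` are real Android
Management API Policy fields; the sample policies, the enterprise ID and the
admin address below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass
class FrpFinding:
    policy_name: str
    recovery_reset_recoverable: bool   # can IT unlock a device reset from recovery/fastboot?
    user_settings_reset_allowed: bool  # can the user factory reset from Settings?
    note: str


def assess_frp(policy: dict) -> FrpFinding:
    """Classify one policy by what happens after an untrusted (recovery-mode) reset.

    FRP only applies to resets the OS did not authorise (recovery or fastboot).
    A wipe issued by the DPC/MDM or from Settings is a trusted reset and clears
    FRP, so the recovery path is the one that needs a corporate unlock account.
    With no admin e-mails set, the device either has no FRP at all or, as in the
    thread's COPE case, FRP ends up bound to the last user's personal account.
    """
    name = policy.get("name", "<unnamed>")
    admins = [e for e in policy.get("frpAdminEmails", []) if e.strip()]
    settings_reset_allowed = not policy.get("factoryResetDisabled", False)
    if admins:
        note = f"FRP bound to corporate admin account(s): {', '.join(admins)}"
        recoverable = True
    else:
        note = ("no frpAdminEmails: a recovery-mode reset leaves FRP unset or bound "
                "to the last user's personal Google account")
        recoverable = False
    return FrpFinding(name, recoverable, settings_reset_allowed, note)


def harden_frp(policy: dict, admin_emails: list[str], block_user_reset: bool = False) -> dict:
    """Return a copy of the policy with corporate FRP admins set.

    The result is the body you would send to enterprises.policies.patch with
    updateMask=frpAdminEmails,factoryResetDisabled. The input is not mutated.
    """
    if not admin_emails:
        raise ValueError("at least one FRP admin e-mail is required")
    hardened = dict(policy)
    hardened["frpAdminEmails"] = list(admin_emails)
    hardened["factoryResetDisabled"] = block_user_reset
    return hardened


def audit(policies: list[dict]) -> list[FrpFinding]:
    """Findings for every policy IT could not recover after a recovery-mode reset."""
    return [f for f in (assess_frp(p) for p in policies) if not f.recovery_reset_recoverable]


# Constructed sample policies (names, enterprise ID and address are placeholders).
# The first mirrors the thread: a COPE policy with no FRP admins configured.
SAMPLE_POLICIES = [
    {
        "name": "enterprises/LC0example/policies/cope-default",
        "applications": [],
        # no frpAdminEmails -> the gap discussed in the thread
    },
    {
        "name": "enterprises/LC0example/policies/kiosk",
        "frpAdminEmails": ["frp-admin@example.com"],
        "factoryResetDisabled": True,
    },
]

if __name__ == "__main__":
    # Assumption for a real run (google-api-python-client, service account with the
    # androidmanagement scope); not executed here:
    #   svc = googleapiclient.discovery.build("androidmanagement", "v1")
    #   policies = svc.enterprises().policies().list(
    #       parent="enterprises/LC0example").execute()["policies"]
    for finding in audit(SAMPLE_POLICIES):
        print(f"{finding.policy_name}: {finding.note}")
    fixed = harden_frp(SAMPLE_POLICIES[0], ["frp-admin@example.com"])
    print("after patch:", assess_frp(fixed).note)
```

Leaving `factoryResetDisabled` false keeps the self-service path the second post describes (a user reset from Settings is a trusted reset and clears FRP), while the admin e-mails cover the recovery-mode path. If the MDM uses its own DPC rather than the Android Management API, the equivalent control on Android 11+ is `DevicePolicyManager.setFactoryResetProtectionPolicy`, which takes the same kind of account allow-list; whether a given MDM exposes either is a question for that vendor, which the thread does not settle.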