Skip Passcode Setup

M-T-T
Level 1.5: Cupcake

Is it possible to bypass the PIN setup during Google Zero Touch provisioning for new devices to allow Intune to configure the Lock Screen instead? Currently, test users are prompted to create a PIN during setup, which interferes with Intune’s Lock Screen configuration.

12 REPLIES 12

Moombas
Level 4.1: Jelly Bean

Afaik there's no confirguration option to disable it.

What kind of enrollment are you talking about COPE or fully managed?

I try to remember, so on fully managed i would expect it not to ask for that, but i guess you talk about COPE.

M-T-T
Level 1.5: Cupcake

It is corporate owned fully managed user devices. If I use QR instead of zero touch, I don’t get the initial PIN setup.

Moombas
Level 4.1: Jelly Bean

A "corporate owned fully managed user device" doesn't exist.

Do you have COPE (Company Owned Privately Enabled (with user profile and work profile)) or fully managed device (no seperate profiles)?

M-T-T
Level 1.5: Cupcake

Currently, test users are prompted to create a PIN during setup, when they setup a PIN, the Lock Screen never shows up. But if they skip it, the Lock Screen shows up with the right 6 digit PIN.

 

IMG_8242.jpeg

 

IMG_8243.jpeg

Moombas
Level 4.1: Jelly Bean

As said a bit down below, i see the same behavior (setting a pin is requested during enrollment) but the lockscreen not showing up if done so, sounds very like an Intune issue.

M-T-T
Level 1.5: Cupcake

Spoke to a Google representative today. This behavior started with Android 14 and there is no way to skip the initial prompt PIN

M-T-T
Level 1.5: Cupcake

IMG_8245.jpeg

Moombas
Level 4.1: Jelly Bean

Strange name from MS as COPE devices are never fully managed 😄 but accept that the "naming issue" does come from MS, not from you.

 

I just did another test enrollment with COPE in Soti, set the pin during enrollment (and have a pin policy for the device in place as well), the lockscreen works perfect.

Michel
Level 2.2: Froyo

Intune is the one asking to set a pin, Google zero touch does not do that and if you configured everything correctly, the steps should roughly be:

 

  1. Turn on device
  2. Press next
  3. Configure wifi or mobile network connection
  4. Device pulls configuration from Intune via zero touch enrollment (either google zero touch or Knox Mobile Enrollment)
  5. Intune apps are installed
  6. User is asked to login
  7. configuration from intune is pulled based on user details
  8. Pin settings are required to proceed to next steps

 

You could replace the zero touch with a QR code enrollment (pressing the first white welcome screen a few times untill the camera shows). 

 

What moombas indeed points out, you are combining two profiles in your sentence so that does not make sense. Which one do you use? 

 

And can you share a screenshot of the pincode settings in Intune? 

 

The procedure explained should be the same for COPE as for fully managed. Unless a device is enrolled as BYOD (when it does not have zero touch configured correctly for example). 

 

Moombas
Level 4.1: Jelly Bean

Hi @Michel

regarding "The procedure explained should be the same for COPE as for fully managed. Unless a device is enrolled as BYOD (when it does not have zero touch configured correctly for example). ", is that really the case?

For me it's long time ago i made such enrollment but my guess would be that even on COPE the user can/should set a pin him-/herself during the enrollment and later the policies of the MDM (no matter which one) takes place and may ask to reset the pin because the previously chosen one was not secure enough (compared to what the admin has set up as a requirement).

Just did a test on one of my test devices and you get prompted to define a pin (after the MDM agent was installed), not sure if admin policy already takes place here regarding how secure it has to be.

 

But be aware that on COPE you have 3 passwords to be set:

- admin password

- device pin

- work profile pin

Both pins can be enforced by the MDM to match defined requirements which can cause the device also re-requesting for example device pin to be set if the one chosen from the enduser before was too less secure.

Or you maybe struggle that the end user needs to set a pin for device (during enrollment) and later also for  the work profile later as well.

Michel
Level 2.2: Froyo

Hi @Moombas , its when looking at the passcode, yes. If you configure Intune with a password policy for the whole device, not just the work profile, it will ask you to set the pin before the personal settings of cope are shown. The rest of the enrollment process is different between fully managed and cope ofcourse. 

 

But you're comment got me thinking, and I've found this article from MS: https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-configuration/assign-password-setti...

 

It seems that you are able to configure it both ways, we always configure it via the recommended way:

Recommendation

Because of the OS limitation on Android Enterprise fully managed devices, we recommend that you assign the device restrictions profile that includes password settings to the devices before enrollment.




This might very well be the issue that @M-T-T is experiencing. But I have absolutely no idea how to apply a profile after enrollment 😅. The way we work:

Create a user, user is part of a group, assign policies and apps to that group, enroll the device and login with the user during the enrollment proces. My first interpretation would be that Microsoft means applying a policy to an operational device when talking about " after enrollment" but i'm not sure. 

Moombas
Level 4.1: Jelly Bean

Again, i don't use Intune and not sure how/where it works different.

For me it's other way around: I don't know how to apply it before enrollment. In Soti you deploy a COPE profile with authentication but this takes place after the device is enrolled.

And you even can't before as you enroll a device using an enrollment ID and not with logging in with a user to the device (similar to fully managed enrollment).