User Profile
GMenzies
Level 2.0: Eclair
Joined 2 years ago
Contributions
Play Integrity Verdicts
Is there a proven method to determine why a device might be failing Play Integrity verdicts? From what I can see it appears to be a black box. I'm trying to troubleshoot a BYOD device that is failing the Strong Integrity check and Device Integrity check. We've checked the device is a certified device (Samsung S23 - SM-S911B), the device has Google Play services enabled and is showing as certified in the Play Store. Bootloader isn't unlocked, the build seems to be an official build (UP1A.231005.007.S911BXXU3ZWJ6) also. Anyone have any experience with this? Thanks.
4.1K Views, 0 likes, 4 Comments
Re: OEM Config Policy with Samsung Knox Service Plugin
Unsure if you've resolved this yet or not but sometimes there are pre-req settings that need to be enabled for certain settings to work with KSP. The KSP documentation would be your best bet - Prerequisites | Samsung Knox Documentation
4.7K Views, 3 likes, 1 Comment
Re: Factory Reset Protection and Captive Portals
Hi Jason, There are no options in KME for this; the device only needs to have a profile assigned, which this one does, but because this happens before the device can communicate with KME I'd still see this issue - Lock and unlock devices | Samsung Knox Documentation. Reboot and a factory reset don't change the behaviour; it seems to be FRP complaining and not specific to the captive portal itself. I've created a captive portal SSID at home and had the same issue. Thanks for your help. Lizzie, any thoughts on this?
9.2K Views, 0 likes, 0 Comments
Re: Factory Reset Protection and Captive Portals
Hi Jeremy, We're utilising Knox Mobile Enrolment today as we have Samsung devices, to clarify also our EMM is Intune, we wouldn't disable factory reset as we need a method for users to reset devices on their own if required. I also thought Device recovery mode doesn't let you bypass FRP? Also would we not have the same issue with Zero touch? This issue happens before we even have a network connection. Thanks for your help.
9.2K Views, 0 likes, 5 Comments
Factory Reset Protection and Captive Portals
A bit of background on this, we're currently moving to use COPE Enrolment for all of our devices after using BYOD Enrolment for devices purchased by our org. Utilising BYOD we had issues with users signing into their Gmail accounts and leaving the business and we were locked out of the device by Factory Reset Protection (We've used Knox Mobile Enrolment to solve this). This all made sense as it was a BYOD device and for consumers etc it makes a lot of sense. The problem we've encountered is even with COPE enrolled devices, if a user doesn't remove their Gmail account from the personal profile before resetting the device, when the device is used again you're unable to use a Captive Portal network for setup again and this error message is received - "Unable to sign in to Wi-Fi AP. An unauthorised factory reset has been performed on this device. the sign-in screen cannot be accessed." Even after enrolling the device using a WPA2/3 Network and signing in with the Google account in question and manually removing it then resetting the device we still have this issue, it's as if the FRP flag gets set and isn't being removed for some reason. It seems odd any network and even cellular allows you to continue but a captive portal connection doesn't. Has anyone else encountered this issue? Thanks.
Solved, 9.2K Views, 0 likes, 12 Comments
Re: Understanding Automatic Operating system update behaviour
Hi Lizzie, It probably makes sense for you to make the topic and users can add to the feature requests as it's coming from a Google Community Manager then, possibly adding an update at the top of the page for collated issues so users can see what has already been added as a request etc. Thanks.
9K Views, 0 likes, 1 Comment
Re: Understanding Automatic Operating system update behaviour
Hey Moombas, You're 100% right, we use COWP and POWP internally as we manage more than just Android and it provides an easy way for everyone to understand what's being discussed but you're right that BYOD and COPE are the names used by Android. We use Microsoft Intune so we have some extra settings available for COPE compared to BYOD.
9.1K Views, 0 likes, 1 Comment
Re: Understanding Automatic Operating system update behaviour
Hi Lizzie, Honestly most of this is small requests and some perhaps need to be managed through Microsoft (Our EMM is Intune) or are just how we manage things today and probably need to change.
We're unable to provide our internal Google Workspace users with the ability to add their domain accounts to the devices, we work alongside Google for Chromebook development so having this option for COPE would be beneficial to improve their workflows and the customer experience we provide to these users so they can use their Android Mobile Devices and Chromebooks side by side, I know this is available for POWP (BYOD) devices in Intune today and we've created a DCR with Microsoft for this. Whether it's a requirement from Microsoft or Google is the next question.
Our users like to add Work Profile app Widgets to their Home screen, this doesn't seem to be available as a setting for COPE devices (We're working with Microsoft on this to determine if it's available or not for COPE devices, again not sure on who the requirement falls on).
We deploy a compliance policy with Intune to block devices that have been rooted for our POWP (BYOD) devices, this setting doesn't seem to be available for COPE devices in Intune today (We were told by Microsoft this would be a requirement for Google to make available), the best we can do is use our Device Security solution and a combination of ensuring Device Integrity with Google Play Protect, if you can confirm if Device Integrity is suitable to detect rooted devices that would be great - https://developer.android.com/google/play/integrity/verdicts#kotlin:~:text=The%20app%20is%20running%20on%20a%20device%20that%20has%20signs%20of%20attack%20(such%20as%20API%20hooking)%20or%20system%20compromise%20(such%20as%20being%20rooted)%2C%20or%20the%20app%20is%20not%20running%20on%20a%20physical%20device%20(such%20as%20an%20emulator%20that%20does%20not%20pass%20Google%20Play%20integrity%20checks).
As I've said these are just a few that we've seen so far and perhaps most fall on Microsoft but I'd love to be able to provide this feedback to Microsoft that they are available and require actions on their end. Thanks for your help, I've found this forum to be very valuable.
9.1K Views, 1 like, 3 Comments
Re: Understanding Automatic Operating system update behaviour
Hi, Thanks for your responses Jason and Lizzie. I hadn't found that article so thank you for providing it. I'd like to see an Automatic update policy where it updates when the device isn't in active use for 30 minutes etc, unfortunately our devices are used worldwide 24/7 so we wouldn't be able to deploy a Windowed option for a specific time frame. Also, what's the best method to request new features for COWP? We have a few in mind that we are losing going from POWP and would like to understand alternatives or if they will ever be implemented. Thanks for your help.
9.1K Views, 0 likes, 5 Comments
Understanding Automatic Operating system update behaviour
I'm hoping to get a better understanding of the SystemUpdateType policy available for COWP devices, we're currently moving from POWP to COWP for our devices (40K) and are looking to benefit from streamlining as much as possible for our end-users. Looking at the documentation for the SystemUpdateType policy it isn't described as to whether the Automatic update option would force an Operating System update even if the device is in active use (User on a call, App open and in use etc). Does anyone have detailed information as to how the Automatic update option works? I'm hoping to get a reply from a Google employee on this if possible. Below is the link to the documentation for anyone interested. https://developers.google.com/android/management/reference/rest/v1/enterprises.policies#systemupdate:~:text=accept%20system%20updates.-,AUTOMATIC,Install%20automatically%20as%20soon%20as%20an%20update%20is%20available.,-WINDOWED Thanks for your help.
9.2K Views, 0 likes, 15 Comments