Factory Reset Protection

This is the eighth in a series of blog posts looking at the considerations around adopting a GMS deployment in the enterprise.  Each post features a summary along with recommendations. For other posts in this series please see the links below:

• Preventing unattended application updates initiated via the Play Store
• Understanding Google’s terms of service and privacy policy
• The managed Google Play Store
• Application deltas between Android GMS and AOSP
• GMS Location services and tracking
• Distributing private apps in the Managed Play Store
• Data usage of GMS applications and services
• Factory Reset Protection
• The setup wizard and how to bypass it

Summary

Factory Reset Protection (FRP) is a security feature added by Google into all GMS devices running Android version 5.1 and above which is automatically activated when you add an unmanaged Google account to your device.  When activated, FRP will require the unmanaged account credentials to be entered following any untrusted reset.

The primary use case of FRP is to lessen the value of a stolen device and whilst primarily designed with consumer users in mind, it remains in effect on Zebra enterprise devices.

The advice contained in this post is aimed at external partners, developers and administrators.

What is Factory Reset Protection?

The following preconditions must apply for factory reset protection to be in effect:

• Enable OEM unlock is disabled in the Developer Options
• The device has a Google account associated with it.  See Note 3 below for a discussion on Pin/Password requirements.

Note this does not include managed Google accounts

When the device undergoes an untrusted reset, you will be required to associate the device to WiFi and enter the previously associated Google email and password to complete the set-up wizard.

Set up wizard with FRP following an untrusted reset: Note that there is no option to skip the WiFi menu

After entering your WiFi credentials you will be presented with the following prompt to verify your account:

Set up wizard with FRP following an untrusted reset: Note that there is no option to skip entering your account information

An untrusted reset is one of the following:

• Applying a Factory reset package downloaded from the Zebra support portal
• Applying an Enterprise reset package downloaded from the Zebra support portal .
• Performing a Factory or Enterprise Reset via the MX Power Manager.
• Using Google’s Find My Device to erase your device.

Note 1: Applying a Full Package Update will not usually require you to navigate past the set-up wizard but in some instances you may be required to perform a factory or enterprise reset after the update for example when downgrading or converting from AOSP to GMS.  Consult the update release notes for more information.

Note 2: MX 7.1 introduced a new parameter to the MX Power Manager, Setup Wizard Bypass.  Note that setup wizard bypass can NOT be used to bypass the device’s factory reset protection.

Note 3: Google slightly changed the behaviour of Factory Reset Protection from Android Pie onwards.  Previously, performing an untrusted reset on a device with a Google account that did not have a Pin/Pattern/Password set would cause the user to be asked to enter their Google credentials.  This has changed and the new behaviour is to NOT prompt the user for their Google credentials after an untrusted reset so long as a Pin/Pattern/Password was not set. 

A trusted reset is one of the following:

• Resetting the device via Settings --> Backup & reset --> Factory or Enterprise data reset (requires any set device PIN or password to be entered)
• Pressing and holding the power key and selecting ‘reboot’.

Further, a device owner can initiate a reset via the wipeData API under DevicePolicyManager.  The WIPE_RESET_PROTECTION_DATA flag can be provided to that API to clear or retain factory reset protection across the reset.  Since this API is restricted to the device owner however it is only available to EMM client applications.

Best Practice for Factory Reset Protection

If you are planning on using unmanaged Google accounts (for example if your end users make use of G Suite services) or allowing users to add their personal accounts to the device you are at risk of FRP preventing access to your device if the password associated with the Google account is not known; one way to mitigate against the risk is to install a common admin account on each of your devices as part of the provisioning process so that a recovery option is available. Since a device locked by FRP can be unlocked with any previously registered Google account, the common admin account credentials can be used to regain access to the device if required.

For clarity, Factory Reset Protection does not apply to managed Google accounts, typical of devices running in Device Owner mode

Removing Factory Reset Protection

You can remove factory reset protection at any time by removing the associated Google account from the device.  Take care, before sending your device to any maintenance facility who will need to reset your device you should first remove any unmanaged accounts.

If you are locked out of your device due to FRP and do not remember your Google username / password the device cannot be used and there is no utility available from Zebra to remove FRP.

Your options to bypass FRP are as follows:

• If multiple Google accounts were associated with the device prior to it being reset, any of these previously associated credentials can be entered during the Start-up wizard to bypass FRP
• If you have multiple Google accounts and cannot remember which account the device is associated with you can visit https://www.google.com/android/devicemanager, log in with your credentials and check the list of devices associated with the account.  Repeat that process for each suspected Google account until you find the device in that account’s device list.
• If you know your Google username but have forgotten the password you can reset it either on the device using Google account recovery or via www.google.com.  It can take up to 24 hours for a new password to sync with all registered devices so try logging in with the new password after that time has elapsed.
• If none of the above options will work for you then it will be necessary to return the device to your supplier for repair.

The best official documentation from Google on FRP is the following Nexus support article.

Recommendations

All GMS Zebra devices will ship with the Factory Reset Protection feature enabled, to avoid locking yourself out of your device(s) it is recommended to never perform an untrusted reset on a device which has an unmanaged Google account:

• If sending out demo units, consider provisioning a common ‘unlock’ account on the devices if you suspect users may add their personal details.
  
  • Remove any personal accounts from devices returned to the demo pool.
• Prohibit the user from adding personal accounts, either by using an EMM that supports this feature or by prohibiting access to device Settings.