Level 1.5: Cupcake
November 27, 2024
Question

Skip Passcode Setup


Is it possible to bypass the PIN setup during Google Zero Touch provisioning for new devices to allow Intune to configure the Lock Screen instead? Currently, test users are prompted to create a PIN during setup, which interferes with Intune’s Lock Screen configuration.

3 replies

Moombas
Level 4.4: KitKat
November 28, 2024

Afaik there's no configuration option to disable it.

What kind of enrollment are you talking about COPE or fully managed?

I try to remember, so on fully managed I would expect it not to ask for that, but I guess you talk about COPE.

M-T-T (Author)
Level 1.5: Cupcake
November 28, 2024

It is corporate owned fully managed user devices. If I use QR instead of zero touch, I don’t get the initial PIN setup.

Moombas
Level 4.4: KitKat
November 29, 2024

A "corporate owned fully managed user device" doesn't exist.

Do you have COPE (Company Owned Privately Enabled (with user profile and work profile)) or fully managed device (no separate profiles)?

M-T-T (Author)
Level 1.5: Cupcake
November 29, 2024

Currently, test users are prompted to create a PIN during setup. When they set up a PIN, the Lock Screen never shows up. But if they skip it, the Lock Screen shows up with the right 6 digit PIN.

 

 

Moombas
Level 4.4: KitKat
November 29, 2024

As said a bit down below, I see the same behavior (setting a PIN is requested during enrollment), but the lockscreen not showing up if done so sounds very much like an Intune issue.

Level 4.0: Ice cream sandwich
November 29, 2024

Intune is the one asking to set a PIN; Google zero touch does not do that, and if you configured everything correctly, the steps should roughly be:

 

  1. Turn on device
  2. Press next
  3. Configure Wi-Fi or mobile network connection
  4. Device pulls configuration from Intune via zero touch enrollment (either Google zero touch or Knox Mobile Enrollment)
  5. Intune apps are installed
  6. User is asked to log in
  7. Configuration from Intune is pulled based on user details
  8. PIN settings are required to proceed to next steps

 

You could replace the zero touch with a QR code enrollment (pressing the first white welcome screen a few times until the camera shows).

 

As Moombas indeed points out, you are combining two profiles in your sentence, so that does not make sense. Which one do you use?

 

And can you share a screenshot of the pincode settings in Intune? 

 

The procedure explained should be the same for COPE as for fully managed. Unless a device is enrolled as BYOD (when it does not have zero touch configured correctly for example). 

 

Moombas
Level 4.4: KitKat
November 29, 2024

Hi @Michel

regarding "The procedure explained should be the same for COPE as for fully managed. Unless a device is enrolled as BYOD (when it does not have zero touch configured correctly for example). ", is that really the case?

For me it's a long time ago that I made such an enrollment, but my guess would be that even on COPE the user can/should set a PIN him-/herself during the enrollment, and later the policies of the MDM (no matter which one) take effect and may ask to reset the PIN because the previously chosen one was not secure enough (compared to what the admin has set up as a requirement).

Just did a test on one of my test devices and you get prompted to define a PIN (after the MDM agent was installed); not sure if admin policy already takes effect here regarding how secure it has to be.

 

But be aware that on COPE you have 3 passwords to be set:

- admin password

- device pin

- work profile pin

Both PINs can be enforced by the MDM to match defined requirements, which can cause the device to also re-request, for example, the device PIN to be set if the one chosen by the end user before was not secure enough.

Or maybe you struggle with the end user needing to set a PIN for the device (during enrollment) and later for the work profile as well.

Level 4.0: Ice cream sandwich
November 29, 2024

Hi @Moombas, it's when looking at the passcode, yes. If you configure Intune with a password policy for the whole device, not just the work profile, it will ask you to set the PIN before the personal settings of COPE are shown. The rest of the enrollment process is different between fully managed and COPE, of course.

 

But your comment got me thinking, and I've found this article from MS: https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-configuration/assign-password-setting-android-fully-managed

 

It seems that you are able to configure it both ways; we always configure it via the recommended way:

Recommendation

Because of the OS limitation on Android Enterprise fully managed devices, we recommend that you assign the device restrictions profile that includes password settings to the devices before enrollment.




This might very well be the issue that @M-T-T is experiencing. But I have absolutely no idea how to apply a profile after enrollment 😅. The way we work:

Create a user, user is part of a group, assign policies and apps to that group, enroll the device and log in with the user during the enrollment process. My first interpretation would be that Microsoft means applying a policy to an operational device when talking about "after enrollment", but I'm not sure.