Forum Discussion
Re-enrollment after deprovision
Hello,
I am wondering if there is any way to re-enroll a unit automatically after it's been deprovisioned from the Google Admin console.
I believe the answer is no, but I would like to confirm, as this would save time if possible. I would also like to know if the answer is the same for units that used zero-touch enrollment.
Thank you!
13 Replies
- Lynda (Google Community Manager), 2 months ago
tttech Thanks for your question.
Correct, it is not possible to automate enterprise enrollment with a device that is deprovisioned as it is no longer managed. Someone would need to manually enroll it again.
Hope this clarifies things.
Please continue to input and share within the community - it's great to have you aboard.
- tttech (Level 1.6: Donut), 2 months ago
Thanks, Lynda
However, I've encountered an issue:
A Chromebook is enrolled, with forced re-enrollment turned off.
After a powerwash, the CB appears like a non-enrolled device as expected (can log in as a regular user, no policy, dev mode unblocked).
In the Google Admin console, the device still appears as provisioned and can still be locked.
Does this mean a device can be bought and appear like a normal device, then suddenly get locked by an old admin, and lock after resetting?
Is there no way to check if a device is still provisioned with FRE disabled?
Attached are images of the same device
- Lynda (Google Community Manager), 2 months ago
Hi tttech
It looks like you need to deprovision the device from the admin console still.
After that it will no longer show up in the Admin Console.
Here is a resource outlining this step: https://support.google.com/chrome/a/answer/3523633?hl=en
This is expected behavior, and a further reason that you should force auto re-enrolment for security reasons and always deprovision devices that you no longer want to manage.
We hope this helps,
Lynda
- tttech (Level 1.6: Donut), 2 months ago
Thanks Lynda, but I understand that this needs to be deprovisioned from the console - my concern here is the following:
How does one know that a device or motherboard they purchase is not provisioned to another domain with FRE turned off? A non-enterprise user could be using a device for a long period, need to powerwash or recover, and then their device could be locked because the former admin still has that ability, since they didn't deprovision before selling the device.
Is there no way to determine if your device is still provisioned in someone's admin console?
- nicolas (Level 1.6: Donut), 2 months ago
Hi tttech
From my testing, a device that has forced re-enrolment disabled and has been powerwashed by a user is not enrolled anymore and cannot be managed by an admin (expected behavior, as shared by Lynda). If the device is not deprovisioned from the Google Admin console and the admin decides to disable the device, then the device would only become disabled if it's re-enrolled in the same domain. So if an admin has disabled forced re-enrolment, powerwashed the devices, sold them, but forgot to deprovision them from the Google Admin console, it should not have any impact on the devices.
If you don't see any policies on the device, it means it's not managed, hence the admin should not have any remote capabilities on this device, even if it still shows as 'provisioned' in the admin console.
I've been able to confirm this by testing it to make sure that's how it works. Please let me know if you experienced anything different during your tests.
I hope this helps.
- Lynda (Google Community Manager), 2 months ago
Thanks nicolas for the above insights. I also wanted to mention that you can validate whether a device is no longer managed by opening the Chrome browser on the device in question, entering "chrome://policy" in the search bar and checking the "Managed by:" line item under Device policies; it will be blank.
- tttech (Level 1.6: Donut), 2 months ago
Thanks a lot nicolas and Lynda. I was able to replicate on my end. I just realized I had re-enrolled it to the same domain the time it automatically locked after powerwashing.
My last question is, does that mean another organization can enroll that device? So even though the device shows up as provisioned in another domain, could a second domain enroll it since FRE is off and it's been powerwashed?
EDIT: please see my most recent reply, as the device is now locked
- nicolas (Level 1.6: Donut), 2 months ago
tttech thanks for providing more info. I was able to reproduce this behavior on my side as well.
From what I can see, if the device is disabled from the Google Admin console, every time the device goes through the initial verification during OOBE, it will lock the device. If the device is disabled by the admin after the device has passed this initial verification phase, it will not be disabled. If you powerwash the device again, it goes through the initial verification phase and gets disabled.
This reinforces our recommendation to always set the policy to forced re-enrolment (it's actually the default configuration in the Admin console) and to always deprovision devices that you don't manage.