Forum Discussion
How to Set Device Owner on Company-Owned Android Device Without Factory Reset
Hello community,
I’m facing a situation where we need to set Device Owner (DO) mode on several company-owned Android devices that are already in use and have a Google account logged in.
Constraints:
- The devices are company property.
- Factory reset is not an option due to important data stored on the devices.
- We want to enforce MDM policies via Device Owner for security and compliance.
Questions:
Is it possible to set Device Owner mode on an Android device without wiping or resetting, when a Google account is already signed in?
Are there any known solutions or MDM platforms/tools that can claim an already-used device into Device Owner mode without data loss?
I would really appreciate any guidance, proven methods, or official references. Our goal is to maintain data integrity while ensuring the devices are properly managed.
Thanks in advance!
4 Replies
- mattdermody (Level 2.3: Gingerbread), 16 days ago
It is not possible to do what you are asking to do and that is due to the fundamental nature of the design of the Android Enterprise Device Owner system.
When AE was established as the next generation of management to replace legacy Device Administrator based management a decision was made to fork the management concepts into Fully Managed and Work Profile use cases. The naming convention has evolved and changed over time but effectively the split was between Device Owner and Profile Owner. This distinction was intentional as it solved one of the core issues of Device Administrator which is the fact that it could be abused as an elevated privilege by any app on the Play Store. A malicious actor could disguise an innocuous looking app like a flashlight, calculator, or game and request the Device Admin privilege. Google realized that many end users were not reading the permission granting prompts fully or at least not understanding the level of privilege (full device control) that they were granting to an app that they thought was just a flashlight. Device Administrator was fundamentally flawed in this way, since it was a permission that could be granted at any time to any app. There also was the issue of the possibility of there being multiple DAs running on the same device.
In order to correct for these fundamental flaws in the DA system Google made a series of strategic decisions around the newly formed DO and PO concepts. Relative to your issues they designed the system such that in order for a DPC to be granted Device Owner privileges it would need to be granted while the device was in a factory reset, out of box state. This way there would be no way for the permission to be accidentally granted by an unknowing end user to a malicious app since there had to be intention behind the enrollment and DO permission granting during the initial device set up process. Since your devices have already been set up and have broken their out of box seal of sorts, they can never be assigned the Device Owner privilege without first being factory reset. These are fundamental principles of Android Enterprise device management that have existed for many years. These principles apply across all Android Enterprise device management environments, regardless of what MDM, EMM, UEM, or other tools that you are using. These are very much core concepts that should have been understood and considered PRIOR to any initial device configuration work.
- Rakib (Level 2.2: Froyo), 16 days ago
What's the current enrollment type?
But no, it's not possible. Enrollment type is set on starting up a new device except for BYOD.
- Emilie_B (Google Community Manager), 17 days ago
Hi mhfaruk
I've found this article that might be helpful - let me know if that was helpful. If not, I'm sure we can find you a solution 🙂
- mhfaruk (Level 2.0: Eclair), 17 days ago
Thanks for your reply. But for your information, it does not serve my purposes. Let me clarify my requirements with an example: a user has already logged in to his device with a Gmail account, and now I want to make an app to set device owner for some management reason on company-owned devices. How could I do that? If it is not possible, then how can I smoothly log out from the device? There is a challenge here: some users might have forgotten their account password, so if I remove the account, some users will not be able to log in again. Another problem is that if I want to change the password, some users might not have set an authentication number or mail. So this is the scenario. Could you please suggest a smooth way to do that?
Waiting for a response.