Forum Discussion
Question to Enterprise Factory Reset Protection
Hello,
we have a question to EFRP:
If you specify a google account which can unlock FRP on this device in the future, does this google account have any other special permissions on that device or is it just like any other google account if logged in?
Our Security Office wants to know that to be sure there is no other security concerns with configuring central EFRP accounts. If you have any technical references or KB articles to this topic, it would be highly appreciated. :)
Thank you in advance
2 Replies
There are no other special permissions with this account. It will only be asked when the device is reset. To unlock the device you will need to enter the account password physically on the device, so keep that in mind when enabling this feature. If you need to wipe an existing device you will need to get it back first to make sure that someone can login into this account to unlock the device.
We had a few discussions about the EFRP. I can't think of any KB articles specifically related to the changes in Android 15 at the moment.
problematic re-enrollment following smartphone reset under Android 15 | Android Enterprise and ChromeOS Customer Communities - 12217All accounts must be Google accounts, but no additional rights are required in the accounts. If FRP is triggered, you must log in locally on the device with one of the accounts to unlock it.
You can specify multiple accounts. How/how many accounts you configure the FRP policy depends on your workflows.
You can definitely use secure passwords and 2FA for your accounts. But remember: you have to log in to your accounts directly on the device. If you frequently use devices with FRP enabled, extremely long passwords could become a pain.
