Forum Discussion

M-T-T's avatar
M-T-T
Level 1.6: Donut
6 months ago

Skip Passcode Setup

Is it possible to bypass the PIN setup during Google Zero Touch provisioning for new devices to allow Intune to configure the Lock Screen instead? Currently, test users are prompted to create a PIN d...
Moombas's avatar
Moombas
Level 4.1: Jelly Bean
6 months ago

Hi Michel

regarding "The procedure explained should be the same for COPE as for fully managed. Unless a device is enrolled as BYOD (when it does not have zero touch configured correctly for example). ", is that really the case?

For me it's long time ago i made such enrollment but my guess would be that even on COPE the user can/should set a pin him-/herself during the enrollment and later the policies of the MDM (no matter which one) takes place and may ask to reset the pin because the previously chosen one was not secure enough (compared to what the admin has set up as a requirement).

Just did a test on one of my test devices and you get prompted to define a pin (after the MDM agent was installed), not sure if admin policy already takes place here regarding how secure it has to be.

 

But be aware that on COPE you have 3 passwords to be set:

- admin password

- device pin

- work profile pin

Both pins can be enforced by the MDM to match defined requirements which can cause the device also re-requesting for example device pin to be set if the one chosen from the enduser before was too less secure.

Or you maybe struggle that the end user needs to set a pin for device (during enrollment) and later also for  the work profile later as well.

Michel's avatar
Michel
Level 3.0: Honeycomb
6 months ago

Hi Moombas , its when looking at the passcode, yes. If you configure Intune with a password policy for the whole device, not just the work profile, it will ask you to set the pin before the personal settings of cope are shown. The rest of the enrollment process is different between fully managed and cope ofcourse. 

 

But you're comment got me thinking, and I've found this article from MS: https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-configuration/assign-password-setting-android-fully-managed

 

It seems that you are able to configure it both ways, we always configure it via the recommended way:

Recommendation

Because of the OS limitation on Android Enterprise fully managed devices, we recommend that you assign the device restrictions profile that includes password settings to the devices before enrollment.




This might very well be the issue that M-T-T is experiencing. But I have absolutely no idea how to apply a profile after enrollment ðŸ˜…. The way we work:

Create a user, user is part of a group, assign policies and apps to that group, enroll the device and login with the user during the enrollment proces. My first interpretation would be that Microsoft means applying a policy to an operational device when talking about " after enrollment" but i'm not sure. 

  • Moombas's avatar
    Moombas
    Level 4.1: Jelly Bean
    6 months ago

    Again, i don't use Intune and not sure how/where it works different.

    For me it's other way around: I don't know how to apply it before enrollment. In Soti you deploy a COPE profile with authentication but this takes place after the device is enrolled.

    And you even can't before as you enroll a device using an enrollment ID and not with logging in with a user to the device (similar to fully managed enrollment).