Forum Discussion
Zero Touch phones randomly wipe themselves
Hello,
We are a large corporate and mostly use Samsung phones as Android devices. Enrolment is being done via ZT portal to a default profile which is Corporate Owned Work Profile provided via Microsoft Intune.
We are noticing an increased amount of cases where users set up their phones (no QR code, no text token) with default configuration added using DPC extras and within first few hours they would reset to a factory default state without any notice.
This has become a real issue as it is affecting more and more people.
Devices enrolled without ZT do not suffer from this issue, even though they are using the exact same enrolment profile.
I saw many posts like this here and elsewhere on the internet, but no actual solution.
What is the problem here and is it being actively looked at by Google?
30 Replies
- Andrius, Level 2.0: Eclair, 2 months ago
Emilie_B do you have an update for us?
We are a large corporate and this issue is now being noticed more often. People are really frustrated that they spend much time setting things up and the phones wipe themselves in the first few hours of usage.
We are not confident we want to use Android phones anymore.
The profile here has nothing to do with the behaviour, we are using COWP, nobody is scanning any QRs or entering tokens, the ZT has the token set as default.
What is being done about this issue please?
And no, Moombas just provided an opinion which is not based on any technical argument. So not really helpful in this case.
- Moombas, Level 4.4: KitKat, 2 months ago
Andrius Not sure what you meant about this one (I don't see my post from the past here) but I would really like to know if someone complains on my experiences or trying to help as such an "opinion".
It's a fact that Android devices registered into the ZTP and enrolled without being able to contact the ZTP correctly ((partially) limited wifi,...) but later can, the device triggers a device wipe (default set to 2 hours) because it thinks it wasn't enrolled as it should.
Ofc devices enrolled without being registered in ZT don't have this (security) behavior.
That doesn't mean that this is the case here but it means that something is issuing that this doesn't get detected correctly but the config provided.
Do the devices use always the same network (the issuing ones) and did you try if you see the same using mobile data during enrollment instead?
- Andrius, Level 2.0: Eclair, 2 months ago
Yes, they always do use same network. In fact, that happens in multiple countries.
- Andrius, Level 2.0: Eclair, 2 months ago
When do we expect this to get resolved?
- Emilie_B, Google Community Manager, 2 months ago
Hi Andrius and welcome to the Android Enterprise Customer Community 👋
It's lovely to have you join our corner of the internet!
Firstly, I wanted to let you know that I've merged your other replies to older posts into this post so we can keep the conversation in one place.
I'm sorry to hear you're experiencing an issue with your devices - I have raised this with our internal team and I should have an answer for you soon; it might take a little bit of time as they need to try and reproduce the same issue.
Could I ask when you've noticed the issue? Is this something you have flagged to Microsoft and/or InTune and/or your reseller?
Emilie
- Andrius, Level 2.0: Eclair, 2 months ago
Hi, yes, we did flag it for Microsoft, but not much they can tell since the wipe isn't initiated from Intune. The device just decides to do it.
Also does not seem to be related to a reseller, happens at least in 3 different countries.
- Emilie_B, Google Community Manager, 2 months ago
Thank you for sharing more information Andrius - it's useful to know where the issue is happening!
Could I ask what Microsoft said?
It might be a good idea to reach out to your reseller(s) and ask if this is happening to anyone else; could you let us know which countries have seen this issue as well?
- Michel, Level 4.0: Ice Cream Sandwich, 2 months ago
Hi Andrius,
I think you should really investigate what Moombas is explaining. A device which is not enrolled via ZTE correctly will indeed perform a factory reset as soon as it sees a profile registration. I have enrolled thousands of devices over hundreds of customer environments and have never heard this issue, except in a way Moombas is explaining.
Another thing that might be worth testing:
I believe you currently enroll via Android zero touch, correct? If so, have you considered Knox for your Samsung devices?
The free Knox Mobile Enrollment platform does the exact same, but also checks some security features to see if a device has been tampered with. By setting the DPC extras you are also able to skip one step in your enrollment process.
- Emilie_B, Google Community Manager, 2 months ago
Hello and happy Monday Andrius!
I've heard back from the team - please see below:
Based on the behaviour you described - that devices wipe themselves "within the first few hours" after a successful setup - this is likely not a random error but a specific conflict between the Zero Touch (ZT) provisioning and the InTune enrolment token.
When a device is assigned a profile in the Zero Touch portal but receives a conflicting enrolment token during setup (via DPC extras or manual entry), Android Enterprise security mechanisms can trigger a "protection" wipe to prevent unauthorised takeovers.
If a device is registered in the Zero Touch portal with one configuration but the DPC Extras JSON pushes a different enrolment token (or a token meant for a different management mode), the device may enrol initially but then realise the mismatch.
Check your DPC Extras JSON in the Zero Touch portal. Ensure it is not hardcoding a token that conflicts with the one InTune expects for that specific profile (COPE).
(You may find information regarding the JSON here: https://developers.google.com/android/management/provision-device#zero-touch_enrollment)
If you have linked your Zero Touch account directly inside the InTune Console (Tenant Administration > Connectors and tokens), InTune automatically creates a "Default" configuration that overrides manual configurations in the Google ZT portal. Ensure you aren't effectively assigning two different profiles (one from Intune's auto-link, one you manually built in the ZT portal).
There’s one more possibility: It is possible that the devices are enrolling, checking in with InTune, failing a specific compliance check immediately, and triggering a compliance action. Ensure that no action is set to "Wipe" or "Retire" immediately (0 days) for common issues.
It might be interesting to check InTune Audit Logs for one of the devices that wiped. (Does it show a "Wipe" command issued by "System" or "InTune"?)
Hopefully, this helps you resolve your issue 🙂
Please let us know how you get on and if there's anything else you might need a hand with!
And thank you Michel and Moombas for your help - you were both on the right track 🚀
Looking forward to hearing from you Andrius
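The DPC extras check suggested in the reply above, written out as an added example that is not part of the thread or of any Google or Microsoft tooling: it compares the enrolment token in each zero-touch configuration's DPC extras JSON against the token of the intended MDM profile and flags configurations that disagree with each other. The two extras keys are the documented Android Device Policy provisioning keys; the configuration names, token values and the assumption that the JSON text has been copied out of the portal by hand are placeholders.

```python
import json

# Provisioning-extra keys used by Android Device Policy (CloudDPC).
BUNDLE_KEY = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
TOKEN_KEY = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"

def extract_token(raw_json):
    """Return (token, problem); exactly one of the two is None."""
    try:
        extras = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return None, f"invalid-json: {exc.msg}"
    if not isinstance(extras, dict):
        return None, "not-an-object"
    bundle = extras.get(BUNDLE_KEY)
    if not isinstance(bundle, dict):
        return None, "missing-admin-extras-bundle"
    token = bundle.get(TOKEN_KEY)
    if not isinstance(token, str) or not token.strip():
        return None, "missing-enrollment-token"
    return token.strip(), None

def audit_configs(configs, expected_token):
    """configs maps configuration name to DPC extras JSON text; [] means consistent."""
    findings, seen = [], {}
    for name, raw in configs.items():
        token, problem = extract_token(raw)
        if problem:
            findings.append((name, problem))
            continue
        seen.setdefault(token, []).append(name)
        if token != expected_token:
            findings.append((name, "token-differs-from-mdm-profile"))
    if len(seen) > 1:  # two configurations carrying different tokens
        findings.append(("*", f"{len(seen)}-distinct-tokens-in-portal"))
    return sorted(findings)

# Constructed sample data: tokens and configuration names are placeholders.
def make_extras(token):
    return json.dumps({BUNDLE_KEY: {TOKEN_KEY: token}})

SAMPLE = {
    "manual-cowp": make_extras("PLACEHOLDER-TOKEN-A"),
    "mdm-auto-default": make_extras("PLACEHOLDER-TOKEN-B"),
    "truncated-paste": '{"' + BUNDLE_KEY + '": {',
}
if __name__ == "__main__":
    for name, finding in audit_configs(SAMPLE, "PLACEHOLDER-TOKEN-A"):
        print(f"{name}: {finding}")
```

An empty result only shows that the portal configurations agree with the expected token; it says nothing about connectivity during setup or compliance actions, the other causes raised in the thread.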
- Moombas, Level 4.4: KitKat, 2 months ago
Yeah and also added some small learnings to me as some of these possible behaviors/reasons I haven't had in mind to be honest.
Good to know for future.
- Michel, Level 4.0: Ice Cream Sandwich, 2 months ago
Interesting other options, thanks for sharing!
- Andrius, Level 2.0: Eclair, 2 months ago
Hello,
Token is added as DPC extra, most of devices do not suffer from this issue, so I don't believe it is a configuration problem. We use COWP profile, not COPE. We do not intend to use Knox as it is a paid service and can only support one manufacturer.
Our retire policy for non-compliant devices is 30 days.
- Andrius, Level 2.0: Eclair, 27 days ago
Emilie_B I am sorry, but the post marked as a solution did not provide me with a solution.
Can someone explain where this behaviour is documented?
Right now we are in a position where we are not sure if we can utilize ZT further, because that is the only difference that causes the irrational device behaviour.