Factory Reset Protection and Captive Portals

GMenzies
Level 2.0: Eclair

A bit of background on this, we're currently moving to use COPE Enrolment for all of our devices after using BYOD Enrolment for devices purchased by our org.

 

Utilising BYOD we had issues with users signing into their gmail accounts and leaving the business and we were locked out of the device by Factory Reset Protection (We've used Knox Mobile Enrolment to solve this). This all made sense as it was a BYOD device and for consumers etc it makes a lot of sense.

 

The problem we've encountered is even with COPE enroled devices, if a user doesn't remove their gmail account from the personal profile before resetting the device when the device is used again you're unable to use a Captive Portal network for setup again and this error message is received - "Unable to sign in to Wi-Fi AP. An unauthorised factory reset has been performed on this device. the sign-in screen cannot be accessed." 

 

Even after enrolling the device using a WPA2/3 Network and signing in with the google account in question and manually removing it then resetting the device we still have this issue, it's as if the FRP flag gets set and isn't being removed for some reason.

 

It seems odd any network and even cellular allows you to continue but a captive portal connection doesn't.

 

Has anyone else encountered this issue?

 

Thanks.

1 ACCEPTED SOLUTION

GMenzies
Level 2.0: Eclair

In case anyone else sees this, this has been resolved with Android 14.

 

Knox Mobile Enrollment 23.12 release notes | Samsung Knox Documentation

View solution in original post

12 REPLIES 12

jeremy
Level 2.3: Gingerbread

Have you considered using a combination of Zero Touch + disabling factory reset on these devices?

Zero Touch will force enrolment into your EMM, and disabling factory reset will only let user reset using the device recovery mode.

 

It should be easier than having to manage FRP.

GMenzies
Level 2.0: Eclair

Hi Jeremy,

 

We're utilising Knox Mobile Enrolment today as we have Samsung devices, to clarify also our EMM is Intune, we wouldn't disable factory reset as we need a method for users to reset devices on their own if required. I also thought Device recovery mode doesn't let you bypass FRP?

 

Also would we not have the same issue with Zero touch? This issue happens before we even have a network connection.

 

Thanks for your help.

jeremy
Level 2.3: Gingerbread

Zero Touch will prevent device use if the device is not enrolled with an EMM.

For example, if you setup your device offline, as soon as the device connects to internet, it will force the user to wipe the device and start again.

 

Regarding Device recovery mode and FRP, it won't let you bypass FRP you're correct.

GMenzies
Level 2.0: Eclair

That's not the problem we have unfortunately.

 

Thanks for your help.

jasonbayton
Level 3.0: Honeycomb

KME & ZT offer the same thing, but KME with Samsung devices allows you to clear the FRP bit on KME-enrolled devices. Can you validate your KME configurations have this set?

 

If it's set, can you try to get to the point of connecting, and captive portal complaining, then rebooting and seeing if the behaviour changes?

Hi Jason,

 

There's not options in KME for this the device only needs to have a profile assigned which this one does but because this happens before the device can communicate with KME I'd still see this issue - Lock and unlock devices | Samsung Knox Documentation

 

Reboot and a factory reset doesn't change the behaviour, it seems to be FRP complaining and not specific to the captive portal itself, I've created a captive portal SSID at home and had the same issue.

 

Thanks for your help.

 

@Lizzie any thoughts on this?

Problem 

jeremy
Level 2.3: Gingerbread

You should probably escalate through Intune & KME, that will be the proper channel to get support with your issue and escalate through Samsung, Intune and Google.

Subrataonly
Level 1.5: Cupcake

Can't make calls 

GMenzies
Level 2.0: Eclair

In case anyone else sees this, this has been resolved with Android 14.

 

Knox Mobile Enrollment 23.12 release notes | Samsung Knox Documentation

Lennith
Level 1.5: Cupcake

This is invasion of privacy!

Gwapoako18
Level 1.5: Cupcake

How to solve this problem if my another Samsung is like that problem how to remove this and how to sign in on my device?