Is there a way to force users to reset passcode without admin needing to give a temporary password.

Prathik
Level 2.0: Eclair

Hi,

We have a requirement to force few users to reset passcode. I have tried with https://developers.google.com/android/management/reference/rest/v1/enterprises.devices/issueCommand#... and it works fine when we mention the new passcode. I am wondering if there is a way to force users to change passcode without us having to give and store temp passcodes for each user.
I am aware that we can do this with password restrictions as part of policy https://developers.google.com/android/management/reference/rest/v1/PasswordRequirements, but is it possible with a one time issue command.

 

Thank you

1 ACCEPTED SOLUTION

Prathik
Level 2.0: Eclair

Okay thank you. We will go ahead with the following approach.
1. Set Password Policy
2. Set Policy enforcement rule for `passwordRequirement` with blockAction set to 0 days.

3. Send Reset password command with empty/static password which is not compliant with passwordRequirement.

 

That should block the user until they reset password.

View solution in original post

8 REPLIES 8

Lizzie
Google Community Manager
Google Community Manager

Good question, @Prathik and great to see you again.

 

Not sure which devices you are using, but an OEM config option for this might be a good thing to explore. For example, I've seen that Samsung Knox have a password policy, so perhaps other OEMs do too. 

 

It's a nice feature request though, I will create a FR for this as well. 😀

 

It would be great to hear how you get on, if you can. 


Thanks,

Lizzie



Welcome to the Community everyone!

Have a question or want to start a conversation, click here.

jasonbayton
Level 3.0: Honeycomb

I may be wrong, but I do believe that command can be sent without inputting a new password. Have you tried this?

Prathik
Level 2.0: Eclair

Hey Jason, yes the command can be sent without input and that clears the password completely, which is not ideal or secure.

jasonbayton
Level 3.0: Honeycomb

Combine it with the password requirements in-policy and users will be asked to set up a new password shortly after it's wiped.

Hey Jason, I'm running into some issues when trying this out. I'm able to reset password with or without input initially. But once the password restriction is setup in the policy. The reset command fails with any password that is not compliant with the password restriction(even empty password doesnt go through).

After this any RESET_PASSWORD command i send (even compliant one) doesn't go through. When I do the GET operation command i get a response without the `done` or the `error` fields.

{
    "name": "enterprises/LC02otg***/devices/3e4aa95e4274***/operations/1701193847359",
    "metadata":  {
        "@type": "type.googleapis.com/google.android.devicemanagement.v1.Command",
        "type": "RESET_PASSWORD",
        "createTime": "2023-11-28T17:50:47.359Z",
        "duration": "600s",
        "newPassword": "222222",
        "resetPasswordFlags":  [
            "LOCK_NOW" 
        ],
        "userName": "enterprises/LC02ot***/users/107504099415296****" 
    }
}

Prathik
Level 2.0: Eclair

Yes I have tried this and it works. The concern is that, in the period between when the password is wiped and legit user gets the chance to set a new password, any one who gets access to the device will be able to unlock witout password and set their own password.

jasonbayton
Level 3.0: Honeycomb

You can solve for this with appropriate communication with the affected users, and back the password policy up with a compliance action that blocks access to work data until a password is re-set, preventing users from working with corp data until they set a password. That should spur them on and encourage them to not leave password unset long enough to have the device taken from them by a bad actor.

Prathik
Level 2.0: Eclair

Okay thank you. We will go ahead with the following approach.
1. Set Password Policy
2. Set Policy enforcement rule for `passwordRequirement` with blockAction set to 0 days.

3. Send Reset password command with empty/static password which is not compliant with passwordRequirement.

 

That should block the user until they reset password.