Master ownership of Android devices

Josh
Level 1.6: Donut

Factory Reset Protection / persistence is a powerful tool but it does not yet feel complete, and it is quite frustrating and potentially dangerous in its current state. It is not always apparent whether any given device is persistently linked using ZeroTouch, Intune or even Google Account FRP. While these tools are available to some, they are not a financially viable option for everyone, especially for consumers. There may be documentation describing the intimate intricacies of how all of these tools work and when/where they leave signs of their presence, but I cannot find it. I have not found a PSA from Google for consumers saying "if you buy a second hand phone, check x, y and z to make sure it is not locked, otherwise someone can potentially remotely brick it."

As a small company we have various scenarios where we provide phones to employees and also distribute loan/event devices for other small-medium companies, and don't necessarily have the ability to invest in enterprise-grade tools like ZT, Intune or Android Enterprise. If you think, on Windows all you need is to set the BIOS password and the Admin password and User Account Control takes care of the rest. Now take the Android example, you add a Google account and think it's safe with the user not knowing the password, but there is nothing to stop the user from adding their own personal Google account, removing yours (no password required), setting their own PIN, and turning a $1000 phone into a paperweight. If they can unlock the phone, they are the master owner. There used to be a feature for Multi-User on Android but I haven't seen it in a long time, and I think there were performance issues with it as they all had to be loaded at once.

While I may be lacking understanding knowledge and making some assumptions, should a consumer really need to know exactly how Android Enterprise works in depth just to buy a second hand/"refurbished" phone? And I dare anyone to get into a device after it's been factory reset while attached to a personal Google account with a PIN set without hacking tools. I know there have been exploits with Talkback in the past but it's been patched now, and again these are not lengths to which consumers should need to go.

If I knew someone's pattern (most common security type and very hard to hide effectively), and had their phone for 2 minutes, I could turn it into a paperweight simply by adding a disposable Google account, removing theirs, and setting a PIN. How are we supposed to protect against that as a small business?

Moombas
Level 4.0: Ice Cream Sandwich

Just to get our conversation here:

The correct usage of an MDM can prevent you from this by disabling the ability of adding (any) other accounts and so on by the user.

And as you asked something about the Zero-Touch portal:

You don't need to purchase Zero-Touch portal but you need to buy your devices from a reseller who has access to it which means the reseller can create a portal for you and upload the devices then to it.
When this is done you can create a config and assign it to your devices (also via batch as csv).

Zero-Touch portal also provides the functionality if device is wiped it always points it to your MDM as long as the IMEI has the relevant config assigned.

jasonbayton
Level 3.0: Honeycomb

The 2nd hand aspect of your concerns does add a little more to consider, but there are still ways and means with a few limitations.

As @Moombas points out, zero-touch is reseller based. It is entirely free to use providing you've purchased the devices new or used from a reseller in the first place. Zero-touch won't alleviate FRP causing issues alone, but it will redirect devices into management any time they're factory reset.

On the subject of management, it's not always expensive. Consider Miradore as an example, they have a basic plan for free with no device limit. Other platforms, such as mambo EMM, Appaloosa or Wizy EMM offer limited/low cost options on a rolling monthly basis, and cover all basics for device management.

When devices are managed, again as @Moombas points out, restrictions on accounts added to the device can be put in place, but more than this, you as the admin can mandate a specific account on the device to enforce FRP, or disable FRP altogether, and users with the devices (or those who get hold of them) are powerless to change this, as the management agent enforces the policies. This extends also to mandating medium to strong password requirements, and also the ability to remove a password remotely as the administrator of the managed device.

For consumers and devices that won't be put under enterprise management, well it's no different to any other asset. If you lock your front door with a piece of rope, someone will cut it and gain access, after which they can wreak whatever havoc that comes with accessing a person's home. If you secure your device with a pattern or simple pin code and leave it around for someone to gain access to it, they will. At least with a device, a proof of purchase is normally enough to get FRP removed by the manufacturer on request.

Multi-user is still a thing, by the way, it just needs to be explicitly turned on for most modern handsets.
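
Added example, not part of the post above or of any EMM vendor's code: a small audit of a device policy for the controls the post describes (account changes locked, FRP tied to an admin account or disabled, a password stronger than a pattern). It assumes the EMM exposes policies in the shape of the Android Management API `Policy` resource; the sample policies and the `it-admin@example.com` address are constructed.

```python
# Added example: audits an Android Management API (AMAPI) style policy dict.
# AMAPI as the EMM backend is an assumption; the thread names no specific API.

# Qualities that still allow a pattern or no real secret.
WEAK_QUALITIES = {"PASSWORD_QUALITY_UNSPECIFIED", "BIOMETRIC_WEAK",
                  "SOMETHING", "COMPLEXITY_LOW"}

def frp_mode(policy):
    """Return who controls FRP after a reset under this policy."""
    if policy.get("frpAdminEmails"):
        return "admin-account"   # only the listed admin accounts can unlock
    return "disabled"            # AMAPI: no admins listed means no FRP

def audit_policy(policy):
    """Return findings for the controls discussed in the post above."""
    findings = []
    if not policy.get("modifyAccountsDisabled", False):
        findings.append("users can add or remove accounts")
    pw = policy.get("passwordPolicies", [])
    if not pw:
        findings.append("no password requirement set")
    for p in pw:
        q = p.get("passwordQuality", "PASSWORD_QUALITY_UNSPECIFIED")
        if q in WEAK_QUALITIES:
            findings.append(f"weak password quality: {q}")
    return findings

# Constructed sample policies (not from the thread).
PERMISSIVE = {"passwordPolicies": [{"passwordQuality": "SOMETHING"}]}
HARDENED = {
    "modifyAccountsDisabled": True,
    "frpAdminEmails": ["it-admin@example.com"],
    "passwordPolicies": [{"passwordQuality": "NUMERIC_COMPLEX",
                          "passwordMinimumLength": 6}],
}

if __name__ == "__main__":
    for name, pol in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(name, frp_mode(pol), audit_policy(pol))
```
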

Josh
Level 1.6: Donut

My point is that the device user is not always the device owner, and that general consumers shouldn't have such powerful tools available. ZT is SUPPOSED to be only devices purchased through the reseller, but they can actually onboard any device as we've experienced, but I'm not going into that now. I can understand a business locking a device, but not some random user, potentially even by accident, and without any sort of special tools. This is about device users not being device owners, something that has never been a problem until FRP.

jasonbayton
Level 3.0: Honeycomb

Sure, technically a reseller can onboard any device, and in some markets they do so with proof of purchase. There's no gotcha there, it's not prohibited in the agreement, it's just not common.

From the other side of this, it used to be possible for me to grab an Android device, recovery reset it and set it back up as my own regardless of device security in place or who owned it. Granted there were vulnerabilities to get around FRP way back when but these are far fewer today.

So I argue that FRP, like the Apple, Samsung, and other equivalents, is a net positive on device security and recovery, not a detractor for consumers. It protects the consumer from losing their device to someone else, and your premise of it being overly simplistic to brick it through physical access to a device with no means of resolving that is exaggerated.

I've managed devices before FRP control was a thing, and I've been through the process of sending devices off to an OEM facility quarterly to wipe the FRP bit on corporate owned devices. From Android 6.0 it stopped being a problem for managed devices since admins gained control either over FRP being enabled, or the account used to recover it. 

It's now only a problem for organisations today who choose not to manage (enforce their ownership over) their estate, and since there are many options available to do this for all budgets, there's no reason not to manage devices.

If devices are being handed out for the user to set up and look after, they are the owner on a system level. If those devices are put into management, they're owned by the company pushing the policies. That's the distinction for ownership.

Moombas
Level 4.0: Ice Cream Sandwich

The problem you describe has nothing to do with FRP, it's more likely a problem devices get stolen and resold.

A reseller has to ensure that their devices are not managed before selling them; if they don't, or sell them even though they are managed, they are not resellers to trust. And as a consumer, I would start up every such device online (using SIM or Wi-Fi) until the request to enter the Google account has arrived, and not pay before.

We had several cases where devices got stolen and someone tried to re-enroll them; they all ignored all the messages saying "your device is not private" and so on, and then wondered why the device is locked into a kiosk screen and not usable, or, if they were already shipped far away, just ran into a useless mode even without FRP.

This doesn't prevent us from stolen devices but hopefully shows the thieves at some point that it doesn't make sense to steal such devices and try to resell them online or on a flea market.

Josh
Level 1.6: Donut

I do not think you read my post.

I am also concerned about this, I've been looking for details everywhere. We loan out phones all the time and FRP is a big problem for us when users change the pin.

Thanks for the response Genero, please let me know if you find out anything useful. I guess what it comes down to is that there is no "User" role on Androids, the user is the Admin, which didn't use to be a problem until FRP came along.

Exactly, which is a big problem when your business model is based on being able to Factory Reset phones, to undo all the mess users make on them. We have lost the ability to loan out phones without an MDM solution.

Actually that's the crux of it, the introduction of FRP has made Android Enterprise mandatory where it wasn't before, as well as all the other MDM bits or whatever to make it impossible to remove accounts.

Moombas
Level 4.0: Ice Cream Sandwich

No, you haven't, you could force users to unlock and wipe those devices first if you don't want to use an MDM but this would require that they always stay in front of you in person and not send them via package or similar.

And you have this behavior not only on Android devices, you have the same on Apple devices as well. And if devices got "connected" to an account (Google account/ Apple ID) also, they need to be removed from that as well.

If handing out "free to use" devices to employees, you always need to take care of that or need to manage them to ensure entire access and ability to reset it.

Let's not compare to Apple eh? We have higher standards than that. I wouldn't call anything made by Apple a "business device". Also "force users to stand in front of you", what world are you living in?

Moombas
Level 4.0: Ice Cream Sandwich

It was an example just showing that not only Android (Google) has gone this way for security reasons.

I also only showed you a (yes: bad but only other possible) example how to do it without the need of MDM when FRP is active.

Should I ask you the same stupid question "in which world you are living in" when just looking at your situation where you are not able to wipe a device because you don't know the PIN set by a user?

If you buy a used phone would you just take and pay for it without verifying it's working first (not locked not booting etc.) or would you check that before? That's the same when you get a "free to use" device back from an employee -> ensure it's functional which includes not locked anymore.

Moombas
Level 4.0: Ice Cream Sandwich

That's not correct, if you have a fully managed device, there is an admin role (already described above) and user role. The only thing is you need to set it up correctly or force users to wipe the device when taking back the device (I know that this is most often very complicated).

And FRP I would only use on fully managed devices, not on work profile or BYOD or anything else, otherwise you need to send such devices to repair (as @jasonbayton mentioned before as well) to get them back working again, for which you may get charged, depending on your error description.

Moombas
Level 4.0: Ice Cream Sandwich

If the device is fully managed you may be able to disable the ability to change the PIN (or enter the settings in general). If it's just "set up manually" without any restriction (like a normal consumer device) then I can just point to the reply from @jasonbayton and sorry to say but the problem is made yourself then.

Moombas
Level 4.0: Ice Cream Sandwich

Ah, I missed that Multi user thing ^^ I know it's possible from the MDM we use and I'm pretty sure others can as well.

Lizzie
Google Community Manager

Great to see an in-depth discussion on this here. Thank you @Josh for starting this conversation and @Moombas and @jasonbayton for your responses.

Reading this, I know it's difficult to understand the complete picture of how your process works here Josh, so some assumptions have had to be made on the possible options suggested here. 

Based on the information you shared it does appear that the best option would be to explore using an EMM, I know you mentioned this isn't a current option, but this would help you to get the experience you are wanting. 

If any other workarounds or suggestions arise, I will be sure to let you know. 

Reading the latest comments, I do think that we have fully explored the options and we are starting to get off track, so I'm going to close this discussion now for new replies. Please keep in mind that we are all trying to support each other here and want to find a good solution.

Thanks for your time.

Lizzie
