Re-issuing Zero Touch enrolled devices to other users
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-06-2024 11:12 AM
Hello,
We've just started testing Zero Touch and one of our AZT early adopter device users recently left the company. We're trying to give his device to another tester however after a wipe of the device it's prompting to verify identify and asking for the previous users PIN / Google account (which we don't have) before the AZT assigned MDM enrollment kicks in...
We were not expecting Zero Touch enrolled devices to be locked to previous users at all. Expected this to be similar to Apple DEP enrolled devices where we can easily wipe and re-issue those without any hooks to the previous users apple ID.
Is this expected behavior for Zero Touch that a Corporate Device registered in Zero Touch is still hooked in to a users Google account and we cannot wipe and reissue the Corporate Device to a different user?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-06-2024 11:32 PM - edited 06-06-2024 11:33 PM
This can only happen if the user was allowed to add their own private account (maybe because of COPE?). Or was it unassigned from ZT and used as a BYOD/customer device?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-07-2024 06:31 AM - edited 06-07-2024 06:34 AM
Interesting...Yes it's still registered in ZT pointing to our MDM. Our standard Android Corp model is a COPE one so the user would/could have logged in to the the Personal Profile with his own Google account. While we know we still can't do device PIN resets for example we expected that ZT would give us that flexibility to wipe and re-use the device without it being FRP locked to the previous user.
Looks like we could set an FRP admin email in our MDM Corp device config...we could still allow users to wipe the device themselves (or we block that as well) from system settings which would disable FRP however if a Corp device is reset through recovery mode we would have the associated FRP google email address to be able to set the device back up for someone else. I guess the downside is users who have to reset the device through recovery mode due to forgotten PIN would need our direct involvement...but if that means we can reuse all devices that's probably a good tradeoff...though I expect we'd need the device in hand or give the use the current google account creds which is not great...
Do I have that right? 🙂
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-07-2024 06:35 AM
Not worked so deep with COPE yet (as we don't use it right now) but i see in our MDM i can setup accounts being allowed for factory reset:
Which i guess would mean that those accounts can always being used to wipe the devices for reuse but never tested/used yet.
- Getting issue in Finding Device enrolment status in Admin discussions
- Basic WiFi-profiles (configuration profiles) do not deploy into Device in Admin discussions
- Android device management - Unable to enroll: DEVICE_MODE_QUARANTINED in Admin discussions
- Google workspace enrolled devices, enable applications in work profile in Admin discussions
- Intune - Compliance policy not assigned in Admin discussions