Should I need a custom DPC app to resync policies after Factory Reset?

finsolve
Level 1.5: Cupcake

I'm developing an EMM solution for my company using the Android Management API. We wanted to prevent factory reset on the company-owned devices, so we configured factoryResetDisabled as true and also configured the enterprise account email in "frpAdminEmails" in the device policy.

Factory reset protection is disabled in Settings. Also, when doing a factory reset from boot options (Volume up/down + Power button -> Wipe/Factory reset), it asks for the owner email which is configured in frpAdminEmails. After successfully verifying the email, the mobile started fresh as a new mobile. The policy is not re-synced again, so the device is removed from EMM control.

I found this article: https://developers.google.com/android/work/play/emm-api/prov-devices#google_account_method. From my understanding, it says the DPC app is automatically downloaded from the Play Store after verifying the Google credentials, so the downloaded DPC will handle re-syncing the policy onto the device. But now custom DPCs are not allowed, and Enterprise enrolments are also not allowed.

Please advise me on how to resolve this issue in the right way.

jasonbayton
Level 4.0: Ice Cream Sandwich

So the article alludes to a managed Google domain, i.e. Google Workspace. It's not yet supported, but in the near future Android Enterprise signups will migrate for the most part from managed Google Play accounts to managed Google accounts with optional domain verification.

You can then assign your enterprise to a Workspace domain, and enforce management of devices based on the account. If you then put in a Google account associated to the domain of the enterprise as the FRP email, it should force a device back into management.

There are caveats to the account used et al to still be covered, but it's not official yet so nothing to worry about just yet.

For now you'll need to lean on zero-touch enrolment to ensure the device is nudged back into management.

Hello Jason,

"If you then put in a google account associated to the domain of the enterprise as the FRP email, it should force a device back into management."

Could you please explain more about this? Because we have a Google Workspace account "workspacedomain@abc.com", a Play Store account "playemail@gmail.com" and one Google account "project@gmail.com".

"project@gmail.com" has the project in the Cloud Console to access the Android Management API. The enterprise binding is also mapped, so all the devices are managed under this enterprise.

"workspacedomain@abc.com" is added as the organisation to privately host our in-house applications. In our case it's a Managed Google Play Account, if I'm not wrong (Refer).

"playemail@gmail.com" is a Google Play developer account.

And in the FRP emails I've configured "project@gmail.com" and "workspacedomain@abc.com". I tried to log in after factory reset using these 2 emails, but the device is not coming back to management mode.

jasonbayton
Level 4.0: Ice Cream Sandwich

I feel like you entirely skipped the first paragraph stating it's not yet supported 😅

Right now your only option is zero-touch for devices.
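
As an added example (not part of any post in this thread, and not Google's code): a Python sketch that builds the DPC extras a zero-touch configuration can use to pass an Android Management API enrollment token to Android Device Policy after a reset, and summarises what the policy from the question covers. It assumes Android Device Policy is the DPC selected in the zero-touch configuration; the token, the email address and the `reset_coverage` helper are placeholders made up for illustration.

```python
import json

CLOUDDPC = "com.google.android.apps.work.clouddpc"  # Android Device Policy package

# Constructed policy fragment using the two fields named in the question.
SAMPLE_POLICY = {
    "factoryResetDisabled": True,
    "frpAdminEmails": ["frp-admin@example.com"],  # placeholder address
}


def zero_touch_dpc_extras(enrollment_token: str) -> dict:
    """Return DPC extras that hand an enrollment token to the DPC at setup.

    Assumption: the DPC itself is chosen in the zero-touch configuration,
    so only the admin extras bundle is supplied here.
    """
    token = enrollment_token.strip()
    if not token or any(ch.isspace() for ch in token):
        raise ValueError("enrollment token must be a single non-empty string")
    return {
        "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
            f"{CLOUDDPC}.EXTRA_ENROLLMENT_TOKEN": token
        }
    }


def reset_coverage(policy: dict, zero_touch_assigned: bool) -> dict:
    """Summarise each reset path as the thread describes it (hypothetical helper)."""
    return {
        # factoryResetDisabled removes the reset option from Settings.
        "settings_reset_blocked": bool(policy.get("factoryResetDisabled")),
        # frpAdminEmails gates setup after a recovery-mode wipe.
        "recovery_reset_asks_for_admin_account": bool(policy.get("frpAdminEmails")),
        # Per the replies, only zero-touch returns the device to management.
        "re_enrolled_after_reset": zero_touch_assigned,
    }


if __name__ == "__main__":
    print(json.dumps(zero_touch_dpc_extras("ENROLLMENT_TOKEN_PLACEHOLDER"), indent=2))
    print(reset_coverage(SAMPLE_POLICY, zero_touch_assigned=False))
```

With the sample policy and no zero-touch assignment, the summary matches the behaviour reported in the question: both reset paths are gated, but the device does not come back under management.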