Can you skip network connection in Android Enterprise Edition?

Arifn
Level 2.0: Eclair

Hello community,

We have Samsung XCover6 Pro Enterprise Edition sent to customer in May this year. (Android v.12)

They have started the phone and then didn't enroll it. They have just started the phone and put it on the shelf and battery has died and now they have started the phone. There are two problems:
1. They can skip to connect to the Wi-Fi

2. Even if they connect to Wi-Fi the phone doesn't get enrolled, the enrollment phase never comes up, you can just continue to setup the normally

If we remove the phone from Zero Touch Portal, hard wipe the device by connecting it to a PC and then upload it to ZTP and connect it to Wi-Fi. Then it starts with enrollment. 

So I wanted to test this myself. I took the exact same model of the phone Samsung XCover6 Pro Enterprise Edition from our shelf and started it and to my surprise I COULD NOT skip network connection. 
Now the only difference between the phone that I tested and the phone that we sent to the customer is that, we sent the phone to customer like 6 months ago. But my test phone purchased recently, like a month ago.
I tested this with several different Enterprise phone models and got the exact same result! COULD NOT skip network connection. I had to connect to a network before continuing with the setup.

This is exactly what I want because of the obvious reasons.

 

So my questions:
Isn't this policy / feature (that you MUST connect to a network) by default set to TRUE for all Android Enterprise? Or is it different based on Android version? 

1 ACCEPTED SOLUTION

jasonbayton
Level 3.0: Honeycomb

I think you'll need to speak to Samsung on this. 

 

If the devices are showing correctly registered in ZT either via IMEI1 or SN & hardware details, and the config is assigned, it sounds to me like a bug in the build missing a step.

 

Are you buying enterprise edition models or anything outside of standard off-shelf devices from a normal retailer?

 

Are you able to flash/update with e-FOTA or OTA these devices to their latest builds and verify the behaviour still happens?

View solution in original post

14 REPLIES 14

Sean
Level 1.6: Donut

To my knowledge and based on actual testing, because Zero Touch relies on the device connecting to Google's servers over the internet for verification, even if the setup wizard initially opts for an offline configuration, once the device connects to the internet, the system, through Google Play Services, detects Zero Touch settings and will mandates a forced reset of the device.

Moombas
Level 3.0: Honeycomb

Totally true.

If devices are enrolled without internet connection as a normal consumer device, as soon as the device is going online and gets detected by ZTP it will get a notification that the device will force a wipe in ~2 hours. 

 

It could be, that this won't happen if the device is connected to a restricted network where no access to Google-Services is given (just an assumption) but to the rest of internet but never tested that.

Arifn
Level 2.0: Eclair

Yes I have come to understand how ZTP and the device talk and work with each other.

Though, my question remains:
Isn't this policy / feature (that you MUST connect to a network) by default set to TRUE for all Android Enterprise? Or is it different based on Android version? 

Arifn
Level 2.0: Eclair

We have over 40 devices uploaded to ZTP six months ago but when started and connected to internet nothing happens. And still my question remains about the mandatory internet connection at the initial startup and set-up of the device.

Isn't this policy / feature (that you MUST connect to a network) by default set to TRUE for all Android Enterprise? Or is it different based on Android version? 

Moombas
Level 3.0: Honeycomb

No, as you can use them as a COPE or BYOD if you want. Especially the BYOD won't need a network connection during enrollment.

Sean
Level 1.6: Donut

I believe the issue arises from a mismatch between the data uploaded to the ZT portal and the information present on the device end. For instance, the data uploaded to the ZT portal might be IMEI1, whereas the data retrieved on the device end is IMEI2, which typically indicates an OEM image problem.

Regarding your question, I agree, you can refer to https://support.google.com/work/android/answer/10513641?hl=en"

Arifn
Level 2.0: Eclair

Okay but after we wipe the device completely and remove it from ZTP it reupload it. It works. I mean the image doesn't change, it's still the same image even after the wipe. 
Also I can't explain why I can skip the network connection on these devices specifically and I couldn't do it with my other test devices. They have the same android version. 

Logically if it's enterprise version you shouldn't be able to skip the network connection, during the first time setup. 

Moombas
Level 3.0: Honeycomb

Interesting, i can enroll all our AER devices on first time and after that without any network connection as far as i know but they then bahve as you described: Enrolling like a consumer device (or more likely unconfingured devices without any Google account etc.).

Arifn
Level 2.0: Eclair

Yes, so on enterprise modell of the device, it should not be possible to skip network connection for the initial device setup. I confirmed this by taking in 4 different models of Android enterprise phones from Samsung and none of them gave me the option to skip network connection at the initial setup.
I had to connect it to Wi-Fi or use cellular data.

But then we have these that are sent to customer exact same model that I test AND they can skip network connection at the initial setup.
As @Sean mentioned maybe misconfigured OEM image from Samsung? I don't know I don't have any answer and I have been working with the issue for over a week now. Done like a 100 tests! 

Moombas
Level 3.0: Honeycomb

Tested and you are right (again learned something, thanks!).

But I'm not sure what Google is checking being able to connect to in that step because reachability of the ZTP won't be part of it as companies may not use it and so don't want to grant access to it.

If the Wifi-Network you connect to provides internet access but blocks the relevant Google Services it could be possible to enroll without ZTP detection.

Also sometimes because of a somehow strange issue it could happen that devices are not detected by the ZTP correctly (enrolling as consumer device even if listed in ZTP correctly).

We have seen this on very few devices where it helped to reassign the correct configuration and after a wipe they were detected correctly. Is this maybe the case here as well?

jasonbayton
Level 3.0: Honeycomb

@Arifn 

 

Isn't this policy / feature (that you MUST connect to a network) by default set to TRUE for all Android Enterprise? Or is it different based on Android version? 

 

No, this would be configured at the OEM for their build of Android. Most devices don't even know they're for enterprise until after they first connect to the internet where ZT is concerned. Samsung gains the benefit of OEM solutions storing locally a config after first setup to force devices to connect to the internet, though this wouldn't normally apply for ZT, rather KME.

 

Are you ZT exclusively or have you used other Samsung solutions to date? KME or Configure?

Arifn
Level 2.0: Eclair

Hello @jasonbayton and @Moombas   Thank you for the reply 🙂 
We are using only ZT for this customer but I am familiar with Samsung's KME too and have used it with other customers. 
But here is another thing that I discovered. I tested four different enterprise model of Samsung phones. A53, A33, XCover6 Pro and S22 and without even uploading them to Knox or ZTP. They behaved exactly the way I want them. Out of the box, I couldn't skip network connection in first setup. This was set to true for all the models above that I tested.

So this could be very much as you say, there could be another build of OEM image on these phones that are sent to our customer.
But then these phones, we have uploaded them to ZTP before we sent to the customer, this is what gives me headache! They don't talk to ZTP, after they are turned on and connected to network, nothing happens. And no there is no network restrictions that could prevent them from talking to Google APIs and services.

And of course we could solve the problem by hard wiping the device, reimport them into ZTP and enroll them because this works. But we are talking about more than 100 phones here.... 

I have double checked and they have a config profile in ZTP and imported correctly.

I just want to know the root cause of the problem (why they aren't talking to ZTP and why we have to hard wipe every device) so I can present it to our customer.

 

jasonbayton
Level 3.0: Honeycomb

I think you'll need to speak to Samsung on this. 

 

If the devices are showing correctly registered in ZT either via IMEI1 or SN & hardware details, and the config is assigned, it sounds to me like a bug in the build missing a step.

 

Are you buying enterprise edition models or anything outside of standard off-shelf devices from a normal retailer?

 

Are you able to flash/update with e-FOTA or OTA these devices to their latest builds and verify the behaviour still happens?

Arifn
Level 2.0: Eclair

@jasonbayton 

Are you buying enterprise edition models or anything outside of standard off-shelf devices from a normal retailer?
We are buying enterprise edition only.

I haven't tried to update them to the latest build because the customers are using the phones on daily basis but will definitely give it a shot.

 

I have now opened a ticket with Samsung and they think (not sure) that these phones are missing a GSM update. 

Thank you for all the help replies and info!