User Profile
Josh
Level 1.6: Donut
Joined 3 years ago
User Widgets
Contributions
Re: Master ownership of Android devices
Thanks for the response Genero, please let me know if you find out anything useful. I guess what it comes down to is that there is no "User" role on androids, the user is the Admin, which didn't used to be a problem until FRP came along.13KViews2likes6CommentsRe: Master ownership of Android devices
My point is that the device user is not always the device owner, and that general consumers shouldn't have such powerful tools available. While ZT is SUPPOSED to be only devices purchased through the reseller, but they can actually onboard any device as we've experienced, but I'm not going in to that now. I can understand a business locking a device, but not some random user, potentially even by accident, and without any sort of special tools. This is about device users not being device owners, something that has never been a problem until FRP.13KViews2likes12CommentsMaster ownership of Android devices
Factory Reset Protection / persistence is a powerful tool but it does not yet feel complete, and it is quite frustrating and potentially dangerous in its current state. It is not always apparent whether any given device is persistently linked using ZeroTouch, Intune or even Google Account FRP. While these tools are available to some, they are not a financially viable option for everyone, especially for consumers. There may be documentation describing the intimate intricacies of how all of these tools work and when/where they leave signs of their presence, but I cannot find it. I have not found a PSA from google for consumers saying "if you buy a second hand phone, check x, y and z to make sure it is not locked, otherwise someone can potentially remotely brick it." As a small company we have various scenarios where we provide phones to employees and also distribute loan/event devices for other small-medium companies, and don't necessarily have the ability to invest in enterprise-grade tools like ZT, InTune or Android Enterprise. If you think, on Windows all you need is to set the BIOS password and the Admin password and User Account Control takes care of the rest. Now take the android example, you add a google account and think it's safe with the user not knowing the password, but there is nothing to stop the user from adding their own personal google account, removing yours (no password required), setting their own PIN, and turning a $1000 phone into a paperweight. If they can unlock the phone, they are the master owner. There did used to be a feature for Multi-User on android but I haven't seen it in a long time, and I think there were performance issues with it as they all had to be loaded at once. While I may be lacking understanding knowledge and making some assumptions, should a consumer really need to know exactly how Android Enterprise works in depth just to buy a second hand/"refurbished" phone? And I dare anyone to get into a device after it's been factory reset while attached to a personal google account with a PIN set without hacking tools. I know there have been exploits with Talkback in the past but it's been patched now, and again these are not lengths to which consumers should need to go. If I knew someone's pattern (most common security type and very hard to hide effectively), and had their phone for 2 minutes, I could turn it into a paperweight simply by adding a disposable google account, removing theirs, and setting a PIN. How are we supposed to protect against that as a small business?14KViews7likes17Comments