Enabling AFW's factory reset protection

DamonBCSA
Comes here often

Enabling AFW's factory reset protection

Hey there, I'm relatively new to the Meraki MDM, having previously used Airwatch and MobileIron, so I'm not totally new to the world of MDM.

 

Our current policies and settings are fine and prevent anyone resetting the device once Meraki is installed an enabled via the settings menu. However I've recently discovered that even though we are registering the devices in Device Owner mode and the AFW account is enabled, that if a phone is reset via hard reset using the Android Recovery option, that you can then just register the phone again as anyone.  

 

After some trawling through these forums I've found out that Meraki have disabled Factory Reset Protection for AFW by default sometime in 2018 as per this posting https://community.meraki.com/t5/Endpoint-Management-Systems/Disable-factory-reset-protection/m-p/111...

 

My question is how can I either setup AFW's factory reset protection to default on, or at the very least, re-enable it so if a device is stolen/lost (or in our case some mischievous clients) and they do a reset that the device can't be setup again and/or they need to contact our IT department to reconfigure the phone so we can get it back in the MDM.

 

cheers

 

 

2 Replies 2
PhilipDAth
Kind of a big deal
Kind of a big deal

For "vanilla" Android I don't believe there is any way to prevent the full device reset.  I've never been able to do it.  I have used that specific feature when a phone has been accidentally bricked by locking it down too much and then cutting off its access to the Internet to get new policies.

 

I believe you can do this on Samsung phones using the Samsung Knox feature.  Never tried it.

DamonBCSA
Comes here often

Hey PhillipDAth, thanks for the reply, I didn't mean I want to lock the phone down to stop accessing the boot loader menu options. i'm talking about the factory reset protection ie. when you go to register the device and put your email address in, it verifies your account against what was registered as the owner account on the phone before it was reset. ie. at the point where we put in afw#meraki

From the link I provided, it looks like Meraki has disabled this option at the backend by default, which is good for those people who no longer have access to the email account that was used to register the device, but it's bad if the device is lost/stolen and you want to stop someone using the phone again. I never had to look for this option in either Airwatch or Mobileiron to see if it could be activated/deactivated from the MDM side as it was just always on by default, which Meraki apparently changed from On by default to Off by default back in 2018 according to my link in the original post.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels