Set up Factory Reset Protection on Android Corporate Devices using Intune

Hello, everyone, we are back with another interesting topic for this week. In this article, we will look at how to set up a Factory Reset Protection (FRP) policy for corporate devices using Intune. This policy is very useful if your Android corporate devices are enrolled in Corporate Owned Personally Enabled (COPE) mode.

Factory reset protection is a security feature built into the Android OS. It prevents unauthorised access to the device after a factory reset. The feature is enabled simply by adding a Google account and a device PIN/password/pattern to the device.

If the user resets the device using the Recovery mode method, then while activating the device the user will be prompted to enter either the device PIN or the Google account used on the device. Organizations often face problems when users return a device in a locked state. Admins don't know the PIN for the device, and if they try to factory reset it, they will be prompted to enter the device PIN or the email account configured on the device.

IT admins/users cannot set up the device unless they know either the device PIN or the Google account used on the device. To set up/activate the device, one has to visit a service centre. To avoid this situation, we can create an FRP policy in Intune.


Create Factory Reset Protection Policy

The factory reset policy works only on corporate devices enrolled as Corporate Owned Business Only or Corporate Owned Personally Enabled devices. Before creating an FRP policy, let's understand the scenarios where the FRP policy triggers.

Imagine your organization provides corporate devices to its employees, and the devices are enrolled using the COPE method, where users are allowed to configure the device with their personal profile along with the work profile. When the device is reset using Recovery mode, Factory Reset Protection will trigger, as this is an uncommon method of formatting the device.

Now, this situation can be avoided by creating a Factory Reset Protection policy in Intune. For this policy we need a Gmail account. This account is used to unlock the FRP lock on the device while reactivating it. Let's see how to create an FRP policy in Intune in the steps below:

  • Log in to Microsoft Intune Admin Center
  • Click Devices > Configuration > Create > New Policy
  • Select Platform as Android Enterprise
  • Select Profile Type as Device Restrictions
  • Click on Create
Set up Factory Reset Protection on Android Corporate Devices using Intune - Fig.1

Now provide a Name for the policy and a Description to identify why the policy was created. If you follow a Change Management process, you may include the change number so that it is clear in future why the policy was created and by whom. Click on Next.

Set up Factory Reset Protection on Android Corporate Devices using Intune - Fig.2

The device restrictions are grouped into various categories. For example, password-related settings are configured under the Device password category. Our Factory Reset Protection policy is available under General settings. Now click on General Settings.

Set up Factory Reset Protection on Android Corporate Devices using Intune - Fig.3

Scroll down and look for Factory reset protection emails, then select Google Account email address. By default, the value is Not Configured. When you select Google Account email address, you will get the “List of email addresses (Google account email addresses option only)” option; define the email addresses here. Multiple Google accounts can be defined.

Set up Factory Reset Protection on Android Corporate Devices using Intune - Fig.4

Now click on Next. If you have any scope tags, add them and click on Next to move to the Assignment tab, where the policy is assigned to users. Click on Add groups and add the user groups to which the policy has to be assigned.

Set up Factory Reset Protection on Android Corporate Devices using Intune - Fig.5

Click on Next, review the policy, and click on Create to create the policy. Now I’m enrolling a device as a Corporate Owned Personally Enabled device.

Set up Factory Reset Protection on Android Corporate Devices using Intune - Fig.6
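
The portal steps above can also be expressed as a Microsoft Graph request body. The Python below is an added example, not part of the original article: it builds the body for a device restrictions profile with FRP accounts and flags existing profiles that define none. It assumes the beta Graph type androidDeviceOwnerGeneralDeviceConfiguration and its factoryResetDeviceAdministratorEmails property; the profile names, the example.com account and the change number are constructed placeholders.

```python
import re

# Graph (beta) resource type behind the Android Enterprise "Device restrictions"
# profile for corporate-owned devices (assumption: beta schema, may change).
ODATA_TYPE = "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration"
FRP_FIELD = "factoryResetDeviceAdministratorEmails"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_frp_policy(name, description, emails):
    """Build the JSON body for POST /beta/deviceManagement/deviceConfigurations."""
    accounts = []
    for raw in emails:
        addr = raw.strip().lower()
        if not EMAIL_RE.match(addr):
            raise ValueError(f"not a valid email address: {raw!r}")
        if addr not in accounts:          # drop duplicates, keep order
            accounts.append(addr)
    if not accounts:
        raise ValueError("at least one Google account is required for FRP")
    return {"@odata.type": ODATA_TYPE, "displayName": name,
            "description": description, FRP_FIELD: accounts}


def profiles_without_frp(profiles):
    """Names of device-owner restriction profiles that define no FRP account."""
    return [p["displayName"] for p in profiles
            if p.get("@odata.type") == ODATA_TYPE and not p.get(FRP_FIELD)]


# Constructed sample of the "value" array a GET on deviceConfigurations could return.
SAMPLE_PROFILES = [
    build_frp_policy("COPE - FRP", "CHG-0000 (placeholder change number)",
                     ["frp-unlock@example.com", " FRP-Unlock@example.com "]),
    {"@odata.type": ODATA_TYPE, "displayName": "COPE - Baseline", FRP_FIELD: []},
    {"@odata.type": "#microsoft.graph.iosGeneralDeviceConfiguration",
     "displayName": "iOS - Baseline"},
]

if __name__ == "__main__":
    print(SAMPLE_PROFILES[0])
    print("No FRP account:", profiles_without_frp(SAMPLE_PROFILES))
```

Sending the body requires a Graph token with the DeviceManagementConfiguration.ReadWrite.All permission; assigning the profile to groups is a separate call.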

User Experience

As mentioned above, I enrolled a device in Intune as COPE. Let’s add a Google account on the personal profile and add a device PIN or password. Factory Reset Protection is enabled only when a Google account and a device PIN or password are set and the FRP policy is assigned to the device.

Now I have the device. Let’s assume this is the device which your IT team received without being given the device PIN or the Google account associated with it. How can you unlock or format the device? The option is to format it using Recovery mode. Even if you reset the device using Recovery mode, you will be prompted to enter either the device PIN or the Google account associated with the device.

We don’t know either of them, and this is the scenario where a Factory Reset Protection policy will be a saviour for you and your organization. For our testing, I formatted the device using the Recovery method. After factory resetting the device, I rebooted it.

Set up Factory Reset Protection on Android Corporate Devices using Intune - Fig.7

Now when I try to set up the device, I get a prompt to enter the Google account I added as part of the Factory Reset Protection policy, along with its password. You can also see the lock icon in the top left corner, which indicates that the device is in a locked/protected state and needs to be unlocked. After you enter the account, the device will be unlocked and ready for enrolling or handing over to the new user.

Conclusion

This way you can protect the device if it is lost or stolen, and also guard against accidentally locking your device. If you do not have the device PIN/password, you need to visit the service center, prove your ownership and get the device unlocked. I hope this article helps you to plan Factory Reset policies in your organization.


Author

About Author – Narendra Kumar Malepati (Naren) has 13+ years of experience in IT, working on different MDM tools. Over the last seven years, Naren has been working on various features of Intune, including migration from different MDMs to Intune. Naren mainly focuses on Android, iOS, and MacOS.
