Google is removing passcode reset for MDM vendors on Android 7.0 devices + workaround


Bad news for users who use Android devices and sometimes forget their passcode: Google is removing the ability for administrators and users to remotely reset the passcode of devices that are based on Android 7.0.

With earlier versions of Android, users could reset their passcode via the Company Portal website and admins could reset passcodes via the Intune admin console. Is there a workaround for your users besides writing the passcode on the back of the mobile phone?

I think so! 😉 Let’s see…

So how do we support our users?

To investigate this, I was able to install a beta of Android 7 on a Nexus device to see what options there are to recover the passcode.

After enrolling, the option to reset the passcode is indeed not working. Choosing the option to unlock the device generates an error: Passcode reset failed. So what can we do then?

Try to reset the passcode

failed 🙁

Google itself also offers an option to change the lock screen and the password remotely via the Google Device Manager, which can be found here. But when trying this option, the phone is locked and the lock screen is changed to show the text that was provided. Unfortunately the configured PIN is not set, so this option provided by Google is not working either. 🙁

Trying to reset the passcode of the device

So we don’t want to have this;

Command to change the lockscreen passcode is received

We do not want to have this 🙁

So basically there are currently no passcode recovery options available… 🙁

So how do we prevent a factory reset and losing all (private) data?

If you sync all of your private photos and movies and regularly back things up to Google Drive, resetting the device and starting over is not a big deal. But if your company does not allow data to be synced to any cloud service, or you do not trust the cloud enough to back everything up to it, you may be screwed. Or not?

Looks like Android is changing the experience for the user with the Android ‘work security challenge’ (without the need for Android for Work).

There is a new feature called the “work security challenge” and this feature lets administrators set separate, complex passcodes on users’ devices to protect specific work data, using Android profiles. Users can use simpler PINs or codes to access their personal data.

Administrators can set lock restrictions for specific apps, and administrators can choose to use different login screens so users can see whether or not they are logging in to corporate services. For more information about the new security features, see this article.

So using profiles we have the option / workaround of creating two user profiles on the Android 7 device: one (the primary) for the private stuff and a new one for business stuff. Using the primary account for private stuff allows you to remove the business account if you lose the passcode, without losing the private stuff. If the business account is the primary one, you do not have the option to delete it. Looking at the file system, neither profile can access the other's data.

Let’s see how this workaround works:

Create a second user profile

Second account is added: Peter Private (primary account), Peter Business (secondary account)

After the secondary user profile is created, you need to log on to the secondary account and enroll the device in Intune with the Company Portal.

Secondary account is enrolled in Intune

Passcode needs to be supplied while accessing the secondary account

So if the business user profile is useless because the passcode is lost, you can delete and recreate the business user profile from the private user profile without needing to reset the complete device.

Accessing the user in business mode does not allow you to delete one account. (which is logical)

Switching to the private account will give you more options

After switching the user, the business account can be deleted without needing to factory reset the device and losing the private data

Remove the account, create a new one and re-enroll the device. (don’t forget the passcode then)
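The same check can be done from a workstation before relying on the workaround. This is an added example, not part of the original post: it parses `adb shell pm list users` output and prints the `pm remove-user` command only when the work profile is a secondary user. The sample output is constructed, and it assumes USB debugging is authorised and that the primary user has id 0.

```shell
#!/bin/sh
# Added example, not from the original post.
# Constructed sample of `adb shell pm list users` output; user names follow the post.
# Line format: UserInfo{<id>:<name>:<flags in hex>} [running]
SAMPLE_USERS='Users:
    UserInfo{0:Peter Private:13} running
    UserInfo{10:Peter Business:10}'

# Print the numeric id of the user with exactly this name; status 1 if absent.
user_id_for() {   # $1 = pm list users output, $2 = user name
    printf '%s\n' "$1" | awk -v want="$2" '
        match($0, /UserInfo[{][0-9]+:/) {
            body = substr($0, RSTART + 9)      # text after "UserInfo{"
            sub(/[}].*$/, "", body)            # drop "}", run state, stray CR
            id = body;   sub(/:.*$/, "", id)
            name = body; sub(/^[0-9]+:/, "", name)
            sub(/:[0-9a-fA-F]+$/, "", name)    # drop trailing flags field
            if (name == want) { print id; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# Print the removal command only for a secondary user. Assumption: the primary
# user has id 0 and cannot be removed, which is the constraint the post describes.
removal_plan() {   # $1 = pm list users output, $2 = work user name
    work_id=$(user_id_for "$1" "$2") || { echo "not-found"; return 2; }
    if [ "$work_id" -eq 0 ]; then
        echo "primary-user: cannot remove without factory reset"
        return 1
    fi
    echo "adb shell pm remove-user $work_id"
}

# On a real device: removal_plan "$(adb shell pm list users)" "Peter Business"
removal_plan "$SAMPLE_USERS" "Peter Business"
```

The script only prints the command; running it removes that user and all of its data, so the device has to be re-enrolled from a newly created profile afterwards.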

Let’s see what Google will do; the lack of passcode reset support can be very nasty for users and cause unnecessary removal of data. My advice is to test Android 7 thoroughly and advise your users to wait with updating until you have verified a working solution for your users.

Microsoft Intune will provide zero-day support for Android 7.0; Company Portal version 5.0.3419.0 already supports the beta of Android 7.0.
