Since Android 5.1 (Lollipop), Android devices have had so-called Android Device Protection or Factory Reset Protection (FRP). This is automatically activated as soon as a Google account is set up on an unmanaged device. FRP serves as anti-theft protection and becomes active if, for example, an unauthorised person resets the device to factory settings manually and not through the menu. When the device is restarted, it will be necessary to log in using the last Google account used on the device. Without that login, it will not be possible to reconfigure the device.
Aim
On MDM devices, FRP is disabled by default because Managed Google Play Accounts do not have classic Google accounts (so email address and password are not known). However, FRP can be enabled with the Policy Factory Reset Protection (FRP). In this How-To we show you how to enable FRP and define up to three Google accounts that can be used to unlock a device after a hard reset.
Implementation
- Select Administration→ Policies in the Administration Portal. Click on the plus sign to create a new policy.
- Then select Android.
- Select the Fully Managed Device enrollment method.
- Check the Enable Factory Reset Protection (FRP) checkbox (arrow in illus.) and enter the Google Account IDs and the corresponding email addresses for the Google accounts of up to three administrators.
You then assign the new policy to the users:
- To do so, select the appropriate policy and click on Assign.
- Now select the users, groups or devices to whom you would like to assign the policy.
Note! If a device is reset to factory settings through the Administration Portal, FRP will be automatically deleted. So, you are no longer prompted for the Google account to reconfigure the device. However, the situation is different if the device is in lost mode. In that case FRP will not be deleted during a full wipe. That means the device will be unusable if is stolen.
Finding a Google Account ID
- Open the following link in the browser.
- Then click on Execute (arrow in illus.).
- Next, log in with you Google account and, in the Google APIs Explorer wants to access your Google Account window, and click on Allow.
- You will then find your Google Account ID below to the right in the window (arrow in illus.).