Google is removing passcode reset for MDM vendors on Android 7.0 devices + workaround

android7Bad news for the users that are using Android devices and sometimes forget their passcode. Google is removing the ability for administrators and users to remotely reset the passcode of devices that are based on Android 7.0.

When using earlier versions of Android users could reset their passcode via the Company Portal website and admins could reset the passcodes via the Intune admin console. Is there a workaround for your users besides writing the passcode on the back of the mobile phone?

I think so! 😉 Let’s see…

 

So how do we support our users?

To investigate this, I was able to install a beta of Android 7 on a Nexus device to see what options there are to recover the passcode.

After enrolling the option to reset the passcode is indeed not working. When choosing the option to unlock the device it will generate an error; Passcode reset failed. So what can we do then?

Try to reset the passcode
Try to reset the passcode
 
failed :(
failed 🙁

Google themselves are also offering an option to change the lock screen and the password remotely via the Google Device Manager which can be found here. But when trying the option in the phone will be locked and lock screen will be changed with the text that is provided. Unfortunately the configured PIN is not set, so this option provided by Google themselves is also not working.. 🙁

Trying to reset the passcode of the device
Trying to reset the passcode of the device

So we don’t want to have this;

Command to change the lockscreen passcode is received
Command to change the lockscreen passcode is received

 

 

We do not want to have this :(
We do not want to have this 🙁

So basically currently no passcode recovery options are available…… 🙁

So how to prevent factory default with loosing all (private) data?

If you sync all of your private photo’s and movies and backup things regularly to Google Drive you don’t bother about resetting the device and start over. But if your company does not allow data to be synced to any cloud service or you do not trust the cloud enough to backup everything to it you are maybe screwed. or not?

Looks like Android is changing the experience for the user with the Android ‘work security challenge’. (without the need of Android for Work)

There is a new feature called the “work security challenge” and this feature lets administrators set separate, complex passcodes on users’ devices to protect specific work data, using Android profiles. Users can use simpler PINs or codes to access their personal data.

Administrators can set lock restrictions for specific apps, and administrators can choose to use different login screens so users visually know when they log into corporate services or not. See for more information about the new security features this article.

So using profiles we have the option / workaround to create two user profiles on the Android 7 device, one (the primary) for the private stuff and a new one for business stuff. By using the primary account for private stuff will allow you to remove the business account if you loose the passcode without loosing the private stuff. If you do not use the primary account as the private account you do not have the option to delete the business account if it is the primary one. Looking at the file system both profiles cannot access their data.

Lets see how this workaround works;

Create a second user profile
Create a second user profile

 

Second account is added
Second account is added, Peter Private (primary account) Peter Business (secondary Account)

After creating the secondary user profile is created, you need to logon in the secondary account and enroll the device in Intune with the Company Portal.

Secondary account is enrolled in Intune
Secondary account is enrolled in Intune
Passcode need to be supplied while accessing the secondary account
Passcode need to be supplied while accessing the secondary account

So if a business user profile is useless since the passcode is lost, from the private user profile you are able to delete and recreate the business user profile without needing to reset the complete device.

Accessing the user in business mode does not allow you to delete one account. (which is logical)
Accessing the user in business mode does not allow you to delete one account. (which is logical)
Switching to the private account will give you more options
Switching to the private account will give you more options
After switching the user the business account can be deleted without needing to factory reset the device and loosing the private data
After switching the user the business account can be deleted without needing to factory reset the device and loosing the private data
Remove the account
Remove the account and create a new one and reenroll the device again. (don’t forget the passcode then)

Let’s see what Google will do, the lack of the passcode reset support can be very nasty for the users and cause unnecessary removal of data. My advise is to test Android 7 firmly and advice your users to wait updating until you have verified a working solution for your users.

Microsoft Intune will give a zero day support for Android 7.0, Company Portal version 5.0.3419.0 already supports the beta of Android 7.0.

Comments

Total
0
Shares
5 comments
  1. I use Airwatch MDM to administer our mobile devices.
    This has become a right pain as almost all of our devices are currently having their PIN messed up by updates and then have to wipe the device as I cannot reset the PIN… This is ridiculous and is wasting our time as well as loosing a lot of our users data as not all are savvy enough to backup their data… Thanks for the info as I was wondering why i cant reset pass codes any more.

Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

ConfigMgr 1606 update is here to install

Next Post

Integration Microsoft Intune and Lookout Mobile Threat Protection is there

Related Posts
Total
0
Share