Android factory reset protection
Android Factory Reset Protection (FRP) is a security feature that prevents the use of a device after an unauthorized reset to factory settings. After a wipe, you can take the device into use only with the accounts set on the personal profile of the device before the wipe.
While FRP means protection against the misuse of, for example, a stolen device, it can cause problems when organizations want to hand over a device to a new user. As a solution, administrators can predefine the Google accounts for taking a device into use after a reset. This article explains how you can configure the Google accounts for Factory Reset Protection in GoTo Resolve MDM.
Requirements
- A fully managed Android device (Device Owner).
- GoTo Resolve MDM Android client version 2.8.8 or above.
Important information
The Factory Reset Protection is disabled automatically on most devices if the user factory resets the device through its settings. Using configuration profiles in GoTo Resolve MDM, you can prevent the factory reset for fully managed Android devices.
When you wipe a device remotely from GoTo Resolve MDM, you can choose the fully managed Android device if the factory reset protection is disabled completely. Read more about wiping an Android device remotely.
How to configure Factory Reset Protection?
The FRP settings are part of the Android restrictions configuration profile in GoTo Resolve MDM. In this configuration profile, you can specify the settings of Factory Reset Protection that will be enforced on the device. Go to to add a new configuration profile.
- Choose Android as a platform and select Restrictions.
- Go to Account management tab and define the Factory Reset Protection mode.
The layout of the screen may look different in the product.Options for the FRP mode:
- Not set leaves the FRP setting as it is on the device.
- Disabled disables Factory Reset Protection completely.
- Current accounts allow the accounts set currently on the personal profile of the device to be used after a wipe.
- Predefined accounts allow you to define a list of Google accounts with which a device can be taken into use after a wipe.
- If you have chosen Predefined accounts as the FRP mode, add at least one Google account for taking the device into use after a wipe.
To ensure that the activation of a device works after a reset, check that all the account IDs you have entered are valid and correct. Otherwise, you might no longer be able to use the device after a wipe.
How to add the Google accounts?
Every Google account has a numeric ID that is needed when predefining accounts for FRP. To get the ID of a Google account, follow the instructions.
- Sign in to the target Google account with a web browser. If you haven't logged in to any account, you'll need to do so later in the execution phase.
- Open the link to the People API.
- Type "me" to the resourceName field and click Execute. A popup opens for Google account selection.
-
- You might need to grant some access permissions to the Google API Explorer. The API Explorer needs to access the Google account to fetch the account ID.
The layout of the screen may look different in the product. -
- When the execution is complete, you can see the account ID from the response.
The layout of the screen may look different in the product.