Bypassing Factory Reset Protection in MaaS360

Information about securely disabling Google Factory Reset Protection for Android devices in MaaS360®.

What is Factory Reset Protection?

Factory Reset Protection (FRP) is a security feature on Android devices that prevents the use of the device if the device is reset to factory settings without your permission. After the reset, FRP requires the Android device user to sign in with a Google Account that was previously set up for the device. This means that if a device is lost or stolen, an unauthorized person cannot unlock and use the device after the factory reset.

Note: To enable FRP, users must set up a Google account on their device before it gets erased. FRP is disabled automatically if users reset the device through device settings.

Why is it required to bypass FRP?

If users forget their Google account credentials or if the original device user is no longer in the organization, administrators cannot refurbish the device without bypassing the Google account verification. Administrators can use the Factory reset protection (FRP) policies in MaaS360 to configure which accounts can unlock a device that has gone through untrusted factory reset.

Configuring Factory Reset Protection in MaaS360

Follow the steps to configure FRP.

From the IBM® MaaS360 Portal home page, go to Security > Policies.
Go to Android Enterprise Settings > Security.
Do one of the following.
- To disable FRP, leave the Enable Factory Reset Protection policy setting blank. When disabled, any user can reset a lost or stolen device and begin using the device without validating against the previously added Google Accounts.
- To enable FRP, select the Enable Factory Reset Protection policy setting and then provide the comma-separated list of Google user IDs in Authorized accounts to override. Administrators can use this option to control which accounts are authorized to override the Google Account verification after the factory reset. When the employees return the device to the organization, administrators can re-provision the devices before handing them to other employees.

Retrieving Google user IDs for configuring Factory Reset Protection policy

Google user ID is a unique 21-digit ID of your Google account. These IDs are used to unlock the device without the original Google account after the reset.

Note: The Google IDs should not be confused with Google username or email address.

Follow these steps to obtain the Google user ID of a Google account:

Go to the Google developers People API page (https://developers.google.com/people/api/rest/v1/people/get). The Google People API homepage is displayed.
In the Try this API window, provide the following details:
- resourceName - people/me
- personalFields – metadata
Click Execute.
Sign into your Google account. This is the Google account that is used to unlock devices after a factory reset when FRP is enabled. The Google APIs Explorer wants to access your Google Account screen is displayed.
Click Allow. A green header with the number 200 is displayed.
Find the 21-digit user ID in the id field.

Disabling FRP when issuing device wipe action

Administrators can disable FRP on individual devices when issuing the device wipe action through MaaS360 portal. If FRP is disabled, users can unlock the device without the Google Account verification and start using the device after the device wipe.