IBM Support

Configuring Factory Reset Protection in Android Policy

How To


Summary

MaaS360 lets admins configure Factory Reset Protection override accounts in the Security features of the Android Enterprise policy. This document outlines the steps needed to ensure a successful deployment.

Steps

Background
Factory Reset Protection (FRP) is an Android feature that lets users protect their devices should they become lost or stolen. If a device with FRP enabled is factory reset, it is locked to the user's Google account. A new user cannot complete setup of the device without that account's credentials. This can have both a positive and a negative impact on the organization's devices, depending on the deployment.

It generally isn't an issue for users who reset the device themselves. Using the system settings to reset automatically disables FRP, since the user is already signed in as the owner. Organizations often run into issues when remotely wiping a device or using external software to reset it. The device then becomes locked to the owner's Google account without so much as a hint as to which account that is. In some scenarios, the device can become locked to the Android Enterprise account, which, unless it is a Google Workspace account, does not have manageable credentials. In such scenarios, organizations can find themselves left with an unusable asset.

Policy Feature
Admins do have options to limit exposure to FRP by disabling users' ability to add their own accounts. However, FRP is a useful feature and a theft deterrent, and many organizations want it so long as they are able to control it. There is a policy feature that handles this, and MaaS360 recently enhanced it to prevent locking a device permanently.

In the Android Enterprise "Security" features there is an option to "Enable Factory Reset Protection." Once the feature is enabled, instructions appear for generating the account to associate with the device, which we outline here.
Note: Before our 10.83 release, admins were able to save this feature as enabled without entering an account. This led to scenarios where the device was locked with no credentials to override. From 10.83 on, admins are no longer able to save if the field is blank.

First, the admin must determine the Google account to be associated with FRP override. It can be any Google account, but its password must be accessible to whoever will be holding the device at the time the override needs to be performed. As devices are in a factory reset state when FRP is enforced, remote actions will not be possible.
Navigate to https://developers.google.com/people/api/rest/v1/people/get. Chrome users may want to open the page in incognito to avoid any mishaps with the logged-in Chrome account, if it is a different Google account. The "Try It" window opens on its own, but you can select it from the right side if it doesn't.
Complete the following fields (all lowercase):
resourceName = people/me
personFields = metadata

Select "Execute"
A window will open asking you to select an account or enter credentials (Chrome users should be wary of automatically accepting the credentials associated with Chrome).
Once you have entered credentials, a "200" result will be returned along with some information fields. Find the fields for "Type: Profile" and look for the "ID".
Copy the "ID" field into the "Authorized Accounts To Override" field in the MaaS360 policy, then save and publish. The associated Google account will now be able to unlock FRP-protected devices.
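
A check for the last two steps, as an added example that is not part of the IBM document: it reads the JSON returned by the "Try It" panel and returns only the ID of the "PROFILE" source, so the ID of a different source (for example a contact entry) is not pasted into the policy by mistake. The function name and the sample response values are constructed, and the numeric-ID check is an assumption of this example.

```python
import json

# Constructed sample of a people.get response (resourceName=people/me,
# personFields=metadata). The IDs and etags below are made up.
SAMPLE_RESPONSE = """
{
  "resourceName": "people/100000000000000000001",
  "etag": "%constructed=",
  "metadata": {
    "sources": [
      {"type": "CONTACT", "id": "3f2a9c1b0d4e5f67", "etag": "#constructed="},
      {"type": "PROFILE", "id": "100000000000000000001", "etag": "#constructed=",
       "profileMetadata": {"objectType": "PERSON", "userTypes": ["GOOGLE_USER"]}}
    ],
    "objectType": "PERSON"
  }
}
"""


def frp_override_id(response_text: str) -> str:
    """Return the PROFILE source id from a people.get response (hypothetical helper)."""
    body = json.loads(response_text)
    sources = body.get("metadata", {}).get("sources", [])
    # Keep only sources whose type is PROFILE; other source types carry
    # their own ids, which are not the account id the policy field needs.
    profile_ids = {str(s.get("id", "")).strip() for s in sources
                   if str(s.get("type", "")).upper() == "PROFILE"}
    profile_ids.discard("")
    if not profile_ids:
        raise ValueError("no PROFILE source found; was personFields=metadata set?")
    if len(profile_ids) > 1:
        raise ValueError(f"ambiguous: several PROFILE ids {sorted(profile_ids)}")
    account_id = profile_ids.pop()
    # Assumption of this example: the account id is a string of decimal digits.
    if not account_id.isdigit():
        raise ValueError(f"PROFILE id {account_id!r} is not numeric")
    return account_id


if __name__ == "__main__":
    # Value to paste into "Authorized Accounts To Override".
    print(frp_override_id(SAMPLE_RESPONSE))
```

Confirm that the printed ID belongs to the intended override account before publishing the policy, since the "Try It" panel signs in with whichever Google account was selected in the browser.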

Document Location

Worldwide


Document Information

Modified date:
25 March 2022

UID

ibm16566505