February 10, 2023

Factory Reset Protection: Secure your hardware

A security feature called Android Factory Reset Protection (FRP) stops a device from being used after an unauthorized factory reset. You can only use the device after a clean with the accounts previously configured on the personal profile of the device.

Factory Reset Protection: Secure your hardware
Android Security

A security feature called Factory Reset Protection (FRP) makes sure that if your phone is lost or stolen, it cannot be quickly reset by someone else. FRP has been a part of stock Android since Android Lollipop, which is automatically activated after you have added a Google account to Android. This is important since it makes a stolen phone more challenging, deterring someone from stealing a corporate device. The screen will show the message of signing in with the previous account synced on this mobile, making the phone useless.


How does it work, and why should you use it?

When you perform a Factory Data Reset, all settings are returned to the factory default settings. All data is erased, including files and downloaded apps.

If it's a personal Android phone, then can erasing it or doing a factory reset is a relatively simple task. You need to go to settings and initiate a full factory reset. On the other hand, for a corporate device, the option to allow/block a user to do a factory reset is controlled through MDM restrictions. However, a hard reset can still be performed if you have not configured FRP, and this is a risk of losing your corporate data and device.

If you have a Google account set up on the device, resetting it will require you to log in with your username and password. If you have multiple Google accounts set up on the device, you can log in with any of them. If an unauthorized person tries to reset the device by another method, the device would still require log-in in using the Google username and password. This means that if your device is lost or stolen, another person cannot reset it and use it.

There are various ways to bypass security measures to use a phone, but these methods are usually patched quickly. To legitimately use the phone, you will need to know the login information for the last account.


How to enable Factory Reset Protection

Using Microsoft Intune, you can easily configure FRP in a few clicks. Steps as below:

  • Create an Android device restrictions configuration profile.
  • Give it a name and description to suit the purpose.
  • Expand "General" and navigate to "Factory reset protection emails" configuration.
Select Factory reset protection emails
  • Choose Google account email addresses. Enter the email addresses of device administrators that can unlock the device after it's wiped. Be sure to separate the email addresses with a semi-colon, such as admin1@gmail.com;admin2@gmail.com.
These emails only apply when a non-user factory reset is run, such as running a factory reset using the recovery menu.
Enter the email addresses of device administrator(s)

How to find your Google Account ID?

Google Account ID refers to the 21-digit ID of your Google Account and if you are using Intune as MDM solution then you do not need th ID. However for other MDM solution, to enforce FRP you will need the Google account ID. To find your Google Account ID, head over to Google Developer page by following this link.

  1. Under Request parameters, enter people/me under resourceName.
  2. Under personFields enter metadata.
  3. Click on Execute.
  4. Login using your Google Account.
Consent for API access

The 21-digit ID corresponding to id under application/json is your Google Account ID.

Google ID : 21 digit id

Caveat!

Factory Reset Protection won’t work if the device wipe is authorized (for example,if you perform a device wipe from Settings > Factory data reset). In such cases you may be able to skip Google Account verification during the set-up process.

This behavior is expected. When you do a factory reset on the device through the Settings menu or you wipe the device from Intune in the Microsoft Endpoint Manager admin center, all your data is removed. This includes the Factory Reset Protection (FRP) data.

Solution

The only way to do a factory reset on the device without losing the FRP data is through Recovery Mode. It is recommended that you set the Factory reset value to Block to prevent users from using the factory reset option in the device settings.

Then, use one of the following methods when you reset the device to the factory settings:

  • Reset the device through Recovery mode.
  • Wipe the device from Intune when the device is in your possession and is expected to be reset for further use.
FRP protection prompt

Recovering Google FRP locked devices using KME

If you are using Samsung Knox devices and you are in a situation where you are unable to sign-in with the FRP Google account, then you can use the below steps to recover such locked devices:

KME can only be used for Google FRP removal on devices utilizing Knox version 2.7.1 or above.

Ensure the device is assigned a KME profile with the following options properly set:

  1. Verify Skip Setup Wizard is enabled for the profile. This setting is enabled by default for DO KME profiles, but must be manually enabled for DA KME profiles.
  2. Ensure the user is not allowed to cancel enrollment (the Allow end user to cancel enrollment checkbox is unselected). This setting is disabled by default for DO KME profiles, but must be manually disabled for DA KME profiles.
  3. Once the device is assigned a profile with the above settings, perform a hard factory reset using a combination of external button actions.
  4. After the device powers on, connect to the network. You will be prompted for a reboot.
  5. Perform the reboot. The enrollment will proceed without prompting for Google account login credentials.

Wrapping Up!

Disabling FRP is easy. Most phones will do it automatically when you reset the data through the phone's settings. If your phone is a corporate phone with an additional layer of security then you'll need to disable that manually first!

If you try to reset a phone through the bootloader, FRP will kick in too, and it can't be set back up without the previous account's password.

Factory Reset Protection (FRP) is an essential security method designed to ensure that someone can't just wipe and factory reset your corporate devices if they are lost or stolen. As such, which ever MDM solution you are using, you should always enforce this setting.