How do you stop end users from enabling a pin or password lock on Mobicontrol Kiosk with Samsung tablets?

Solved

I work for a library where we lend out tablets to our patrons. I get them back at the end of the lending period and wipe data from them for the next patron to borrow. The issue is that recently I've gotten two devices returned: one locked behind a PIN and another with a password set, and I can't get into them.

I initially called SOTI support and they told me I had the correct settings set that should block this: using kiosk/lockdown mode with an authentication rule with a password set. And since I have the "factory reset" option blocked by Mobicontrol, I can't factory reset the device. SOTI support couldn't help me further.

Fortunately, for the PIN I was able to contact the patron and they told me the PIN. I asked them how they set the PIN and they said they didn't know, saying maybe it was by pairing the tablet with their phone. With a same-model test tablet that runs the same profile as the ones we lend out, I ran a test, pairing my smartphone with the tablet, but after trying it several times I didn't find any way that triggered or prompted me to set a PIN, so I don't know how they did that.

The second one, where it's asking for a password: the patron's phone number isn't working and I don't think I can get hold of them easily to ask. The device at present isn't on wifi, so no Mobicontrol cloud connection, and I can't do anything with it without it asking for a password, including power cycling it.

I have two questions:

  1. Are there other settings I need to enable/disable to block this type of thing from happening again? Let me know if you know what else I should adjust in the profile for our devices to prevent this from happening again.
  2. Any other tips for accessing the password-protected tablet? I'm thinking if I can't get the password from the patron then it's stuck. But I thought I'd ask in case I'm missing something I could do/try.

 

What I have set on these devices:

-They're locked in kiosk/lockdown mode with an authentication rule and password set (password policy type: Disable Lockscreen).

-We're using Android Enterprise and these are work managed devices provisioned/enabled with managed Google Play accounts.

-The password-protected tablet is using agent v15.4.6.1013 and the tablet itself is a Galaxy Tab S5e (all our tablets are this model).

-I have factory reset blocked in feature control (the idea was that I wanted to keep knowledgeable end users from wiping/stealing our devices).

Thanks for your time.

2 years ago
SOTI MobiControl
ANSWERS
RO
Ryan O.
2 years ago

Thank you all for the ideas and tips! 

In case this helps another I’m mentioning this here:

My coworker actually helped me get into the tablet that was blocked by the password! The trick was that he had a USB-C to Ethernet adapter. After connecting that to the tablet and plugging in an Ethernet cable that provided a connection online, I then saw that tablet checking in on the Mobicontrol dashboard online! Since it was checking in, I could unlock the device from there and was able to remove the lock successfully!

As such I’m going to follow your suggestions:

  1. Change admin password
  2. Disable status bar in lockdown profile (and possibly other additional restrictions)
  3. Create task profile that removes password/pin that runs daily

However, if I do run into this again, it's good to know I can borrow that USB-C to Ethernet adapter as a safety net.

Solution
AW
Adam Williams
2 years ago

Hi Ryan,

Assuming the devices have no connection to Mobicontrol and are behind the PIN lock, I have no suggestions to help with the devices you currently have locked out.

But to prevent the issue in the future, you could try the following.

1) You could assign a Wifi profile for the Library network, so they will have wifi access once they arrive back.

2) Then for those devices with PINs assigned, you can use the action "Reset Passcode" to set a passcode of your choosing. You have to set the delivery method to "Platform Notification Service", which, at least for the devices I have tested, will deliver the action even when the mobicontrol agent hasn't started but the device has an internet connection.

3) You can then "Disable Passcode Lock" to remove the unwanted passcode from the device.

A second option, which I don't think you would like to implement due to theft, would be to wipe the device after X failed passcode attempts. Not sure if this works if you prevent factory reset.

Finally in terms of looking for the source of the issue, I did a quick test.

With an authentication profile that sets "Password Policy Type" to "Disable Lockscreen", I could still navigate to Android Settings -> Security -> Screen Lock and then set the device PIN. To me that seems like incorrect behaviour, potentially worth getting SOTI Support to investigate for you.

So, as you have a lockdown, there may be a way in which the end users can still access the device settings from lockdown via the "settings cog" icon (OEM dependent). To help with this it might be worth reviewing the type of lockdown (Native vs Activity Suppression) and the options selected (e.g. full lockdown). Look out for the settings action which may permit access into the settings. If you can't remove these settings cog icons using the provided lockdown options, some OEMs provide functionality to remove them via intents/OEMConfig.

Areas where I have seen this icon include the volume settings bar and also the notification bar when pulled down twice so that all shortcuts appear.

RS
Rafael Schäfer
2 years ago

To your "1": That won't help, as the entire Android system (including the Soti Agent) won't be loaded until the PIN has been entered correctly once after a reboot.

AW
Adam Williams
2 years ago

Hi Rafael,

I don't quite understand how 1) doesn't work.

The Wifi Profile is assigned at the Library during the initial configuration, so that SSID is stored on the device and is switched to automatically once the device arrives back at the library and is behind the PIN lock.

I am not proposing the profile is delivered only on arrival to the Library, otherwise I would see your point.

If I am missing your point, please let me know.

Thanks

RO
Ryan O.
2 years ago

Hi Adam,

FYI, I have already been using a wifi profile configuration on Mobicontrol. From what I'm seeing, the tablet that's currently locked down isn't on our wifi (and I can't change it since it's locked behind that password).

Note the other tablet that was locked out via a PIN the other week: it showed it had wifi access, but neither it nor the recent password-locked tablet show up as checking in on the Mobicontrol web UI under devices. As such I haven't been able to do #2 or #3, sadly.

BTW I appreciate you testing the disable lockscreen profile. I'm going to test it again today on a test tablet and then call support if it fails too!

RS
Rafael Schäfer
2 years ago

@Adam: "1" would not work, because when you freshly start up the device and don't know the PIN, the device is not completely booted and the Mobicontrol Agent can't connect to the server (regardless of whether Wifi is connected). So you still have no connection to the device via Mobicontrol to reset the PIN.
This would require "direct boot support" for the agent, which is currently not supported, but I hope they can do some rework on the agent to get this implemented, as this would be extremely helpful in many cases, especially if you do nightly (or manual) reboots or so.

AW
Adam Williams
2 years ago

Hi Rafael,

So this is the purpose of delivering the action via "Platform Notification Service". For some actions, including Passcode Reset / Wipe, this can be issued when the device has been rebooted and is stuck behind the PIN screen (hence Mobicontrol has not yet been launched) BUT has an internet connection.

We use this method routinely for our devices.

RS
Rafael Schäfer
2 years ago

Hi Adam, hmm, that's interesting, as whenever I test this, an offline device (offline in Mobicontrol: turned off, turned on again without entering any PIN/passcode, but with Wifi available) doesn't get any actions, even if sent via PNS. Just tested right now with the same result.

I mean, it would be nice, and my idea in the past was the same as you described, but I'm wondering why your experience is different. But if this could help him, it would be good.

AW
Adam Williams
2 years ago

Hi Rafael,

I guess this means the behaviour is OEM dependent, that's a shame.

But I can confirm the same status as you: offline in Mobicontrol, device rebooted, behind the PIN screen, wifi connected.

RS
Rafael Schäfer
2 years ago

You can block the entire Settings app (via application run control), so if they are in user mode they don't have access to it.
You can disable the extension of the status bar in the lockdown profile, so they are not able to reach the settings this way as well.

One recommendation: Could it be that someone got to know your admin (Authentication) password? I really recommend changing it as well and seeing if your issue happens again.

In addition, you could provide a Task-Profile (set it to once a day or so) which removes the lock of a device (if the device shouldn't have a lock) or resets the lock to the one you want.
We do this as well on a daily basis, and since this was done we have never heard of someone setting their own PIN codes/passwords again.

Not sure how you enroll your devices, but if you use the Zero-Touch Portal I would recommend not using FRP.
Why?
The device always gets allocated to your environment, even if factory reset, and you never run into the issue you have right now.

The devices you are not able to reset you could try sending in for repair, but it could end up being out of warranty (maybe still cheaper than buying a new one), and you may also need to provide the invoice to show that the device is really owned by you.

ZC
Zafer Cigdem
2 years ago

Hi Ryan,

In addition to what was advised above, you can also think about factory reset profile settings. When you restrict Factory Reset on these devices, you can also add an exception (to allow only certain people to factory reset your devices). So if you face something similar to what you mention, by using one of these accounts (that have the exception for factory reset), you can do a factory reset.

 

I hope it helps. Thank you

Zafer

RS
Rafael Schäfer
2 years ago

One thing I forgot to mention, as you use Samsung devices, is the OEM config app from Samsung (Knox Service Plugin; already integrated in the latest versions of Mobicontrol as a profile!):

There you can disallow users from changing settings in the Settings menu (which I think is better than doing this via application run control):
Device Restrictions -> Allow user to modify Settings -> off
If you have Knox Premium you can also disable the ability to change the lock screen settings, where the setting of a PIN and so on is located:
Device Settings (Premium) -> Hide Settings Lock Screen -> on

The only thing I don't know is whether these settings become available again if you switch to admin mode via Mobicontrol, or if those settings stay in place then as well.

RO
Ryan O.
2 years ago

@Rafael

I wanted to check out these settings you mentioned but I couldn't find them.

Question: how does one find these settings in Mobicontrol? I looked at the profile configurations but didn't see one for Knox. Does that plugin you referenced need to be installed first before it shows up under profiles?

RO
Ryan O.
2 years ago

Thanks for the reply. Hmm, after looking at the "Factory Reset Protection" profile configuration, it doesn't appear to be a restriction that only allows certain people to factory reset a device. It appears that anyone can reset the device (if they know how and it's not blocked by feature control), but that only specified users can unlock it after it has been wiped, as per "Configure which users are allowed to unlock the device after a factory reset".

Hmm, that could still allow stolen devices to be wiped by anyone in the know.

RS
Rafael Schäfer
2 years ago

Hi Ryan,

It can be that your Mobicontrol version is too old to contain the OEM config integration.

I don't remember with which version this integration was made (and it is only for non-classic enrollment).
If you don't have this, you need to provide the Knox Service Plugin from the Play Store and change the managed app config to your needs.

ZC
Zafer Cigdem
2 years ago

Agreed, Rafael. If you use Android Enterprise Binding, another alternative way to download the plugin is:

Go to Hamburger Menu -> Policies -> App Policy -> Add a new app policy and add the Knox Service Plugin from the Google marketplace as Rafael shared the link above; then you can enable Managed App Config and assign this to your device(s).

Zafer

RO
Ryan O.
2 years ago

Just seeing this now. Ah ok, so at present we're running v15.5.1.1010 in the cloud. If we want this new functionality I guess I need to reach out to Mobicontrol and ask them to update us.

Good to know, thanks!

M
MNMOD@SOTI
2 years ago

Hi Ryan,

Thank you for posting on SOTI Pulse!

Thank you for marking the relevant post as Solution.

Kind regards,

Technical Support Specialist | SOTI | +1 905.624.9828 | SOTI.net
