Shared Device mode - Device PIN problem

Solved

Hi all,

We are in a bit of a pickle regarding Shared Device mode using Entra ID.

Currently we have this setup:

User logs into the device using their Entra ID and password
Set Session PIN is prompted
Once the connection to Entra is made, the device moves to the Post-Lockdown screen folder.

I have configured the Post-Lockdown screen so users cannot shut down the device without signing out first. This ensures the user signs out, the PIN is cleared, and the device is ready for the next user tomorrow.

Here is the problem:

There have been instances where devices have powered off due to battery depletion or similar issues. As a result, the device shut down while the previous user was still logged in.

When the device is then charged and turned on, some users have forgotten the PIN they used, or it's another user who's grabbed the device and they do not know the PIN.

Because the Device PIN initiates BEFORE the SOTI MDM, it shows the device as Offline and I am unable to clear the passcode.

This is a big issue and is basically bricking devices.

Has anyone found a way around this?

29 days ago
Android
ANSWERS
Rafael Schäfer
28 days ago (edited 28 days ago)

Only wiping the device is possible then (I hope you haven't set up FRP, or have set it up with a known account to disable it).

That's one of the reasons why I would like to have direct_boot_support for MDM agents, but when we raised an FRP to Mobicontrol, we got told that the agent is not built to fit this, sadly.

And if there were a way around the behavior you experienced, it would be a big security breach.

How about making a forced lockout when the device reaches, for example, 10% battery?
Not sure if you can trigger that by script.

Nick
27 days ago

Hi Rafael,

Yeah, I had a feeling this would be the case; the PIN screen displays before the device OS even properly initiates.

I am testing the Signal Policies, and set up the following:

Battery Percentage less than or equal to 10%
Message: WARNING: Battery low detected - Device will automatically sign out any logged-in user. Please connect device to power source.
Action: Log Out Shared Device

Another hurdle is that device check-in is currently the default. I have to amend this to check in every 15 or 30 minutes.
Not sure how much strain that would put on the server, as we have a lot of devices.

Rafael Schäfer
26 days ago

Hadn't had signal policies in mind, but good idea in that case.

I mean, you still don't have a 100% solution that way, but it's better than nothing.

MiKe
27 days ago

A script to unlock the device (or even reset the passcode, but I'm not sure) could be sent using the Platform service rather than the Mobicontrol Agent way; that is possible, and the device will receive it if it's connected to Wi-Fi or mobile data, even before the first unlock after reboot. That is, if we are talking about Fully Managed or COPE devices.

Nick
27 days ago

Hi Mike,

The devices are enrolled in SOTI.
Then they are registered as a Shared Device in Microsoft Entra via the Microsoft Authenticator app.
When it's registered, there is only an entry on the Entra side, not Intune. I cannot run any commands from the Microsoft side as there is no entry in Intune for the device.
Only able to control the device / run commands from SOTI.

MiKe
26 days ago

I'm not sure why you are mentioning Intune. You can send some actions from Soti to the device even when the Mobicontrol agent is not running, as long as the device is online (powered on and connected to the internet), but you need to choose delivery to "Platform Notification Service" instead of "Mobicontrol Agent" (for example the Reset Passcode action).

Solution
Nick
26 days ago

Hi MiKe,

"you need to choose delivery to "Platform Notification Service" instead of "Mobicontrol Agent" (for example Reset Passcode action)."

You just resolved my issue.

Tested:
Device PIN set, battery removed to simulate battery drain
Turned device back on
Device showing offline in SOTI, and I "do not know" the PIN to unlock
Ran the Reset Passcode in Platform Notification Service
Device PIN was reset and I could get back in

Legend.

Stefan Hagman
21 hours ago

Just to add to the conversation: the 'deliver to Platform Notification Service' method seems model-dependent, so your mileage may vary.

In my testing (server version 2025.1, client OS A14) it worked on Zebra TC58 and Honeywell CT37 devices, but not on Zebra TC52 & TC57.