Hello,
has anyone encountered the issue where the background service & agent only start if the device was unlocked once after a restart?
That's normal behaviour we see on devices all the time if a PIN/password is set (on every Android version).
Then you first have to enter the PIN/password to unlock the device one time, and then it connects and stays connected.
But I don't really have any experience with devices without a PIN/password.
We always used our devices with the device plugin and for us that's definitely not normal behaviour.
All of our devices got online after restart even if a PIN was set, because MobiControl as a DA has the rights to start and run in the background.
For normal apps that's the intended behaviour from a security perspective, but for the device administrator?
Hi John Doe
Thank you for requesting a response from SOTI Support Staff.
As Rafael Schäfer mentioned before, it is expected behavior on some devices. There was a developer's ticket MCMR-25942 on the issue. Android 9 and higher devices have the "Strong Protection" feature, which encrypts the device's data. Normally devices should be encrypted when using Android Enterprise.
Please find related information here https://docs.samsungknox.com/admin/knox-manage/kbas/kba-360044395734.htm
By default, Strong Protection is enabled. If you restart your device without unlocking it, only a few services are granted permission to run (e.g., alarm clock, SMS, calls). Any other services, including UEM agents, cannot run until the device is unlocked. As a result, the MobiControl agent is unable to receive commands from the server until you unlock the device after reboot.
The workaround: disable the passcode on the device or try disabling Strong Protection, and let us know if you are able to see the device online in MobiControl.
We recommend using the Direct Boot Support function (ref https://developer.android.com/training/articles/direct-boot).
Hope this helps.
Kind Regards,
All of our Android 9 devices with DevicePlugin installed (Honeywell CT40) were able to start the MobiControl agent at boot!
I don't know what proprietary "Knox security" has to do with base Android 9; there is basically no option for "strong protection".
As for the "direct boot" option, isn't that a thing you have to implement in your MDM agent, or just request rights to run at startup / boot?
MobiControl starting at boot without the device being unlocked was definitely possible with the Honeywell device plugin installed under Android 9!
Whether or not a correct password needs to be input to boot a device (the so-called "strong protection" feature), and whether such a feature is enabled/disabled by default and user-configurable, are all dependent on the specific device brand/model/firmware version & build. If the lockscreen is also enabled on such a device with this "strong protection" enabled, there might be a need to input the same password twice before a user can interact freely with different apps.
An MDM device agent is a normal app, but with access to some exclusive MDM API calls to the kernel to perform management functions, some of which normally need root rights to execute. Hence, the MobiControl device agent will not have started if a device does not have its kernel and other system functions running after an encrypted-file-system unlock with the password associated with this so-called "strong protection" feature.
There is no need to argue with any MDM vendor and ask why this model or that firmware version. The owner of EACH device firmware image has the absolute right to decide if he/she wants to implement this "strong protection" and make it configurable or not. As far as I know, I think many, if not all, big brands need or tend to have this enabled by default and non-configurable for Android Enterprise devices running Android 11 or later. For earlier firmware versions, the choice varies in a somewhat chaotic way.
Thanks Raymond for clearing things up.
I will get in touch with Honeywell then.
Hi John Doe,
Following up on this post, I was wondering if you were able to contact Honeywell?
Hi John Doe,
Following up on this post, we have contacted Honeywell and they want to confirm whether you are using the Device Admin app or Android Enterprise.
Additionally, Honeywell informed us that they are missing some pieces of information. Please contact them and let us know any updates.
Kind Regards,
Hi John Doe,
Following up on this post, I was wondering if you were able to contact Honeywell again? Did you get any updates?
Kind Regards
For now I didn't get any new updates, but as stated earlier, we were told that there might be a solution coming and that it's being worked on.
Yes, we are using Android Enterprise.
Hi, John Doe
I have the same issue on Zebra TC53/58 that comes with Android 11.
Have you got any updates on this?
BR. Kjetil
Just ran into this issue; looks like I've reached the end of the line with Soti and Zebra support.
Zebra pointed out that the issue is because of the 'File Based Encryption' method implemented on devices with the Qualcomm 6490 chipsets - the resolution is to get Soti to write their application to allow it to boot up in 'direct boot mode'.
When going up the chain with Soti support, they've advised that it's not something that's in their control and is the result of the way Google have chosen to approach security - and then proceeded to point out that other MDMs have this issue too.
Doesn't look like this is going to get resolved.
Best Regards,
I have customers being affected by the same issue. Like Experiment 626 said - this is related to SOTI Device Agent not being a direct boot application. There are several challenges creating a direct boot application.
Direct Boot divides the device's storage space into two categories:
The Qualcomm 6490 chipset, used in newer devices like the Zebra TC53/58, supports Android's modern security features, including file-based encryption and Direct Boot. The chipset is designed to handle the security requirements demanded by newer Android versions, such as Android 11 and up, providing hardware support for these features.
For MDM solutions like SOTI MobiControl, implementing support for Direct Boot is an absolute must to ensure that device management agents can start and run even after a restart without the user needing to unlock the device. This ensures that the device can be managed and receive updates immediately after a restart, which is obviously critical for enterprise use.
One of the challenges with Direct Boot is that apps needing to run in this mode must be specifically designed for it. They must be able to operate in a restricted environment where they only have access to the DE storage area and must be capable of handling restrictions in available Android APIs until the user unlocks the device.
Implementing Direct Boot in MDM agent applications therefore requires close collaboration between device manufacturers (like Zebra), chipset providers (like Qualcomm), and MDM providers (like SOTI) to ensure that security and management functionalities can seamlessly operate together under any startup conditions. Achieving this is much easier said than done. But SOTI has always been a pioneer in the Enterprise Mobility field, so I would not be surprised if they suddenly decided to fix it - especially if one of the other MDMs solves the issue. Or when enough customers demand a change.
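As an added illustration of the Direct Boot constraints described in the post above (this is example code, not SOTI's agent or anything from this thread), here is what a Direct Boot aware Android boot receiver looks like in Java: it runs before the first unlock, touches only device-protected (DE) storage, and defers everything that needs credential-encrypted (CE) data until the user has unlocked. The package name, the `BootReceiver` class and the `AgentService` helper it calls are hypothetical placeholders.

```java
// Added example: a Direct Boot aware receiver as a management agent would need.
// Hypothetical names: package com.example.agent, class AgentService.
//
// AndroidManifest.xml (inside <application>):
//   <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
//   <receiver android:name=".BootReceiver"
//             android:directBootAware="true"
//             android:exported="true">
//       <intent-filter>
//           <action android:name="android.intent.action.LOCKED_BOOT_COMPLETED" />
//           <action android:name="android.intent.action.BOOT_COMPLETED" />
//       </intent-filter>
//   </receiver>
package com.example.agent;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.os.UserManager;

public class BootReceiver extends BroadcastReceiver {
    // Preferences stored in DE storage: readable before the first unlock,
    // so nothing secret that depends on the user's credential belongs here.
    private static final String DE_PREFS = "agent_de_prefs";

    @Override
    public void onReceive(Context context, Intent intent) {
        String action = intent.getAction();
        // Device-protected storage context: available in the locked state.
        // The normal app data directory (CE storage) is NOT available yet.
        Context deContext = context.createDeviceProtectedStorageContext();
        SharedPreferences prefs =
                deContext.getSharedPreferences(DE_PREFS, Context.MODE_PRIVATE);

        if (Intent.ACTION_LOCKED_BOOT_COMPLETED.equals(action)) {
            // Delivered only to directBootAware components, before unlock.
            prefs.edit().putLong("lastLockedBoot", System.currentTimeMillis()).apply();
            // Whatever starts here must limit itself to DE data and to the
            // APIs that work while the device is still locked.
            AgentService.startLocked(deContext);   // hypothetical helper
        } else if (Intent.ACTION_BOOT_COMPLETED.equals(action)) {
            UserManager um = context.getSystemService(UserManager.class);
            if (um != null && um.isUserUnlocked()) {
                // CE storage is now accessible: enable full functionality.
                AgentService.startUnlocked(context); // hypothetical helper
            }
        }
    }
}
```

Without `android:directBootAware="true"` the component simply never receives `LOCKED_BOOT_COMPLETED`, which is the behaviour the thread describes: the agent stays down until someone enters the PIN.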