Hello,
has anyone encountered the issue where the background service & agent only start if the device was unlocked once after a restart?
That's normal behaviour we see on devices all the time if a PIN/password is set (on every Android version).
Then you first have to enter the PIN/password to unlock the device one time, and then it connects and stays connected.
But I don't really have any experience without a PIN/password.
We always used our devices with the device plugin, and for us that's definitely not normal behaviour.
All of our devices got online after restart even if a PIN was set, because MobiControl as a DA has the rights to start and run in the background.
For normal apps that's the intended behaviour from a security perspective, but for the device administrator?
Hi John Doe
Thank you for requesting a response from SOTI Support Staff.
As Rafael Schäfer mentioned before, it is expected behavior on some devices. There was a developer's ticket, MCMR-25942, on the issue. Android devices 9 and higher have the "Strong Protection" feature, which encrypts the device's data. Normally devices should be encrypted when using Android Enterprise.
Please find related information here: https://docs.samsungknox.com/admin/knox-manage/kbas/kba-360044395734.htm
By default, Strong Protection is enabled. If you restart your device without unlocking it, only a few services are granted permission to run (e.g., alarm clock, SMS, calls). Any other services, including UEM agents, cannot run until the device is unlocked. As a result, the MobiControl agent is unable to receive commands from the server until you unlock the device after reboot.
As a workaround, disable the passcode on the device or try disabling Strong Protection, and let us know if you are able to see the device online on MobiControl.
We recommend using the Direct Boot Support function (ref https://developer.android.com/training/articles/direct-boot).
Hope this helps.
Kind Regards,
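The Direct Boot support referenced above is something an app has to implement itself. The following sketch is an added illustration, not SOTI's or Honeywell's code; it assumes a receiver declared in the manifest with `android:directBootAware="true"`, intent filters for both boot actions and the `RECEIVE_BOOT_COMPLETED` permission, and the class name, preference file and key are hypothetical.

```kotlin
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.os.UserManager
import android.util.Log

// Hypothetical agent component that is allowed to run before the first unlock.
class AgentBootReceiver : BroadcastReceiver() {

    override fun onReceive(context: Context, intent: Intent) {
        val unlocked = context.getSystemService(UserManager::class.java).isUserUnlocked
        when (intent.action) {
            Intent.ACTION_LOCKED_BOOT_COMPLETED -> {
                // Sent right after reboot, before any PIN/password entry.
                // Only device-encrypted (DE) storage is readable at this point.
                val de = context.createDeviceProtectedStorageContext()
                val server = de.getSharedPreferences(DE_PREFS, Context.MODE_PRIVATE)
                    .getString(KEY_SERVER, null)
                Log.i(TAG, "locked boot: unlocked=$unlocked, server known=${server != null}")
                // Start only work that needs no credential-encrypted (CE) data here.
            }
            Intent.ACTION_BOOT_COMPLETED -> {
                // Sent only after the user has unlocked once; CE storage is now open.
                Log.i(TAG, "boot completed: unlocked=$unlocked, full agent start possible")
            }
        }
    }

    companion object {
        private const val TAG = "AgentBootReceiver"
        private const val DE_PREFS = "agent_bootstrap"   // hypothetical file name
        private const val KEY_SERVER = "server_url"      // hypothetical key

        // Run once while the device is unlocked (for example at enrollment) so the
        // minimal connection settings are available before the next first unlock.
        fun migrateBootstrapSettings(context: Context) {
            val de = context.createDeviceProtectedStorageContext()
            de.moveSharedPreferencesFrom(context, DE_PREFS)
        }
    }
}
```

A component without `directBootAware` receives only `BOOT_COMPLETED`, which is why such an agent stays offline until the first unlock.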
All of our Android 9 devices with the DevicePlugin installed (Honeywell CT40) were able to start the MobiControl agent at boot!
I don't know what proprietary "Knox security" has to do with base Android 9; there is basically no option for "strong protection".
As for the "direct boot" option, isn't that a thing you have to implement in your MDM agent, or just request rights to run at startup / boot?
MobiControl starting at boot without the device being unlocked was definitely possible with the Honeywell device plugin installed under Android 9!
Whether or not a correct password needs to be input to boot a device (the so-called "strong protection" feature), and whether such a feature is enabled/disabled by default and user-configurable, all depend on the specific device brand/model/firmware version & build. If the lockscreen is also enabled on such a device with this "strong protection" enabled, there might be a need to input the same password twice before a user can interact freely with different apps.
The MDM device agent is a normal app, but with access to some exclusive MDM API calls to the kernel to perform management functions, some of which normally need root rights to execute. Hence, the MobiControl device agent will not have started if a device does not have its kernel and other system functions running after an encrypted-file-system unlock with the password associated with this so-called "strong protection" feature.
There is no need to argue with any MDM vendor and ask why this model or that firmware version. The owner of EACH device firmware image has the absolute right to decide if he/she wants to implement this "strong protection" and make it configurable or not. As far as I know, I think many, if not all, big brands need or tend to have this enabled by default and non-configurable for Android Enterprise devices running Android 11 or later. For earlier firmware versions, the choice varies in a somewhat chaotic way.
Thanks Raymond for clearing things up.
I will get in touch with Honeywell then.
Hi John Doe,
Following up on this post, I was wondering if you were able to contact Honeywell?
Hi John Doe,
Following up on this post, we have contacted Honeywell, and they want to confirm whether you are using the Device Admin app or Android Enterprise.
Additionally, Honeywell informed us that they are missing some pieces of information. Please contact them and let us know any updates.
Kind Regards,
Hi John Doe,
Following up on this post, I was wondering if you were able to contact Honeywell again? Did you get any updates?
Kind Regards