SOTI Pulse Logo

Incomplete Enrollment, Lockdown Password not Accepted, Bricked Device?

JM
Jeff Malone

Initial Background:

We have a Zebra TC52 that was enrolled and functional but then was physically damaged.  Since it was assumed to be permanently unusable, it was deleted/unenrolled from our Devices in the SOTI Console.  Later the device was examined in more detail and found to be reparable and so we proceeded to do so.  After repair it was found that the device was not un-enrolled properly as it was offline, so the technician performed a local factory reset of the device and attempted to re-enroll via StageNow barcode scan.

After this attempt, it appears that the device partially deployed.  It did not appear in the SOTI Console, but Lockdown has been applied on the device.  Many apps did not load or partially loaded, several stating 'Package not Found' when we attempt to run them, and SOTI MobiControl Settings Manager states that it has not been configured.  The biggest problem then is that the Administrator password to exit Lockout was not correctly configured, and use of our actual password, blank, "password", "admin", etc. fail to be accepted.  Our password continues to work on all other enrolled devices, so the problem is isolated to this one unit.

The Problem:

From the SOTI Console standpoint the Device has not appeared in the list from the new enrollment, and we have Permanent Delete enabled so the original Device is also no longer present, so there is no interface we can leverage to interact with the device from the Console side.

From the device standpoint it is in Lockdown, and cannot be taken out of it with a password as it appears no valid password was ever set.  As a result a further factory/enterprise reset from the OS is not possible, as Settings cannot be accessed due to Lockdown restriction.  Likewise USB Debugging to allow ADB access cannot be enabled.  Zebra employs Recovery Protection due to the Android Enterprise account being present, which disables the ability to access ADB or SD card boot options in the Recovery boot.  This account cannot be removed due to Lockout, and I am unaware of any way to bypass Zebra Recovery Protection to initiate a Factory Reset.

Do we just have a bricked device at this point, or is there a way allowed by Lockdown and/or Zebra Recovery Protection to force enrollment/un-enrollment/reset?

 

 

 

3 months ago
SOTI MobiControl
ANSWERS
MD
Matt Dermody Diamond Contributor
3 months ago

It sounds like you might be having Search Sync integrity issues if you're not seeing the device in the inventory in SOTI. I would start by trying to resolve those issues first. 

JM
Jeff Malone
3 months ago

We have no issues current or historically with any of our other devices failing to display in the SOTI Console, is there a reason you can point to that leads you to beleive our situation has that specific problem as the source? How would we approach resolving Search Sync integrity issues as you suggest, with no test cases to reproduce the problem or other data points of the error outside of this single device (which at one point was intentionally removed) not being present in the portal? 

JM
Jeff Malone
3 months ago

One other factor I should include as an update, in further discussions with the people working on the issue here there seems to be some confusion as to whether the factory wipe and re-enroll steps took place.  I may have misunderstood the timeline, and its possible that only the Deletion while the device was offline was performed. 

Would you approach it differently if we had unenrolled/deleted the device from the Console while the unit was offline and then experienced the Lockdown password problem as soon as the unit was restored to function, without an attempt at re-enrolling?

RS
Rafael Schäfer
3 months ago

At least i would give it a shot as it' fast and easy to do, to trigger the search sync via global settings and see if the device then re-appears.

Im also, because of problems like this, not a fan of FRP.
Maybe it's worth to investigate with Support to lookup the device in the DB (so if it at least is there somehow but not shown in the console). Also (if you have it on the lockdown which i guess is not but worth to ask) do you have stagenow available in the lockdown to use their barcodes for factory reset?

And as we talk about StageNow, did you reset using their barcode or doing it via settings menu?
I sk because, at least my experience shows, if you do it via Settings, there might me data left on the device even after the wipe and this could explain the device behavior. It maybe was not entirely wiped (enterprise partition) so after setting up the device again, it still had some of the information about the configs you see now without contacting the server really. I can't remember how our devices looked like when i experienced issues with that as we fastly switched to wipe only via StageNow barcode or SD-card (because of ZTE we don't see the need for FRP).

JM
Jeff Malone
3 months ago

Thank you Rafael, I was trying to reply directly to your comment from yesterday but it doesn't look like the forum will allow me to. 

I appreciate the heads-up about the search sync, I was easily able to trigger it as you said but unfortunately it does not appear to have helped.  Your suggestion regarding StageNow is also a very good one, I think we will need to look into adding it to Lockdown for future use because I do think it could save us in this case, but unfortunately it is not available to us now with the current state of this unit.

I do think that an incomplete wipe, Enterprise wipe, or incomplete enrollment/un-enrollment is the cause unfortunately I don't know what I can confirm the specifics after the fact.  It is clear that Lockdown is still present, but SOTI settings are no loaded, and I think any one of the above would potentially be a source of that.  Due to the exact nature of the various restricitons I think we are likely just stuck on this unit.  I am going to switch my focus from recovering this unit to eliminating or reducing the risk of a reoccurrence, because unless I can bypass Lockdown or FRP we have no access to the unit to make any OS or configuration changes.  

I appreciate you taking the time to try and help, can you answer one more question?  We did not intentionally enable FRP, and in our environment it is of limited use, but all of our TC devices appear to have it as soon as we use StageNow to enroll them in SOTI.  Do you know if there is a way to intentionally disable or turn off FRP, without needing to use ZTE?

RC
Raymond Chan Diamond Contributor
3 months ago (edited 3 months ago)

Hi Jeff,

What  exactly has been done when your said " the unit was restored to function"?

It appears that your device remain offline from the time before the device was first deleted from MobiControl server.  As the device agent never gets connected to the server again, it does not know that if has been deleted from the system and the deployed policies (kiosk, feature-control blocking developer/ADB, etc.) remain active, while the prompt to enter enrollment ID/URL will NOT be displayed.

Do you know if all connections (Wifi, cellular, etc.) have been disabled with MobiControl policies?  If not, and if there is any deployed Wifi SSID/password settings onto the device before deletion from MobiControl server?  If so, is any access-point with such SSID/password settings available to the device now?

 

 

JM
Jeff Malone
3 months ago

The screen had been shattered and we initially thought the unit sustained additional damage.  It turned out that only the screen was impacted, so we replaced the LCD and Digitizer.  We know the device was deleted from the SOTI console end, but the exact steps that may have been taken from a Factory/Enterprise Reset standpoint as well as any Enrollment attempts are unclear.  It seems most likely that a partial reset is what brought the unit to its current state, but we don't know that for sure.

WiFi is not disabled in our Lockdown, and we have the ability to toggle it on and off or add a new network, but in any case the device is currently connected to our standard WiFi network.  One of our productions apps is loaded sucessfully, and we are able to log in and operate it. 

Unfortunatley since SOTI does not appear to be correctly loaded/re-loaded we cannot exit Lockdown, and Zebra Factory Reset Protection is preventing us from starting over via ADB or SD, so we have no available steps to try and change the current state of the unit.

PC
Paul Courtney
3 months ago

You can do a hard reset on most Zebra devices.  TC58 i belive is hold the Vol + and Power button when the device is off.  This should give you at least a Wipe/Reset option.

JM
Jeff Malone
3 months ago

Yes, for the TC51/52/56/57 the button that needs to be held is the PTT button on the left side, above the scan trigger button.  Due I beleive to the Zebra FRP the only options listed in the Recovery Menu are Reboot, View Recovery Logs, and Shut down.  The normal Apply Upgrade/Downgrade options are not shown, so the Factory/Enterprise reset files we can typically use from SD/ADB are not available in this case.

A
APMOD
a month ago

Hi @Jeff Malone

Thanks for posting on SOTI pulse. Thanks @Matt Dermody, @Rafael Schäfer and @Raymond Chan for responding to the post, your expertise and willingness to help are greatly appreciated!

Has your query been resolved?  If this post did not assist you in resolving the issue completely and you have additional questions, please do not hesitate to reach out or you can contact SOTI Support (support@soti.net) to open a new case and one of our support engineer will be there to assist you.

Also, if this post has helped you in solving your query, I would request you to mark the particular comment as "is solution", so that others may benefit from this information.

Kind Regards,

Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |

Similar Discussions