FredEricS-7268 asked AndyLiu-MSFT commented

Reset completely blocked Android device

Hi everyone,

I have an interesting situation. I used a Sony Xperia XA1 with Android 8.0 as a test device. The device was successfully enrolled and an administrative profile created. All device configuration policies were applied. The policies were deliberately configured to restrict the device as much as possible to test if an admin could actually render the device unusable if not knowing what they did. Lo and behold, you can totally tank the device. Now this wouldn't be a problem, even without Wifi, the possibility to reset the device or enable USB debugging for PC reset - if the device has a SIM inserted, it can get changed policies from Intune and be "unstuck".
That is, if some idiot doesn't delete the device from Intune while it's powered off. In this specific case, when the device is powered back on, it realizes it isn't managed by Intune anymore, however, all restrictions are still in place, reenrolling isn't possible and resetting the device isn't either.
So here's my question - how the hell do I get the device reset to factory settings if it's completely blocked by Intune and can't be unblocked by Intune?

Cheers,

Fred

Tags: mem-intune-general, mem-intune-device-configurations, mem-intune-enrollment

AndyLiu-MSFT answered AndyLiu-MSFT edited

Basically, if someone accidentally deletes the device in Intune while it's powered off, then when the device is powered back on, it will still check in with Intune and then remove the policies and company data. Please just click Delete devices from the Intune portal for more details.


In addition, the end user also can unenroll the Intune managed device. It can be performed from the Company Portal. Please refer to the following guide for more details.

Unenroll your Android device from management




If the response is helpful, please click "Accept Answer" and upvote it.


FredEricS-7268 answered AndyLiu-MSFT commented

Hi Andy,

Thanks for the reply and the suggested solution, however it's not quite correct.

The device does check back with Intune, yes. And it also realizes it's not managed by Intune anymore. But, what it tries to do then does not match the Docs. It does not delete company data and it does not remove the policies. It offers to reinstall the management profile, which it can't because there's already one there. The existing policies prohibit the user from removing any profiles or accounts from the device. Hence, unenrolling the device by the user in Company Portal is not possible.

Cheers,

Fred


If the profile, factory reset and USB debugging have been locked, there is no way to remove the Company Portal and policies from the client side. You must remove the locks from the Intune portal. However, the behavior of the device is not as expected after it's deleted from the Intune portal. To investigate this issue further, I would recommend creating an online support ticket.

On the other hand, to avoid this situation, you can remove the delete permission for most of the Intune administrators from the Intune Roles.

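To act on the last suggestion in the thread, an administrator first needs to know which Intune roles can delete device records at all. The script below is an added example, not part of the thread or Microsoft's code: it audits an export of role definitions and lists the roles that grant device deletion. It assumes the export follows the Microsoft Graph `deviceManagement/roleDefinitions` response shape, that the delete action is named `Microsoft.Intune_ManagedDevices_Delete`, and that a "not allowed" entry overrides an allowed one; the sample roles are constructed.

```python
import json

# Assumption: Graph resource action name for deleting a managed device record.
DELETE_ACTION = "Microsoft.Intune_ManagedDevices_Delete"

# Constructed sample, shaped like a deviceManagement/roleDefinitions export.
SAMPLE = json.loads("""
{"value": [
  {"displayName": "Help Desk (constructed)", "rolePermissions": [
    {"resourceActions": [{"allowedResourceActions": [
        "Microsoft.Intune_ManagedDevices_Read",
        "Microsoft.Intune_ManagedDevices_Delete"],
      "notAllowedResourceActions": []}]}]},
  {"displayName": "Read Only (constructed)", "rolePermissions": [
    {"resourceActions": [{"allowedResourceActions": [
        "Microsoft.Intune_ManagedDevices_Read"],
      "notAllowedResourceActions": null}]}]},
  {"displayName": "Device Manager (constructed)", "rolePermissions": [
    {"resourceActions": [{"allowedResourceActions": [
        "Microsoft.Intune_ManagedDevices_Delete"],
      "notAllowedResourceActions": [
        "Microsoft.Intune_ManagedDevices_Delete"]}]}]},
  {"displayName": "Legacy Admin (constructed)", "rolePermissions": [
    {"resourceActions": [{"allowedResourceActions": [
        "microsoft.intune_manageddevices_delete"]}]}]}
]}
""")

def can_delete_devices(role):
    """True if the role allows the delete action and does not also deny it."""
    allowed, denied = set(), set()
    for perm in role.get("rolePermissions") or []:
        for actions in perm.get("resourceActions") or []:
            # Lists may be missing or null in an export; compare case-insensitively.
            allowed.update(a.lower() for a in actions.get("allowedResourceActions") or [])
            denied.update(a.lower() for a in actions.get("notAllowedResourceActions") or [])
    target = DELETE_ACTION.lower()
    return target in allowed and target not in denied

def roles_with_delete(export):
    """Names of all roles in the export that can delete device records."""
    return sorted(r.get("displayName", "<unnamed>")
                  for r in export.get("value", []) if can_delete_devices(r))

if __name__ == "__main__":
    for name in roles_with_delete(SAMPLE):
        print("grants device delete:", name)
```

Roles reported here are the ones to review against the list of administrators who genuinely need to delete devices.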