Configure Factory Reset Protection
Last updated November 27th, 2024
Categories:
Environment
- Knox Manage
- Android Enterprise
- Fully managed devices
- Work profile on company owned devices
Overview
Factory Reset Protection protects your company devices from unauthorized use in case of theft or loss.
While Factory Reset Protection can be configured without a lock screen, we recommend setting a password or PIN lock.
Factory Reset Protection only blocks factory resets initiated through the bootloader, and doesn’t prevent a user from performing a factory reset through the device’s settings. Configuring lock screen policies ensures you are protected against both methods.
How to configure Factory Reset Protection
To configure Factory Reset Protection, first generate a Google User ID:
- Navigate to the Google Developers API documentation.
- Click Sign In.
- Sign in with your Google Account.
- Click API and modify the following fields:

  | Field | Value |
  | --- | --- |
  | resourceName | people/me |
  | personFields | metadata |

- Click EXECUTE.
- The response is shown below. Locate the id field and copy your Google User ID.
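The following check is an added example, not part of Samsung's or Google's documentation. It pulls the Google User ID out of a saved copy of the response and rejects look-alike values, so that a wrong ID is not pushed to the fleet. The response shape (a `metadata.sources` list whose `PROFILE` entry carries the `id`), the function names, and the sample values are assumptions made for this example.

```python
import json

# Constructed sample of the people.get response (all values made up). The shape
# follows the People API Person resource and is an assumption, not page content.
SAMPLE_RESPONSE = """
{
  "resourceName": "people/100000000000000000001",
  "etag": "%EgMBNy4=",
  "metadata": {
    "sources": [
      {"type": "CONTACT", "id": "4f2a9c0b1d3e5f67", "etag": "#c1"},
      {"type": "PROFILE", "id": "100000000000000000001", "etag": "#p1"}
    ],
    "objectType": "PERSON"
  }
}
"""


def extract_google_user_id(response_text):
    """Return the Google User ID (PROFILE source id) from the response JSON."""
    person = json.loads(response_text)
    sources = person.get("metadata", {}).get("sources", [])
    # Only the PROFILE source describes the Google Account itself; CONTACT ids
    # and etag values sit next to it and are easy to copy by mistake.
    ids = {s.get("id") for s in sources if s.get("type") == "PROFILE"}
    if len(ids) != 1:
        raise ValueError(f"expected one PROFILE id, found {len(ids)}")
    user_id = ids.pop()
    if not (isinstance(user_id, str) and user_id.isascii() and user_id.isdigit()):
        raise ValueError("PROFILE id is not a numeric string")
    # Assumption: for people/me, resourceName is "people/<same id>".
    if person.get("resourceName") != f"people/{user_id}":
        raise ValueError("resourceName does not match the PROFILE id")
    return user_id


def frp_fields(account_email, response_text):
    """Build the two values that go into the Knox Manage policy fields."""
    email = account_email.strip()
    if email.count("@") != 1 or email.startswith("@") or email.endswith("@"):
        raise ValueError("Google Account ID must be the account's email address")
    return {"Google Account ID": email,
            "Google User ID": extract_google_user_id(response_text)}


if __name__ == "__main__":
    print(frp_fields("frp-admin@example.com", SAMPLE_RESPONSE))
```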
Next, enter your Google Account ID and Google User ID in Knox Manage:
- In the Knox Manage console, click Profile.
- Select your profile and click Modify Policy.
- Under the Android Enterprise policy drawer, click Factory Reset Protection.
- Modify the following policies:

  | Policy | Value |
  | --- | --- |
  | Factory Reset Protection | Allow |
  | Google Account ID | Enter your Google Account email |
  | Google User ID | Enter your copied Google User ID |

- Click + to add the account.
- Click Save & Assign to save and push the changes to your device fleet.
After the device is reset and restarted, Factory Reset Protection is activated and the device user must sign in with the associated Google Account.
You may be required to verify the accounts used for Factory Reset Protection after it is configured to allow specific accounts. This requirement depends on the device management type and the factory reset method you used.
For fully managed devices, only factory reset actions performed using device commands from the Knox Manage console require account verification. Account verification isn’t triggered if the factory reset is initiated through device settings.
For company-owned devices with a work profile, both device commands and device settings used for factory resets trigger the account verification step.