Cannot reset device password from UEM console

Environment 

  • Knox Platform for Enterprise (KPE)
  • Device administrator (DA)-based devices running Android O and later

Overview

Because of changes to how passwords are handled in Android O, IT administrators may be unable to reset device passwords from the UEM console. For previously activated devices, a factory reset may be required to restore this functionality.

NOTE—Please contact your UEM provider to confirm they have followed the guidance in this article, as it can impact live enterprise deployments.

Cause

The DevicePolicyManager.resetPassword API was deprecated in Android O, preventing apps running as a DA from resetting the lock screen password. If a user forgets the password after upgrading to Android P, an app using the deprecated DA management model cannot activate the token, requiring a factory reset of the device.

As a workaround, the Knox SDK provides the wrapper BasePasswordPolicy.resetPasswordWithToken(). MDM providers must implement this API method call to ensure that the reset password token is set correctly.

Resolution

The fix for the password implementation issue requires both a device firmware update and support from the UEM:

Device firmware update

Firmware updates have been released for the following device models:

| Model  | Region       | Firmware version        |
|--------|--------------|-------------------------|
| S8     | US - AT&T    | G950USQU7DTA5 or higher |
| S8     | US - Verizon | G950USQU5DSC1 or higher |
| S8     | Europe       | G950FXXU4DSDA or higher |
| Note 8 | US - AT&T    | N950USQU7DTA3 or higher |
| Note 8 | US - Verizon | N950USQU7DSL5 or higher |
| Note 8 | Europe       | N950FXXU6DSF6 or higher |
| S9     | US - AT&T    | G960USQU6CSH9 or higher |
| S9     | US - Verizon | G960USQU5CSE6 or higher |
| S9     | Europe       | G960FXXU2CSC8 or higher |
| Note 9 | US - AT&T    | N960USQU2CSI1 or higher |
| Note 9 | US - Verizon | N960USQU1CSE5 or higher |
| Note 9 | Europe       | N960FXXU2CSDE or higher |
| S10    | US           | G970USQU1ASD3 or higher |
| S10    | Europe       | G970FXXU1ASCA or higher |

If your impacted device is with a carrier not listed in the table above, please log in to Samsung Knox and create a support ticket from your dashboard, referencing this article ID.

UEM support

Please consult with your UEM provider to confirm that the appropriate changes were made as per the Knox SDK guidelines.

To restore password reset functionality for previously activated devices, a factory reset may be required if the user previously set a screen lock password, then locked and unlocked the device before device enrollment. The unlocking process causes a loss of escrow data, which cannot be recovered upon enrollment into a UEM.

NOTE—If a lock screen was not set prior to enrollment, a factory reset is not required.