Android 11 Devices staying offline after restart except if device is unlocked once


Hello,

Has anyone encountered the issue where the background service & agent only start if the device was once unlocked after a restart?

Kind Regards John

9 Answers

Rafael Schäfer | posted this 30 September 2021

That's normal behaviour we see on devices all the time if a Pin/Password is set (on every Android version).

Then you first have to enter the pin/password to unlock the device one time, and then it connects and stays connected.

But I don't really have any experience with devices without a Pin/Password.

Current used Version: 15.3.3.1065

  • 0
  • 0
John Doe | posted this 30 September 2021

We always used our devices with the device plugin, and for us that's definitely not normal behaviour.

All of our devices got online after restart even if a pin was set, because MobiControl as a DA has the rights to start and run in the background.

For normal apps that's the intended behaviour from a security perspective, but for the device administrator?

Kind Regards John

  • 0
  • 0
DRMOD@SOTI | posted this 27 October 2021

Hi John Doe

Thank you for requesting a response from SOTI Support Staff. 

As Rafael Schäfer mentioned before, it is expected behavior on some devices. There was a developer’s ticket MCMR-25942 on the issue. Android devices 9 and higher have the “Strong Protection” feature, which encrypts the device’s data. Normally devices should be encrypted when using Android Enterprise.

Please find related information here https://docs.samsungknox.com/admin/knox-manage/kbas/kba-360044395734.htm

 

By default, Strong Protection is enabled. If you restart your device without unlocking it, only a few services are granted permission to run (e.g., alarm clock, SMS, calls). Any other services, including UEM agents, cannot run until the device is unlocked. As a result, the MobiControl agent is unable to receive commands from the server until you unlock the device after reboot.

The workaround is to disable the passcode on the device or try disabling Strong Protection, and let us know if you are able to see the device online on MobiControl.

We recommend using the Direct Boot Support function (ref https://developer.android.com/training/articles/direct-boot)

 

Hope this helps.

 

Kind Regards, 

 

Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |

  • 0
  • 0
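As an added illustration of the Direct Boot mechanism linked in the reply above (this is not SOTI's or Honeywell's code): a generic Direct Boot aware receiver that runs before the first unlock and reads only from device-encrypted storage. The package, class, preferences file and key names are hypothetical.

```kotlin
// Manifest side (AndroidManifest.xml), shown as comments to keep one block:
//   <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
//   <receiver android:name=".LockedBootReceiver"
//             android:directBootAware="true" android:exported="false">
//     <intent-filter>
//       <action android:name="android.intent.action.LOCKED_BOOT_COMPLETED" />
//       <action android:name="android.intent.action.BOOT_COMPLETED" />
//     </intent-filter>
//   </receiver>
package com.example.agent // hypothetical package

import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.os.UserManager
import android.util.Log

private const val PREFS = "boot_settings" // hypothetical preferences file

class LockedBootReceiver : BroadcastReceiver() {
    override fun onReceive(context: Context, intent: Intent) {
        val unlocked = context.getSystemService(UserManager::class.java).isUserUnlocked
        when (intent.action) {
            Intent.ACTION_LOCKED_BOOT_COMPLETED -> {
                // Before first unlock only device-encrypted (DE) storage is readable;
                // the app's default, credential-encrypted (CE) storage is still locked.
                val de = context.createDeviceProtectedStorageContext()
                val url = de.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
                    .getString("server_url", null)
                Log.i("Agent", "locked boot, unlocked=$unlocked, server=${url ?: "not provisioned"}")
                // Start only the work that needs nothing from CE storage.
            }
            Intent.ACTION_BOOT_COMPLETED ->
                Log.i("Agent", "user unlocked, full storage available")
        }
    }
}

// Call once while the device is unlocked (for example at enrollment): moves the
// small settings file from CE into DE storage so it is readable after a reboot.
// DE data is not protected by the PIN, so keep credentials and user data out of it.
fun provisionForDirectBoot(context: Context): Boolean {
    val de = context.createDeviceProtectedStorageContext()
    return de.moveSharedPreferencesFrom(context, PREFS)
}
```

A component without `android:directBootAware="true"` is not started until the user has unlocked the device once after reboot.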
John Doe | posted this 29 October 2021

All of our Android 9 devices with DevicePlugin installed (Honeywell CT40) were able to start the MobiControl agent at boot!

I don't know what proprietary "Knox security" has to do with base Android 9; there is basically no option for "strong protection".

As for the "direct boot" option, isn't that a thing you have to implement in your MDM agent, or just request rights to run at startup / boot?

MobiControl starting at boot without the device being unlocked was definitely possible with the Honeywell device plugin installed under Android 9!

Kind Regards John

  • 0
  • 0
Raymond Chan | posted this 29 October 2021

Whether or not a correct password needs to be input to boot a device (the so-called "strong protection" feature), and whether such a feature is enabled/disabled by default and user-configurable, are all dependent on the specific device brand/model/firmware version & build. If the lockscreen is also enabled on such a device with this "strong protection" enabled, there might be a need to input the same password twice before a user can interact freely with different apps.

The MDM device agent is a normal app, but with access to some exclusive MDM API calls to the kernel to perform management functions, some of which normally need root rights to execute. Hence, the MobiControl device agent will not have started if a device does not have its kernel and other system functions running after an encrypted-file-system unlock with the password associated with this so-called "strong protection" feature.

There is no need to argue with any MDM vendor and ask why this model or that firmware version. The owner of EACH device firmware image has the absolute right to decide if he/she wants to implement this "strong protection" and make it configurable or not. As far as I know, I think many, if not all, big brands need or tend to have this enabled by default and non-configurable for Android Enterprise devices running Android 11 or later. For earlier firmware versions, the choice varies in a somewhat chaotic way.

  • 2
  • 1
John Doe | posted this 02 November 2021

Thanks Raymond for clearing things up.

I will get in touch with Honeywell then.

Kind Regards John

  • 0
  • 0
DRMOD@SOTI | posted this 3 weeks ago

Hi John Doe,

Following up on this post, I was wondering if you were able to contact Honeywell?

Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |

  • 0
  • 0
John Doe | posted this 3 weeks ago

Hi DRMOD,

Yes, they should be working on a solution with you guys.

Kind Regards John

  • 0
  • 1
DRMOD@SOTI | posted this 5 days ago

Hi John Doe,

Following up on this post, we have contacted Honeywell and they want to confirm if you are using the Device Admin app or Android Enterprise?

Additionally, Honeywell informed us that they are missing some pieces of information. Please contact them and let us know any updates.

Kind Regards, 

Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |

  • 0
  • 0
