Force Samsung "Secure Startup" on android enterprise devices

I have a Samsung device that was set up as a work managed device.

I have read that "encryption is enabled by default" on work managed devices but have seen the opposite on my devices.

When I check the device statuses, the encryption status is always "No" unless I manually enable Secure Startup on that device.

I have searched high and low for an option to enable this but cannot locate one. On standard Android+ device profiles, when the encryption option is enabled, it turns on Secure Startup, which requires entering the PIN before the phone boots.

Is there a way to force-enable Secure Startup via MobiControl, or am I stuck manually setting it?

6 Answers

Kirsty Monk | posted this 06 December 2019

Hi Raymond,

Since it has been over a year, maybe you have heard of some development in the Secure Start-up toggle settings?

I have just been on the phone to a MobiControl Help Desk agent, and he said that this feature is beyond the control of MobiControl, but he is going to do some more research anyway.

Thanks

Kirsty
Raymond Chan | posted this 29 August 2018

Hi Cory,

If you just want to make sure that encryption is on when your device has been successfully enrolled with the Android Enterprise device agent, then you don't need to worry. The device is definitely encrypted. However, it is possible that the encryption status in the web console shows "No". By "No", it does not mean there is actually no encryption, but rather it means the "secure startup" option in the device's Settings has not been enabled.

As you might already know, with "secure startup" enabled, the end user will be prompted to input the correct encryption password first before the actual boot-up proceeds, and will be prompted again for the same password a second time to unlock the lock screen before he/she can use the device. If this option is disabled, the device boots up anyway, and the password will be prompted only once to unlock the lock screen. This is a less secure usage model, but has two benefits:

1. It is more convenient for the end user because the same password has to be input only once, rather than twice, for each boot-up.

2. Since the Soti device agent can always run after boot-up without any password entered yet, if a "legitimate" end user really forgets his/her password, a MobiControl administrator can send a command remotely to the running device agent to unlock the device, thus avoiding the need to factory reset the device and cause any possible data loss.

It can be less secure because if such a device does not have USB and ADB debug mode blocked, then it is possible to use a USB cable to steal the data inside, even if it is not possible to unlock the lock screen in the first place.

With the encryption status reporting "No" if "secure startup" is not enabled, it is then possible for an administrator to set up a MobiControl alert rule and get a warning when a device previously configured to use "secure startup" gets reconfigured otherwise by the device end user. So I would not consider this a bug that you need to open a support ticket with Soti for. It's actually a feature for you to detect an improper "secure startup" option, as there is currently no way to set this option via MobiControl.

It would of course be much better if there were a script command to remotely force "secure startup" to be enabled/disabled, and/or a feature control option to force the "secure startup" option to be enabled/disabled/user-configurable. I believe Soti should have implemented them already if Google's Android Enterprise APIs or Samsung's MDM APIs supported such features. With these, the solution would be nearly perfect.

An even more perfect solution is to decouple the encryption password from the lock screen password when secure startup is enabled, so that the end user can choose a strong encryption password for enhanced boot-up security, but a shorter password to unlock the lock screen for smoother day-to-day usage. This has been proposed in various Android kernel developers' forums for years, but no solid implementation has materialized.
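The answer above treats the console's "Encryption: No" value as a detection signal rather than a bug: a device that previously reported "Yes" and now reports "No" is one where the user has switched Secure Startup off. The following is an added example, not code from this thread or from SOTI, that applies that logic offline to a constructed CSV export of device-status snapshots (the column names `device`, `timestamp`, `encryption` and the export format itself are assumptions; MobiControl's own alert rules are the in-product way to do this). It separates devices that regressed from "Yes" to "No" (worth an alert) from devices that were never switched on (the situation the original question describes, which needs a manual enable).

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export (NOT a real MobiControl export format): one row per
# device-status snapshot, with the "Encryption" value as the web console shows it.
SAMPLE_EXPORT = """\
device,timestamp,encryption
SM-G930V-0001,2018-08-27T09:00:00,Yes
SM-G930V-0001,2018-08-28T09:00:00,Yes
SM-G930V-0001,2018-08-29T09:00:00,No
SM-G930V-0002,2018-08-27T09:00:00,No
SM-G930V-0002,2018-08-28T09:00:00,No
SM-G930V-0003,2018-08-27T09:00:00,No
SM-G930V-0003,2018-08-28T09:00:00,Yes
"""


def parse_export(text):
    """Return a list of (device, timestamp, encryption) tuples from the CSV text.

    The encryption value is normalised to lower case so 'Yes'/'YES'/'yes' compare equal.
    """
    samples = []
    for row in csv.DictReader(io.StringIO(text)):
        samples.append((
            row["device"].strip(),
            datetime.fromisoformat(row["timestamp"].strip()),
            row["encryption"].strip().lower(),
        ))
    return samples


def classify(samples):
    """Map each device to one of 'enabled', 'regressed' or 'never_enabled'.

    As the thread explains, 'No' means Secure Startup is off, not that the
    storage is unencrypted, so the interesting case is a device that once
    reported 'Yes' and whose latest snapshot reports 'No'.
    """
    history = defaultdict(list)
    for device, seen, enc in samples:
        history[device].append((seen, enc))

    result = {}
    for device, entries in history.items():
        entries.sort()                      # oldest first, by timestamp
        latest = entries[-1][1]
        if latest == "yes":
            result[device] = "enabled"
        elif any(enc == "yes" for _, enc in entries[:-1]):
            result[device] = "regressed"    # user switched Secure Startup off
        else:
            result[device] = "never_enabled"  # needs the manual enable described above
    return result


def devices_to_alert(samples):
    """Sorted list of devices whose Secure Startup state regressed since enrollment."""
    return sorted(d for d, state in classify(samples).items() if state == "regressed")


if __name__ == "__main__":
    states = classify(parse_export(SAMPLE_EXPORT))
    for device, state in sorted(states.items()):
        print(f"{device}: {state}")
    print("alert:", devices_to_alert(parse_export(SAMPLE_EXPORT)))
```

Run against a real export, the "regressed" list is the set of devices an administrator would want an alert rule to fire on, while "never_enabled" devices are the ones still waiting for the one-time manual Secure Startup enable that the thread says cannot be pushed from MobiControl.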
Cory | posted this 29 August 2018

Case Number C00266701

SMod@Soti | posted this 29 August 2018

Hi Cory,

I tried to enroll a Samsung Android 8.0 device and found the same behavior. The device was shown as not encrypted until I manually turned Secure Startup on.

I would recommend creating a case with Technical Support here.

Please let me know the case number and I can work with the internal agent to provide them with more details.

Thanks

Technical Support | SOTI Inc. | 1.905.624.9828 | support@soti.net | soti.net |
Cory | posted this 29 August 2018

Currently I am using 

Agent Version 13.5.1.1234

Phone: Samsung SM-G930V (Galaxy S7)

Android OS version: 8.0

SMod@Soti | posted this 29 August 2018

Hi Cory,

This sounds like some configuration specific to certain device models. I just tried to enroll a Samsung device as an Android Enterprise managed device, and the device encrypted as expected; I saw the encryption status set to 'Yes' in the web console.

Can you provide more details on the device model, Android version and the version of the MobiControl agent being used?

Thanks

Technical Support | SOTI Inc. | 1.905.624.9828 | support@soti.net | soti.net |
