Enable or disable Google FRP (factory reset protection)

How to enable or disable the Factory Reset Protection on a device?

WARNING: For TinyMDM versions 3.04770 to 3.04790, disabling Google reset protection (FRP) is currently unavailable. To avoid device lock-up after a factory reset, please update TinyMDM or remove any Google account from the device before proceeding with the reset.

What does “FRP” means? Google Factory Reset Protection is a security method designed to prevent anyone but the device’s owner to factory reset it. When you activate FRP, it prevents someone who doesn’t know the account from using the device. Although it’s useful when lost or stolen, it can become a problem in many situations, especially when it comes to enterprises: if an employee (signed in with his Google account as device owner) leave the company, his device will become unusable after factory reset. With TinyMDM, it is possible to preconfigure a Google account for the FRP. If you turn it on after a factory reset, you can unlock the device using the Google account.

FYI: FRP does not activate if the device is reset from the settings. This is because this reset method is considered “secure” by Android, as the user performs this action with access to the device.

A. What is the default behavior of FRP protection?

When a policy is created, the “Enable Google factory reset protection (FRP)” feature in the General wide controls sub-tab is automatically activated.

In its default state, this protection remains relatively ineffective UNLESS your policy allows users to connect to a Google account. In this case, if a device is reset and a user has associated their Google account with it, access will be blocked after the reset, and credentials will have to be entered to unlock the device. To prevent this from happening, you can check the option “Prevent adding or removing accounts (like Google accounts) on the devices” in your policy:

The best practice for FRP to play its full role in preventing unauthorized access to the device after a reset is to connect it to a Google business account, not a personal one, from the console, as this will facilitate access recovery if necessary.

B. How to activate FRP protection effectively?

1. Enable functionality from policy if disabled

From your TinyMDM account:

  • Go on to the Policies tab and click on Edit to modify the policy of your choice
  • Inside the policy, scroll down to the Device wide-controls sub tab and tick Enable Google factory reset protection (FRP).

2. Add Google Account

  • Then click on Add FRP account. An informative pop-up window appear to explain the importance of adding a FRP account.
  • Check the information boxes and confirm by clicking on Add FRP account.
  • Then, you are redirected to the Google connexion page, where you can choose an existing Google account or create a new one.
  • Once you select the account, you you go back to the TinyMDM policy and the chosen account becomes visible under “Enable Google factory reset protection (FRP)”.

C. How does this materialize on the device?

1. Device blocked without Google account access

When the device has been reset, Google Reset Protection (FRP) kicks in. When the device is restarted, a message appears on the screen asking you to enter an e-mail address or telephone number associated with the Google account previously registered in the TinyMDM policy.

If the current administrator does not have the login credentials, access to the device is completely blocked. They will not be able to configure or use the device, unless they contact the person who originally registered their Google account. This can cause difficulties, particularly if the employee concerned has left the company and his or her login details are no longer accessible. In this case, it can be complex, if not impossible, to regain access to the device.

2. Unlock device with Google credentials

If the administrator is in possession of the credentials for the Google account registered prior to the reset, this person can easily unlock the device. After entering the e-mail address and password for the Google account specified in the policy when FRP protection was activated, the device will proceed to verify the information. Once this step has been validated, the user can continue configuring the device as normal and resume full use of the device.

If you forget, you can find out which Google account to use to unlock the device in the policy:

D. How to disable FRP protection?

Via TinyMDM, you can securely disable the FRP option on all your devices in fully managed or kiosk mode, so that the Google account verification step can be skipped in the event of a reset to factory settings. We recommend checking this option for devices running Android 10 and below, as it is not possible to pre-configure a Google account for FRP on these versions.

  • From your TinyMDM account, go on the Policies tab and click on Edit to modify the policy of your choice
  • Under Device-wide controls tab, tick the Disable Google factory reset protection (FRP) box
  • Once activated, the Google account verification step after a factory reset is skipped.

IMPORTANT: The use of FRP protection may differ from case to case: for example, if your users must log in to their Google account, or if you manage a mixed fleet of devices comprising terminals running Android 10 (incompatible with FRP) as well as others running Android 11 and later versions. For more information and personalized support, please contact the TinyMDM technical support team via the Support tab on your administration console.