Lockout features are built in to the OS many times, even if MDM enforces nothing. If they've put themselves in a situation where the device is locked out and MDM can not be disabled due to policy, there isn't much we can do as our actions (and policy changes) get locked out as well.
They may have to flash back to factory settings similar to what was described above, but in worst case scenarios the devices need to be sent back to the manufacturer for recovery.
We strongly suggest that the features that harden device management be used sparingly, it's not an everyday use feature because of the kind of behavior seen in this post. Clients can leverage Factory Reset Protection features as a theft deterrent and zero touch programs to enforce enrollment. These features provide many of the protections they want with far fewer risks.
------------------------------
Matt Shaver
System Architect
IBM
mshaver@us.ibm.com------------------------------
Original Message:
Sent: Tue August 31, 2021 05:35 AM
From: mohanraj muthusamy
Subject: HELP Required, device disabled! Cannot remove MDM
Hi Matt,
One of my customers reported this same issue. Is there any way for MaaS360 admin can revert from the portal?. Also, they did not enable failed attempt policy. It's a Samsung device.
Thanks.
------------------------------
mohanraj
Original Message:
Sent: Tue January 19, 2021 07:55 PM
From: Matt Shaver
Subject: HELP Required, device disabled! Cannot remove MDM
Hi Steve,
Glad you were able to resolve this. As for the behavior - this is enforced in Policy under Passcode:
Lock device on Failed Passcode Attempts |
This is specifically for Samsung devices - if disabled then it will revert to default system settings or a full wipe if policy dictates after 'x' number of failed passcode attempts.
------------------------------
Matt Shaver
System Architect
IBM
mshaver@us.ibm.com
Original Message:
Sent: Tue January 19, 2021 04:37 PM
From: Steve Birkett
Subject: HELP Required, device disabled! Cannot remove MDM
Solved!
I flashed some engineers software to the device, wiped the data and re-flashed it with stock firmware. Problem solved and I will now rebuild the device with Maas360 and hand back to the user. It is a real shame that the IBM Maas360 platform disabled the device after failed password attempts, rendering the device useless with no way of rectifying the issues caused. I appreciate this may only affect certain devices and not all devices. Non the less it caused a lot of unnecessary work.
Steve.
------------------------------
Steve Birkett
Original Message:
Sent: Mon January 18, 2021 02:15 PM
From: Steve Birkett
Subject: HELP Required, device disabled! Cannot remove MDM
Hi,
I am reaching out for help in the community as one of our devices has been disabled after the user got his password wrong so many times. I am unable to communicate with the device (Samsung Galaxy Active 1 - SM-T365) as it says 'Device Disabled, Contact your IT administrator'. I cannot factory reset the device as the MDM is preventing this. I have re-flashed the firmware but the device remains as it because I have been unable to get the firmware that wipes the data and instead it has just flashed the stock firmware.
Is there a piece of software that i could use to put on a Transflash memory card that will remove the Maas360 MDM? or a file to use with ODIN Flash software?
Any help will be much appreciated, thank you.
------------------------------
Steve Birkett
------------------------------