Troubleshooting
Problem
Google has acknowledged a known issue in Android 14 that prevents changes from being made to specific policy settings, particularly Security and Restriction settings, once they have been initially set for a device. This issue affects Android 14 devices that are enrolled in the IBM MaaS360 Platform.
Symptom
The known issue in Android 14 can lead to irreversible Security and Restriction policy settings on affected devices in the following scenarios:
- Upgrading an enrolled device from Android 13 to Android 14 after applying MDM policies
- Rebooting an enrolled device running Android 14 after applying MDM policies
Note: This issue impacts only Android Enterprise devices. It does not affect devices enrolled in Device Admin mode.
Environment
Once a device has been impacted, the device has to be unenrolled for the unchangeable policies to stop taking effect.
- Device Owner (DO) or Work Profile Company Owned (WPCO) devices: The device has to be factory reset
- Profile Owner (PO) devices: The work profile has to be removed. Note that the policies in bold below may remain unchangeable, and a factory reset would be required in that case.
Affected policy settings
S.No | Section | Subsection | Policy | Becomes Unchangeable if Set to |
---|---|---|---|---|
1. | Security | App Security | Allow installation of apps | Disabled |
2. | Security | App Security | Allow Installation of Non-Google Play Applications | Disabled |
3. | Security | App Security | Enforce App Verification | Enabled |
4. | Security | App Security | Allow uninstallation of Apps | Disabled |
5. | Security | App Security | Allow apps control | Disabled |
6. | Security | App Security | Allow device wide installation from unknown sources | Disabled |
7. | Security | Developer Option | Allow create window | Disabled |
8. | Security | Developer Option | Allow mounting of physical media | Disabled |
9. | Security | Developer Option | Allow USB Debugging | Disabled |
10. | Security | Developer Option | Allow USB file transfer | Disabled |
11. | Security | Device Security | Allow configuration of credentials | Disabled |
12. | Security | Device Security | Allow User profile creation | Disabled |
13. | Security | Device Security | Allow removal of user profile | Disabled |
14. | Security | Device Security | Allow modification of accounts | Disabled |
15. | Security | Device Security | Allow boot of device in Safe mode | Disabled |
16. | Security | Device Security | Allow Factory reset | Disabled |
17. | Security | Device Security | Allow lock down of wallpaper | Enabled |
18. | Security | Device Security | Allow lock down of customer user icon | Enabled |
19. | Security | Work Profile-specific Settings | Disallow Share into Managed Profile | Enabled |
20. | Security | Work Profile-specific Settings | Allow web links to apps of the parent | Disabled |
S.No | Section | Subsection | Policy | Becomes Unchangeable if Set to |
---|---|---|---|---|
1. | Restriction | Device Features | Allow outgoing beam | Disabled |
2. | Restriction | Device Features | Allow sharing of locations | Disabled |
3. | Restriction | Device Features | Allow Bluetooth Sharing | Disabled |
4. | Restriction | Device Features | Disallow Printing | Enabled |
5. | Restriction | Device Features | Disable Date & Time Configuration | Enabled |
6. | Restriction | Device Features | Disable Ambient Display | Enabled |
7. | Restriction | Device Features | Disable Brightness Configuration | Enabled |
8. | Restriction | Device Features | Disallow Locale Configuration | Enabled |
9. | Restriction | Device Features | Disallow System Error Dialogs | Enabled |
10. | Restriction | Device Features | Disable Airplane Mode | Enabled |
11. | Restriction | Network Restrictions | Allow outgoing calls | Disabled |
12. | Restriction | Network Restrictions | Allow SMS | Disabled |
13. | Restriction | Network Restrictions | Allow Wi-Fi | Disabled |
14. | Restriction | Network Restrictions | Allow VPN | Disabled |
15. | Restriction | Network Restrictions | Allow Mobile Network configuration | Disabled |
16. | Restriction | Network Restrictions | Allow Data roaming | Disabled |
17. | Restriction | Network Restrictions | Allow configuration of cell broadcasts | Disabled |
18. | Restriction | Network Restrictions | Allow Network reset | Disabled |
19. | Restriction | Network Restrictions | Allow Tethering | Disabled |
S.No | Section | Subsection | Policy | Becomes Unchangeable if Set to |
---|---|---|---|---|
1. | Passcode | N/A | Disallow Unified Password | Enabled |
Diagnosing The Problem
Example of one of the worst-case scenarios of a setting that could brick a device:
Allow Factory Reset policy setting scenario:
- An Android device has the Allow Factory Reset policy setting disabled.
- The device undergoes a reboot.
- The administrator publishes a new version of the policy that enables the Allow Factory Reset option.
- Even after the new policy is successfully delivered to the device, the Allow Factory Reset policy remains disabled on the device.
Outcome: Due to the Android 14 bug, the Allow Factory Reset policy remains disabled, and the user cannot perform a factory reset.
Resolving The Problem
First published on December 1, 2023.
Update: January 04, 2024 - To enroll Android 14 devices or upgrade enrolled devices to Android 14 without issues, customers must update the MaaS360 for Android app to version 8.41 from the Play Store.
Update: December 01, 2023 - Google is actively working on a fix for this issue and is collaborating with OEMs (Original Equipment Manufacturers) to release an Android 14 patch that prevents these settings from becoming permanently unchangeable on future devices.
Additionally, Google has provided a workaround for MDM agents. MaaS360 will incorporate this workaround into upcoming MaaS360 agent releases. (Agent version and dates to be determined.)
Once either the Google fix or the MaaS360 workaround has been deployed, newly enrolled or upgraded devices will no longer be affected.
Devices that are already affected by the issue cannot be fixed by MaaS360 or firmware patches. Instead, the affected devices must be wiped, or have the work profile wiped, as outlined in the Environment section above. After the necessary firmware or MaaS360 patches are applied on the device, re-enrollment is required.
Document Location
Worldwide
Document Information
Modified date:
09 January 2024
UID
ibm17086093