STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated just now
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Google Android 17 COBO Security Technical Implementation Guide

V-284737

CAT II (Medium)

Google Android 17 must disable the user's ability to wipe the device.

Rule ID

SV-284737r1240611_rule

STIG

Google Android 17 COBO Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000366

Discussion

This feature must be disabled to comply with DoW electronic records retention requirements for mobile devices. Otherwise, mobile device users could wipe the device, which would violate DoW policy. SFR ID: FMT_MOF_EXT.1.2 #47

Check Content

Review configuration settings to confirm the user is unable to perform a factory reset and the admin has the ability to inject a recovery account on the device so they can unlock Factory Reset Protection (FRP).

This check procedure is performed on the device management tool and the Google Android 17 device.

On the MDM console:

Verify factory reset configuration:

COBO:

1. Open user restrictions.
2. Verify that "Disallow Factory Reset" is enabled.

Verify factory reset protection policy configuration:

From the Android Enterprise policy management:

1. Go to the "Factory Reset Protection" section.
2. Verify that "Factory Reset Protection" is set to "Allow/Enabled".
3. Verify that the correct Google Account ID(s) is/are listed as allowed to unlock the FRP.

On the managed Google Android 17 device, verify factory reset configuration:

COBO:

1. Open Settings >> General management >> Reset.
2. Tap the "Factory data reset" option.
3. Verify that the "Action not allowed" pop-up appears and factory data reset does not proceed.

If the Android device user is able to perform a factory reset or the admin cannot unlock the Android phone after an FRP event, this is a finding.

Fix Text

Configure the Google Android 17 device to disable the ability of the user to wipe the Android device. Enable the admin to inject a recovery account on the device so they can unlock FRP.

On the MDM console:

Disallow factory reset:

COBO:

1. Open User Restrictions.
2. Enable "Disallow Factory Reset".

Set factory reset protection policy:

COBO: 

1. Open Device owner management >> Set factory reset protection.
2. From "Accounts" Section: Add Account >> Enter recovery account >> press "Ok".
3. From Enabled Section: Select "Enabled" to enable FRP policy.
4. Press "Save" to confirm all changes.

Configuration API: factoryResetDisabled, frpAdminEmails[ ]