VMware Workspace ONE Community
Andi441
Contributor

Android devices unenroll with event "Break MDM Confirmed"

I have the issue of some users' Android Enterprise devices (all Samsung) becoming unenrolled without any apparent reason. There are a few users in the US who run into this issue every time within days of re-enrolling, but it also happens randomly from time to time with different users at other international locations.

What happens is that the user will pick up their phone and realize that it has unenrolled/factory reset on its own. We check the device logs and the only relevant event within that time frame will be a single "Break MDM Confirmed" event, without any indication as to what prompted it. The phone comes up as "Unenrolled" in the UEM console and all compliance policies are still green. There are no compliance events, and the console events confirm that the device wasn't unenrolled or deleted by an admin.

We tried disabling the option "Apps > Settings and Policies > Security Policies > Compromised Protection", but I just had the first device unenroll even with that option disabled.

I'm out of ideas and open to any suggestions on how to get closer to the root of the issue. Thanks.

Andi441
Contributor

So we did some more testing with "Compromised Protection" disabled and now had a phone that was flagged as compromised but not unenrolled.

The reason for the compromise is "Safetynet Basic Integrity failure." The user, like the others before, hadn't done anything when this happened (the phone was charging). It seems like the only way to prevent this from happening is disabling SafetyNet attestation completely, because it apparently produces false positives.

How big of a security issue would it be if we disabled SafetyNet attestation? I know what SafetyNet does, but I don't know what capabilities AirWatch itself has to, for example, prevent a device from being rooted.
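The thread turns on what a "Basic Integrity failure" actually represents in the SafetyNet verdict that the agent relays to the console. The following is an added illustration in Python; it is not Workspace ONE or AirWatch code and does not describe how the UEM agent or console is implemented. It shows the shape of a SafetyNet attestation payload, how a verifier separates the `basicIntegrity` signal from the weaker `ctsProfileMatch` signal, and one defender-side mitigation for false positives: requiring several consecutive compromised verdicts before any destructive action. The field names (`nonce`, `timestampMs`, `basicIntegrity`, `ctsProfileMatch`, `evaluationType`) are the real SafetyNet payload fields; the sample payload, `build_sample_jws`, `evaluate_verdict`, `decide_action`, the five-minute freshness limit and the threshold of 3 are constructed for this example. JWS signature verification is deliberately omitted here and is mandatory in any real verifier.

```python
import base64
import json
from typing import Dict, List


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWS segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_jws(payload: Dict) -> str:
    """Constructed test fixture (not a real SafetyNet response): a compact-JWS
    shaped string with an EMPTY signature segment, used only to exercise the
    payload parsing below. Real responses are RS256-signed with an x5c chain."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "x5c": []}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_payload(jws: str) -> Dict:
    """Split the compact JWS and decode its payload segment.
    NOTE: this example does not verify the signature or the x5c chain to
    attest.android.com; a real verifier must do that before trusting any field."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def evaluate_verdict(payload: Dict, expected_nonce: str, now_ms: int,
                     max_age_ms: int = 5 * 60 * 1000) -> Dict:
    """Map a decoded payload to one of: reject, compromised, uncertified, ok.
    The nonce and timestamp checks stop a stale or foreign verdict from being
    replayed; the two integrity flags are then read in order of severity."""
    reasons: List[str] = []
    if payload.get("nonce") != expected_nonce:
        return {"status": "reject",
                "reasons": ["nonce mismatch (replayed or foreign attestation)"]}
    age = now_ms - int(payload.get("timestampMs", 0))
    if age < 0 or age > max_age_ms:
        return {"status": "reject",
                "reasons": [f"attestation is {age} ms old, limit {max_age_ms}"]}
    if "HARDWARE_BACKED" not in payload.get("evaluationType", ""):
        reasons.append("verdict is software-only (no HARDWARE_BACKED evaluation)")
    if not payload.get("basicIntegrity", False):
        # Strongest signal: root, emulator, or system tampering detected.
        reasons.append("basicIntegrity=false: tampered, rooted or emulated device")
        return {"status": "compromised", "reasons": reasons}
    if not payload.get("ctsProfileMatch", False):
        # Weaker signal: uncertified build or unlocked bootloader, device intact.
        reasons.append("ctsProfileMatch=false: uncertified build or unlocked bootloader")
        return {"status": "uncertified", "reasons": reasons}
    return {"status": "ok", "reasons": reasons}


def decide_action(history: List[str], threshold: int = 3) -> str:
    """Debounce (constructed policy): escalate to a wipe only after `threshold`
    consecutive 'compromised' verdicts, so a single transient failure is
    flagged for review instead of triggering a destructive action."""
    streak = 0
    for status in reversed(history):
        if status != "compromised":
            break
        streak += 1
    if streak >= threshold:
        return "enterprise_wipe"
    if streak > 0:
        return "flag"
    return "none"


if __name__ == "__main__":
    now = 1_700_000_000_000  # constructed "current time" in ms
    sample = build_sample_jws({
        "nonce": "c2VydmVyLW5vbmNl", "timestampMs": now - 1000,
        "basicIntegrity": False, "ctsProfileMatch": False,
        "evaluationType": "BASIC",
    })
    verdict = evaluate_verdict(decode_payload(sample), "c2VydmVyLW5vbmNl", now)
    print(verdict)
    print(decide_action(["ok", verdict["status"]]))
```

The design point is the ordering of the two flags: `basicIntegrity` false is the condition that indicates real tampering, while `ctsProfileMatch` false alone only says the build or hardware is not certified. Because a transient failure in Play Services or connectivity yields the same `basicIntegrity=false` verdict as a rooted device, the debounce in `decide_action` is the simplest way to keep the attestation signal without turning one bad verdict into a factory reset; the trade-off is a delayed response on a genuinely compromised device.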