
OnePlus 6T Android Enterprise validation report

Model: OnePlus 6T A6013 (8GB RAM, 128GB storage)
Acquired: Early November
OS: Android 9.0 Pie (Oxygen OS 9.0.4)
Build: ONEPLUS A6013_41_181024
Security: 1 November 2018

This device has been tested against the public validation process, and the following mix of (non-exhaustive) issues and recommendations have been noted:

1. Notable problems

1.1. Factory reset issue

When performing a factory reset from Settings > System > Reset Options > Erase all data (factory reset), if the toggle for Erase internal storage is not enabled, the device boots after the reset to a state where it does not progress until it is factory reset once more through Android recovery.

This appears to only happen when a passcode has been set on the device before initiating a factory reset, as doing so with no passcode in use has not resulted in this issue.

This does not impact factory reset when initiated from the UEM platform.

2. Provisioning methods

No significant issues noted, however the flow of all provisioning methods is interrupted just before the DPC is launched due to the prompts to select a font style for the device, screen calibration, and screen off gestures.

These are not critical to the function of a fully managed device, and as such should be automatically skipped since the ability to manually tweak these options can be found in settings at a later point.

2.1. NFC

NFC functioned as expected, except in the case of 1.1: where the factory reset issue was present, the NFC radio was not enabled and as such would not accept a provisioning bump until fixed.

2.2. Zero-touch

This provisioning method is not supported.

3. Deployment Scenarios

3.1. Work-managed

A. The option to toggle OTG (on the go) storage remains available despite USB storage being restricted. Actually mounting a USB drive via the USB C port is prevented, however the toggle should equally grey out. (MI Core, WS1 UEM)

B. System updates are managed via EMM, and therefore accessing the system updates settings should display a message stating they’re managed and return to system settings. On the OnePlus 6T it is possible not only to go into updates but to manually poll also. (MI Core, WS1 UEM)

C. When retiring the device from management it stalls indefinitely, with the DPC agent stuck on “retiring”. (MI Core)

D. Screen capture prevented by policy isn’t enforced (it is still possible to take a screenshot) (WS1 UEM, MI Core)

E. Forcing screen on while charging is not enforced, the screen turns off as per screen idle settings (WS1 UEM)

F. With fingerprint authentication restricted, it is still possible to set up and use fingerprint authentication on the device (MI Core)

G. With Face unlock restricted, it is still possible to set up and use face unlock on the device (MI Core)

3.2. Work profile

A. With add accounts disabled, it’s possible to sign up for a OnePlus account under the work profile (but not add other accounts) (MI Core)

B. Screenshot issue (see above) but it does black-out work apps in the task switcher as expected

C. Preventing the use of the one lock setting for the work profile (ensuring the work profile passcode and the device passcode are not combined so that one passcode unlocks both) is not enforced (WS1 UEM, MI Core)

3.3. Fully managed with work profile

A. Disabling addition of accounts on work profile prevents it on work-managed also (WS1 UEM)

3.4. COSU (Dedicated)

A. Full access to device settings is possible, bypassing restrictions, when entering settings such as Wi-Fi, Bluetooth and location through the kiosk menu (MI Core)

4. Recommendation

Based on the findings above, it is not recommended to use the OnePlus 6T in the enterprise. While it does respect and implement a number of restrictions and policies not noted in the issues list above, there are too many fundamental problems with this device under both corporate-owned (fully managed) and BYOD management.

As a fully managed device, basic data protection enforcements are not implemented by the device (face unlock, for example, can be and is repeatedly fooled on basic implementations).

Furthermore, basic restrictions to prevent data leakage are not enforced, such as limiting the screenshot capability, allowing bypass of kiosk restrictions, etc.

Finally, with issues in retiring and factory resetting the device in the tested UEM platforms, the device doesn’t appear reliable enough not to doubt the outcome when a command is sent from the UEM.
