Some of our Android tablets stopped receiving policy updates after being rebooted. In Hexnode, they show a message that the devices are in Direct Boot mode. There is no passcode configured in the Android policy, so I’m not sure what “unlock the device” means here. Is this controlled by a Hexnode policy setting, or is it something on the Android side? Also, is there any way to push updates without manually unlocking each tablet?
Android devices stuck in Direct Boot mode and not receiving Hexnode policy updatesSolved
Tags
Replies (5)
Direct Boot is an Android security state that occurs after an encrypted Android device restarts or powers on, before the device has been unlocked for the first time.
While the device is in Direct Boot mode, Android keeps most application data encrypted and unavailable. Because of this, Hexnode can perform only limited actions, such as a basic device scan. Policy updates, app deployments, system update actions, and similar management commands may not be processed until the device exits Direct Boot mode.
To check whether Hexnode is enforcing a passcode:
- Open the policy applied to the Android devices.
- Go to Android > Passcode.
- Check whether a PIN, password, or pattern requirement is configured.
If no passcode is enforced from Hexnode, the device may still enter Direct Boot because of Android File-Based Encryption or because a lock method was configured locally on the device.
If there is no PIN or password to enter, wake the device and swipe past the initial lock screen after reboot. Once the device is unlocked for the first time after startup, it should exit Direct Boot mode and receive pending Hexnode policy updates.
That makes sense. In our case, the policy does not have anything configured under Android > Passcode. The tablets should only need a swipe. One more thing: some of these devices may have had passwords set earlier using a remote action instead of a policy. If that happened, would using the Clear Password action still work while the device is showing Direct Boot mode?
No. The Clear Password remote action will not work while the Android device is still in Direct Boot mode. The device must first be unlocked locally after reboot. Until that first unlock happens, Android restricts access to the encrypted data required for Hexnode to process most management commands, including Clear Password.
Do the tablets need to stay unlocked until the policy update finishes? For example, if I reboot a tablet, unlock it once, and the update starts, what happens if the screen locks again?
The device does not need to remain unlocked continuously. The key requirement is that the device must be unlocked once after reboot or power-on so that it exits Direct Boot mode. After that, the screen can lock normally, and Hexnode actions or policy updates can continue to process as long as the device is online and otherwise reachable.