Is there anyway to disable the factory reset functionality in the android recovery?

Question

Creating an MDM and want to ensure the device cannot be factory reset. Is there anyway to either disable the factory reset functionality or either have recovery mode as a whole unaccesssible or password protected?

Third party recoveries such as twrp dont seem to be the answer as they come with more customizability and options. Theres also an option in the Android Management API that allows to set "factoryResetDisabled": true, but that seems to only be for the option in settings menu, not recovery (I have not tested this atm, if someone can confirm or deny this that would be helpful)

Answer 1

The only way to disable the factory reset is done by removing or invalidating the boot loader and by redirecting the request to the already installed operating system. Then however your device OS can't be updated and you may also brick (make unusable) the device by attempting to remove the boot loader.

Some devices may have a "fuse" to disable factory reset or make the system installation read-only.

The other option is to write a new boot loader from the open source project and exclude this functionality. However, replacing the boot loader comes with the risk that nothing works after replacing, and also the system update may replace the boot loader once again.

Answer 2

As far as I know there is no "normal" way to disable the factory reset or recovery mode. I would say there is no safe workaround to invalidate this, someone already mentioned two options but both comes with risks.

It may not be useful since I don't use the Android Management API, I use Workspace One UEM to work with MDM, but what we use for this case is a profile called FRP (Factory Reset Protection) which is a security method that many devices already have integrated (OPPO devices, for example) that blocks the device access once you factory reset it.

With our MDM we configure a special account with an API from google and you can only recover that phone if you have access to that account. It's very useful for non-authorized factory resets or if the device was robbed/lost, it is also useful if you have employees that are permitted to use their google accounts and when they end their contracts you can recover those phones once you reset them.