13.2.5 MBA Device Lock policy

Prominent disclosure and consent requirement

MBAs distributed with the device whose primary purpose is to manage the device locking function may be excluded from the ransomware category, provided they meet the requirements for secure lock and management and the adequate user disclosure and consent requirements detailed below. In addition, adequate user disclosure and consent are required each time the account owner changes, until the device is paid in full.

The disclosure:

  • MUST be presented without the need for the user to navigate into a menu or settings.
  • MUST NOT be placed in a lengthy, off-device privacy policy or Terms of Service (ToS).
  • MUST include a request for user consent.

Explicit user consent:

  • MUST accompany and immediately follow the disclosure.
  • MUST present the consent dialog clearly and unambiguously.
  • MUST require an affirmative user action (for example, tap to accept, select a checkbox) to accept.
  • MUST NOT interpret navigation away from the disclosure (including tapping away or pressing the Back or Home button) as a consent.
  • MUST be presented until there’s an affirmative action and not use auto-dismissing or expiring messages.

User notifications before device lock applicable to financed devices and subsidy devices

The device users must be given a warning period in which to take action before the device is locked. See the table below for the minimum warning periods.

Payment plan Minimum warning period before device is locked
7 days
5 days
1 day

Last updated 2022-02-01 UTC.