This article goes into more detail about how these new measures will actually work compared to the blog post earlier this year from Google. Namely:
- Enabling the OEM unlocking setting will no longer prevent FRP from activating.
- Bypassing the setup wizard will no longer deactivate FRP. FRP restrictions will apply until you verify ownership of the device by signing in.
- Adding a new Google account is blocked.
- Setting a lock screen PIN or password is blocked.
- Installing new apps is blocked.
How was this not already a thing? These seem like quite basic features if you want to stop people from using stolen phones. From what I can tell online, it seems rather trivial for thieves to bypass FRP in the current incantation of the system.
I do wonder what will happen if your Google account gets banned, though. I can’t find much about it online. Some older posts suggest that only having the email address and password is enough, but these days you can log in to Google without ever entering a password, and there’s no way Google will just send your password to a new phone.
I think the reason this hasn’t been done yet is because their implementation comes with benefits like portability and low maintenance when the feature is implemented in just one app and just one part of the code. I think they hoped that patching bypasses in one app is viable and would eventually close most of the holes, but it turned out not to be so simple because bypasses emerged time and time again even with very limited initial access.
You’re not supposed to be able to skip running the wizard. A stolen phone was unusable and effectively had all of these features, but with a single point of failure that has turned out to be more of a problem then the maintenance benefit is worth.