iMadushaN
Copper Contributor
Jan 16, 2020

Cannot create work profile!

"The security policy prevents the creation of a managed device because a custom OS is or has been installed on this device"

 

But the device is not rooted, it was forcefully removed from the portal.

 

Does anyone have an idea how to resolve this issue?

  • iMadushaN 
    I was working on a case like this one and I stumbled upon the following official Samsung documentation:

    https://support.samsungknox.com/hc/en-us/articles/115013562087-What-is-a-Knox-Warranty-Bit-and-how-is-it-triggered-

    https://support.samsungknox.com/hc/en-us/articles/115013719548

    https://support.samsungknox.com/hc/en-us/articles/360039680233-Knox-Cloud-Services-KCS-solutions-do-not-start

    Refer to the documentation above:

    This flag is a security feature that detects if unofficial software has been installed on your phone. This helps prevent malicious attempts from accessing your data.

    The Knox Warranty Bit detects if a non-Knox kernel has been loaded on the device. It is a one-time programmable bit e-fuse, which can only be turned from 0X0 to 0X1 (i.e. tripped). If a non-Knox boot loader or kernel has been installed on the device, Knox can no longer guarantee the security of the Knox container. As a result, the Warranty Bit is tripped to 0X1…

    If the Knox bit has tripped:

    • A new Workspace can no longer be created on such a device.
    • The data encrypted and stored in an existing Workspace can no longer be retrieved.
    • Other Samsung services that utilize Knox security stop working (Samsung Pay, Secure Folder.)

      Hope this helps.
    • rgildersleeve
      Copper Contributor

      Estivengsv After working with my company's IT people, they have informed me that this is an issue with Android 10.

       

      Intune worked on my device previously, but after a large update my work associated apps (Teams & Outlook) no longer updated and directed me to install Intune Company Portal that was already installed on my phone. 

       

      I have a Samsung Galaxy S10 Plus

      Phone Software Details:

       

       

      I uninstalled Company Portal, Outlook and Teams, restarted my phone and then downloaded Company Portal to start over fresh. I logged in with my company username and password and tried to create a new "Work profile". However, every time the profile creation would fail I would get the same error:

       

      After a few more attempts I broke down and went to IT.

       

      They told me the following:
      "The custom OS error has to do with a ROM variant that Android put out that Microsoft reads as non-standard. Microsoft is supposed to be releasing an update for InTune Company Portal to address this, but they haven't yet. It's an issue w/ Android 10. They can't fix it without pushing a whole new ROM (and we all know how long it takes Samsung to push Android updates), and MS can easily fix it (allegedly)."

       

      So for now I am unable to use Teams or Outlook on my device. Hopefully I will hear more about this supposed update when IT learns a bit more.

       

      Hope this helps anyone else out there experiencing the same thing.

      • DiWoRhB
        Copper Contributor

        rgildersleeve I had the same problem with Enterprise Enrollment on a Samsung Tab S5e. The solution was to upgrade the device to the latest firmware. I had to flash with Odin-Tool. After that it worked like a charm.

      • eglockling
        Steel Contributor

        iMadushaN  What brand/model of device is it? Was it previously enrolled in your Intune tenant? Was it previously enrolled using a different method? (Device Admin, Fully Managed, etc.) Was the previous device registration removed from Intune prior to enrolling?

    • Jerrymayah
      Copper Contributor
      I'm having the exact issue. But it's saying a custom OS is preventing it.
  • I_am_Rajesh
    Brass Contributor

    Which model are you using, and which version? Does the OS version show a different name other than the Android version, one that is not readable by Intune, like MIUI or One UI, in device details, which might be causing the issue? iMadushaN

    • iMadushaN
      Copper Contributor

      I_am_Rajesh Hi, please refer to the attached.

      • I_am_Rajesh
        Brass Contributor

        iMadushaN The issue seems to be very strange because the device was working fine previously with Intune.

        I think you have already tried this, but just to check, you can try this step if not done already.

        Have you used the serial number or the IMEI number for enrollment? I think you must have tried with both, but in case not, then just use either one, e.g. if IMEI, then re-enroll using SN, and vice versa.

        I am not sure, and this might not be the issue, but I think Intune is reading Samsung Experience 9.5 as a custom OS instead of the Android version.

        Also, you can try a hard reset to factory settings once, if it's allowed or feasible for you.

  • benjimatt
    Copper Contributor

    I have the same issue happening on multiple Samsung devices.  I have the default enrollment method set to work profiles.  As people re-enroll they are converted from device administrator.  

     

    Within the last month I have seen these issues.  

  • I_am_Rajesh
    Brass Contributor

    Has this issue been resolved? If not, can you try disabling or removing the Knox app from the Samsung device and see if it works? iMadushaN

  • commputethis
    Copper Contributor

    iMadushaN  Did you ever find a solution for this?  I am running into this same issue with another endpoint management solution.

  • fajarslatif
    Copper Contributor
    I am having the same issue. My Samsung Note9 has triggered Knox (previously rooted). But at the moment it is running stock ROM with the latest update and security patch installed. It is still giving me the error "the security policy prevents the creation of a work profile because a custom OS has been installed on this device"

    Note that before this, Company Portal was running perfectly fine. Now I reinstalled it and tried to log in and create a work profile, and it does not allow it anymore.
  • LimianZi
    Copper Contributor

    iMadushaN, I believe I've been facing the same issue except the fact that the device was never enrolled using any other method. Tried to do so though, but encountered the same issue even when trying to enroll the device as Fully managed and dedicated (KIOSK). I am not sure even how to verify the Knox warranty bit as per this document: https://docs.samsungknox.com/admin/knox-platform-for-enterprise/faqs/faq-115013562087.htm

     

    For now, I am testing a Samsung (SM-J260A) device with Android 9.0. The device's not rooted so I can't tell why the device can't be enrolled in Intune. Any advice on how to verify the Warranty bit would be highly appreciated. If the warranty bit is turned from 0X0 to 0X1, what is the solution for this issue?
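
Added example, not part of any post in this thread and not Samsung or Microsoft code: a triage helper that reads a saved `adb shell getprop` dump and reports whether the Knox Warranty Bit described above reads as tripped. The property names `ro.boot.warranty_bit` and `ro.warranty_bit` are an assumption about Samsung builds (they are not named in the thread), and both sample dumps are constructed.

```python
import re

# Assumption: Samsung builds expose the fuse state in these system properties.
WARRANTY_PROPS = ("ro.boot.warranty_bit", "ro.warranty_bit")
PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>.*)\]$")

# Constructed sample dumps (model names are placeholders, not real devices).
SAMPLE_TRIPPED = """[ro.build.version.release]: [9]
[ro.boot.warranty_bit]: [1]
[ro.product.model]: [SM-EXAMPLE]
[ro.warranty_bit]: [1]
"""
SAMPLE_INTACT = """[ro.build.version.release]: [10]
[ro.boot.warranty_bit]: [0]
[ro.product.model]: [SM-EXAMPLE]
"""

def parse_getprop(text):
    """Parse `getprop` output (one `[key]: [value]` per line) into a dict."""
    props = {}
    for line in text.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group("key")] = match.group("value")
    return props

def warranty_bit_state(props):
    """Return 'tripped', 'intact' or 'unknown' for a parsed property dict.

    The bit is a one-way e-fuse (0x0 -> 0x1), so a non-zero reading in
    any of the properties wins over a zero reading in another.
    """
    readings = []
    for name in WARRANTY_PROPS:
        raw = props.get(name, "").strip()
        if not raw:
            continue
        try:
            readings.append(int(raw, 0))  # accepts "1", "0x1", "0X1"
        except ValueError:
            continue  # unparseable value: treat as no reading
    if not readings:
        return "unknown"
    return "tripped" if any(v != 0 for v in readings) else "intact"

if __name__ == "__main__":
    for label, dump in (("tripped sample", SAMPLE_TRIPPED), ("intact sample", SAMPLE_INTACT)):
        print(label, "->", warranty_bit_state(parse_getprop(dump)))
```

An "unknown" result means neither property was present in the dump, which is expected on non-Samsung devices and says nothing about the fuse.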
