Forum Discussion
Cannot create work profile!
"The security policy prevents the creation of a managed device because a custom OS is or has been installed on this device"
But the device is not rooted; it was forcefully removed from the portal.
Does anyone have an idea how to resolve this issue?
- Estivengsv (Microsoft)
iMadushaN
I was working on a case like this one and I stumbled upon the following official Samsung documentation: https://support.samsungknox.com/hc/en-us/articles/115013719548
https://support.samsungknox.com/hc/en-us/articles/360039680233-Knox-Cloud-Services-KCS-solutions-do-not-start
Refer to the documentation above: This flag is a security feature that detects if unofficial software has been installed on your phone. This helps prevent malicious attempts from accessing your data.
The Knox Warranty Bit detects if a non-Knox kernel has been loaded on the device. It is a one-time programmable bit e-fuse, which can only be turned from 0X0 to 0X1 (i.e. tripped). If a non-Knox boot loader or kernel has been installed on the device, Knox can no longer guarantee the security of the Knox container. As a result, the Warranty Bit is tripped to 0X1…
If the Knox bit has tripped:
- A new Workspace can no longer be created on such a device.
- The data encrypted and stored in an existing Workspace can no longer be retrieved.
- Other Samsung services that utilize Knox security stop working (Samsung Pay, Secure Folder.)
Hope this helps.
- rgildersleeve (Copper Contributor)
Estivengsv After working with my company's IT people, they have informed me that this is an issue with Android 10.
Intune worked on my device previously, but after a large update my work associated apps (Teams & Outlook) no longer updated and directed me to install Intune Company Portal that was already installed on my phone.
I have a Samsung Galaxy S10 Plus
Phone Software Details:
I uninstalled Company Portal, Outlook and Teams, restarted my phone and then downloaded Company Portal to start over fresh. I logged in with my company username and password and tried to create a new "Work profile". However, every time the profile creation would fail I would get the same error:
After a few more attempts I broke down and went to IT.
They told me the following:
"The custom OS error has to do with a ROM variant that Android put out that Microsoft reads as non-standard. Microsoft is supposed to be releasing an update for InTune Company Portal to address this, but they haven't yet. It's an issue w/ Android 10. They can't fix it without pushing a whole new ROM (and we all know how long it takes Samsung to push Android updates), and MS can easily fix it (allegedly)."
So for now I am unable to use Teams or Outlook on my device. Hopefully I will hear more about this supposed update when IT learns a bit more.
Hope this helps anyone else out there experiencing the same thing.
- DiWoRhB (Copper Contributor)
rgildersleeve I had the same problem with Enterprise Enrollment on a Samsung Tab S5e. The solution was to upgrade the device to the latest firmware. I had to flash with Odin-Tool. After that it worked like a charm.
- eglockling (Steel Contributor)
iMadushaN Is there a Custom ROM installed on the device?
- iMadushaN (Copper Contributor)
eglockling Nope!
- eglockling (Steel Contributor)
iMadushaN What brand/model of device is it? Was it previously enrolled in your Intune tenant? Was it previously enrolled using a different method? (Device Admin, Fully Managed, etc.) Was the previous device registration removed from Intune prior to enrolling?
- Jerrymayah (Copper Contributor)
I'm having the exact issue. But it's saying a custom OS is preventing it.
- I_am_Rajesh (Brass Contributor)
Which model are you using and which version? Does the OS version show some different name other than the Android version, which is not readable by Intune, like MIUI or ONEUI, in device details, which might be causing the issue? iMadushaN
- iMadushaN (Copper Contributor)
- I_am_Rajesh (Brass Contributor)
iMadushaN Issue seems to be very strange because the device was working fine previously with Intune.
I think you had already tried this but just for checking you can try this step if not done already.
---- Have you used the serial number or IMEI number for enrollment? I think you must have tried with both, but in case not, then just use either one: if IMEI, then re-enroll using SN, and vice versa.
I am not sure, and this might also not be the issue, but I think Intune is reading Samsung Experience 9.5 as a custom OS instead of the Android version.
Also, you can try a hard reset to factory settings once, if it's allowed or feasible for you.
- benjimatt (Copper Contributor)
I have the same issue happening on multiple Samsung devices. I have the default enrollment method set to work profiles. As people re-enroll they are converted from device administrator.
Within the last month I have seen these issues.
- I_am_Rajesh (Brass Contributor)
Has this issue been resolved? If not, can you try disabling or removing the Knox app from the Samsung device and see if it works? iMadushaN
- commputethis (Copper Contributor)
iMadushaN Did you ever find a solution for this? I am running into this same issue with another endpoint management solution.
- iMadushaN (Copper Contributor)
commputethis The issue still persists!
- Thijs Lecomte (Bronze Contributor)
So they are first enrolled in work profile, then enrolled into DA.
Are they trying to use the Samsung 'Mail' app?
- fajarslatif (Copper Contributor)
I am having the same issue. My Samsung Note9 has triggered Knox (previously rooted). But at the moment it is running stock ROM with the latest update and security patch installed. It is still giving me the error "the security policy prevents the creation of a work profile because a custom OS has been installed on this device"
Note that before this, Company Portal was running perfectly fine. Now I reinstalled it and tried to log in and create a work profile, and it does not allow it anymore.
- I_am_Rajesh (Brass Contributor)
Ya! It's a problem with a few Samsung devices due to Knox security and its limitations. fajarslatif
Below are a few links which will help you out on a few Knox limitations.
https://support.samsungknox.com/hc/en-us/articles/115013719548
- EDB4YLI55 (Copper Contributor)
I_am_Rajesh Is this as in forever? I purchased a second-hand Galaxy S10+ not knowing about Knox. It has stock firmware on it. I have also re-flashed the original stock firmware via Odin to make sure and I am unable to install InTune. It said the Knox bit is 0x01, so it looks like it has had custom firmware in the past.
I bought this to be a work phone. This is stupid. Is there ANY WAY I can get round this?
- LimianZi (Copper Contributor)
iMadushaN, I believe I've been facing the same issue except the fact that the device was never enrolled using any other method. Tried to do so though, but encountered the same issue even when trying to enroll the device as Fully managed and dedicated (KIOSK). I am not sure even how to verify the Knox warranty bit as per this document: https://docs.samsungknox.com/admin/knox-platform-for-enterprise/faqs/faq-115013562087.htm
For now, I am testing a Samsung (SM-J260A) device with Android 9.0. The device's not rooted so I can't tell why the device can't be enrolled in Intune. Any advice on how to verify the warranty bit would be highly appreciated. If the warranty bit is turned from 0X0 to 0X1, what is the solution for this issue?
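
Added example, not part of any post in this thread: one way to read the Knox Warranty Bit from an `adb shell getprop` dump when triaging a device that fails enrollment. The property names and their 0/1 values are assumptions about Samsung firmware that this page does not document, and the sample dumps are constructed.

```shell
#!/bin/sh
# Triage the Knox Warranty Bit from an `adb shell getprop` dump.
# Assumption (not from this thread): Samsung firmware reports the fuse
# state in the properties below, as 0 (intact) or 1 (tripped).
WARRANTY_PROPS="ro.boot.warranty_bit ro.warranty_bit \
ro.vendor.boot.warranty_bit ro.vendor.warranty_bit"

# Print the value of property $2 from dump $1 (lines look like "[key]: [value]").
prop_value() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk -v k="[$2]:" '$1 == k { v = $2; gsub(/^\[|\]$/, "", v); print v; exit }'
}

# Print intact | tripped | conflict | unknown for dump $1.
knox_state() {
    seen0=0; seen1=0
    for p in $WARRANTY_PROPS; do
        case "$(prop_value "$1" "$p")" in
            0|0x0) seen0=1 ;;
            1|0x1) seen1=1 ;;
        esac
    done
    if [ "$seen0" = 1 ] && [ "$seen1" = 1 ]; then
        echo conflict   # properties disagree: do not trust the readout
    elif [ "$seen1" = 1 ]; then
        echo tripped    # one-way fuse: re-flashing stock firmware cannot clear it
    elif [ "$seen0" = 1 ]; then
        echo intact
    else
        echo unknown    # none of the assumed properties is in the dump
    fi
}

# Constructed sample dumps, not captured from real devices.
SAMPLE_TRIPPED='[ro.boot.warranty_bit]: [1]
[ro.warranty_bit]: [1]
[ro.build.version.release]: [10]'
SAMPLE_INTACT='[ro.boot.warranty_bit]: [0]
[ro.build.version.release]: [9]'
SAMPLE_CONFLICT='[ro.boot.warranty_bit]: [1]
[ro.warranty_bit]: [0]'
SAMPLE_NONE='[ro.build.version.release]: [9]'

for s in "$SAMPLE_TRIPPED" "$SAMPLE_INTACT" "$SAMPLE_CONFLICT" "$SAMPLE_NONE"; do
    knox_state "$s"
done
# On a connected device: knox_state "$(adb shell getprop)"
```

System properties are reported by the running software, so this readout is a triage signal for the help desk rather than proof of the fuse state.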
- maxFactor (Copper Contributor)
Any news please?