Tech Community Live: Endpoint Manager edition
Jul 21 2022, 08:00 AM - 12:00 PM (PDT)

Known Issue: Missing certificates after updating Samsung work profile devices to Android 12

Published Jan 20 2022 02:50 PM 11.2K Views

Updated 03/01/22: Samsung has provided a potential solution that will take time for us to investigate and determine if it will work in our environment. In the meantime, please continue to use the workarounds below if you run into this issue.

 

Microsoft Intune was recently alerted to an issue for Samsung devices enrolled with a work profile that, after updating to Android 12, some email and VPN applications are losing access to certificates when the user tries to access them (such as Gmail and AnyConnect VPN). The missing certificates prevent users from being able to access their email on Gmail and VPN apps. We are working closely with Samsung to resolve this issue but wanted to share temporary workarounds to help users access their VPN apps. We’ll update this post as more information becomes available.

AnyConnect VPN

Users attempting to use the AnyConnect VPN app will see a prompt from the app suggesting that the client certificate needed to make the connection could not be found and a valid certificate should be chosen. This issue can be addressed by clearing out the app data cache.

 

 

  1. Go to Settings > Work Profile > Apps > AnyConnect VPN > Storage > Clear Data.
  2. Upon opening AnyConnect VPN again, the app will request the certificates again in a popup prompt.
  3. Select the certificate to fix the problem.

 

Gmail

Users attempting to access Gmail on their device are prompted to select a certificate when accessing Gmail and then see a “Can’t reach server” message after selecting the appropriate certificate. In this scenario, there are two different approaches you can use to work around the issue; one is on the device and the other option is through IT administrator action.

 

Option 1: On a device - Remove and reinstall the work profile and Company Portal

 

  1. Open the Company Portal app> Menu > tap Remove Company Portal.
  2. Open Google Play app > select the Intune Company Portal app > Uninstall the app.
  3. In Google Play, Install the Intune Company Portal app.
  4. Open and sign into the Company Portal.
  5. Gmail in the work profile now works as expected.

 

Option 2 (IT administrators only): Remove and re-add the Gmail device configuration

 

  1. In the Microsoft Endpoint Manager admin center, create an exclusion group for the Gmail app.
  2. Add the user(s) to the exclusion group.

  3. Sync the policy on the Android device.

  4. Confirm Gmail is removed from the device.

  5. Remove the user from the exclusion group.

  6. Confirm Gmail is added to the device.

  7. Gmail in the work profile now works as expected.

We will continue to update this post as new information becomes available. If you have any questions, reply to this post or reach out to @IntuneSuppTeam on Twitter.

 

Post updates:

03/02/22: Added update text at the beginning of this post.

10 Comments
%3CLINGO-SUB%20id%3D%22lingo-sub-3067935%22%20slang%3D%22en-US%22%3ERe%3A%20Known%20Issue%3A%20Missing%20certificates%20after%20updating%20Samsung%20work%20profile%20devices%20to%20Android%2012%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3067935%22%20slang%3D%22en-US%22%3E%3CP%3EI%20can%20add%20Outlook%20to%20the%20list.%20The%20SMIME%20certificate%20deployed%20with%20MEM%20is%20no%20longer%20available%20in%20the%20Outlook%20SMIME%20settings.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EWorkaround%20%26nbsp%3Bis%20removing%20and%20reinstalling%20Outlook.%20No%20need%20to%20delete%20the%20work%20profile.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EOn%20the%20other%20hand%2C%20removing%20certificate%20assignments%20and%20re-assigning%20does%20not%20fix%20the%20issue.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3071192%22%20slang%3D%22de-DE%22%3ESubject%3A%20Known%20Issue%3A%20Missing%20certificates%20after%20updating%20Samsung%20work%20profile%20devices%20to%20Android%2012%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3071192%22%20slang%3D%22de-DE%22%3E%3CP%3EDo%20you%20have%20a%20list%20of%20affected%20Samsung%20devices%3F%20This%20issue%20seems%20not%20to%20persist%20on%20every%20device.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3072278%22%20slang%3D%22en-US%22%3ERe%3A%20Known%20Issue%3A%20Missing%20certificates%20after%20updating%20Samsung%20work%20profile%20devices%20to%20Android%2012%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3072278%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1286085%22%20target%3D%22_blank%22%3E%40JKS97%3C%2FA%3E%26nbsp%3BWe%20can%20currently%20confirm%20the%20issue%20on%20an%20A52s%205G%20and%20A52%20that%20was%20enrolled%20with%20Android%2011%20and%20was%20updated%20to%2012.%20The%20certificates%20were%20assigned%20and%20deployed%20before%20the%20update.%20Devices%20enrolled%20after%20upgrading%20to%20Android%2012%20are%20not%20affected.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3104702%22%20slang%3D%22en-US%22%3ERe%3A%20Known%20Issue%3A%20Missing%20certificates%20after%20updating%20Samsung%20work%20profile%20devices%20to%20Android%2012%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3104702%22%20slang%3D%22en-US%22%3E%3CDIV%3E%3CP%3ESamsung%20told%20us%20that%20the%20issue%20can%20be%20addressed%20by%20UEM%20partners%20by%20using%20the%20Knox%20API%20addPermissionApplicationPrivateKey.%20It's%20possible%20to%20grant%20permission%20for%20apps%20to%20use%20installed%20keys.%3C%2FP%3E%3C%2FDIV%3E%3CDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CDIV%3EMore%20details%3A%3CBR%20%2F%3E%3CA%20title%3D%22https%3A%2F%2Fdocs.samsungknox.com%2Fdev%2Fknox-sdk%2Ftima-ccm-keystore-deprecation.htm%22%20href%3D%22https%3A%2F%2Fdocs.samsungknox.com%2Fdev%2Fknox-sdk%2Ftima-ccm-keystore-deprecation.htm%22%20target%3D%22_blank%22%20rel%3D%22noreferrer%20noopener%20nofollow%22%3Ehttps%3A%2F%2Fdocs.samsungknox.com%2Fdev%2Fknox-sdk%2Ftima-ccm-keystore-deprecation.htm%3C%2FA%3E%3CBR%20%2F%3E%3CA%20title%3D%22https%3A%2F%2Fdocs.samsungknox.com%2Fdevref%2Fknox-sdk%2Freference%2Fcom%2Fsamsung%2Fandroid%2Fknox%2Fkeystore%2Fcertificatepolicy.html%23addpermissionapplicationprivatekey(com.samsung.android.knox.keystore.permissionapplicationprivatekey)%22%20href%3D%22https%3A%2F%2Fdocs.samsungknox.com%2Fdevref%2Fknox-sdk%2Freference%2Fcom%2Fsamsung%2Fandroid%2Fknox%2Fkeystore%2FCertificatePolicy.html%23addPermissionApplicationPrivateKey(com.samsung.android.knox.keystore.PermissionApplicationPrivateKey)%22%20target%3D%22_blank%22%20rel%3D%22noreferrer%20noopener%20nofollow%22%3Ehttps%3A%2F%2Fdocs.samsungknox.com%2Fdevref%2Fknox-sdk%2Freference%2Fcom%2Fsamsung%2Fandroid%2Fknox%2Fkeystore%2FCertificatePolicy.html%23addPermissionApplicationPrivateKey(com.samsung.android.knox.keystore.PermissionApplicationPrivateKey)%3C%2FA%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3115153%22%20slang%3D%22en-US%22%3ERe%3A%20Known%20Issue%3A%20Missing%20certificates%20after%20updating%20Samsung%20work%20profile%20devices%20to%20Android%2012%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3115153%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1290471%22%20target%3D%22_blank%22%3E%40Sanitar2034%3C%2FA%3E%26nbsp%3Bthe%20OnePlus%2C%20OPPO%2C%20etc%20issue%20is%20not%20the%20same%20as%20what's%20described%20here%20with%20Samsung%20(we%20thought%20it%20was%20too%2C%20but%20checked%20with%20Intune%20engineering%20and%20they've%20confirmed%20they%20are%20different).%20Intune%20engineers%20just%20checked%20with%20Google%20and%20they%20are%20actively%20reviewing%20the%20issue%20and%20working%20with%20OnePlus%20and%20OPPO.%20We're%20hoping%20that%20they'll%20provide%20documentation%20on%20soon%20we%20can%20point%20you%20to.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3039834%22%20slang%3D%22en-US%22%3EKnown%20Issue%3A%20Missing%20certificates%20after%20updating%20Samsung%20work%20profile%20devices%20to%20Android%2012%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3039834%22%20slang%3D%22en-US%22%3E%3CP%3E%3CEM%3E%3CSTRONG%3EUpdated%2003%2F01%2F22%3C%2FSTRONG%3E%3A%26nbsp%3BSamsung%20has%20provided%20a%20potential%20solution%20that%20will%20take%20time%20for%20us%20to%20investigate%20and%20determine%20if%20it%20will%20work%20in%20our%20environment.%20In%20the%20meantime%2C%20please%20continue%20to%20use%20the%20workarounds%20below%20if%20you%20run%20into%20this%20issue.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMicrosoft%20Intune%20was%20recently%20alerted%20to%20an%20issue%20for%20Samsung%20devices%20enrolled%20with%20a%20work%20profile%20that%2C%20after%20updating%20to%20Android%2012%2C%20some%20email%20and%20VPN%20applications%20are%20losing%20access%20to%20certificates%20when%20the%20user%20tries%20to%20access%20them%20(such%20as%20Gmail%20and%20AnyConnect%20VPN).%20The%20missing%20certificates%20prevent%20users%20from%20being%20able%20to%20access%20their%20email%20on%20Gmail%20and%20VPN%20apps.%20We%20are%20working%20closely%20with%20Samsung%20to%20resolve%20this%20issue%20but%20wanted%20to%20share%20temporary%20workarounds%20to%20help%20users%20access%20their%20VPN%20apps.%20We%E2%80%99ll%20update%20this%20post%20as%20more%20information%20becomes%20available.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--1463993065%22%20id%3D%22toc-hId--1459648443%22%3EAnyConnect%20VPN%3C%2FH3%3E%0A%3CP%3EUsers%20attempting%20to%20use%20the%20AnyConnect%20VPN%20app%20will%20see%20a%20prompt%20from%20the%20app%20suggesting%20that%20the%20client%20certificate%20needed%20to%20make%20the%20connection%20could%20not%20be%20found%20and%20a%20valid%20certificate%20should%20be%20chosen.%20This%20issue%20can%20be%20addressed%20by%20clearing%20out%20the%20app%20data%20cache.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EGo%20to%20%3CSTRONG%3ESettings%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3EWork%20Profile%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3EApps%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3EAnyConnect%20VPN%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3EStorage%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3EClear%20Data%3C%2FSTRONG%3E.%3C%2FLI%3E%0A%3CLI%3EUpon%20opening%20AnyConnect%20VPN%20again%2C%20the%20app%20will%20request%20the%20certificates%20again%20in%20a%20popup%20prompt.%3C%2FLI%3E%0A%3CLI%3ESelect%20the%20certificate%20to%20fix%20the%20problem.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-1023519768%22%20id%3D%22toc-hId-1027864390%22%3EGmail%3C%2FH3%3E%0A%3CP%3EUsers%20attempting%20to%20access%20Gmail%20on%20their%20device%20are%20prompted%20to%20select%20a%20certificate%20when%20accessing%20Gmail%20and%20then%20see%20a%20%E2%80%9CCan%E2%80%99t%20reach%20server%E2%80%9D%20message%20after%20selecting%20the%20appropriate%20certificate.%20In%20this%20scenario%2C%20there%20are%20two%20different%20approaches%20you%20can%20use%20to%20work%20around%20the%20issue%3B%20one%20is%20on%20the%20device%20and%20the%20other%20option%20is%20through%20IT%20administrator%20action.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EOption%201%3A%20On%20a%20device%20-%20Remove%20and%20reinstall%20the%20work%20profile%20and%20Company%20Portal%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EOpen%20the%20Company%20Portal%20app%26gt%3B%20Menu%20%26gt%3B%20tap%20%3CSTRONG%3ERemove%20Company%20Portal%3C%2FSTRONG%3E.%3C%2FLI%3E%0A%3CLI%3EOpen%20Google%20Play%20app%20%26gt%3B%20select%20the%20Intune%20Company%20Portal%20app%20%26gt%3B%20%3CSTRONG%3EUninstall%3C%2FSTRONG%3E%20the%20app.%3C%2FLI%3E%0A%3CLI%3EIn%20Google%20Play%2C%20%3CSTRONG%3EInstall%3C%2FSTRONG%3E%20the%20Intune%20Company%20Portal%20app.%3C%2FLI%3E%0A%3CLI%3EOpen%20and%20sign%20into%20the%20Company%20Portal.%3C%2FLI%3E%0A%3CLI%3EGmail%20in%20the%20work%20profile%20now%20works%20as%20expected.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EOption%202%20(IT%20administrators%20only)%3A%20Remove%20and%20re-add%20the%20Gmail%20device%20configuration%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3E%3CSPAN%20class%3D%22TextRun%20SCXW100834507%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW100834507%20BCX8%22%3EIn%20the%20%3C%2FSPAN%3E%3C%2FSPAN%3E%3CA%20class%3D%22Hyperlink%20SCXW100834507%20BCX8%22%20href%3D%22https%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3Flinkid%3D2109431%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20class%3D%22TextRun%20Underlined%20SCXW100834507%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW100834507%20BCX8%22%20data-ccp-charstyle%3D%22Hyperlink%22%3EMicrosoft%20Endpoint%20Manager%20admin%20center%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20class%3D%22TextRun%20SCXW100834507%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW100834507%20BCX8%22%3E%2C%20c%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW100834507%20BCX8%22%3Ereate%20an%20%3C%2FSPAN%3E%3C%2FSPAN%3E%3CA%20class%3D%22Hyperlink%20SCXW100834507%20BCX8%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmem%2Fintune%2Fapps%2Fapps-inc-exl-assignments%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20class%3D%22TextRun%20Underlined%20SCXW100834507%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW100834507%20BCX8%22%20data-ccp-charstyle%3D%22Hyperlink%22%3Eexclusion%20group%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20class%3D%22TextRun%20SCXW100834507%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW100834507%20BCX8%22%3E%20for%20%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW100834507%20BCX8%22%3Ethe%20%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW100834507%20BCX8%22%3EGmail%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW100834507%20BCX8%22%3E%20app%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW100834507%20BCX8%22%3E.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CP%3EAdd%20the%20user(s)%20to%20the%20exclusion%20group.%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%3CP%3ESync%20the%20policy%20on%20the%20Android%20device.%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%3CP%3EConfirm%20Gmail%20is%20removed%20from%20the%20device.%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%3CP%3ERemove%20the%20user%20from%20the%20exclusion%20group.%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%3CP%3EConfirm%20Gmail%20is%20added%20to%20the%20device.%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%3CP%3EGmail%20in%20the%20work%20profile%20now%20works%20as%20expected.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CDIV%20class%3D%22lia-message-body-wrapper%20lia-component-message-view-widget-body%22%3E%0A%3CDIV%20id%3D%22bodyDisplay%22%20class%3D%22lia-message-body%22%3E%0A%3CDIV%20class%3D%22lia-message-body-content%22%3E%0A%3CP%3E%3CSPAN%3EWe%20will%20continue%20to%20update%20this%20post%20as%20new%20information%20becomes%20available.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3EIf%20you%20have%20any%20questions%2C%20reply%20to%20this%20post%20or%20reach%20out%20to%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FIntuneSuppTeam%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%40IntuneSuppTeam%3C%2FA%3E%3CSPAN%3E%26nbsp%3Bon%20Twitter.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EPost%20updates%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E03%2F02%2F22%3A%20Added%20update%20text%20at%20the%20beginning%20of%20this%20post.%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FDIV%3E%0A%3C%2FDIV%3E%0A%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-3039834%22%20slang%3D%22en-US%22%3E%3CP%3ERead%20this%20post%20to%20learn%20more%20about%20a%20known%20issue%20about%20missing%20certificates%20after%20updating%20Samsung%20work%20profile%20devices%20to%20Android%2012.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-3039834%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%20Customer%20Success%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EKnown%20Issue%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Version history
Last update:
‎Mar 01 2022 05:15 PM
Updated by: