Blog Post

Intune Customer Success
2 MIN READ

Known Issue: Missing certificates after updating Samsung work profile devices to Android 12

Intune_Support_Team's avatar
Intune_Support_Team
Icon for Microsoft rankMicrosoft
Jan 20, 2022

Updated 06/06/22: The content below has been updated, please use the workarounds provided if you run into this issue.

 

Environment

  • Microsoft Intune using client certificates to authenticate VPN and email
  • Samsung devices upgrading from Android 11 to Android 12

Overview

In Q3 2021, Google introduced the Android Keystore2 as a replacement for the current Keystore in Android 12. In an effort to harmonize with Google and the modernization of the Android Operating System, Samsung deprecated its custom Knox key store and certificate manager in favor of the Android Keystore2. The new Samsung devices starting on Android 12 and higher use the Android Project's default 'Keystore2' implementation.

 

Although there are no reliable software fixes to this issue, this article provides guidance to a manual workaround.

 

Cause

Microsoft Endpoint Manager uses the Android Management API as an underlying device management technology.


Currently, the Android Management API model does not have a way of initializing the low-level keystore. Therefore, when you upgrade Samsung devices from Android 11 to Android 12, the migration from the custom keystore to the new ‘Keystore2’ is not successful, and causes deployed apps to lose access to the stored certificates.

 

Resolution

After upgrading your Samsung devices from Android 11 to Android 12, remove and redeploy the impacted certificates or app configuration to the devices.

 

Android Enterprise personally-owned with a work profile configurations

First, uninstall the affected app.

  • If the affected app is a required app, it will automatically be reinstalled.
  • If the affected app is an available app, the device user has to manually reinstall from the corporate Play Store.

 

Android Enterprise fully managed, Android Enterprise corporate-owned with a work profile, and Android Enterprise dedicated configurations

  • If the affected app is an available app, the device user must manually uninstall and reinstall the app from the corporate Play Store.
  • If the affected app is a required app, your corporate admin must send a policy to remove the app and they must reinstall through policy. Follow these steps (as per Microsoft):
    1. In the Microsoft Endpoint Manager admin center, create an exclusion group for the affected app.
    2. Add the user(s) to the exclusion group.
    3. Sync the policy on the Android device.
    4. Confirm the affected app is removed from the device.
    5. Remove the user from the exclusion group.
    6. Confirm the app is added to the device.

Please contact your Microsoft representative if the issue continues to persist after the redeployment of the impacted app configuration. Samsung and Microsoft have a close cooperation on this issue. We appreciate your support and patience through this process.

 

If you have any questions, reply to this post or reach out to Microsoft Intune Support @IntuneSuppTeam on Twitter.

 

 

Additional information

If you are a developer using Samsung products, you can find more detailed information here:

 

Post updates:

03/02/22: Added update text at the beginning of this post.

06/06/22: Updated content and workarounds.

Updated Dec 19, 2023
Version 7.0
Known Issue
  • jtg0114's avatar
    jtg0114
    Copper Contributor
    Oct 08, 2024

    Intune_Support_Team is this still an issue in Android 14? Trying to push trusted certificates and SCEP certificates to a Samsung and the profiles are all stuck in Pending status for that device. Are there any workarounds for Cert Based Authentication?

  • Intune_Support_Team's avatar
    Intune_Support_Team
    Icon for Microsoft rankMicrosoft
    Jan 12, 2023

    Hi orsty3001, thanks for the info, and sorry to hear your experiencing this behavior. Can you confirm if updating to Android 13 helps to resolve the issue? Thanks!

  • orsty3001's avatar
    orsty3001
    Copper Contributor
    Dec 20, 2022

    Intune_Support_Team The fix in the article doesn't seem to hold. We can get the devices to receive the certificates again but after about a week they lose their WiFi certificates. 

    We have about 600 devices enrolled and most of them will lose their WiFi and VPN certificates as soon as they connect to our network. All devices that have this issue are Samsung devices. Android 11 or 12. None of the Zebra or other devices have this certificate missing issue. 

    We've recreated the profile several times. It just never sticks. Is there any developments on this issue? 

  • Robbie_Schroeder's avatar
    Robbie_Schroeder
    Copper Contributor
    Aug 16, 2022

    I am having the same issue with my Samsung Galaxy S20+.  When I try to enroll in Intune, it begins the set up, and then shows the error 'Cannot create work profile'.  I have uninstalled/reinstalled many times, as well as reset my phone.  I was never enrolled before, and I am trying to create this for the first time.  Is there any solution to this so I can actually get my work email on my phone? 

     

    Model name:  Galaxy s20+ 5G

    Hardware version:  REV1.0

    One UI version:  4.1

    Android version:  12

    Knox version:  

    - Knox 3.8

    - Knox API level 35

    - Knox ML 1.2

    -DualDAR 1.4.0

    HDM 2.0-F

  • Amywall's avatar
    Amywall
    Copper Contributor
    Mar 21, 2022

    Android Enterprise work profile : Pulse secure Certificate missing issue and Samsung Gallery application showing your device is not supported. This issue occur on all Samsung devices Which comes with Android 12.

    Please suggest me how to fix the issue.

  • Dheeraj Oswal's avatar
    Dheeraj Oswal
    Copper Contributor
    Mar 04, 2022

    Intune_Support_Team  could you please let us know more details of the issue and the remediation steps. We have Samsung devices enrolled with Android enterprise BYOD instance and all the devices are facing issues with connecting to WIFI ( Cert based authentication) impacted devices are newly enrolled Android 12 and upgraded devices from Android 11. ( S21, S22, A5 etc) 

  • Karan_m123's avatar
    Karan_m123
    Copper Contributor
    Feb 28, 2022

    Same problem here, We have OPPO and ONEPLUS devices with latest version of Android 12. While enrollment of company portal app device stuck on registration phase due to that enrollment is not done. Intune_Support_Team provide any update on that.

     

  • Intune_Support_Team's avatar
    Intune_Support_Team
    Icon for Microsoft rankMicrosoft
    Feb 04, 2022

    Sanitar2034 the OnePlus, OPPO, etc issue is not the same as what's described here with Samsung (we thought it was too, but checked with Intune engineering and they've confirmed they are different). Intune engineers just checked with Google and they are actively reviewing the issue and working with OnePlus and OPPO. We're hoping that they'll provide documentation on soon we can point you to.