Updated 06/06/22: The content below has been updated; please use the workarounds provided if you run into this issue.
Environment
- Microsoft Intune using client certificates to authenticate VPN and email
- Samsung devices upgrading from Android 11 to Android 12
Overview
In Q3 2021, Google introduced Android Keystore2 in Android 12 as a replacement for the previous Keystore. To align with Google and the modernization of the Android operating system, Samsung deprecated its custom Knox keystore and certificate manager in favor of Android Keystore2. Samsung devices running Android 12 and higher use the Android Project's default 'Keystore2' implementation.
Although there is no reliable software fix for this issue, this article provides guidance on a manual workaround.
Cause
Microsoft Endpoint Manager uses the Android Management API as its underlying device management technology.
Currently, the Android Management API model has no way of initializing the low-level keystore. Therefore, when you upgrade Samsung devices from Android 11 to Android 12, the migration from the custom keystore to the new 'Keystore2' fails, and deployed apps lose access to their stored certificates.
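The loss of access described above can be detected from inside the app. As an added example (not from this post, Microsoft, or Samsung), the following Java helper checks whether an app can still reach the private key and certificate chain it was granted through Android's KeyChain, so the app can surface a re-enrollment prompt instead of failing silently; `alias` is assumed to be the alias the app was previously granted, and the check must run off the main thread.

```java
import android.content.Context;
import android.security.KeyChain;
import android.security.KeyChainException;
import java.security.PrivateKey;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;

public final class ClientCertCheck {

    public enum Status { OK, ALIAS_NOT_ACCESSIBLE, CHAIN_MISSING, CERT_NOT_VALID, INTERRUPTED }

    private ClientCertCheck() {}

    // Call from a background thread: KeyChain.getPrivateKey blocks on the keystore service.
    // 'alias' is assumed to be the KeyChain alias this app was granted earlier (hypothetical input).
    public static Status check(Context ctx, String alias) {
        try {
            // After a failed keystore migration the alias is typically no longer resolvable,
            // which shows up here as a null key or a KeyChainException.
            PrivateKey key = KeyChain.getPrivateKey(ctx, alias);
            if (key == null) {
                return Status.ALIAS_NOT_ACCESSIBLE;
            }
            // The key may survive while the certificate chain does not; check both.
            X509Certificate[] chain = KeyChain.getCertificateChain(ctx, alias);
            if (chain == null || chain.length == 0) {
                return Status.CHAIN_MISSING;
            }
            // Distinguish an expired or not-yet-valid leaf from a genuinely lost certificate,
            // since the two need different remediation (renewal vs. redeployment).
            chain[0].checkValidity();
            return Status.OK;
        } catch (KeyChainException e) {
            return Status.ALIAS_NOT_ACCESSIBLE;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return Status.INTERRUPTED;
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            return Status.CERT_NOT_VALID;
        }
    }
}
```

A result of ALIAS_NOT_ACCESSIBLE or CHAIN_MISSING right after an Android 12 upgrade is the condition this post's workaround addresses, and is the point at which the app should tell the user to contact their admin rather than retry the VPN or mail connection.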
Resolution
After upgrading your Samsung devices from Android 11 to Android 12, remove and redeploy the impacted certificates or app configuration to the devices.
Android Enterprise personally-owned with a work profile configurations
First, uninstall the affected app.
- If the affected app is a required app, it will automatically be reinstalled.
- If the affected app is an available app, the device user has to manually reinstall from the corporate Play Store.
Android Enterprise fully managed, Android Enterprise corporate-owned with a work profile, and Android Enterprise dedicated configurations
- If the affected app is an available app, the device user must manually uninstall and reinstall the app from the corporate Play Store.
- If the affected app is a required app, your corporate admin must push a policy that removes the app and then reinstalls it through policy. Follow these steps (as per Microsoft):
  - In the Microsoft Endpoint Manager admin center, create an exclusion group for the affected app.
  - Add the user(s) to the exclusion group.
  - Sync the policy on the Android device.
  - Confirm the affected app is removed from the device.
  - Remove the user from the exclusion group.
  - Confirm the app is added back to the device.
Please contact your Microsoft representative if the issue persists after the redeployment of the impacted app configuration. Samsung and Microsoft are working closely together on this issue. We appreciate your support and patience through this process.
If you have any questions, reply to this post or reach out to Microsoft Intune Support @IntuneSuppTeam on Twitter.
Additional information
If you are a developer using Samsung products, you can find more detailed information here:
- Deprecation of TIMA/CCM Keystore support
- App fails to retrieve CCM certificate after Android 12 OS upgrade
- TIMA Keystore dev guide
Post updates:
03/02/22: Added update text at the beginning of this post.
06/06/22: Updated content and workarounds.