Updated 06/06/22: The content below has been updated, please use the workarounds provided if you run into this issue.
Environment
Overview
In Q3 2021, Google introduced the Android Keystore2 as a replacement for the current Keystore in Android 12. In an effort to harmonize with Google and the modernization of the Android Operating System, Samsung deprecated its custom Knox key store and certificate manager in favor of the Android Keystore2. The new Samsung devices starting on Android 12 and higher use the Android Project's default 'Keystore2' implementation.
Although there are no reliable software fixes to this issue, this article provides guidance to a manual workaround.
Cause
Microsoft Endpoint Manager uses the Android Management API as an underlying device management technology.
Currently, the Android Management API model does not have a way of initializing the low-level keystore. Therefore, when you upgrade Samsung devices from Android 11 to Android 12, the migration from the custom keystore to the new ‘Keystore2’ is not successful, and causes deployed apps to lose access to the stored certificates.
Resolution
After upgrading your Samsung devices from Android 11 to Android 12, remove and redeploy the impacted certificates or app configuration to the devices.
Android Enterprise personally-owned with a work profile configurations
First, uninstall the affected app.
Android Enterprise fully managed, Android Enterprise corporate-owned with a work profile, and Android Enterprise dedicated configurations
Please contact your Microsoft representative if the issue continues to persist after the redeployment of the impacted app configuration. Samsung and Microsoft have a close cooperation on this issue. We appreciate your support and patience through this process.
If you have any questions, reply to this post or reach out to Microsoft Intune Support @IntuneSuppTeam on Twitter.
Additional information
If you are a developer using Samsung products, you can find more detailed information here:
Post updates:
03/02/22: Added update text at the beginning of this post.
06/06/22: Updated content and workarounds.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.