Known Issue: Missing certificates after updating Samsung work profile devices to Android 12
Published Jan 20 2022 02:50 PM

Updated 06/06/22: The content below has been updated. If you run into this issue, use the workarounds provided.


Environment

  • Microsoft Intune using client certificates to authenticate VPN and email
  • Samsung devices upgrading from Android 11 to Android 12

Overview

In Q3 2021, Google introduced Keystore2 in Android 12 as the replacement for the previous Android Keystore. To align with Google and the modernization of the Android operating system, Samsung deprecated its custom Knox keystore and certificate manager in favor of Keystore2. Samsung devices running Android 12 and higher therefore use the Android Open Source Project's default Keystore2 implementation.

There is no reliable software fix for this issue; this article provides guidance on a manual workaround.


Cause

Microsoft Endpoint Manager uses the Android Management API as its underlying device management technology.

The Android Management API currently provides no way to initialize the low-level keystore. When a Samsung device is upgraded from Android 11 to Android 12, the migration of deployed certificates from the custom Knox keystore to Keystore2 does not complete, and the apps those certificates were deployed to (the VPN and email clients in the environment above) lose access to them. The symptom is that certificate-based authentication for those apps fails after the OS upgrade, even though the certificates had been deployed successfully on Android 11.


Resolution

After a Samsung device has been upgraded from Android 11 to Android 12, remove and redeploy the impacted certificates or app configuration to that device. The procedure depends on the enrollment type, as described below.


Android Enterprise personally-owned with a work profile configurations

First, uninstall the affected app.

  • If the affected app is a required app, it will automatically be reinstalled.
  • If the affected app is an available app, the device user has to manually reinstall from the corporate Play Store.


Android Enterprise fully managed, Android Enterprise corporate-owned with a work profile, and Android Enterprise dedicated configurations

  • If the affected app is an available app, the device user must manually uninstall and reinstall the app from the corporate Play Store.
  • If the affected app is a required app, your corporate admin must send a policy that removes the app and then reinstall it through policy. Follow these steps (as per Microsoft):
    1. In the Microsoft Endpoint Manager admin center, create an exclusion group for the affected app.
    2. Add the user(s) to the exclusion group.
    3. Sync the policy on the Android device.
    4. Confirm the affected app is removed from the device.
    5. Remove the user from the exclusion group.
    6. Confirm the app is added to the device.
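One way to run these six steps without clicking through the admin center, as an added example that is not Microsoft's code and not part of the original post: a PowerShell 7 script that performs them against Microsoft Graph. It assumes you already hold a Graph access token (obtained however you normally do) with Group.ReadWrite.All, DeviceManagementApps.ReadWrite.All and DeviceManagementManagedDevices.PrivilegedOperations.All, the Intune mobileApp id of the affected app, and the Entra user object ids of the affected users. The Graph paths used are the v1.0 group endpoints and the beta Intune endpoints (assignments, assign, deviceStatuses, users/{id}/managedDevices, syncDevice); matching deviceStatuses entries to devices by deviceId is an assumption to verify in your tenant.

```powershell
# Added example, not part of Microsoft's post: automates the six exclusion-group steps
# above with Microsoft Graph. Assumed inputs: a Graph access token with the permissions
# named in the lead-in, the Intune mobileApp id of the affected app, and the Entra user
# object ids of the affected users.
param(
    [Parameter(Mandatory)] [string]   $AccessToken,
    [Parameter(Mandatory)] [string]   $MobileAppId,
    [Parameter(Mandatory)] [string[]] $UserIds,
    [int] $PollMinutes = 30
)

$graph   = 'https://graph.microsoft.com'
$headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }

function Invoke-Graph([string] $Method, [string] $Path, $Body = $null) {
    $json = if ($null -ne $Body) { $Body | ConvertTo-Json -Depth 10 } else { $null }
    Invoke-RestMethod -Method $Method -Uri "$graph$Path" -Headers $headers -Body $json
}

# $true when every device in $Devices reports the given install state for the app.
# Assumption: mobileAppInstallStatus.deviceId is the Intune managedDevice id.
function Test-InstallState($Devices, [string] $State) {
    $statuses = (Invoke-Graph GET "/beta/deviceAppManagement/mobileApps/$MobileAppId/deviceStatuses").value
    foreach ($d in $Devices) {
        $s = $statuses | Where-Object { $_.deviceId -eq $d.id } | Select-Object -First 1
        if ($null -eq $s -or $s.installState -ne $State) { return $false }
    }
    return $true
}

function Wait-InstallState($Devices, [string] $State) {
    $deadline = (Get-Date).AddMinutes($PollMinutes)
    while ((Get-Date) -lt $deadline) {
        if (Test-InstallState $Devices $State) { return $true }
        Start-Sleep -Seconds 120
    }
    return $false
}

function Sync-Devices($Devices) {
    foreach ($d in $Devices) {
        Invoke-Graph POST "/beta/deviceManagement/managedDevices/$($d.id)/syncDevice" | Out-Null
    }
}

# Step 1: create the exclusion group and add it as an exclusion on the app's assignments.
# 'assign' REPLACES the app's whole assignment list, so read the current assignments and
# append the exclusion; posting only the exclusion would silently drop every other assignment.
$group = Invoke-Graph POST '/v1.0/groups' @{
    displayName     = "Keystore2 redeploy exclusion - $MobileAppId"
    mailEnabled     = $false
    mailNickname    = 'ks2excl' + (Get-Date -Format 'yyyyMMddHHmmss')
    securityEnabled = $true
}
$existing = (Invoke-Graph GET "/beta/deviceAppManagement/mobileApps/$MobileAppId/assignments").value
$assignments = @(foreach ($a in $existing) {
    @{ '@odata.type' = '#microsoft.graph.mobileAppAssignment'; intent = $a.intent; target = $a.target; settings = $a.settings }
})
$assignments += @{
    '@odata.type' = '#microsoft.graph.mobileAppAssignment'
    intent        = 'required'
    target        = @{ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'; groupId = $group.id }
}
Invoke-Graph POST "/beta/deviceAppManagement/mobileApps/$MobileAppId/assign" @{ mobileAppAssignments = $assignments } | Out-Null

# Step 2: add the affected users to the exclusion group.
foreach ($uid in $UserIds) {
    Invoke-Graph POST "/v1.0/groups/$($group.id)/members/`$ref" @{ '@odata.id' = "$graph/v1.0/directoryObjects/$uid" } | Out-Null
}

# Step 3: sync the users' Android devices so they pick up the changed assignment.
$devices = @(foreach ($uid in $UserIds) {
    (Invoke-Graph GET "/beta/users/$uid/managedDevices").value | Where-Object { $_.operatingSystem -eq 'Android' }
})
Sync-Devices $devices

# Step 4: confirm the app has been removed before reversing the exclusion.
if (-not (Wait-InstallState $devices 'notInstalled')) {
    throw "App $MobileAppId is still reported as installed on one or more devices; not removing the exclusion."
}

# Step 5: remove the users from the exclusion group so the required assignment applies again.
foreach ($uid in $UserIds) {
    Invoke-Graph DELETE "/v1.0/groups/$($group.id)/members/$uid/`$ref" | Out-Null
}

# Step 6: sync again and confirm the app is reinstalled, which re-provisions its certificate.
Sync-Devices $devices
if (Wait-InstallState $devices 'installed') { "App reinstalled on all $($devices.Count) device(s)." }
else { Write-Warning "App not yet reported as installed; check the device install status in the admin center." }
```

Group membership changes and install-status reporting both lag the device sync by some minutes, which is why the script polls instead of assuming the step succeeded; if the poll times out, leave the user in the exclusion group and check the device in the admin center rather than proceeding. The exclusion group is left in place so the same procedure can be repeated for the next batch of devices.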

Please contact your Microsoft representative if the issue persists after the impacted app configuration has been redeployed. Samsung and Microsoft are cooperating closely on this issue. We appreciate your support and patience through this process.


If you have any questions, reply to this post or reach out to Microsoft Intune Support @IntuneSuppTeam on Twitter.


Additional information

If you are a developer using Samsung products, you can find more detailed information here:


Post updates:

03/02/22: Added update text at the beginning of this post.

06/06/22: Updated content and workarounds.

14 Comments
Copper Contributor

I can add Outlook to the list. The SMIME certificate deployed with MEM is no longer available in the Outlook SMIME settings. 

Workaround is removing and reinstalling Outlook. No need to delete the work profile.

On the other hand, removing certificate assignments and re-assigning does not fix the issue.

Copper Contributor

Do you have a list of affected Samsung devices? This issue seems not to persist on every device.

Copper Contributor

@JKS97 We can currently confirm the issue on an A52s 5G and an A52 that were enrolled with Android 11 and were updated to 12. The certificates were assigned and deployed before the update. Devices enrolled after upgrading to Android 12 are not affected.


Copper Contributor

Same problem with OnePlus 9 Pro on OxygenOS 12 (Android 12) and OPPO devices (they show the error "the security certificate cannot be installed by secondary users"). But after reinstalling, Intune Company Portal doesn't proceed with confirming device settings (it always shows last check 01.01.0001).


@Intune_Support_Team 

Copper Contributor

Samsung told us that the issue can be addressed by UEM partners by using the Knox API addPermissionApplicationPrivateKey. It's possible to grant permission for apps to use installed keys.

@Sanitar2034 the OnePlus, OPPO, etc. issue is not the same as what's described here with Samsung (we thought it was too, but checked with Intune engineering and they've confirmed they are different). Intune engineers just checked with Google and they are actively reviewing the issue and working with OnePlus and OPPO. We're hoping that they'll provide documentation soon that we can point you to.

Copper Contributor

Same problem here. We have OPPO and OnePlus devices with the latest version of Android 12. During enrollment with the Company Portal app, the device gets stuck at the registration phase, so enrollment is not completed. @Intune_Support_Team please provide an update on that.


Copper Contributor

@Intune_Support_Team could you please let us know more details of the issue and the remediation steps? We have Samsung devices enrolled in an Android Enterprise BYOD instance, and all the devices are facing issues with connecting to Wi-Fi (certificate-based authentication). Impacted devices are newly enrolled Android 12 devices and devices upgraded from Android 11 (S21, S22, A5, etc.).

Hi @Karan_m123, sorry to hear you are experiencing this issue. We've followed up with you over a private message with more info in relation to OPPO.

Copper Contributor

Android Enterprise work profile: Pulse Secure certificate missing issue, and the Samsung Gallery application shows "your device is not supported". This issue occurs on all Samsung devices that come with Android 12.

Please advise how to fix the issue.

Copper Contributor

I am having the same issue with my Samsung Galaxy S20+. When I try to enroll in Intune, it begins the setup and then shows the error 'Cannot create work profile'. I have uninstalled/reinstalled many times, as well as reset my phone. I was never enrolled before, and I am trying to create this for the first time. Is there any solution to this so I can actually get my work email on my phone?


Model name: Galaxy S20+ 5G
Hardware version: REV1.0
One UI version: 4.1
Android version: 12
Knox version:
- Knox 3.8
- Knox API level 35
- Knox ML 1.2
- DualDAR 1.4.0
- HDM 2.0-F

Hi @Robbie_Schroeder Thanks for the info! Be on the lookout for an incoming DM to talk through the scenario! 

Copper Contributor

@Intune_Support_Team The fix in the article doesn't seem to hold. We can get the devices to receive the certificates again but after about a week they lose their WiFi certificates. 

We have about 600 devices enrolled and most of them will lose their WiFi and VPN certificates as soon as they connect to our network. All devices that have this issue are Samsung devices. Android 11 or 12. None of the Zebra or other devices have this certificate missing issue. 

We've recreated the profile several times. It just never sticks. Are there any developments on this issue?

Hi @orsty3001, thanks for the info, and sorry to hear you're experiencing this behavior. Can you confirm if updating to Android 13 helps to resolve the issue? Thanks!

Version history
Last update: Dec 19 2023 01:23 PM