Custom OS Error on AE Work Profile

%3CLINGO-SUB%20id%3D%22lingo-sub-1016515%22%20slang%3D%22en-US%22%3ECustom%20OS%20Error%20on%20AE%20Work%20Profile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1016515%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20All%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHope%20you%20are%20all%20well.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnyway%2C%20a%20strange%20one%20here.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETrying%20to%20enroll%20an%20Android%207%20Samsung%20device%20via%20Android%20Enterprise%20Work%20Profile%20and%20getting%20an%20error%20saying%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECouldn't%20add%20your%20device.%20To%20get%20your%20device%20managed%2C%20you'll%20need%20to%20accept%20all%20the%20system%20permissions%20requests%3C%2FP%3E%3CP%3Eand%3C%2FP%3E%3CP%3ECannot%20create%20Work%20Profile.%20The%20security%20policy%20prevents%20the%20creation%20of%20a%20work%20profile%20because%20a%20custom%20OS%20has%20been%20installed%20on%20the%20device.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20ideas%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1016515%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1018746%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20OS%20Error%20on%20AE%20Work%20Profile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1018746%22%20slang%3D%22en-US%22%3EYes%20I%20do%2C%20but%20this%20device%20is%20not%20rooted%2C%20apparently.%3CBR%20%2F%3E%3CBR%20%2F%3EWould%20anything%20else%20cause%20this%3F%3CBR%20%2F%3E%3CBR%20%2F%3ERegards%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1020270%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20OS%20Error%20on%20AE%20Work%20Profile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1020270%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F131657%22%20target%3D%22_blank%22%3E%40Stuart%20King%3C%2FA%3E%26nbsp%3B%20A%20custom%20ROM%20being%20installed%20would%20also%20do%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1020363%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20OS%20Error%20on%20AE%20Work%20Profile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1020363%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F254026%22%20target%3D%22_blank%22%3E%40eglockling%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EInteresting%2C%20any%20ideas%20on%20how%20to%20detect%20this%20on%20the%20device%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EInfo%20appreciated%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1020777%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20OS%20Error%20on%20AE%20Work%20Profile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1020777%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F131657%22%20target%3D%22_blank%22%3E%40Stuart%20King%3C%2FA%3E%26nbsp%3B%20%3CSPAN%3ESince%20it's%20a%20Samsung%20device%2C%20c%3C%2FSPAN%3E%3CSPAN%3Eheck%20in%20%3CSTRONG%3ESettings%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3EAbout%20phone%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3ESoftware%20information%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3EBuild%20number%3C%2FSTRONG%3E.%20You%20should%20see%20the%20model%20number%20included%20in%20the%20build%20number%20(eg.%20G930W).%20If%20you%20don't%2C%20it%20may%20be%20a%20custom%20ROM.%20Besides%20that%2C%20you%20may%20need%20to%20check%20other%20sources%20online%20for%20in-depth%20methods%20of%20detection.%20Best%20of%20luck!%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1026051%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20OS%20Error%20on%20AE%20Work%20Profile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1026051%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F131657%22%20target%3D%22_blank%22%3E%40Stuart%20King%3C%2FA%3E%26nbsp%3Bwas%20that%20device%20enrolled%20before%3F%20We%20have%20seen%20such%20a%20message%20when%20enrolling%20a%20device%20not%20with%20work%20profile%2C%20but%20as%20fully%20managed%20devices.%20We%20found%20out%20that%20after%20removing%20the%20account%20from%20Intune%20and%20AAD%20it%20solved%20the%20issue%20(as%20it%20was%20not%20a%20new%20device).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1230927%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20OS%20Error%20on%20AE%20Work%20Profile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1230927%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F3194%22%20target%3D%22_blank%22%3E%40Peter%20Klapwijk%3C%2FA%3E%26nbsp%3B%2C%20when%20you%20say%20you%20removed%20the%20account%20from%20AAD%2C%20was%20it%20the%20device%20you%20removed%20from%20the%20user's%20profile%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1233699%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20OS%20Error%20on%20AE%20Work%20Profile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1233699%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F3194%22%20target%3D%22_blank%22%3E%40Peter%20Klapwijk%3C%2FA%3E%26nbsp%3B%20Can%20you%20provide%20an%20step%20by%20step%20of%20your%20Workaround%20%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1235597%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20OS%20Error%20on%20AE%20Work%20Profile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1235597%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F584868%22%20target%3D%22_blank%22%3E%40GandalfDonGato%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F583307%22%20target%3D%22_blank%22%3E%40J2_D2%3C%2FA%3E%26nbsp%3BIn%20both%20Intune%20and%20AAD%20a%20device%20account%20was%20present%2C%20after%20removing%20both%20our%20issue%20was%20solved.%3CBR%20%2F%3EThe%20device%20could%20be%20found%20in%20AAD%20via%20device%20or%20from%20the%20User%20properties.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1490041%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20OS%20Error%20on%20AE%20Work%20Profile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1490041%22%20slang%3D%22en-US%22%3E%3CP%3EI%20had%20same%20problem%20with%20Enterprise%20Enrollment%20on%20Samsung%20Tab%20S5e.%20The%20solution%20was%20to%20upgrade%20the%20device%20to%20latest%20Firmware.%20I%20had%20to%20flash%20with%20Odin-Tool.%20After%20that%20it%20worked%20like%20a%20charm.%26nbsp%3B%20%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1018737%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20OS%20Error%20on%20AE%20Work%20Profile%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1018737%22%20slang%3D%22en-US%22%3E%3CP%3EIt%20sounds%20like%20the%20device%20has%20been%20rooted.%20Do%20you%20have%20a%20compliance%20policy%20in%20place%20that%20restricts%20this%3F%20%3CSTRONG%3EDevice%20Health%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3ERooted%20devices%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3EBlock%3C%2FSTRONG%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Regular Contributor

Hi All

 

Hope you are all well.

 

Anyway, a strange one here.

 

Trying to enroll an Android 7 Samsung device via Android Enterprise Work Profile and getting an error saying:

 

Couldn't add your device. To get your device managed, you'll need to accept all the system permissions requests

and

Cannot create Work Profile. The security policy prevents the creation of a work profile because a custom OS has been installed on the device.

 

Any ideas?

 

 

 

10 Replies
Highlighted

It sounds like the device has been rooted. Do you have a compliance policy in place that restricts this? Device Health > Rooted devices > Block

Highlighted
Yes I do, but this device is not rooted, apparently.

Would anything else cause this?

Regards
Highlighted

@Stuart King  A custom ROM being installed would also do it.

Highlighted

@eglockling 

 

Interesting, any ideas on how to detect this on the device?

 

Info appreciated

Highlighted

@Stuart King  Since it's a Samsung device, check in Settings > About phone > Software information > Build number. You should see the model number included in the build number (eg. G930W). If you don't, it may be a custom ROM. Besides that, you may need to check other sources online for in-depth methods of detection. Best of luck!

Highlighted

@Stuart King was that device enrolled before? We have seen such a message when enrolling a device not with work profile, but as fully managed devices. We found out that after removing the account from Intune and AAD it solved the issue (as it was not a new device).

Highlighted

@Peter Klapwijk , when you say you removed the account from AAD, was it the device you removed from the user's profile? 

Highlighted

@Peter Klapwijk  Can you provide an step by step of your Workaround ? 

Highlighted

@GandalfDonGato @J2_D2 In both Intune and AAD a device account was present, after removing both our issue was solved.
The device could be found in AAD via device or from the User properties.

Highlighted

I had same problem with Enterprise Enrollment on Samsung Tab S5e. The solution was to upgrade the device to latest Firmware. I had to flash with Odin-Tool. After that it worked like a charm.