Menu

Work profile is removed if UEM client is upgraded in Android 8.1 or 9

Environment 

  • Knox Platform for Enterprise (KPE)
  • Android 8.1, 9
  • Android Enterprise (AE) Profile Owner (PO) mode

Overview

Some users are experiencing an issue where the work profile on their device, while locked, is removed when the UEM agent is upgraded or replaced.

The issue is reproduced with the following steps:

  1. Install the UEM client. 
  2. Create an AE PO work profile and set a password for the work profile.
  3. Reboot the device, after which the work profile is locked.
  4. Upgrade the UEM client to a higher version.
  5. Observe that the work profile is removed.

Cause

The UEM client is a package with device administrator privileges. When a UEM client upgrade is pushed to a device, the Knox framework looks for information about the Device Admin app as a security measure, but fails to check inside the work profile. If the work profile or device itself is turned off, Knox automatically removes the unidentified Device Admin app.

  

Resolution

The Samsung Knox team has identified a fix for this issue, which is currently rolling out to affected devices.

Workaround

If you are encountering this issue, please re-enroll your device through the UEM.

Share it: