
Certificates missing after updating Samsung devices to Android 12

Last updated July 26th, 2023

Environment

  • Microsoft Intune EMM
  • Samsung devices upgraded from Android 11 to Android 12
  • VPN and email apps authenticated through client certificates

Overview

In Q3 2021, Keystore, Android’s cryptographic key storage system, was redesigned and reimplemented as Keystore2. To align with Google’s modernization of Android, Samsung deprecated the Knox TIMA Keystore and client certificate manager systems previously used on Samsung devices in favor of Keystore2. New Samsung devices that ship with Android 12, and existing Samsung devices that upgrade to Android 12, now use Keystore2.

When you upgrade Samsung devices enrolled with a work profile from Android 11 to Android 12, apps lose access to their certificates once the certificate keystore migration completes. Because there is no reliable software fix for this unintended side effect, this article provides a manual workaround.

Cause

Microsoft Endpoint Manager uses the Android Management API as its underlying device management technology. Currently, the Android Management API model has no way of automatically granting an app access to Keystore2. Therefore, when you upgrade Samsung devices from Android 11 to Android 12, Samsung’s keystore and client certificate manager systems fail to migrate to Keystore2, which causes deployed apps to lose access to the stored certificates.

Resolutions

After upgrading your Samsung devices from Android 11 to Android 12, remove and redeploy the impacted certificates or app configuration to the devices. The required steps differ based on how the devices are enrolled.

Personally-owned devices with work profiles

First, uninstall the affected app. Then, reinstall it based on its assignment type:

  • Available app — Instruct the device user to manually reinstall the app from Managed Google Play private.

  • Required app — The app reinstalls automatically.

Fully managed devices, company-owned devices with work profiles, and dedicated devices

First, uninstall the affected app. Then, reinstall it based on its assignment type:

  • Available app — Instruct the device user to manually uninstall and reinstall the app from Managed Google Play private.

  • Required app — Deploy a policy to remove and reinstall the app. Follow these steps provided by Microsoft support:

    1. In the Microsoft Endpoint Manager admin center, create an exclusion group for the affected app.

    2. Add the affected user accounts to the exclusion group.

    3. Sync the policy to the Android devices.

    4. Verify that the affected app is removed from the devices.

    5. Remove the user accounts from the exclusion group.

    6. Confirm the app is added to the devices.

Please contact your Microsoft representative if the issue persists after the impacted app configuration has been redeployed. If you have any questions, reply to Microsoft’s notice about this issue or reach out to Microsoft Intune Support @IntuneSuppTeam on Twitter.

Samsung and Microsoft are in close cooperation on this issue. We appreciate your support and patience through this process.

Additional information

If you are a developer using Samsung products, you can find more detailed information here:

Learn how to enroll devices with Microsoft Intune:
