ChrissyNield-5512 asked ·

Android device cannot accept the KNOX privacy notification (older devices S5/S6)

I am experiencing several issues with BYOD Android devices that are S5 and S6. The notice for accepting the KNOX privacy is displaying, but users attempt to accept and nothing happens. The devices remain not compliant, and as much as I can troubleshoot remotely, I believe that this is the cause. The work profile is created, but it is not usable (greyed out and tapping does not open).

This is very perplexing and very new to me. I find it most disturbing that no device information is shared, which also points to the privacy acceptance and being unable to accept by the user.

Do you have any related experience or resolutions for this type of issue? I did more reading and found that Secure Folder app was taking the place of KNOX for device encryption, but will it work for the establishment of the work profile? Will it require different settings in Intune to accommodate?


ETA: Device example
Phone - SM-G920R4
Android - 7.0
Knox - 2.7.2

mem-intune-enrollment

@ChrissyNield-5512, From your description, the KNOX device cannot accept the privacy notification. To understand it better, please collect the following information for us.
1. Could you let us know if the privacy notification is the one as below? Does "accept and nothing happens" mean the next step is not prompted?
65077-image.png
https://docs.microsoft.com/en-us/mem/intune/user-help/enroll-device-android-company-portal
2. Could you check which setting shows not compliant for the device?
65155-image.png


0 Votes 0 ·

This is a real issue.
Android 7 and below, as apparently they initiate WP with Device Admin APIs.
The result is no one can accept the Knox privacy policy and compliance is never met or even allowed to evaluate.

The only realistic workaround right now is using Device admin enrollment.

See below

https://support.google.com/work/android/thread/96578926?hl=en

0 Votes 0 ·

@Dan-9492 · Thanks for sharing the information. Android Device admin enrollment can be an option for us to manage these devices with lower versions.

0 Votes 0 ·

@Dan-9492, I did post a workaround a while ago but still struggling to find it....

Basically I downloaded a previous version of Company Portal (APK found on Google) from March 2019. I installed that and registered my device as normal via that. It was successful. I then updated the Company Portal app via the Play Store and I see the message about the Knox thing on every reboot of the phone; however, I am officially registered and can access all my work resources.

0 Votes 0 ·
MervynSMorris-6224 answered ·

@Crystal-MSFT
I am not sure if this is appropriate or if I should open a new post. I have two devices in my organization, both Samsung devices running Android 7.0 with the same issue.

The ELM Agent Privacy Policy was never presented to the devices or users.
Company Portal states "You need to update settings on this device"
Android Notification Bar states "Accept KNOX privacy notice to finish setting up your device". Clicking on the notification does nothing.


Phone - SM-N920A
Android - 7.0
Knox - 2.7.1



65357-screenshot-20210208-071425.png
65390-screenshot-20210208-083221.png
65377-image.png




@MervynSMorris-6224, For the "update device settings" screen, please check if there's any condition not met. For example, during my test, I set the compliance policy to require a passcode on my test phone. As it was not set, the same screen as yours came up, and after I set the passcode and clicked "Confirm the settings", the device setting was updated and the device showed compliant. Please check this and see if it can be fixed. If the issue still persists, to avoid confusion on this thread, I suggest opening a new thread to check on your issue.

Thanks for the understanding.

0 Votes 0 ·
ChrissyNield-5512 answered ·

As with MervynSMorris-6224, the notification is the only area where the Company Portal prompt shows. It does not show the ELM in the enrollment process.

65446-image.png



But, because the ELM is not showing and only a notification (which when clicked, as mentioned, does nothing), the Work Profile Compliance does not evaluate. The Work Profile is created on the phone. The profile is disabled because of the unaccepted KNOX privacy ELM. The BYOD device is just sitting and waiting for the ELM to show during enrollment, and it never does. Only the notifications show the alert, but clicking on the alert does nothing.






Crystal-MSFT answered ·

@ChrissyNield-5512, Thanks for the reply.

Here, I have found one Samsung Knox device to test. Here is the process when I enroll the device via Company Portal. I find there's some change with the ELM. The screens I get are as below.

65624-image.png
After it is enrolled, I find this device shows as "Android personally owned work profile".
65584-image.png

Then I deploy a compliance policy for this device and choose "check device settings" in the Company Portal of the device. Then it shows compliant in my portal.
65518-image.png
From the picture, I find the user principal name shows none. In my test, it shows as the user I sign in with.
65653-image.png
Could you sign in the user account into the Company Portal of this device and check device settings to see if the compliance policy can be applied?

If there's anything unclear, feel free to let us know.



KirbyRyan-4087 answered ·

What version of Android does your test device have, Crystal? We aren't seeing the issue with newer devices. The one I'm working on now is a Note 5 with Android 7.0.


@KirbyRyan-4087, My test device is Galaxy S10 SM-G973U, Knox version 3.4.1, Android version 10. I am also working,

0 Votes 0 ·
Hemesh-2559 answered ·

Hi,

I have the same problem on my S6 - 920F (Android 7, Knox 2.7.1). The Company Portal App does not trigger the creation of the Work Profile for Samsung Knox, which is what I think the problem is. If that was triggered, then I'm sure it'd work fine.

Therefore, I think this is a bug in the Company Portal App?


So I have retried the process, and it does prompt the creation of the work profile and allows you to continue with its creation just like your test, @Crystal-MSFT; however, the screenshot for the Work profile is different. I will see if I can take some screengrabs of the phone rather than snap it from the video (as it's hard to read).

0 Votes 0 ·
ChrissyNield-5512 answered ·

I am curious as to what Knox version is on the device that you are testing. I even had the user load the Secure Folder app in hopes that this would change the setup and that it would complete.

I will ask the user to check the compliance in the portal. We did this prior, but I do not recall the exact wording. On another device, enrollment freezes entirely. The Work Profile does not create.

Policies deployed. I did a check device several times on each of the 5 devices. The work profile policy does not clear because the privacy notification is never accepted for Knox. It is a strange glitch. Looks like I may have to take this one to MS for support. :-/


@ChrissyNield-5512, The Knox version I tested is Knox 3.4.1. If your device is on a lower version, we suggest performing an update to see if the issue can be fixed.
https://docs.samsungknox.com/admin/knox-platform-for-enterprise/faqs/faq-115013574647.htm
Note: Non-Microsoft link, just for reference.

However, if the issue still persists, log analysis is needed. As Q&A has limitations on such cases, we suggest opening a case to troubleshoot. Here is the link for reference:
https://docs.microsoft.com/en-us/mem/get-support

0 Votes 0 ·
Hemesh-2559 answered ·

After I log in with my work account, I get the following screenshots before I get the issue with the device waiting for the privacy notice to be accepted:
66240-screenshot-20210210-082546.png
66332-screenshot-20210210-082552.png
66300-screenshot-20210210-082609.png
66345-screenshot-20210210-083010.png
66268-screenshot-20210210-083048.png
66307-screenshot-20210210-083058.png
66333-screenshot-20210210-083104.png
66361-screenshot-20210210-083109.png
66259-screenshot-20210210-083117.png
66335-screenshot-20210210-083124.png
66336-screenshot-20210210-083128.png
66371-screenshot-20210210-083206.png




@Hemesh-2559, From the pictures you provided, it seems we choose Samsung's Knox Mobile enrollment. Could you double confirm on this?
https://docs.microsoft.com/en-us/mem/intune/enrollment/android-samsung-knox-mobile-enroll

0 Votes 0 ·

Hi, So these screenshots are not using the Knox enrolment... right? I have Knox on my phone so I'm confused why the Company Portal isn't following the same route to use Knox enrolment as later versions of Samsung phones?

0 Votes 0 ·

Just wanted to let you know you're not alone.

I'm experiencing the same problem on Samsung SM-T365, Android 5.1.1, KNOX 2.5 - this is the latest version of the OS / KNOX that the device supports.

The screenshot process is identical to enrolment as ours, after your final screenshot, we get a 'notification slice' for the 'managed Company Portal' which says 'Accept KNOX privacy notice to finish setting up your device', when we tap this nothing happens.

We have successfully enrolled these devices in the past (as recently as November I think), but when we've come to factory reset some in the last few weeks we're getting the above so our suspicion is a recent change in the Company Portal.

1 Vote 1 ·
ChrissyNield-5512 answered ·

Perhaps it is the latest version of KNOX with the most recent version of the Company Portal and Android 7.0.

FYI, I did notice that someone mentioned Android 5 - not supported anymore by Endpoint Manager / Intune. That is your issue. The device must have Android 7 or greater.

@Crystal-MSFT Your device is not the same as the ones that we are troubleshooting. I have no issue with newer devices either.

Here is where it gets complicated. Samsung has officially ended support for the S5 and S6. A "surprise" Android update came out in the fall of last year (2020) which sent an update to the OS on these devices - Android 7.0. Even more of an issue, no more updates are being pushed and no more support has come down since the OS update.

Let's make it worse? Some of the S5 and S6 models can use Knox version 3.5, but others are stopped at 2.7.1. Intune does say that 2.4 and greater is supported though.

In addition, KNOX is adding the Secure Folder App to handle more security and fill in the holes and vulnerabilities that the standalone KNOX has been found to have.

Lastly, the ELM prompt is coming from the Company Portal, the device compliance is being found compliant, but the Work Profile is not compliant. (I wanted to get a snip of it, but it appears that there are token issues today.) The device itself is showing compliant. It's the work profile policy that is not because of the ELM not showing and only sending a notification.


ETA: Not using Knox enrollment with a connector to Intune. This is just a BYOD setup with personal work profile setup.



"RE: FYI, I did notice that someone mentioned Android 5 - not supported anymore by Endpoint Manager / Intune. That is your issue. The device must have Android 7 or greater."

Microsoft still indicate that Android 5.x is supported at https://docs.microsoft.com/en-us/mem/intune/fundamentals/supported-devices-browsers

"Note :Intune now requires Android 5.x (Lollipop) or higher for applications and devices to access company resources via the Company Portal app for Android and the Intune App SDK for Android. This requirement does NOT apply to Polycom Android-based Teams devices running 4.4. These devices will continue to be supported."

"Google
Android 5.0 and later (including Samsung KNOX Standard 2.4 and higher: requirements)"



0 Votes 0 ·
ChrissyNield-5512 PaulKecun-1275 ·

I read that with Android devices less than Android 7 that Device Adm. enrollment would be needed, which is being deprecated by Microsoft. This is somewhere in all of the mobile device setup reading that I did in their support documentation.

0 Votes 0 ·
ChrissyNield-5512 answered ·

Bringing this in from my notes:

  • Check the Android version that you need for your device to run Knox. Before installing this Android version, do some research on the changes that come with the new version.
    Check the Android version currently on your device: Settings > General > About device > Android version.

  • Check the software updates that are currently available: Settings > General > About device > Software update > Update.

  • Install the Android update. (Availability depends on your carrier and country. If you are unable to upgrade your Android OS, then you can't upgrade to a newer version of Knox.)

This is where you see the issues with the older devices too. No more updates present!




@ChrissyNield-5512, Thanks for the notes. Yes, the device I tested is different from yours. Currently, I don't have any other Samsung devices to test at hand. For the devices with Android version 7.0 and Knox version 2.7.1 which are affected, did we open a case and get any new findings from logs? If there's any update, I appreciate your help to post back.

Thanks and have a nice day!

0 Votes 0 ·
JeroenvdL-4994 answered ·

I'm having the same problem with a Samsung Android 7 and Knox 2.7.2 firmware. I have a Premier support case open ATM. I'll update here if something comes from that. Last request from MS was to try to enroll over mobile carrier connection instead of Wi-Fi. This did not work and now waiting for the next step.


Will be interesting to see what they say, thanks and will look forward to what they reply back :)

0 Votes 0 ·

Just received an update: they are at least aware of the problem and investigating. I'll keep you updated:

We are currently aware of an issue impacting enrollment on Samsung (Knox) devices running Android 6 and 7. The issue occurs at the Knox license agreement stage, when the notification does nothing and the end user cannot proceed and accept it. This is currently under internal investigation.
I will continue to monitor the progress of our internal incident and will return with updates over the next few days.

3 Votes 3 ·

Hi JeroenvdL,
Are you able to provide your ticket number at all so I can reference it in mine? I don't appear to be getting anywhere fast.

0 Votes 0 ·

Hi - thank you for the info, this is exactly the problem I am experiencing with Android 7. Do you have an update to the bug you created? Thx

0 Votes 0 ·
JeroenvdL-4994 mfranklin-3109 ·

Unfortunately it has been very quiet from Microsoft's side...

0 Votes 0 ·
Hemesh-2559 mfranklin-3109 ·

I did post a workaround if it was an urgent problem.. but I think someone has removed the message ...

0 Votes 0 ·

Thank you for the replies! Fingers crossed Microsoft publishes a fix soon. @Hemesh-2559: unfortunately I didn't see your workaround before it was removed.

0 Votes 0 ·