question

@Crystal-MSFT
I am not sure if this is appropriate or if I should open a new post. I have two devices in my organization, both Samsung devices running Android 7.0 with the same issue.

The ELM Agent Privacy Policy was never presented to the devices or users.
Company Portal states "You need to update settings on this device"
Android Notification Bar states" Accept KNOX privacy notice to finish setting up your device". Clicking on the notification does nothing

Phone - SM-N920A
Android - 7.0
Knox - 2.7.1

As with MervynSMorris-6224 , the notification is the only area where the company portal prompt shows. It does not show the ELM in the enrollment process.

But, because the ELM is not showing and only a notification (which when clicked, as mentioned, does nothing) the Work Profile Compliances does not evaluate. The Work Profile is created on the phone. The profile is disabled because of the unaccepted KNOX privacy ELM. The BYOD device is just sitting and waiting for the ELM to show during enrollment, and it never does. Only the notifications show the alert, but clicking on the alert does nothing.

@ChrissyNield-5512, Thanks for the reply.

Here, I have find one Samsung knox device to test. Here are the process when I enroll the device via company portal. I find there's some change with the ELM. The screen I get are as below.

After it is enrolled, I find this device shows as "Android personally owned work profile"

Then I deploy a compliance policy for this device and choose "check device settings" in the company portal of the device. then it shows compliant in my portal.

From the picture, I find the user principle name shows none, In my test, it is shows as the user I sign in.

Could you sign in the user account into the company portal of this device and check device settings to see if the compliance policy can be applied.

If there's anything unclear, feel free to let us know.

What version of Android does your test device have Crystal? We aren't seeing the issue with newer devices. The one I'm working on now is a Note 5 with Android 7.0

Hi,

I have the same problem on my S6 - 920F (Android 7, Knox 2.7.1). The Company Portal App does not trigger the creation of the Work Profile for Samsung Knox, which is what I think the problem is. If that was triggered, then I'm sure it'd work fine.

Therefore, I think this is a bug in the Company Portal App?

I am curious as to what Knox version is on the device that you are testing. I even had the user load the Secure Folder app in hopes that this would change the setup and that it would complete.

I will ask the user to check the compliance in the portal. We did this prior, but I do not recall the exact wording. On another device, enrollment freezes entirely. The Work Profile does not create.

Policies deployed. I did a check device several times on each of the 5 devices. The work profile policy does not clear because the privacy notification is never accepted for Knox. It is a strange glitch. Looks like I may have to take this one to MS for support. :-/

After I login with my work account, I get the following screenshots before I get the issue with the device waiting for the privacy notice to be accepted:

Perhaps it is the latest version of KNOX with the most recent of version of the Company Portal and Android 7.0.

FYI, I did notice that someone mentioned Android 5 - not supported anymore by Endpoint Manager / Intune. That is your issue. The device must have Android 7 or greater.

@Crystal-MSFT Your device is not the same as the ones that we are troubleshooting. I have no issue with newer devices either.

Here is where it gets complicated. Samsung has officially ended support for the S5 and S6. A "surprise" Android update came out in the fall of last year (2020) which sent an update to the OS on these devices - Android 7.0. Even more of an issue, no more updates are being pushed and no more support has come down since the OS update.

Let's make it worse? Some of the S5 and S6 models can use Knox version 3.5, but others are stopped at 2.7.1. Intune does say that 2.4 and greater is supported though.

In Addition, KNOX is adding the Secure Folder App to handle more security and fill in the holes and vulnerabilities that the standalone KNOX has been found to have.

Lastly, the ELM prompt is coming from the Company Portal, the device compliance is being found compliant, but the Work Profile is not compliant. (I wanted to get a snip of it, but it appears that there are token issues today.) The device itself is showing compliant. It's the work profile policy that is not because of the ELM not showing and only sending a notification.

ETA: Not using Knox enrollment with a connector to Intune. This is just a BYOD setup with personal work profile setup.

Bringing this in from my notes:

• Check the Android version that you need for your device to run Knox. Before installing this Android version, do some research on the changes that come with the new version.
  Check the Android version currently on your device: Settings > General > About device > Android version.
  

• Check the software updates that are currently available: Settings > General > About device > Software update > Update.
  

• Install the Android update. (Availability depends on your carrier and country. If you are unable to upgrade your Android OS, then you can't upgrade to a newer version of Knox.)

This is where you see the issues with the older devices too. No more updates present!

I'm having the same problem with a Samsung Android 7 and Knox 2.7.2 firmware. I have a Premier support case open ATM. I'll update here if something comes from that. Last request from MS was to try to enroll over mobile carier connection instead of Wifi. This did not work and now waiting for the next step.