Android device cannot accept the KNOX privacy notification (older devices S5/S6)

Chrissy Nield 26

I am experiencing several issues with BYOD Android devices that are S5 and S6. The notice for accepting the KNOX privacy is displaying, but users attempt to accept and nothing happens. The devices remain not compliant, and as much as I can troubleshoot remotely, I believe that this is the cause. The work profile is created, but it is not usable (greyed out and tapping does not open).

This is very perplexing and very new to me. I find it most disturbing that no device information is shared, which also points to the privacy acceptance and being unable to accept by the user.

Do you have any related experience or resolutions for this type of issue? I did more reading and found that Secure Folder app was taking the place of KNOX for device encryption, but will it work for the establishment of the work profile? Will it require different settings in Intune to accommodate?

ETA: Device example
Phone - SM-G920R4
Android - 7.0
Knox - 2.7.2

Crystal-MSFT 53,991 Reputation points Microsoft External Staff

2021-02-08T04:24:28.107+00:00
@Chrissy Nield , From your description, the KNOX device cannot accept the privacy notification. To understand it better, please collect the following information to us.

Could you let us know if the privacy notification is the one as below? Did "accept and noting happen" means the next step is not prompted?

https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-device-android-company-portal

Could you check which setting shows not compliant for the device?
Dan 1 Reputation point

2021-02-23T23:43:21.74+00:00

This is a real issue.
Android 7 and below, as apparently they initiate WP with Device Admin API's
The result is no one can accept the Knox privacy policy and compliance is never met or even allowed to evaluate.

The only realistic workaround right now is using Device admin enrollment

See below

https://support.google.com/work/android/thread/96578926?hl=en
Crystal-MSFT 53,991 Reputation points Microsoft External Staff

2021-02-24T01:23:02.62+00:00

@Dan · Thanks for the information sharing. Android Device admin enrollment can be an option for us to manage these devices with lower version.
Hemesh 6 Reputation points

2021-02-24T08:27:42.837+00:00

@Dan , I did post a workaround a while ago but still struggling to find it....

Basically I downloaded a previous version of Company Portal (APK found on google) from March 2019. I installed that and registered my device as normal via that. It was successful, I then updated the company portal app via the play store and I see the message about the knox thing on every reboot of the phone however I am officially registered and can access all my work resources.
Chrissy Nield 26 Reputation points

2021-03-08T13:40:49.7+00:00

Through all of our testing and hard work, the solution was resolved in the Company Portal app release 5.5 for Android 7.0 devices being unable to accept the ELM/Privacy with Knox 2.4/2.7 installed. Don't forget that these devices will no longer be supported by Samsung, and most of us will need to make some decisions on how much longer we support these along with the iOS 7. :)

Accepted answer

Crystal-MSFT 53,991 Reputation points Microsoft External Staff

2021-02-25T02:17:00.617+00:00
@mfranklin , Thanks for sharing here. And I am glad to hear that it is working now. Congratulations!

From the update I get from internal, I find the new company portal with fix deployed to Prod users publish in Google Play Store can fix our issue. @everyone, we can try to install the latest company portal to see if it is also working in our environment. Here are steps we can try:

Un-enroll the device from Intune.

Remove the old company portal from the Android 6.7 device.

Download the new company portal from Google Play Store.

Enroll our device into Intune again.

Thanks for your time and have a nice day!
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

16 additional answers

Crystal-MSFT 53,991 Reputation points Microsoft External Staff

2021-02-09T05:16:07.027+00:00

@Chrissy Nield , Thanks for the reply.

Here, I have find one Samsung knox device to test. Here are the process when I enroll the device via company portal. I find there's some change with the ELM. The screen I get are as below.

After it is enrolled, I find this device shows as "Android personally owned work profile"

Then I deploy a compliance policy for this device and choose "check device settings" in the company portal of the device. then it shows compliant in my portal.

From the picture, I find the user principle name shows none, In my test, it is shows as the user I sign in.

Could you sign in the user account into the company portal of this device and check device settings to see if the compliance policy can be applied.

If there's anything unclear, feel free to let us know.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Kirby, Ryan 1 Reputation point

2021-02-09T11:44:04.777+00:00

What version of Android does your test device have Crystal? We aren't seeing the issue with newer devices. The one I'm working on now is a Note 5 with Android 7.0
Please sign in to rate this answer.
Crystal-MSFT 53,991 Reputation points Microsoft External Staff

2021-02-12T02:57:35.523+00:00

@Kirby, Ryan , My test device is Glaxy S10 SM-G973U,, knox version3.4.1 Android version 10. I am also working,
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Chrissy Nield 26 Reputation points

2021-02-09T13:31:01.687+00:00

I am curious as to what Knox version is on the device that you are testing. I even had the user load the Secure Folder app in hopes that this would change the setup and that it would complete.

I will ask the user to check the compliance in the portal. We did this prior, but I do not recall the exact wording. On another device, enrollment freezes entirely. The Work Profile does not create.

Policies deployed. I did a check device several times on each of the 5 devices. The work profile policy does not clear because the privacy notification is never accepted for Knox. It is a strange glitch. Looks like I may have to take this one to MS for support. :-/
Please sign in to rate this answer.
Crystal-MSFT 53,991 Reputation points Microsoft External Staff

2021-02-10T05:48:52.223+00:00

@Chrissy Nield , The knox version I tested is knox 3.4.1. If your device is with low version, we suggest to perform an update and see if the issue can be fixed.
https://docs.samsungknox.com/admin/knox-platform-for-enterprise/faqs/faq-115013574647.htm
Mote: Non-microsoft link, just for the reference.

However, if the issue still persists, log analysis is needed. As Q&A has limitation on such cases, we suggest to open case to troubleshoot. here is the link for the reference:
https://learn.microsoft.com/en-us/mem/get-support
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Hemesh 6 Reputation points

2021-02-10T08:57:25.063+00:00

After I login with my work account, I get the following screenshots before I get the issue with the device waiting for the privacy notice to be accepted:
Please sign in to rate this answer.
Crystal-MSFT 53,991 Reputation points Microsoft External Staff

2021-02-10T09:34:30.58+00:00

@Hemesh , From the pictures you provided, it seems we choose Samsung's Knox Mobile enrollment. Could you double confirm on this?
https://learn.microsoft.com/en-us/mem/intune/enrollment/android-samsung-knox-mobile-enroll

Hemesh 6 Reputation points

2021-02-10T10:07:40.317+00:00

Hi, So these screenshots are not using the Knox enrolment... right? I have Knox on my phone so I'm confused why the company portal isn't following the same route to use knox enrolment as later versions of samsung phones?

Paul Kecun 21 Reputation points

2021-02-10T14:39:42.73+00:00

Just wanted to let you know you're not alone.

I'm experiencing the same problem on Samsung SM-T365, Android 5.1.1, KNOX 2.5 - this is the latest version of the OS / KNOX that the device supports.

The screenshot process is identical to enrolment as ours, after your final screenshot, we get a 'notification slice' for the 'managed Company Portal' which says 'Accept KNOX privacy notice to finish setting up your device', when we tap this nothing happens.

We have successfully enrolled these devices in the past (as recently as November I think), but when we've come to factory reset some in the last few weeks we're getting the above so our suspicion is a recent change in the Company Portal.

Hemesh 6 Reputation points

2021-02-10T15:36:33.137+00:00

Oooo, that's really interesting that it used to work previously before a recent update (makes me think I should have tried last year!).

I have tried the enrolment procedure that @Crystal-MSFT has mentioned to see if that works but no joy just yet.

Crystal-MSFT 53,991 Reputation points Microsoft External Staff

2021-02-11T05:43:35.71+00:00

@Hemesh , Thanks for the reply. I notice more and more customers have the issue. I will discuss with my TL and try to feedback. If I can get any update, I will post back.

Meanwhile, I also suggest to open case to do a log analysis to know if there's any new finding and if there's any compatible issue with new company portal.
https://learn.microsoft.com/en-us/mem/get-support

Thanks for the understanding and have a nice day!

Hemesh 6 Reputation points

2021-02-11T08:14:12.593+00:00

Thanks @Crystal-MSFT , I will keep hope you're able to find what may have caused this. I went to the endpoint manager as suggested, but my IT department have not given me access to the Intune section on there so I am unable to look further :(

Crystal-MSFT 53,991 Reputation points Microsoft External Staff

2021-02-12T03:01:22.873+00:00

@Hemesh , I will try my best to see if I can get any response. But ii can't guarantee it. I appreciate that if anyone get a solution after opening a case can also share here to help others.

Thanks and have a nice day!
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.