Issues in reverting Knox Policies in Samsung devices upgraded from Android 9 to 10

Description

An issue has been detected in Samsung devices upgraded from Android 9 to 10, which resulted in the loss of Knox Platform for Enterprise (KPE) functionalities in Android Go and One UI Core devices. Knox Platform for Enterprise (KPE) enables you to manage the Knox container and Knox APIs on Samsung devices and provides advanced security features such as customizing factory reset settings, enforcing passcode policy, web content filtering, etc. On One UI Core and Android Go devices running Android 9.0 and above, Samsung deprecated the Knox Platform for Enterprise features and replaced them with Android Enterprise, since these devices by design do not support the "Secured by Knox" designation, due to lack of hardware support.

Problem

Due to a defect in Android 9, some of the deprecated KPE features that were supported in earlier versions of Android One UI Core and Android Go devices were not discontinued, which allowed the security restrictions to continue being applied to these devices from MDM. In the Android 10 release, Samsung fixed this issue, so the KPE functionalities are deprecated on Android One UI Core and Android Go devices starting from Android 10. Hence, when Android One UI Core or Android Go devices are upgraded from OS 9 to OS 10, MDM can no longer configure the KME features and the KPE security restrictions applied to the devices, affecting the management of these devices.

According to Samsung, the only devices impacted by this issue are devices that do not support Knox, including One UI Core and Android Go devices.

Resolution

  • When the issue has already occurred

    If the devices have already been updated from Android 9 to Android 10, follow the steps given below to regain device control.

    1. If you have not imposed a restriction to prevent users from revoking management or factory resetting the device, you can manually remove device administrator capabilities for the ME MDM app. This will revoke all the Knox restrictions set on the device.
    2. If you are unable to remove device administrator capabilities, and if you have not imposed a restriction to disallow factory resetting the device, you can factory reset the device.
    3. If you cannot factory reset the device, you can contact and visit your local Samsung service center where they can resolve the issue.

    Once device control is regained and the Knox policies are removed, re-enroll the device as Device Owner. With the newly updated ME MDM application, device policies will be enforced using Android APIs instead of Knox APIs.


  • To prevent Knox-related issues

    If the devices have not yet been updated from Android 9 to Android 10 and are currently enrolled with the MDM server, follow the steps provided below.

    1. Unenroll the device from your MDM server or factory reset the device. This revokes all of the Knox policies that were applied on the device.
    2. Update the current version of the ME MDM app to the latest version on the MDM Console.
    3. With the newly updated ME MDM app, re-enroll the devices with the MDM server as Device Owner. Once the updated ME MDM app is installed, the device will be detected as running Android - Others or Android Go, and all the policies will be enforced using Android APIs instead of Knox APIs. Therefore, no Knox-related issues will occur if and when the devices are upgraded to Android 10.
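The following shell helper is an added example, not part of this article or of the ME MDM product: it sorts a Samsung device into the two resolution branches above from standard Android properties (ro.build.version.release, ro.config.low_ram, ro.product.manufacturer) and confirms Device Owner state from `dpm list-owners` output. The mapping of those values onto the branches, and treating ro.config.low_ram=true as the Android Go indicator, are assumptions; One UI Core devices have no equivalent property here and must be flagged from your MDM inventory.

```shell
# Triage helper for the upgrade issue described above (added example, not part
# of the ManageEngine article). The getprop names and dpm command are standard
# Android tooling; mapping their values onto the article's branches is an assumption.

# classify RELEASE LOW_RAM MANUFACTURER, from getprop ro.build.version.release,
# ro.config.low_ram ("true" on Android Go) and ro.product.manufacturer.
# Prints one label naming the branch of the resolution that applies.
classify() {
    release=$1; low_ram=$2; manufacturer=$3
    major=${release%%.*}
    case $major in
        ''|*[!0-9]*) echo "unknown:release-$release"; return 0 ;;
    esac
    case $manufacturer in
        [Ss]amsung) ;;
        *) echo "not-affected:not-samsung"; return 0 ;;
    esac
    # Android Go is visible through ro.config.low_ram; One UI Core devices carry no
    # equivalent property here, so those must be flagged from the MDM inventory.
    if [ "$low_ram" != "true" ]; then
        echo "unknown:check-inventory-for-one-ui-core"; return 0
    fi
    if [ "$major" -ge 10 ]; then
        echo "upgraded:regain-control-then-reenroll-as-device-owner"
    else
        echo "at-risk:unenroll-update-app-reenroll-as-device-owner"
    fi
}

# is_device_owner OUTPUT: succeeds when `dpm list-owners` output reports a
# Device Owner, which is the state re-enrollment should leave the device in.
is_device_owner() {
    case $1 in
        *"Device Owner"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run both checks over every device currently attached via adb.
triage_connected() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
        p() { adb -s "$serial" shell getprop "$1" | tr -d '\r'; }
        owners=$(adb -s "$serial" shell dpm list-owners | tr -d '\r')
        label=$(classify "$(p ro.build.version.release)" "$(p ro.config.low_ram)" "$(p ro.product.manufacturer)")
        is_device_owner "$owners" && label="$label device-owner"
        echo "$serial $label"
    done
}
```

Run `triage_connected` with the affected devices attached over adb; each line names the branch to follow, and a trailing `device-owner` confirms the re-enrollment step took effect.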


For more details, refer to this document.