NFC Device Owner Provisioning and Knox

Question

Firstly, apologies if this is an inappropriate place for this question as it is not strictly a code question but I am struggling to find any relevant resources anywhere else.

We have a solution based around using a Samsung devices, currently S7s, as a fully managed device with an application registered as "Device Owner" which then manages some additional files and applications necessary to the product. This is provisioned onto the device via NFC after factory resetting, via another phone running a custom application to generate the NFC message.

This is all done independently of any MDM or EMM system, with the Device Owner application provided by a server on our closed network, and it is all handled by native android functionality rather than involving knox at all.

This was originally developed on S7s running android version 6.0 and Knox 2.7 and worked perfectly.

However, we are currently in the process of setting up a duplicate system that ideally needs to function exactly the same as the previous but the devices we ordered now come with Android version 8.0 and Knox 3.1 and this seems to be the source of some issues.

On the first attempt at provisioning the device via NFC as before the process succeeds and the device owner is set successfully, seemingly without any issues.

When the device was then factory reset to test the process again however, after the NFC message is sent a popup is instantly shown saying: "Cannot create work profile" "The security policy prevents the creation of a managed device because a custom OS is or has been installed on this device"

This is happening before the phone even attempts to connect to the network and download our application, so the issue cannot be there.

The phone was new out of the box and had never even been set up before being initially provisioned, so there is zero chance an actual custom firmware has been deployed and just for sanity sake I verified that the Knox warranty void bit was still set to 0x0 which it was.

I know that as of Knox 3.0(?), it was much more heavily integrated with the built in android enterprise functionality but I was under the impression it could still be used without and ideally I would like to avoid having to do any unnecessary Knox SDK integration. If there is something I have to do through Knox to allow this functionality as currently the devices are essentially useless after one factory reset.

If anybody has any insight why this would be happening or how I could resolve it, that would be greatly appreciated.

Answer 1

In case anybody experiences this same issue, I received a response from a Samsung employee:

This is an issue related to DRK and is due to an invalid time certificate on the device. To fix this, you will need update the time on the device by either connecting to wifi or cellular data, or by manually changing it in the set-up screen. After this is done you will be able to provision the device.

(https://seap.samsung.com/forum-topic/knox-and-nfc-device-owner-provisioning)

Seems to be a bug with the Samsung operating system, or perhaps an intentional decision to help negate a security concern.

Anyway, I hope this helps someone in the future.