Gmail, VPN apps stop working on Samsung phones running Microsoft Intune
Enterprise users of Microsoft Intune have reported that after updating their Samsung smartphone to Android 12, they are unable to use some email and VPN apps like Gmail and AnyConnect VPN (via SamMobile).
According to Microsoft, the access problem is caused by the update to Android 12, which causes some apps to lose access to certificates assigned and deployed before the update, thus prohibiting users from using the apps. Devices with certificates enrolled after upgrading to Android 12 are not affected.
Although Microsoft and Samsung are currently working on a fix, Microsoft has provided two workarounds for the access issue on its website: one for the AnyConnect VPN app and one for the Gmail app.
Workaround for the AnyConnect VPN app certificate issue
Users of the AnyConnect VPN app will see a prompt saying that the app can't find the client certificate needed for the connection and that a valid certificate needs to be chosen. To resolve the issue, Microsoft suggests clearing the app's data cache.
To clear the AnyConnect VPN app's data cache, go to Settings > Work Profile > Apps. In the Apps menu, select the AnyConnect VPN app, then Storage > Clear Data.
After you have cleared the data cache, open the AnyConnect VPN app. Upon opening, the app will display a popup prompt requesting certificates. To resolve the issue, choose the certificate.
Workaround for the Gmail app certificate issue
Upon opening the Gmail app, users will be asked to select a certificate. When users select the certificate, the app will display the error message "Can't reach server." According to Microsoft, there are two ways to resolve the issue. The first is for users to reinstall the work profile and Company Portal from their device. The second requires an IT administrator to re-add the Gmail device configuration.
Using the user device to resolve the problem
Open the Company Portal app, select Menu, then tap on Remove Company Portal. After that, open the Google Play app and find the Intune Company Portal app. First uninstall the app, and when the uninstallation is complete, install the Intune Company Portal app again, open it, and sign in. According to Microsoft, Gmail should now work as expected.
Resolving the issue using IT administrator action
Navigate to the Microsoft Endpoint Manager administration center, create an exclusion group for the Gmail app, and add the users to the group. Then sync the policy on the Android device and confirm that the Gmail app has been uninstalled. Once the Gmail app is removed, remove the users from the exclusion group. Then confirm that the Gmail app has been added to the device again; Gmail should now work in the work profile as expected.