Work profile and user certificates.
We are using Android with "Work profile".
We have company private certificates installed in the work profile in the user tab (private company certificate chain pushed by Intune).
And all applications which are using AAD authentication are supposed to use these certificates in order to validate the STS certificate chain (ADFS authentication). But it seems that all applications do not have access to the "user work profile" certificate store, as the chain is not validated (STS not trusted for an application launched from the work profile).

Note1:
Our STS has 2 interfaces:
- one exposed publicly with a public certificate chain (which is checked using the system certificate store). And authentication is working on this one. The certificate chain is trusted.
- one exposed privately with a private certificate chain (which should be validated using the "user work profile" certificate store). But authentication is NOT working. The certificate chain is not trusted.

Note2:
If we install our company certificates (the same ones as before) in the "user personal profile" and we launch the application from the personal profile (and use the same internal network), then the authentication works (the certificate chain is trusted!).

Question:
- What is the difference between the "user work profile" certificate store and the "user personal profile" certificate store? For me it should be the same: the first one is used by applications launched from the work profile, and the second one is used for applications launched from the personal profile.
- Why does an enterprise application trust a site with the certificates installed in the "user personal profile" and not with the "user work profile" certificate store? How can we solve this issue?
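An added diagnostic, not code from this thread or from Intune/Microsoft: a small Android helper that lists which CA store entries the running app can see in the profile it runs in (Android's "AndroidCAStore" KeyStore prefixes aliases with "system:" or "user:") and then asks the app's own default trust manager whether it accepts the STS chain. Run it from an app in the work profile and again from the personal profile; the class name and the `stsChain` parameter (the server chain captured from the STS endpoint) are assumptions of this example.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class ProfileTrustCheck {

    /** Aliases in the CA store visible to this app. The Android "AndroidCAStore"
     *  KeyStore prefixes aliases with "system:" or "user:", so calling this with
     *  "user:" shows whether the Intune-pushed chain is present in this profile. */
    public static List<String> visibleCaAliases(String prefix) throws Exception {
        KeyStore caStore = KeyStore.getInstance("AndroidCAStore");
        caStore.load(null, null);
        List<String> out = new ArrayList<>();
        for (Enumeration<String> e = caStore.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (alias.startsWith(prefix)) out.add(alias);
        }
        return out;
    }

    /** Asks the app's default trust manager (which applies the app's network
     *  security config) whether it accepts the STS chain. "Present in the store"
     *  and "trusted by this app" differ: apps targeting API 24+ ignore user-installed
     *  CAs unless their network security config opts in, so a browser and an
     *  enterprise app in the same profile can disagree. stsChain is assumed leaf-first. */
    public static String checkStsChain(X509Certificate[] stsChain) {
        try {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                    TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null); // null = the platform/app default trust store
            for (TrustManager tm : tmf.getTrustManagers()) {
                if (tm instanceof X509TrustManager) {
                    ((X509TrustManager) tm).checkServerTrusted(stsChain, "RSA");
                    return "trusted";
                }
            }
            return "no X509TrustManager available";
        } catch (CertificateException ex) {
            return "NOT trusted: " + ex.getMessage();
        } catch (Exception ex) {
            return "error: " + ex;
        }
    }
}
```

If `visibleCaAliases("user:")` is non-empty in the work profile but `checkStsChain` reports "NOT trusted", the chain is installed but the app's trust configuration does not use it; if the list is empty, the certificate push itself did not reach that profile.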
All Replies (7)
Hello Cyril,
Do you encounter this issue on only one device or across several OS versions and device manufacturers?
 
Certificate Installation should be handled by Intune directly, so you might also want to create a ticket with them.
 
Best,
Hi Jeremy,
This happened on multiple device types. I personally think it is not a device issue, but I do not have many enrolled devices to test... I personally tested with 2 mobiles of type "Samsung Galaxy A6". All users who try this functionality seem to have this issue, but I don't know which type of Android phone they were using. This functionality is in pilot for Android.
I was not thinking it could be related to the phone because from a public wifi, all seems to work.
I was thinking it could be related to:
- the system: work profile which does not work..
- Intune: does not push the AD certificate chain correctly (but the chain is in the user work profile, and the AD URL seems to be ok for mobile browsers)
- the AD: the way private certificates are generated by the infrastructure teams for the AD. But not easy to test because it is the internal interface which did not work, so I can't use online diagnostic tools... The public interface of the AD which is using a public certificate is working fine..
Seems like a complicated issue, so would definitely recommend looping in the EMM. As you said, there are many possible causes. A smart step here would be to use a website like https://server.cryptomix.com/secure/ to test whether apps in the Work Profile have access to the cert and to compare the certs you are testing in the work side vs personal side. When you browse to this site, it asks you to choose a cert for authentication. It then presents you some details about the certificate that you chose. 

If you're able to choose the cert while accessing the site, that suggests that all apps in the WP have access to the cert. You can then run this test using the non-working cert in the WP and the working cert in the personal side to compare.

Not a solution to your issue, but it helps narrow it down.
Hey, I have been having this same problem for well over a year. I've been through every possible troubleshooting step with Microsoft and am no closer to understanding the issue. I can definitely say that this used to work a couple of years ago. I'd really love to get to the bottom of it.

For my scenario, I'm deploying internal PKI certs to users' devices using Intune SCEP (iOS and Android, both work and non-work profile) and only get the 'no valid certificate found' issue on the work profile Android devices. I deploy a user certificate, the issuing CA cert and the trusted root cert. Using a handy app in the Play Store called My Certificates, I can inspect the certs in the work profile cert store and see that the certs in question have been deployed. I can also see in Intune that the affected devices have successfully enrolled. This is all also mirrored on our internal PKI where I can see the certs being generated.

Our login process would be to navigate to a 3rd party app or website that we secure with Azure AD. This will then attempt to log our users into their Microsoft account which is secured by our on-prem ADFS. A brief moment passes whilst the web page/app searches for a valid cert and then the error pops up. This is accompanied by an error on our ADFS server following the same pattern, e.g. no valid certificate supplied in the request.

I'm absolutely certain this is a work profile certificate store trust issue of some kind but figuring out how to fix it has been a real struggle. I'll certainly test the URL above but would love to chat to anyone who knows anything about this. I'd be happy to DM more information if it helps get to some kind of fix.

Update: I've tried the server.cryptomix.com URL in a browser in the work profile and it shows me a list of my certificates... I'm not sure if that's good or bad at this point. Using the exact same Chrome browser session to browse to my company ADFS page results in the 'no valid certificates' error. How can the same browser both work and fail depending on the URL?
Dear All,

If someone can help me in this regard. I have a Pixel 4a; when I first set up the mobile, I created a work profile with a briefcase icon. I deleted it by mistake. Now I am trying to add it every way but it's not going on. Please help me in this regard...!
Hi Paul Glover 795. Thank you for your response.
Your issue looks very similar to what we have. But the workaround did not seem to work for us.
Our infrastructure team tried to add certificates to the root, but it did not solve the issue. In our case the traffic is direct from the mobile to the STS internal interface. No WAP involved. The mobile client directly connects to ADFS.
Any other good idea like this is welcome.