Android Agent 8.0
Prior to the release of AirWatch Agent v8.0 for Android, AirWatch had no mechanism to communicate to the AirWatch Console when users manually deleted certificates from Android device. This resulted in certificates not being automatically revoked and reissued. To resolve, AirWatch introduced a new flag (in the form of a placeholder certificate) in AirWatch Agent v8.0 for Android to report if a device certificate was removed/missing and to revoke that certificate.
Following the release of AirWatch Agent v8.0 for Android, AirWatch was not checking the device’s key store correctly, preventing installed certificates from being detected. The certificates were revoked due to the placeholder flag being sent.
AirWatch implemented the following fixes:
- Bug fix in Samsung ELM Service v4.0: Fixed an issue with detecting certificates for devices not enrolled in Samsung Knox.
- Bug fix in AirWatch Agent v8.0 for Android: Referenced the “Enable TIMA Keystore” flag as indicating if the certificate is installed inside the Knox container, or outside the container.
If “Enable TIMA Keystore” is unchecked, the certificate is not detected. This caused the placeholder flag to be sent, causing the certificate to be revoked.
Also, as part of an Android security feature, after a device was rebooted and before the device is unlocked, AirWatch does not have access to credential storage to scan for certificates. This caused the placeholder flag to be sent causing the certificate to be revoked.
Workaround if “Enable TIMA Keystore” is NOT checked:
Check the “Enable TIMA Keystore” box in the Container Credentials profile and re-publish it the profile which reissues certificates to devices. If this is done before certificates are revoked, it will not cause any disruption in email, VPN, or any other certificate-based access for users.
Implications for Customers
AirWatch is planning to make the following changes to the next major AirWatch Agent for Android version:
- Ignore the “Enable TIMA Keystore” setting for certificate reporting, so that Container certificates will always be detected properly.
- If the device is locked after a reboot, AirWatch will not send a certificate sample to prevent incorrect data from being reported. AirWatch will wait until the user has unlocked the device to report the certificates.
Note: The ELM Service must be upgraded to 4.0+ prior to upgrading to Agent 8.0+.
Our product team has been engaged and is looking to resolve the issue.