042: Knox Attestation

Overview

Specify if the Samsung Knox device attestation check is required. Only unmodified devices that have been verified by Samsung can pass this check. For the list of supported devices, see samsungknox.com.

By using this setting, Microsoft Intune will also verify communication from the Company Portal to the Intune Service was sent from a healthy device.

Actions include:

Warn - The user sees a notification if the device doesn't meet Samsung Knox device attestation check. This notification can be dismissed.

Block access - The user account is blocked from access if the device doesn't meet Samsung's Knox device attestation check.

Wipe data - The user account that is associated with the application is wiped from the device.

Note: The user must accept the Samsung Knox terms before the device attestation check can be performed. If the user doesn't accept the Samsung Knox terms, the specified action will occur.

Note: This setting will apply to all devices targeted. To apply this setting only to Samsung devices, you can use "Managed apps" assignment filters.

Reference

• https://techcommunity.microsoft.com/t5/microsoft-intune-blog/hardware-backed-device-attestation-powers-mobile-workers/ba-p/3881209
• https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-android#device-conditions