Warning with fully managed Samsung devices and Intune

Posted by Jameson21@reddit | sysadmin | 7 comments

We ran into a pretty serious issue while testing Samsung deployments with Knox Service Plugin (KSP). If you deploy an Intune OEMConfig device config profile through KSP that blocks device reset or wipe, it’s not just an Android-level restriction. It’s enforced at the firmware level, including recovery. Here’s where it goes sideways. Intune will still let you send a wipe command. It reports success, removes the device from Intune, but the phone only clears company data and never actually resets. After a reboot, KSP is still there enforcing the same policy. At that point, you’re basically stuck. Download Mode appears to be disabled on newer firmware, and since the OEMConfig policy is still applied, there’s no way to undo it or reflash the device. You end up with a device that technically works, but is no longer manageable or usable. Bottom line, the setting can be useful for preventing wipes, but Intune doesn’t check for it before allowing a wipe command. That’s a pretty bad design oversight on Microsoft’s part.
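The post's point is that the wipe command is issued without checking what the assigned OEMConfig profiles will do on the device. The following Python is an added example, not code from the post, from Microsoft or from Samsung: a tenant-side pre-flight guard that walks the settings of every OEMConfig profile assigned to a device and refuses to proceed with a wipe when a reset-blocking restriction is present. The profile shape (`displayName`, `assignedDeviceIds`, `settings`) and the restriction key names (`allowFactoryReset`, `disableRecoveryReset`) are assumptions for illustration; substitute the real KSP schema keys and feed it the profiles exported from your tenant.

```python
"""Pre-wipe guard: refuse a wipe for devices whose assigned OEMConfig profiles
block a factory reset. Added example; profile layout and key names are assumed."""
import json
from typing import Any, Dict, Iterator, List, Tuple

# Setting keys that, when carrying the listed value, prevent a factory reset.
# ASSUMED names for illustration; replace with the keys from your KSP schema.
RESET_BLOCKING_SETTINGS: Dict[str, Any] = {
    "allowFactoryReset": False,
    "disableRecoveryReset": True,
}


def _walk(node: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted_path, value) for every leaf of a nested OEMConfig bundle."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")
    else:
        yield path, node


def blocking_settings(profile: Dict[str, Any]) -> List[str]:
    """Return the dotted paths of settings in this profile that block a reset."""
    hits: List[str] = []
    for path, value in _walk(profile.get("settings", {})):
        leaf = path.rsplit(".", 1)[-1].split("[")[0]
        if leaf in RESET_BLOCKING_SETTINGS and value == RESET_BLOCKING_SETTINGS[leaf]:
            hits.append(path)
    return hits


def plan_wipe(device_id: str, profiles: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Decide whether a wipe for device_id is safe given its assigned profiles."""
    conflicts = []
    for profile in profiles:
        if device_id not in profile.get("assignedDeviceIds", []):
            continue
        hits = blocking_settings(profile)
        if hits:
            conflicts.append({"profile": profile["displayName"], "settings": hits})
    return {
        "deviceId": device_id,
        "allowed": not conflicts,
        "conflicts": conflicts,
        "action": (
            "send wipe" if not conflicts
            else "relax or unassign the listed OEMConfig profile, confirm the "
                 "device re-synced the change, then wipe"
        ),
    }


# Constructed sample profiles (not real tenant data).
SAMPLE_PROFILES: List[Dict[str, Any]] = [
    {
        "displayName": "KSP - Kiosk lockdown",
        "assignedDeviceIds": ["dev-001", "dev-002"],
        "settings": {
            "deviceRestrictions": {"allowFactoryReset": False, "allowUsbDebugging": False}
        },
    },
    {
        "displayName": "KSP - Baseline",
        "assignedDeviceIds": ["dev-003"],
        "settings": {"deviceRestrictions": {"allowFactoryReset": True}},
    },
]

if __name__ == "__main__":
    for dev in ("dev-001", "dev-003"):
        print(json.dumps(plan_wipe(dev, SAMPLE_PROFILES), indent=2))
```

Run the guard before any bulk wipe job: a device whose result carries `"allowed": false` needs its restriction relaxed and re-synced first, otherwise the wipe reports success while the policy survives on the device exactly as the post describes.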