Ryan Haines / Android Authority
TL;DR
Samsung Galaxy phones are among the best you can buy for enterprise use, thanks to features such as hardware root of trust via Knox Vault, an irreversible e-Fuse to detect firmware tampering, and the Knox Suite for managing devices at scale. But over the past few months, non-enterprise users have been encountering a “digital brick” scenario that weaponizes some of these very features, effectively locking them out of their own phones.
We’ve spotted several Galaxy S22 Ultra owners complaining (1, 2, 3, 4) that their phones are allegedly locked after a factory reset.
The sequence is identical in almost every case: After a reset, users connect to Wi-Fi to begin the standard Android setup. However, before they can sign in to their Google account, they are intercepted by the Knox Mobile Enrollment (KME) Provisioning Screen with the message “This Galaxy S22 Ultra isn’t private,” stating that the phone is managed by an organization and that all data and activity are visible to a remote IT admin.
However, the kicker here is that the phones are allegedly not provisioned through an organization at all and are not part of a corporate fleet. These phones are said to have been purchased through Samsung via standard retail channels, with no affiliation or connection to any company.
There are a few telltale signs of this being shady. For starters, the admin app is titled “SAMSUNG ADMIN” in all caps, and bears the logo with the words “FRP UNLOCK SAMSUNG.” The company mentioned is “Numero LLC,” which doesn’t appear in US company records (one of the screenshots shows “5G UC,” which means the phone is on T-Mobile’s “Ultra Capacity” network, and thus based in the US), though we could spot a link to South Korea.
Don’t want to miss the best from Android Authority?
Users have attempted to bypass this by performing multiple factory resets and even manually flashing firmware with Odin, but the lock remains. This is because the handshake happens at the IMEI level.
When the phone pings Samsung’s Attestation servers during setup, the servers check their database and see that the IMEI is “claimed” by Numero LLC. It then pushes a mandatory MDM (Mobile Device Management) profile to the phone. Because this occurs at the firmware level within the Setup Wizard, the user is stuck in a “catch-22”: accept a compromised phone with a remote “ghost” admin, or end up with a phone that cannot be activated or used.
Another possibility is that attackers may have exploited vulnerabilities in Knox, such as the recent CVE-2026-20978, spotted in KnoxGuard, which allows unauthorized parties to bypass ownership checks and tamper with enterprise management settings. However, this requires having physical access to the phone at some point.
The “FRP Unlock” branding also suggests that these hijacks might be a side effect of users previously using shady third-party unlocking services that may have harvested their IMEIs.
If you find yourself on this screen, your only legitimate recourse is to contact Samsung Support with your original proof of purchase and demand an “IMEI Unenrollment.” However, users report being stuck in a support loop: Samsung Support redirects them to Knox technical teams, who claim they lack the tools to modify enterprise records, and then redirects them back to Samsung Support. So brace yourselves for a phone that’s been digitally bricked.
We’ve reached out to Samsung to learn more about this issue. We’ll keep you updated when we hear back from the company.
Thank you for being part of our community. Read our Comment Policy before posting.
Leave a comment