SOTI Pulse Logo

Fusion Profile/Certificate install issue

LG
Levi Gallion
Speedway LLC

Recently we had changed our root DMZ certificate for our Zebra/Symbol MC3190 and MC3200 devices however we are having a lot of trouble with wireless connectivity on multiple devices after it went live. After the change, we are noticing that some of our Fusion profiles are not connecting anymore even after verifying our wireless settings are correct and that the correct certificate is bound to the correct profile we want to use, not all of our production devices have experienced issues. We deleted the old root certificate as well. We can use bar-code provisioning for our MC3200 devices to install a “support” profile as well as delivering the new bar-code embedded certificate which works pretty well but doesn’t stick. What we are seeing is that the certificate delivered from the bar-codes for the 3200 handhelds is disappearing each day when the device is rebooted or has a battery swapped out.

Here is the tricky part, each store has its own folder for district>region>store and each store folder has individual wireless settings. Due to this structure I was not able to use the cold boot persisting bar-codes due to the fact that it leaves copies of the said profile on the handheld (if stores use the codes more than once) and we only want the device to use the store profile we created and not the "support" profile assigned by the bar-codes. It seems that the store profile is our point of failure but I am unable to determine if this is a device issue, or a profile issue. Is it possible that the individual store profile is carrying a conflicting certificate and is somehow and overriding the new root cert that we pushed out via a blanket profile over all of production? If this is the case would it require manual removal of the root certificate from each store profile?

When we rolled out the new certificate we used a profile with the new root cert attached and assigned it to our production environment in phases. We then used the reporting feature to check to ensure all of our production devices received the new profile and reported "installed". We remoted in and verified the new certificate installed on a number of device's root cert store, but we are still seeing issues after the original cert expired. Is there any way the Fusion profile could get corrupted due to the certificate update? We are looking for a way that we can potentially re-provision our devices offline as they are now disconnected and we do not use networked charging cradles that can reach the deployment server in the stores. We are fervently trying to avoid needing to physically replace these units if possible. We appreciate any help or insight you can provide.

Thanks

fusion profiles certificates
7 years ago
SOTI MobiControl
ANSWERS
S
Scott
7 years ago

Need more details.  Are these WM or Android?  What is the network authentication mechanism?  EAP-TLS?  Are you doing mutual authentication or just server side (are your clients configured to validate the EAP server)?  You are using terms that have multiple meanings depending on context.  I assume you are always using "profiles" in the Fusion profile context, not the MC profile context, correct?  You say they are not "connecting" anymore.  Not connecting to the MC server or not even connecting to wireless?  If wireless, do you have the device side fusion client logs?  What do they indicate?  I assume you are using a RADIUS server to authenticate the device certs.  What is in the server logs?  What do you mean by "support" profile?  Do you have a special SSID that devices can use a "support" profile to connect?  If the devices are now disconnected, what mechanism are you imagining that you would use to reconfigure these devices?  Just need some clarification.

Similar Discussions