Zebra Android 10 devices fail to remote enroll due to lack of public DNS resolution to the DS FQDN

Don Tienter
Supply Chain Services LLC

I am remotely AE enrolling Zebra devices to an on-premise Deployment Server.   The on-premise DS network has a public IP address and firewall rules that will NAT ports 5494 and 443 to the DS.  This is restricted even further by only allowing this traffic from the remote public IP address that the device is being enrolled from.  The FQDN of the enrollment Rule and DMA are published in a private DNS zone local to the enrollment location.   
On Android 8, Zebra devices will properly resolve to the local DNS and enroll in the remote DS properly.   
The Zebra Android 10 devices will not resolve the local 

The DS and DMA FQDNs are published in a local DNS zone but not in a public DNS.  The GoogleMobiControl Agent on Zebra Android 8 devices will resolve to the local DNS and enroll properly.  The same agent on Zebra Android 10 will not resolve the local DNS and the agent will fail to connect to the DS without a public DNS entry.   
The agent enrollment error with an enrollment ID is “Fail to connect to Server”. Using the enrollment URL, the error is “Invalid URL”.
On the Zebra Android 10, the WiFi utilities will resolve the DNS FQDN as will Chrome resolve to the MS Web Console login (same FQDN).  
It seems that only the GoogleMobiControl Agent will not resolve a local DNS Zone on Android 10.

I tried this using the current agent:  GoogleMobiControl1513_1071.apk and an older agent: GoogleMobiControl1450_1011.apk with the same results.  I have not tested this with other mfg devices i.e. Samsung.

I have two scenarios where the on-prem DS/DMA FQDN is also a public domain  i.e. DSserver.mycompany.com where the host can be added to that public DNS zone.  

I have additional scenarios where the DS/DMA FQDN is internal i.e. DSserver.mycompany.local and cannot be published to public DNS.  I cannot enroll Android 10 devices to those DS servers remotely.  

Any thoughts?

3 years ago
SOTI MobiControl
ANSWERS
NTMOD@SOTI Bronze Contributor
3 years ago

Hi Don,

In addition to the last message, please advise the details for the below:

1. How many devices do you have an issue with for web-based remote control? Can you remote control using the Legacy remote control?

2. Please check if you have a SHA2 certificate on the MobiControl Administration Utility. From Android 10 onwards, you will require a SHA2 certificate to be able to enroll the device.

3. Please share the exact error message when you were trying to remote control the device.

Thank you.

Kind Regards,

Don Tienter
3 years ago

Nucharee

Based on the fact that Android 8 and Android 10 devices enroll correctly on premise and Android 8 devices enroll correctly remotely, your suggested troubleshooting steps are not applicable.

The issue is with the GoogleMobiControl agent on Android 10.  It will not resolve the FQDN of the enrollment URL returned by mc-enroll.soti.net or if the URL is entered directly into the agent.  The agent fails to connect to the MobiControl Server because it cannot resolve the address. This failure only occurs if the Android 10 device is remote and the FQDN is in a DNS lookup local to the device.  If the FQDN is in public DNS, then the agent will resolve it.

NTMOD@SOTI Bronze Contributor
3 years ago

Hi Don,

We would like to check if the WiFi that the device is connected to can reach the Deployment server FQDN on port 5494.

Please connect a laptop to the same WiFi network that the affected device is connected to. Then please use a laptop to telnet the Deployment server FQDN on port 5494 and advise the result.

Note

The Deployment server FQDN can be found on the MobiControl Utility Administrator > Primary Agent Address > copy it and paste in the cmd command.

For example, the Primary Agent Address is Primary Agent Address. The command will be as per the example below.

telnet abcd.mobicontrol.com.au 5494
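
The reachability check requested above, as an added example that is not part of the original thread or SOTI tooling: run from a laptop on the same WiFi network, it reports separately whether the FQDN fails to resolve or resolves but refuses the TCP connection, which is the distinction the thread turns on. The function name `check_endpoint` is hypothetical; the default ports 5494 and 443 are the ones named in the original post.

```python
import socket
import sys


def check_endpoint(host, port, timeout=5.0):
    """Classify reachability of host:port using the system resolver.

    Returns (status, addresses) where status is one of:
      "dns_failure" - the name did not resolve at all
      "tcp_failure" - the name resolved but no address accepted a connection
      "ok"          - a TCP connection was established
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        # Resolution failed: the resolver in use has no record for this name.
        return "dns_failure", []

    addresses = sorted({info[4][0] for info in infos})
    for family, socktype, proto, _canon, sockaddr in infos:
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
                return "ok", addresses
        except OSError:
            # Refused, filtered or timed out on this address; try the next.
            continue
    return "tcp_failure", addresses


if __name__ == "__main__":
    # Usage: python check_ds.py <DS FQDN> [port ...]
    if len(sys.argv) < 2:
        sys.exit("usage: check_ds.py <DS FQDN> [port ...]")
    fqdn = sys.argv[1]
    ports = [int(p) for p in sys.argv[2:]] or [5494, 443]
    for port in ports:
        status, addrs = check_endpoint(fqdn, port)
        print(f"{fqdn}:{port} -> {status} {addrs}")
```

A `dns_failure` result on the laptop means the WiFi network's DNS is not serving the zone; an `ok` result alongside a failing agent points back at how the device itself resolves the name.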