SOTI Pulse Logo

Android devices not enrolling via AE or Android +.

OD
Ole, Daugaard
Twise I/S

Hi,

I already have a case for this(C00275940), but just wanted to check if anyone might have a suggestion.

Issue:

Devices of various (7.0+) Android builds, networks (4G, Wi-Fi) and OEMs cannot enroll (times our when trying to connect to server in MC agent) after a DNS update. Everything is marked green by admin util. and already enrolled devices connect just fine.

If I manually enter the enrollment page in a browser, then it is properly displayed and accessible from all devices and networks (available from on internet).

The weirdest is however, that when testing alongside support, THEY where able to enroll devices to the environment. None of us have been able to explain this behaviour yet.

For now we have fetched ADB-logs which is then to be submitted to development. I however just have a feeling this has to do with the DS certificate. Even though this is mapped to the correct hostname and everything is marked green (And support was able to enroll their test device.).

This entry is repeated in the ADB logs during enrollment: 11-01 15:37:18.310 8859 8917 E soti : Caused by: java.security.cert.CertificateException: Certificate with Issuer: 2.5.4.46=#132433323346343431352d304146332d343139392d424430432d363433323331424246454243,CN=MobiControl Root CA and Subj: CN=MobiControl Server is not trusted

Brgds,

Ole

android enrollment android-enterprise android-plus certificates
7 years ago
Android
ANSWERS
MD
Matt Dermody Diamond Contributor
7 years ago

Your DNS name changed for your SOTI server? If so I think you're going to need a new server certificate that reflects that change otherwise a Nougat Android device is going to reject it. I'm guessing that the devices SOTI support tested with are either not on Nougat or may have a the MobiControl Root CA already installed manually in the keystore on the device. 

OD
Ole, Daugaard
7 years ago

Hi Matt,

Thanks for the reply. 

Yes, the DNS records for the server was changed. But the new DNS-name is also reflected in the details for the DS certificate. So as far as I know that should be ok.

In regards to 7.0(Nougat), has there been less strict certificate handling in prior Android versions since you mention this? I didn't verify which versions they used, but I know the performed factory resets of the devices, thus I didn't expect the Mobicontrol Root CA to be trusted upon enrollment after that(maybe some settings persist)?

Thanks!

Ole

MD
Matt Dermody Diamond Contributor
7 years ago
OD
Ole, Daugaard
7 years ago (edited 7 years ago)

Just tested when enrolling 5.1.1 device, and after releasing enough licenses it works. And I also noticed that the testdevice from Soti was Len. 6.0. So really nice to know with the API updates to 7.0, now at least part of the issue has been explained.

Thanks! 

Similar Discussions