Staging Wifi requirements

MaikStrassmann
KWS SAAT SE

Hello Soti community,


After several years of talking about it, I may now have the opportunity for a staging wifi. This of course opens up a few doors in terms of automation and improvements.

Our Soti server is an OnPrem installation which is not accessible from the internet.
Is it sufficient for the staging wifi if it only reaches the Mobicontrol server?
Are all other necessary servers/ports then routed from the Mobicontrol server, or do I also have to get there from the staging wifi, like the Google services?

Or somewhere else?

(https://www.soti.net/mc/help/v14.2/en/setup/installing/network_ports.html)

We only deal with Android Plus and Enterprise devices from Android 8 to 12.

Best regards

Maik

a year ago
SOTI MobiControl
ANSWERS

Hi Maik,

This very much depends on how you set up your devices.
Examples:

- Do the devices use managed play store?
- Do you enroll with the DPC identifier (afw#mobicontrol) or Zero-Touch?
- ...

I don't think so (otherwise your Soti server would need that access as well) but those are just examples where you would need access to Google services.

MaikStrassmann
a year ago

Hi Rafael,
As far as I know, this is how it currently works:

The Zebra devices are installed with afw#mobicontrol.
The Honeywell devices with QR codes in the initial setup.

In both cases, the current procedure is to connect the devices to the normal company network, carry out the above steps, then configure a LAN proxy on the device, set the correct time and date and then install mobicontrol and enter the enrolment key. Then the work profile will be configured and you have to grant some stuff to the mobicontrol agent after that.

In the future, I hope that the device will connect to staging with an initial QR code, download mobicontrol and connect. I can then move the device to Mobicontrol so that it works with the correct product wifi.

We work exclusively with work managed devices.
We also use Mobicontrol's own PlayStore later on for some own company apps.

In your case I would use QR enrollment. For Zebra, StageNow is the recommended tool for generating such barcodes. I don't know about Honeywell, but it should be possible using "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION" in the QR. Example for another MDM here: https://sps-support.honeywell.com/s/article/What-is-the-syntax-to-generate-the-QR-Code-to-enroll-the-mobile-device-to-MobileIron for "default" QR code enrollment.

Then you won't need the manual steps to reach the point where you enter the DPC identifier on the Zebra, for example. And I think there is also no need to reach Google services (as you don't use them, if I understood correctly).

With both you should be able to enroll directly into the final Wifi without the need for a staging Wifi and pointing to a local source for the agent. If there are still some reasons to use a staging Wifi (we use one as well), you can do that kind of enrollment there as well.

Simon Breuer
a year ago

Hi Maik,

the Android Enterprise devices need a connection to the Google services. You will have to allow access to the destinations mentioned in the following support article by Google:

Network Requirements Android Enterprise

(You won't need everything listed, of course. It depends on your requirements. At least the first two entries are needed for device enrollment.)

MaikStrassmann
a year ago

Ah, that's a good hint.

Then I'll have to see if I can persuade the IT management to reach Mobicontrol + the Google servers for me on a new Wifi.

Many thanks for the quick answers.

Matt Dermody Diamond Contributor
a year ago

This isn't entirely true. You only need access to the Google Services if you're going to be utilizing those services. You can technically work around this requirement in the following ways.

- Use StageNow for Zebra enrollment and EP for Honeywell and have the devices download the SOTI Agent APK from an internally accessible location like an FTP server. This bypasses the need for the device to communicate with the Google Play Store to download the agent, which it will do with dpc#identifier, as well as by default with QR based enrollment.
- Don't assign an Android Enterprise Binding and select the option to bypass the assignment of service accounts at the time of enrollment. If you are binding to an AE org and assigning Managed Play service accounts during enrollment then devices have to communicate with the Play services at that time. If you bypass the binding and account assignments however they don't need to talk to Google and they can enroll directly in SOTI in an "Offline" manner.

The end result of all of this will be fully managed Android devices that will be missing some of the Android Enterprise capabilities that rely on Managed Play. For example, you won't be able to use Managed Play distributed OEMConfig or install any apps from Managed Play for that matter. You will however be able to install apps directly on the devices via SOTI as either Packages or Enterprise apps in App Policy.
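As an added example (not part of the thread, and not SOTI, Zebra or Honeywell tooling): when the QR code points the device at a locally hosted agent APK, as Rafael and Matt describe above, the standard Android provisioning checksum extra pins that file so a swapped APK on the internal server is rejected. The component name, host, SSID and APK bytes below are constructed placeholders.

```python
import base64
import hashlib
import json
from urllib.parse import urlparse

# Standard Android provisioning extras used in QR enrollment payloads.
P = "android.app.extra.PROVISIONING_"
COMPONENT = P + "DEVICE_ADMIN_COMPONENT_NAME"
LOCATION = P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
CHECKSUM = P + "DEVICE_ADMIN_PACKAGE_CHECKSUM"
WIFI_SSID = P + "WIFI_SSID"
WIFI_PASSWORD = P + "WIFI_PASSWORD"

def apk_checksum(apk_bytes: bytes) -> str:
    """URL-safe base64 of the APK's SHA-256, padding stripped (QR format)."""
    digest = hashlib.sha256(apk_bytes).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")

def build_payload(component: str, url: str, apk_bytes: bytes, ssid: str) -> dict:
    """QR payload that pulls the agent from an internal URL, pinned by hash."""
    return {
        COMPONENT: component,
        LOCATION: url,
        CHECKSUM: apk_checksum(apk_bytes),
        WIFI_SSID: ssid,
    }

def lint_payload(payload: dict, apk_bytes: bytes) -> list:
    """Return findings a reviewer would raise before the QR code is printed."""
    findings = []
    if payload.get(CHECKSUM) != apk_checksum(apk_bytes):
        findings.append("checksum missing or does not match the hosted APK")
    if urlparse(payload.get(LOCATION, "")).scheme != "https":
        findings.append("agent download location is not https")
    if WIFI_PASSWORD in payload:
        findings.append("staging Wi-Fi password is readable from the QR code")
    return findings

# Constructed sample values: placeholder component, host, SSID and APK bytes.
SAMPLE_APK = b"PK\x03\x04 constructed stand-in for the agent APK"
SAMPLE = build_payload("com.example.agent/.AdminReceiver",
                       "https://staging.example.internal/agent.apk",
                       SAMPLE_APK, "STAGING-EXAMPLE")

if __name__ == "__main__":
    print(json.dumps(SAMPLE, indent=2))  # JSON text to encode as the QR code
    print(lint_payload(SAMPLE, SAMPLE_APK))
```

Re-run `lint_payload` against the file actually served from the staging location whenever the agent is updated, since a stale checksum makes provisioning fail on the device.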

CKMOD@SOTI
a year ago

Hi Maik,
 
Thanks for posting on SOTI Pulse. Thanks Rafael, Simon and Matt for responding to the post; your expertise and willingness to help are greatly appreciated!

Have you had an opportunity to test the suggested solutions and has it successfully addressed your query?

If not, or if you have any additional questions or concerns, please don't hesitate to reach out. We're dedicated to providing assistance and support.

MaikStrassmann
a year ago

Unfortunately, there are still too many discussions with the IT management, which is why we are not going any further. 

CKMOD@SOTI
a year ago

Hi Maik, 

No worries. Once you have completed the discussion with IT management, you can try the suggested solution by Matt and Rafael.

Alternatively, you can post here to let us know if the suggested solution has addressed your query or not.