Android Enterprise Enrollment from Internet

Hello,

I've recently managed to make my devices communicate with my local MobiControl server (On Premise) by configuring my firewall to allow port 444 (the one I use for the deployment server; my WebConsole is listening on port 443) and port 5494.

Now I want to enroll my devices from the Internet. When I try to enroll from my local network, the device is enrolled successfully, but when I do it from the Internet, the enrollment fails.

The step where it fails is right after the SafetyNet step. In the logs of the Deployment Server Extensions, I get an error saying that a certain parameter "s" can't be null (System.IO.StringReader..ctor(String s)).

Is there a way to fix this problem?

The MobiControl product version I work on is 15.5.

3 years ago
SOTI MobiControl
ANSWERS
Raymond Chan Diamond Contributor
3 years ago

What is the Enterprise-binding Google account type you chose in your device enrollment policy on your MC 15.5?

Also, have you tried disabling the option "Enroll Device even if SafetyNet Attestation Fails" in the settings tab of the enrollment policy?

 
Lenz
3 years ago

For the Enterprise-binding Google account type, I chose a regular Gmail address (gmail.com) instead of a Gmail address for enterprises. Since it worked when I enrolled devices in my LAN, I thought it was unnecessary to create a professional Gmail address.

I tried to disable "Enroll Device even if SafetyNet Attestation Fails" but it didn't work any better.

Raymond Chan Diamond Contributor
3 years ago

When you said "regular Gmail address", I assumed you meant you chose "Managed Google Play Account". If I also assume that you have properly set up such binding (you can test by administering your custom MGP store app list when accessing https://play.google.com/work using the MGP Google account), then your problem may be narrowed down to firewall settings in your infrastructure. As little information is provided, it is hard to comment. Also, I am a bit curious why you chose to use port 444 for your Deployment Server. I wouldn't rule out your use of this port address together with your firewall exceptions configuration causing your current problem.

Lenz
3 years ago

Yes, I can properly manage the applications on https://play.google.com/work. I am using port 444 because there is already a NAT rule on port 443 for another service in our network. I have created a NAT rule for redirecting all the traffic coming from the Internet on 444 to our MobiControl Server on port 444. However, our PCs and Servers from our LAN cannot access the enrollment page when we try to access our public address on port 444, while it is possible from the Internet. The MobiControl Server not being able to receive an answer from our public address (the public address being set to be the Device Management Address in the MobiControl settings) may be the cause of the enrollment failing.