1 2 Previous Next 15 Replies Latest reply on Mar 11, 2013 9:29 AM by bnelson

    Cannot change the policy applied to a mobile device.

    bwallace Apprentice

      I have an iPad I am testing on, when I enroll the iPad in MDM, it applies the IOS enrollment profile that we setup. But I can't every get the device to apply any other profiles. I have a different profile assigned to the user I am testing with via Active Directory via a group and this other profile never is applied, the IOS enrollment profile is always the one present. How can I troubleshoot why the other profile is never being applied to the device?

        • 1. Re: Cannot change the policy applied to a mobile device.
          Rookie

          If a user gets two  policies assigned (i.e. due to fact that the user is member of  two groups and both got different policies assigned) the user will receive the policiy which is positioned higher in the policy window. Probably this is the case for your user...

          • 2. Re: Cannot change the policy applied to a mobile device.
            bwallace Apprentice

            The initial enrollment policy that's specified in the configuration dialog (Mobile Policy management -> Configure -> IOS Enrolment Profile) isn't listed in the policy window. The policy I would like to apply is in the policy window, and it IS the first in the list however the enrollment profile is the one that is superceding it. Is there a way to move the enrollment profile down?

            • 3. Re: Cannot change the policy applied to a mobile device.
              Rookie

              Normally any "custom" profile should overwrite the enrollment profile. But since you can´t have two (or more) Passcode or Restrictions payloads in one policy probably the Mob Mgr has problems to overwrite the enrollment profile with a "custom" profile  when both contain payloads of that type - who knows ?

               

              And since you didn´t mention it, did you "force down" the profile to the device by right-clicking on the device/user and selecting the "policy-item" from the menue ?  http://help.landesk.com/Topic/Index/ENU/MOBL/9.0/Content/Mobility/mobl_t_update_policies.htm 

               

              regards,

               

              Detlef

              • 4. Re: Cannot change the policy applied to a mobile device.
                bwallace Apprentice

                Yes, I did update the policy and it doesn't seem to have any effect. I even wiped the device using the Wipe device command and then started over in case something was corrupted. It gets the enrollment profile and nothing ever overrights it. Even when I do the 'Update policy' that you were just talking about.

                • 5. Re: Cannot change the policy applied to a mobile device.
                  Rookie

                  I think we get to the source of the problem: the Enrollment profile is installed bei an "pull" from the device during its enrollment, while all the other actions you try to execute are "somehow push" from the Console to the device via the MDM Server. I´m sure that the Core is not able to talk to the MDM either for firewall rule reasons or for DNS name resolution reasons. Especially for the latter one I can´t help since I don´t know whether the Core uses the MDM´s fully qualified DNS , just the DNS name or the Netbios name. Re this question I already opened a threa(d|t) in this community a week ago and also opened a ticket with LD support. A sniffer trace should prove my assumption : you will not see any traffic between the Core and the MDM when initiating i.e. a wipe command. (Probably the IIS Log on the Core proves my assumption as well)

                  Or it´s an Certificate issue. Did you install the LD agent on the MDM server ?

                   

                  regards and by for today (it´s already 6:30 PM here in Germany)

                   

                  Detlef

                  • 6. Re: Cannot change the policy applied to a mobile device.
                    bwallace Apprentice

                    I may have to try it again, but I believe that if I change the enrollment profile and then force policies, it may have updated the payloads (but it may have been only if I reset the agent and then renrolled. That might be that they aren't talking right, we're not getting any specific errors at the moment when it tries, it just isn't working. It may or may not be related, but our portal for apps/links/docs also doesn't update to the device. It logs in ok, but then never updates, so I suppose it is possible that the MDM isn't talking to the core correctly... I would sure be nice to have easier to find logs to see the communication between pieces and see where things are breaking down.

                     

                    We had one of the technicians from support help us setup our MDM and the certs since we were having trouble (we orginally tried to put the MDM server on the core server - not recommended, even if the documentation doesn't say that). He helped us split the two and setup up the certs so I'm assuming that the certs are talking correctly (but I'm not a cert expert either so...)

                     

                    I under stand about being late, after close of business tomorrow I'm off for 3 weeks so this thread may get a little dusty in the mean time

                    • 7. Re: Cannot change the policy applied to a mobile device.
                      Rookie

                      Still on duty ;-)

                       

                      Portal Content Update is (from the device´s view)  "pull only". To update the content: Either log off - log on to the portal app, or swipe down the open Category list (talking about an IOS device - BTW there is an IOS 6 issue with the portal app - search the community)

                       

                      regards, Detlef

                      • 8. Re: Cannot change the policy applied to a mobile device.
                        bwallace Apprentice

                        sorry you're still on duty...

                         

                        It may be the IOS 6 thing then on that. The device I'm testing on is using IOS 6. I'll look it up. (I have tried all those particular suggestions for updaing the content, logoff/on, swipe category down - it doesn't even show any categories...)

                        • 9. Re: Cannot change the policy applied to a mobile device.
                          Rookie

                          hi guys i came across this problem a while back and my solution was simple.  when i enrolled the device i enrolled it with "username" only.  You need to put in "domain\username" if you dont, the device will enroll and only pull down the enrollment profile, but nothing else.  You will be able to send lock and such down, but will not ever recieve any other policies.

                           

                          hope this helps

                          • 10. Re: Cannot change the policy applied to a mobile device.
                            Rookie

                            It didn't work for me unfortunately...

                             

                            I see info showed into the inventory updated after I restart the LDAgent on the mobile (Nexus Android 4.2).

                            Battery status is always updated for example.

                             

                            Any other command sent dosn't make effect... I'm trying to disable camera and change time wait before screen locks.

                             

                            Some one can do it?

                             

                            Tks and Regards,

                            Don

                            • 11. Re: Cannot change the policy applied to a mobile device.
                              bnelson Employee

                              This sounds like you may need to allow the Agent to administer the device. This can be done in the settings.

                               

                              Otherwise this could be an issue with the certs. Are any devices uploading a full inventory scan?

                              • 12. Re: Cannot change the policy applied to a mobile device.
                                Rookie

                                I've already set the Agent to be administrator of the device.

                                The inventory seems to be a full one. It shows the last app I've installed and many details about

                                CPU, memory, network and so on. Is this enough to say certs are issued correctly?

                                I've also configured the Exchange account so I distinguish two different device name with their respective Scan Type: Agentless Mobile, using LDAP, and Mobile Agent. 

                                 

                                Where can I find any logs about connections?

                                 

                                Thanks a lot for your precious support,

                                Don

                                • 13. Re: Cannot change the policy applied to a mobile device.
                                  bnelson Employee

                                  The profile you are applying, is it part of the enrollment profile? Is it listed on the same page as the screen shot below?

                                  MDM.PNG

                                   

                                  If you have the profile as part of the payload, then it cannot be overwritten. You will have to remove the profile from the payload and push it out later.

                                  • 14. Re: Cannot change the policy applied to a mobile device.
                                    Rookie

                                    I configured an Android payload but it is not shown in the Payloads summary, although it is present in mobile policy management section.

                                    As you see I don't have a key for the Cryptography, Organization field instead contains my public IP address.

                                    You have to know I'm using a self-signed cert....that I want to check better as soon as possible...

                                    Adding more, I still don't find the profile info onto my mobile device.

                                    Summarizing: LD Portal works if I disconnect and connect again the user (device side)

                                                          LD Agent send detailed info about the device if I disconnect and connect again the user (device side).

                                    Nothing updates automatically and LD Agent seems not get payloads...

                                     

                                    MDM.jpg

                                     

                                    Regards,

                                    Don

                                    1 2 Previous Next