I have an iPad I am testing on. When I enroll the iPad in MDM, it applies the IOS enrollment profile that we set up. But I can't ever get the device to apply any other profiles. I have a different profile assigned to the user I am testing with via Active Directory via a group and this other profile is never applied; the IOS enrollment profile is always the one present. How can I troubleshoot why the other profile is never being applied to the device?
If a user gets two policies assigned (i.e. due to the fact that the user is a member of two groups and both got different policies assigned) the user will receive the policy which is positioned higher in the policy window. Probably this is the case for your user...
The initial enrollment policy that's specified in the configuration dialog (Mobile Policy management -> Configure -> IOS Enrolment Profile) isn't listed in the policy window. The policy I would like to apply is in the policy window, and it IS the first in the list; however, the enrollment profile is the one that is superseding it. Is there a way to move the enrollment profile down?
Normally any "custom" profile should overwrite the enrollment profile. But since you can't have two (or more) Passcode or Restrictions payloads in one policy, probably the Mob Mgr has problems overwriting the enrollment profile with a "custom" profile when both contain payloads of that type - who knows?
And since you didn't mention it, did you "force down" the profile to the device by right-clicking on the device/user and selecting the "policy-item" from the menu? http://help.landesk.com/Topic/Index/ENU/MOBL/9.0/Content/Mobility/mobl_t_update_policies.htm
Yes, I did update the policy and it doesn't seem to have any effect. I even wiped the device using the Wipe device command and then started over in case something was corrupted. It gets the enrollment profile and nothing ever overwrites it. Even when I do the 'Update policy' that you were just talking about.
I think we get to the source of the problem: the Enrollment profile is installed by a "pull" from the device during its enrollment, while all the other actions you try to execute are "somehow push" from the Console to the device via the MDM Server. I'm sure that the Core is not able to talk to the MDM either for firewall rule reasons or for DNS name resolution reasons. Especially for the latter one I can't help since I don't know whether the Core uses the MDM's fully qualified DNS, just the DNS name or the NetBIOS name. Re this question I already opened a threa(d|t) in this community a week ago and also opened a ticket with LD support. A sniffer trace should prove my assumption: you will not see any traffic between the Core and the MDM when initiating i.e. a wipe command. (Probably the IIS Log on the Core proves my assumption as well.)
Or it's a certificate issue. Did you install the LD agent on the MDM server?
regards and bye for today (it's already 6:30 PM here in Germany)
I may have to try it again, but I believe that if I change the enrollment profile and then force policies, it may have updated the payloads (but it may have been only if I reset the agent and then re-enrolled). That might be that they aren't talking right; we're not getting any specific errors at the moment when it tries, it just isn't working. It may or may not be related, but our portal for apps/links/docs also doesn't update to the device. It logs in ok, but then never updates, so I suppose it is possible that the MDM isn't talking to the core correctly... It would sure be nice to have easier to find logs to see the communication between pieces and see where things are breaking down.
We had one of the technicians from support help us set up our MDM and the certs since we were having trouble (we originally tried to put the MDM server on the core server - not recommended, even if the documentation doesn't say that). He helped us split the two and set up the certs so I'm assuming that the certs are talking correctly (but I'm not a cert expert either so...)
I understand about being late; after close of business tomorrow I'm off for 3 weeks so this thread may get a little dusty in the meantime
Still on duty ;-)
Portal Content Update is (from the device's view) "pull only". To update the content: Either log off - log on to the portal app, or swipe down the open Category list (talking about an iOS device - BTW there is an iOS 6 issue with the portal app - search the community)
Sorry you're still on duty...
It may be the iOS 6 thing then on that. The device I'm testing on is using iOS 6. I'll look it up. (I have tried all those particular suggestions for updating the content, logoff/on, swipe category down - it doesn't even show any categories...)
Hi guys, I came across this problem a while back and my solution was simple. When I enrolled the device I enrolled it with "username" only. You need to put in "domain\username"; if you don't, the device will enroll and only pull down the enrollment profile, but nothing else. You will be able to send lock and such down, but will not ever receive any other policies.
hope this helps
It didn't work for me unfortunately...
I see the info shown in the inventory updated after I restart the LDAgent on the mobile (Nexus Android 4.2).
Battery status is always updated for example.
Any other command sent doesn't take effect... I'm trying to disable camera and change time wait before screen locks.
Can someone do it?
Tks and Regards,
This sounds like you may need to allow the Agent to administer the device. This can be done in the settings.
Otherwise this could be an issue with the certs. Are any devices uploading a full inventory scan?
I've already set the Agent to be administrator of the device.
The inventory seems to be a full one. It shows the last app I've installed and many details about CPU, memory, network and so on. Is this enough to say certs are issued correctly?
I've also configured the Exchange account so I distinguish two different device names with their respective Scan Type: Agentless Mobile, using LDAP, and Mobile Agent.
Where can I find any logs about connections?
Thanks a lot for your precious support,
I configured an Android payload but it is not shown in the Payloads summary, although it is present in mobile policy management section.
As you see I don't have a key for the Cryptography; the Organization field instead contains my public IP address.
You have to know I'm using a self-signed cert... that I want to check better as soon as possible...
Adding more, I still don't find the profile info on my mobile device.
Summarizing: LD Portal works if I disconnect and connect again the user (device side)
LD Agent sends detailed info about the device if I disconnect and connect again the user (device side).
Nothing updates automatically and LD Agent seems not to get payloads...