Add device rule with specific AD group does not work

Hello everybody,

We created an Add device rule to automatically assign the tablets that are using this rule to a specific device group.
We set the authentication option to "Utilize directory services to authenticate users during device enrollment".
As long as we allow all authenticated users to use this rule, it works fine.

But as soon as we enter a specific AD group, no one can use this rule. Not even the users who are members of this specific group.
After entering the credentials in MobiControl on the tablet, we get the error message "No registration. Please try again or contact administrator".

We tried different AD groups and different users, all with the same behaviour.

We are currently using Samsung Galaxy Tab A SM-T585 devices.

SOTI Server is v.14.2.1.4394, Android Plus device Agent is Samsung ELM v13.6.0

Any ideas on how to solve this?

Regards

Robin

5 Answers

GPMOD@SOTI | posted this 15 April 2019

Hello Robin,

You might try creating two different rules, one for the LDAP based enrollment and one for the other set of users. Please let me know if this works for you.

Thank you,

SOTI Technical Support | SOTI Inc. | 1.905.624.9828 | support@soti.net

Robin K. | posted this 16 April 2019

Hey,

I'm not sure I understand what you want me to do. What do you mean by "one for the other set of users"?

I think I'll add a screenshot for clarification:

As soon as an LDAP group is added here, enrollment with the enrollment URL isn't possible anymore.

Raymond Chan | posted this 16 April 2019

In general, most options of an Add-Devices rule cannot be changed once the rule has been used for the successful enrollment of one device. This is often the case if some server parameters configured with the MCadmin utility program are changed.

So, all the devices that have been enrolled without authentication can be left untouched. Any devices that do not need LDAP authentication can use your existing Add-Devices rule (with no LDAP authentication option checked).

Then, add another Add-Devices rule that uses LDAP authentication. Any devices that need LDAP authentication should use the enrollment ID/URL of this new rule for enrollment.

Robin K. | posted this 16 April 2019

I deleted my existing rule and created new ones with the correct parameters.

I created two different rules, one with the Manual Enrollment Option and the Rule Target set to the specific device group and the User Authentication Option Set to the corresponding LDAP group.

The other rule is configured with the Enrollment Option based on LDAP group membership. The LDAP mapping is configured to the LDAP group. Everyone else is denied access.

But with both rules I get the same behaviour on the device: "No Registration. Try again or contact system administrator."

Raymond Chan | posted this 16 April 2019

Have you ever successfully enrolled any device onto your current server with AD authentication in the past (either the current or an earlier MobiControl server version/build)? If it worked in the past in an earlier version/build, your problem may stem from your current server, and I cannot say for sure there is no problem without thorough tests. Otherwise, you probably have no experience with the task and there is a possibility that you have mis-configured or overlooked something.

What is the brand and version of your LDAP server? Have you checked any other MobiControl function after integrating this LDAP? For example, have you checked that your LDAP integration has been enabled in the Global Settings? Have you tried adding an administrator account (for accessing the web console) using LDAP authentication?

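The checks Raymond asks for above can be done directly against AD before touching the enrollment rule again. The following PowerShell is an added diagnostic, not SOTI's or the thread's own code; it assumes the RSAT ActiveDirectory module on a domain-joined admin workstation, and the user, group and LDAP path values are placeholders. It verifies that the user's credentials bind to the directory at all and reports whether the user is a direct, nested or primary-group member of the group, since those three cases look different to anything that reads the user's memberOf attribute.

```powershell
# Added diagnostic (not SOTI code). Requires: Import-Module ActiveDirectory
function Test-LdapBind {
    # Confirms the enrollment user's credentials are accepted by the directory.
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string] $LdapPath   # e.g. 'LDAP://dc01.example.local' (placeholder)
    )
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        $LdapPath, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    try   { $null = $entry.NativeObject; return $true }   # forces the bind
    catch { Write-Warning "Bind failed: $($_.Exception.Message)"; return $false }
}

function Test-EnrollmentGroupMembership {
    # Reports how AD actually expresses the user's membership in the LDAP group.
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # placeholder user
        [Parameter(Mandatory)] [string] $GroupName         # placeholder group
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $group = Get-ADGroup -Identity $GroupName
    $user  = Get-ADUser  -Identity $SamAccountName -Properties MemberOf, PrimaryGroupID

    # Direct membership: the group's DN is listed on the user's memberOf attribute.
    $direct = $user.MemberOf -contains $group.DistinguishedName

    # Nested membership: the user is reached only through a member group.
    $nested = @(Get-ADGroupMember -Identity $group -Recursive |
                Where-Object { $_.objectClass -eq 'user' -and
                               $_.SamAccountName -eq $user.SamAccountName }).Count -gt 0

    # Primary group (e.g. Domain Users) is stored as a RID, never in memberOf.
    $groupRid = [int]($group.SID.Value.Split('-')[-1])
    $primary  = ($user.PrimaryGroupID -eq $groupRid)

    [pscustomobject]@{
        User         = $user.SamAccountName
        GroupDN      = $group.DistinguishedName
        DirectMember = $direct
        NestedOnly   = ($nested -and -not $direct)
        PrimaryOnly  = ($primary -and -not $direct)
    }
}

# Usage (placeholder values):
# Test-LdapBind -Credential (Get-Credential) -LdapPath 'LDAP://dc01.example.local'
# Test-EnrollmentGroupMembership -SamAccountName 'tabletuser' -GroupName 'MDM-Tablet-Users'
```

A user who shows up only as NestedOnly or PrimaryOnly is worth testing with a direct membership added, which isolates whether the rule's group match is the failing step or the bind is.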