Android devices not enrolling via AE or Android +.

Hi,

I already have a case for this (C00275940), but just wanted to check if anyone might have a suggestion.

Issue:

Devices of various (7.0+) Android builds, networks (4G, Wi-Fi) and OEMs cannot enroll (times out when trying to connect to the server in the MC agent) after a DNS update. Everything is marked green by admin util. and already enrolled devices connect just fine.

If I manually enter the enrollment page in a browser, then it is properly displayed and accessible from all devices and networks (available from the internet).

The weirdest is however, that when testing alongside support, THEY were able to enroll devices to the environment. None of us have been able to explain this behaviour yet.

For now we have fetched ADB logs, which are then to be submitted to development. I however just have a feeling this has to do with the DS certificate, even though this is mapped to the correct hostname and everything is marked green (and support was able to enroll their test device).

 

This entry is repeated in the ADB logs during enrollment: 11-01 15:37:18.310 8859 8917 E soti : Caused by: java.security.cert.CertificateException: Certificate with Issuer: 2.5.4.46=#132433323346343431352d304146332d343139392d424430432d363433323331424246454243,CN=MobiControl Root CA and Subj: CN=MobiControl Server is not trusted

 

Brgds,

Ole
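
The certificate error quoted in the post above, worked through as an added example that is not part of the original thread or of SOTI's code: this Python sketch pulls the rejected issuer and subject out of the agent's logcat lines and decodes the hex-encoded `2.5.4.46` (dnQualifier) value, so the root CA the device rejected can be compared with the one the server currently presents. The first sample line is the entry from the post; the other two lines and all helper names are constructed for illustration.

```python
import re

# First line: the entry quoted in the post. Lines two and three are constructed.
SAMPLE_LOG = """\
11-01 15:37:18.310 8859 8917 E soti : Caused by: java.security.cert.CertificateException: Certificate with Issuer: 2.5.4.46=#132433323346343431352d304146332d343139392d424430432d363433323331424246454243,CN=MobiControl Root CA and Subj: CN=MobiControl Server is not trusted
11-01 15:37:23.512 8859 8917 E soti : Caused by: java.security.cert.CertificateException: Certificate with Issuer: 2.5.4.46=#132433323346343431352d304146332d343139392d424430432d363433323331424246454243,CN=MobiControl Root CA and Subj: CN=MobiControl Server is not trusted
11-01 15:37:23.600 8859 8917 I soti : retrying connection
"""

OID_NAMES = {"2.5.4.46": "dnQualifier"}  # X.520 attribute type printed as a bare OID
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}  # UTF8/Printable/IA5String
UNTRUSTED = re.compile(
    r"CertificateException: Certificate with Issuer: (?P<issuer>.+?)"
    r" and Subj: (?P<subject>.+?) is not trusted"
)

def decode_hex_value(hexstr):
    """Decode an RFC 4514 '#hex' value: DER tag, short-form length, string bytes."""
    der = bytes.fromhex(hexstr)
    if len(der) < 2 or der[0] not in STRING_TAGS:
        raise ValueError("unsupported DER string type")
    if der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("length byte does not match the value")
    return der[2:].decode(STRING_TAGS[der[0]])

def parse_dn(dn):
    """Split a DN into (type, value) pairs. Assumes no escaped commas in values."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if value.startswith("#"):
            value = decode_hex_value(value[1:])
        pairs.append((OID_NAMES.get(attr, attr), value))
    return tuple(pairs)

def untrusted_certs(log_text):
    """Return each distinct (issuer, subject) pair the agent rejected, in order."""
    seen = []
    for line in log_text.splitlines():
        match = UNTRUSTED.search(line)
        if match:
            entry = (parse_dn(match["issuer"]), parse_dn(match["subject"]))
            if entry not in seen:  # the same entry repeats during enrollment
                seen.append(entry)
    return seen

if __name__ == "__main__":
    for issuer, subject in untrusted_certs(SAMPLE_LOG):
        print("rejected issuer:", issuer, "subject:", subject)
```

The decoded dnQualifier identifies which root CA instance issued the rejected server certificate, which is the value to compare against the root CA shown on the server side.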

4 Answers

Matt Dermody | posted this 01 November 2018

Your DNS name changed for your SOTI server? If so, I think you're going to need a new server certificate that reflects that change, otherwise a Nougat Android device is going to reject it. I'm guessing that the devices SOTI support tested with are either not on Nougat or may have the MobiControl Root CA already installed manually in the keystore on the device.
Ole, Daugaard | posted this 01 November 2018

Hi Matt,

Thanks for the reply.

Yes, the DNS records for the server were changed. But the new DNS name is also reflected in the details for the DS certificate. So as far as I know that should be ok.

In regards to 7.0 (Nougat), has there been less strict certificate handling in prior Android versions since you mention this? I didn't verify which versions they used, but I know they performed factory resets of the devices, thus I didn't expect the MobiControl Root CA to be trusted upon enrollment after that (maybe some settings persist)?

Thanks!

Ole
Matt Dermody | posted this 01 November 2018

Yes, we encountered a number of issues when Android N first started appearing because it included a change to how certificates are trusted:

https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html
Ole, Daugaard | posted this 02 November 2018

Just tested enrolling a 5.1.1 device, and after releasing enough licenses it works. And I also noticed that the test device from SOTI was Len. 6.0. So really nice to know with the API updates to 7.0, now at least part of the issue has been explained.

Thanks!
