Device Associated LDAP User keep Unassigning

Device Associated LDAP User keep Unassigning

We keep having issues whereby multiple users are being randomly unassigned from Samsung SM-T365 (Android) devices for no reason whatsoever. Whenever this happens their Exchange profile is removed and we see the below entry in the log file for the device:

Device Configuration removed ([EAS Settings] Configuration is being uninstalled)

We are then able to re-assign the user and the Exchange profile is automatically re-added, however this is getting quite annoying!

We are currently running Soti MobiControl v13.2.0.3247

Has anyone else seen the same issue?

 

Thanks,

Stuart

4 Answers

Order By:   Standard | Newest | Votes
Raymond Chan | posted this 12 October 2018

For each of the problematic devices that you have, did the LDAP user account get associated with the device when the device agent was enrolled to your MobiControl server?  Or did the LDAP user account get manually associated with the problematic device by MDM administrator using the web-console?  Are the answers to the above questions the same for all your problematic devices found so far?     There must be some pattern(s).  E.g. are all these devices using the same device agent version+build numbers?  

 

MobiControl v13.2.0.3247 was released 22+ months ago.  How long have the LDAP account and Exchange profile been used with this server?  Did you just find this problem recently?  Have you checked the device log on the web-console for items related to LDAP user/Exchange profile removed, and what was shown in such log entries?

 

Is there a possibility that an MDM administrator mistakenly changed the LDAP user association in the web-console or someone force the device to "administrator mode" on the device and make unexpected reconfiguration?

 

  • 0
  • 0
Stuart Barrett | posted this 12 October 2018

Thanks for your reply.

In answer to your questions:

These LDAP users will all have been associated manually after enrolling the device as we do not require LDAP association on the device at enrollment. All of our devices use the same device agent ver (13.0.0.33861) but we currently have 30 platform-signed agents and around 1700 ELM agents. We are currently going through our devices migrating them to ELM so that we can upgrade to the latest MobiControl version.

The devices that are losing the LDAP user association are all ELM devices as far as I am aware and there doesn't seem to be a pattern. On our S7 devices this was happening daily, so we have created them a new Exchange profile that doesn't target users by LDAP group at all to get around the issue of losing the Exchange profile every day! Our Tab Active devices have this happen randomly, some more often than others.

We have always used the same Exchange profile with the associated LDAP users since we installed this MobiControl version, however I'm pretty sure this wasn't happening until this year. I need to check the device logs, but it is difficult to catch one in time. I will try and do that for the next one we get!

I don't think an MDM administrator is doing anything because as far as I am aware it is not possible to fully remove an LDAP user association from a tablet, only change it to another user. With regards to the device itself no one knows the Admin password so this won't be an issue.

  • 0
  • 0
Stuart Barrett | posted this 12 October 2018

I have now managed to catch a device where this has happened. The device log file has multiple entries, but I think this is the block that (partially) relates to this issue: https://pastebin.com/jEQzGbct

 

  • 0
  • 0
Raymond Chan | posted this 12 October 2018

Hi Stuart,

From what you said,  one suspicious pattern is related to S7 devices as the problem repeats daily.  For example, it many be related to the S7 firmware, or incompatibility with the device agent or server used.    I was wondering if you had checked if the timestamps of Exchange profile  in these S7 device logs have any timing pattern(s).  As the error repeat daily, you can replicate the problem, and  report all related details to Soti support team so that they can look into the server and device log in details to track the problem.

 

Also, if you could successfully used the approach of creating a new Exchange profile that doesn't target users by LDAP group at all  for the S7 devices, can't you use the same approach for your Samsung SM-T365 (Android) devices?

 

To be frank,  the version of your server is a bit old.   Using LDAP group as filter in profile deployment is a relatively new feature in v13.x, and there might be glitches for its implementation in your server version.  The latest v13.4.0  may have this and many other problems fixed.  Please consult Soti support team if you should upgrade.   After all, if you do not upgrade to newer server, and the device agents not updated to v13.5.0+,  the Bitdefender antivirus functionalities will not be available starting from next month (Nov 2018).

 

  • 0
  • 0

Give us your feedback
Give us your feedback
Feedback