Device Associated LDAP User Keeps Unassigning
For each of the problematic devices that you have, did the LDAP user account get associated with the device when the device agent was enrolled to your MobiControl server? Or did the LDAP user account get manually associated with the problematic device by an MDM administrator using the web-console? Are the answers to the above questions the same for all your problematic devices found so far? There must be some pattern(s). E.g. are all these devices using the same device agent version+build numbers?
MobiControl v126.96.36.19947 was released 22+ months ago. How long have the LDAP account and Exchange profile been used with this server? Did you just find this problem recently? Have you checked the device log on the web-console for items related to LDAP user/Exchange profile removed, and what was shown in such log entries?
Is there a possibility that an MDM administrator mistakenly changed the LDAP user association in the web-console, or that someone forced the device into "administrator mode" on the device and made unexpected reconfigurations?
Thanks for your reply.
In answer to your questions:
These LDAP users will all have been associated manually after enrolling the device as we do not require LDAP association on the device at enrollment. All of our devices use the same device agent ver (188.8.131.52861) but we currently have 30 platform-signed agents and around 1700 ELM agents. We are currently going through our devices migrating them to ELM so that we can upgrade to the latest MobiControl version.
The devices that are losing the LDAP user association are all ELM devices as far as I am aware and there doesn't seem to be a pattern. On our S7 devices this was happening daily, so we have created them a new Exchange profile that doesn't target users by LDAP group at all to get around the issue of losing the Exchange profile every day! Our Tab Active devices have this happen randomly, some more often than others.
We have always used the same Exchange profile with the associated LDAP users since we installed this MobiControl version, however I'm pretty sure this wasn't happening until this year. I need to check the device logs, but it is difficult to catch one in time. I will try and do that for the next one we get!
I don't think an MDM administrator is doing anything because as far as I am aware it is not possible to fully remove an LDAP user association from a tablet, only change it to another user. With regards to the device itself no one knows the Admin password so this won't be an issue.
From what you said, one suspicious pattern is related to S7 devices as the problem repeats daily. For example, it may be related to the S7 firmware, or incompatibility with the device agent or server used. I was wondering if you had checked if the timestamps of Exchange profile in these S7 device logs have any timing pattern(s). As the error repeats daily, you can replicate the problem, and report all related details to the Soti support team so that they can look into the server and device log in detail to track the problem.
Also, if you could successfully use the approach of creating a new Exchange profile that doesn't target users by LDAP group at all for the S7 devices, can't you use the same approach for your Samsung SM-T365 (Android) devices?
To be frank, the version of your server is a bit old. Using LDAP group as filter in profile deployment is a relatively new feature in v13.x, and there might be glitches for its implementation in your server version. The latest v13.4.0 may have this and many other problems fixed. Please consult the Soti support team as to whether you should upgrade. After all, if you do not upgrade to a newer server, and the device agents are not updated to v13.5.0+, the Bitdefender antivirus functionalities will not be available starting from next month (Nov 2018).