Managed apps not downloading with Android Enterprise

Managed apps not downloading with Android Enterprise

We've been having trouble in recent weeks with enrolling new devices into Android Enterprise as a work managed device. From a factory restore state, using afw#mobicontrol, the device will enroll as AE Work Profile. We never used to have this issue, afw#mobicontrol would enroll the device as AE work managed device. 

The closest we've been able to get is using the Stage Programmer app and a QR code to enroll the device in MobiControl. Using this method, it will enroll as AE work managed device. However, while our profiles and packages will apply, the app catalog rules will not. We have several apps that are set as mandatory that will not automatically download. I've tried downloading manually through the MobiControl App Catalog but when I tap to install it takes me to the Play store and says that my administrator has not given you access to this item.

We've done a lot of testing with our device vendor. We've tried different versions of the web console and different android OS versions. All our devices are 7.1.2 and we attempted enrolling an android 6 device with afw#mobicontrol and got the same results. Throughout our testing, the only thing we have not been able to change is the MobiControl agent version (13.6.0.1567) since that is controlled by MobiControl's deployment server. Our last deployment of devices all used agent 13.5 with no problem. This time around, with agent 13.6, we are having problems.

Has anyone else experienced problems like this? Being unable to use afw#mobicontrol to enroll into AE work managed device. Or, having issue with mandatory apps not downloading to a device once we do get it enrolled as a work managed device using the stage programmer app?

27 Answers

Order By:   Standard | Newest | Votes
Raymond, Chan | posted this 29 January 2019

What are the brands and models of the problematic devices?  

 

Did you have consistent problematic results for multiple devices of the same device brand & model?

 

What about the version and build numbers of your MobiControl Server?

 

  • 0
  • 0
David P. | posted this 29 January 2019

The devices we are using are all Zebra TC75X devices. Three devices have had the same problem now, of not being able to enroll and install mandatory apps. Our MobiControl server is cloud based and version 14.2.0.2894.

  • 0
  • 0
Matt Dermody | posted this 29 January 2019

I have been having the same issue recently where the hashtag based enrollment only led to a Work Profile enrollment and not Work Managed. After running into that I resorted to using the MobiControl Stage Programmer app with NFC bump. I found that the NFC bump process was much faster than the manual afw#mobicontrol entry that I was previously using so I haven't put much effort troubleshooting why the hashtag method isn't working properly. I'm also using Zebra Android devices (TC51, TC52, MC3300). 

  • 0
  • 0
Raymond, Chan | posted this 30 January 2019

Hi Matt,

Have you tried app-catalog rule on your devices and got the same problem as David with 13.6.0.1567 agent?

 

  • 0
  • 0
Matt Dermody | posted this 30 January 2019

Sorry, I should have elaborated that I haven't seen the same problem with App Catalog Rules but have seen the other issue with the afw#mobicontrol based enrollment. With that said, I don't leverage App Catalog Rules particularly often as most of what we deploy are B2B applications and packages that we build ourselves. I'll try to add a Rule when I get a chance to see how it behaves. 

  • 0
  • 0
Kaan Gayretli | posted this 30 January 2019

I have been having the same issue recently where the hashtag based enrollment and not Work Managed. I'm also using Samsung Android devices (Galaxy Tab S2).  I used application catalog rule but Mandatory apps not installing on devices.

  • 0
  • 0
Raymond, Chan | posted this 30 January 2019

Are you sure your enrolled device in managed-device mode has the automatically generated managed-google-account set-up completed properly?  If it is not,  you of course cannot see any mandatory app pushed.    What is the value of "Google Account Identities" field reported in the web-console for your problematic device? 

 

A moment ago, I did a quick test on agent v13.6.0.1567 for a device brand/model and server version different from yours.  Enrollment and app-catalog rules work fine, but did find changes related to app-catalog rule on the device screen.  The list of app icons that used to be found in the "Managed Google Play store app"  are not shown as they were in the past.  However, I could still see all the allowed app items from the "Application Catalog" tab of MobiControl device agent. Here, mandatory apps  automatically pushed were shown to be "installed", and non-mandatory apps could be interactively selected and installed.

 

 

 

  • 0
  • 0
David P. | posted this 30 January 2019

Raymond,

 

Your first question may have been for Kaan but I'll answer as well just in case. For the devices in question, I don't see a Google Account Identity but I do see an Android Identity with an address of several numbers followed by @android-for-work.gserviceaccount.com. This is under the Android Enterprise section of Device Details. It also shows Android Status as Provisioned/Enabled with Managed Google Play Accounts and Management Type as Work Managed Device.

 

On the device, I can see all of the approved apps in the Application Catalog. Those apps are correctly marked with Mandatory. Tapping on Free next to the apps to install takes me to the Managed Google Play store app but tells me "your administrator has not given you access to this item" so I do not have the option to install.

  • 0
  • 0
Raymond, Chan | posted this 30 January 2019

Hi David,

The questions were actually all for you.

Your Android Identity field is OK, meaning your device has got the automatically assigned GPA account.

 

Could you please go to Settings->App, and check the versions of your 

- Google Support Services ?

- Google Play Store ?

 

What are the version and build numbers of your MobiControl server?

  • 0
  • 0
Brett Corlett | posted this 30 January 2019

My first answer...

I had a similar issue this week with "my administrator has not given you access to this item" . I had to remove and re-add the "Android Enterprise Binding" along with adding all the apps and setting up the Catalog all over. I only have 9 apps, so it took less than an hour. My Manage Google account also was locked out, so I had to reset that.

I also have issues with the  Mandatory Apps not downloading and installing, but at least I can do it manually.

 

I hope this helps.

 

 

  • 0
  • 0
Raymond, Chan | posted this 31 January 2019

Removing and re-adding "Android Enterprise Binding" is definitely not a viable solution for big implementations with lots of devices or lots of managed apps included.

 

My latest tests seem to pinpoint the culprit to be particular server release(s), rather than the agent v13.6.0.1567 or any device firmware version/device brand reported by others in earlier posts.

 

Could anyone having problems

- getting Managed Google Play App downloading or

- Managed Google Play account pending prompt endlessly

share the version and build numbers of their MobiControl server?   I need your data to gather statistics to confirm my conclusion, after which an official support ticket can be opened to request a fix.

 

  • 0
  • 0
David P. | posted this 31 January 2019

So I wasn't able to find Google Support Services. Through other troubleshooting I read about Google Services Framework. When troubleshooting the Play store, resetting the cache there was a suggestion. The Google Services Framework version is 7.1.1-3515457. The Google Play Store version is 13.0.23-all [0] [PR] 227930514. 

 

Our MobiControl server version is 14.2.0 Build 2894

  • 0
  • 0
Brett Corlett | posted this 31 January 2019

I just deployed 10 out of the box devices and one has the "Google account Completing configuration for your Work Profile" 

The Play Store apps still installed, but this message is still under pending actions after a couple hours.

I rebooted and it is still there. 

This is a managed Google / Android Enterprise / Device Owner Deployment

Samsung SM T377A Agent Version 13.6.0.1567

Hosted Trial Account on Mobicontrol Server Verions 14.2.2.1170

google play services
14.7.99
google play store

13.0.23-all

 

 

  • 0
  • 0
Chad | posted this 19 June 2019

Hello,

I am having a similar problem and found this thread so I hope someone can help.

I have always used Mobicontrol for Windows Mobile and only recently getting into android enterprise. I have Panasonic FZ-N1 devices with android 8.1.

It seems to me that when I get a brand new unit from box, it enrolls properly as managed device. But if I factory reset (I would unenroll and delete from Mobi) and re-enroll using the same enrollment rule, the device will go into work profile! I am on Mobi 14.3.4.

As for app catalogues with my setup, I don't get them to show up for me period when I use enterprise app (uploaded apk).

I would really want a way to re-enroll my devices as managed devices and not work profiles and yet to find a way.

I am finding with Panasonic at least and Mobi 14.3.4 there are a lot of other issues like feature controls sticking even after revoking, or wrong controls set. But let's start by one issue at a time.

Any ideas?

  • 0
  • 0
Matt Dermody | posted this 19 June 2019

 

It seems to me that when I get a brand new unit from box, it enrolls properly as managed device. But if I factory reset (I would unenroll and delete from Mobi) and re-enroll using the same enrollment rule, the device will go into work profile! I am on Mobi 14.3.4.

 

Device Owner AE enrollment requires a device to be in a factory default state. If you are past the Google Setup Wizard already I don't think you'll be able to enroll as Device Owner until you reset the device. This is not an issue with SOTI or your Panasonic device, but a core function of Android Enterprise. 

 

As for app catalogues with my setup, I don't get them to show up for me period when I use enterprise app (uploaded apk).

 

I haven't really experimented much with enterprise app distribution through the App Catalog. If your devices are managed with DO I suggest building a Package containing the APK and delivering the app directly to the devices instead of using an App Catalog which is better suited to Managed Google Play distribution. 

 

I would really want a way to re-enroll my devices as managed devices and not work profiles and yet to find a way.

 

Try reseting the device from the settings menu. A device needs to start from a clean state in order to enroll as Device Owner. 

  • 0
  • 0
Chad | posted this 19 June 2019

Hi Matt,

Thanks for the answers. Maybe I was not clear but when I try to re-enroll. I do the following:

  • unenroll from Mobi
  • delete from Mobi
  • factory reset device
  • go through initial wizard and use hash tag to re enroll

I get work profile and not managed work device.

I read staging QR codes works better, I will try that tomorrow as I have been only using hash tag...

As for apps, I started with pushing enterprise apps via packages as u suggested. But I had issues where package installs would cause " google play store has stopped". So I was not able to uninstall/install/update.

I opened a case with soti and they suggested I try the app catalogues instead. Which totally didn't work.

I must also add that my devices, after enrollment are not seeing the internet, which I thought might be the cause of play store stopping error. The idea was maybe app catalogue will be less dependant on the internet connection to the play store as per my case with soti.

So my options are: - with my devices not on internet, can I have Mobicontrol install packages or enterprise APK files ? And which method is better? Obviously I won't be able to do play store apps, which is fine. But it keeps crashing. - if a connection to internet is a must, I am trying to use proxy... But not sure how to tell play store to use proxy, I did add proxy to wifi but I don't think play store is using proxy

Hope this sheds some light on why I am trying app catalogue.

Thanks,

  • 0
  • 0
Chad | posted this 19 June 2019

I just wanted to say.that the device is connected to the internet during the enrollment process. It's only afterwards it won't be, but will always be connected to Mobicontrol .

I had the same issues I described above even as a test I left the device on the internet. My Mobicontrol - android experience has not been very fruitful yet.

Thanks,

  • 0
  • 0
Matt Dermody | posted this 20 June 2019

Don't lose faith just yet! There are definitely some growing pains to get used to, especially since you kind of landed right in the middle of a pending shift from Device Administrator based management to Android Enterprise. The fact that you even grasp the difference between Work Managed (Device Owner) and Work Profile (Profile Owner) is a big first step. There are tenured EMM admin used to DA who are still grasping with AE, it's almost better that you're going straight to it. 

I would toy around with the other enrollment methods just in case there is an issue with the process. During AEDO enrollment the device is reaching out to the Play Store to pull down the latest AE agent DPC for the EMM you're enrolling into and sometimes that latest version of the APK that is hosted in the Play Store can have bugs... As painful as it is, you sometimes have to wait several days before a new version comes out unless your manufacturer gives you a non-standard way to enroll as DO outside of the Google provided methods (NFC, QR, DPC identifier, ZTE). Zebra for instance offers a StageNow based method that allows you to bypass the Google SUW and then download a specific SOTI agent from a location that you specify, outside of the Play Store. This also allows you to use a specific version if the current version in the Play Store has a bug that is affecting your deployment. I have certainly had to do this in the past. I'm not sure if Panasonic offers something similar but it is worth exploring to see if they offer any other DO enrollment methods. 

Assuming you can get the device re-enrolled successfully, I would continue pursuing the direct APK installation method via Package. I'm thinking that your Google Play crash is being caused by the lack of a clear network path back to the Play servers more so than by the APK install. I install all enterprise applications to AEDO managed devices using this method and only leverage Managed Google Play via an App Catalog if I need to distribute an app from Public Google Play (rare for my environments). Longer term, we'll want to use Managed Play to distribute apps that support Managed Configs/App Config once those are more widespread as well as leveraging it to administer OEM specific configurations via OEMConfig. At this point SOTI is still working on OEMConfig support for manufacturers like Zebra and Samsung, but I would expect it to be released soon. Once we get to that point, you'll probably want to figure out how to proxy the connections out to the Play Store, but in the meantime, you might not have any real need for Play Store access from the devices (despite Google's wishes!)

  • 1
  • 0
Raymond, Chan | posted this 20 June 2019

Hi Chad,

If your can enrol your out-of-the-box Panasonic FZ-N1 devices to DO mode but fail to re-enrol it after factory reset,  the problem is likely related to the device firmware or to the way used to factory reset the device.

 

Some devices, such as some Zebra devices I tested in the past, have standard factory-reset as well as enterprise factory-reset.  The former cannot get data stored in enterprise data partition to be cleaned up while the latter can.  I haven't tested a Panasonic FZ-N1 before and I am not sure if its firmware also implement enterprise data partition in its file-system.  If so, maybe you have to check your device manual on how to do an enterprise factory-reset, or you  can try initiating a "factory reset" action of your on-line enrolled device from MobiControl web-console and then perform the "delete" action on the same device after you see the device-icon status indicates that it is already off-line.

 

As for app deployment from Managed Google Play store,  I don't know if you have tried testing with any other device brands/models.  If you have already done so and at least one of them works, the problem should be related to your device Panasonic firmware rather than with MobiControl device agent or your networking infrastructure/setup or Google's MGP server/infrastructure .  If all of the other tested brand/models fail too, you probably need to provide more information on your server/networking infrastructure before any advice can be given.

 

  • 1
  • 0
Chad | posted this 20 June 2019

Thanks Matt and Raymond,

I will work on getting Internet access to devices, I think the way things are going, this is a must. 

then, I will use package installs, I just got a reply on my ticket, looks like AE doesn't support APK install from app catalog.

Finally, regarding the factory reset, we can only get Panasonic, we are a gov entity so we have to buy whomever wins in RFP. Panasonic is what we have to work with. They indicated that they do support MobiConttrol, so I will have to talk to their support if I can't get it resolved. Although I expect that Mobi and Panasonic need to work together and not having a finger pointing match.

I wanted to note that I can re-enroll the Panasonic devices after a factory reset, but they get enrolled in the wrong mode, as work profile instead of managed device.

 

you mentioned there is a way to factory reset from console? Where? I cannot find that under the device options?

 

Thanks,

  • 0
  • 0
Raymond, Chan | posted this 20 June 2019

Hi Chad,

Under normal circumstances in which you need support for app deployment from Managed Google Play store, your device of course needs internet access to to Google's AE server to complete all the Google Play Support services update and MGPA account set-up.  Otherwise,  it is still possible to set the device into AE-DO mode on a closed corporate network, but the procedure is much more complicated.

 

Also,  AE does support APK install from app catalog rule, except that it is for on-demand deployment initiated by the device end-user rather than for silent push even if you mark the app item as mandatory in your app-catalog rule.  If you can do that, there might be some other problem with your network infrastructure set-up.

 

Finally,  you can initiate device factory reset with "wipe" option if the device is in managed-device mode.  I was just suggesting that if your initial out-of-the-box enrollment can get the device into AEDO mode, then whenever you have a need to factory reset the device, try to initiate the wipe operation from MobiControl web-console, rather than pressing the "factory reset" button on device Settings.  This is just an educated guess and you have to perform a test on your Panasonic device to see if it works or not.

 

 

  • 0
  • 0
Matt Dermody | posted this 20 June 2019

To elaborate on this. Android devices have a Reset option nested in the Settings app that can perform a basic wipe. There may be a more through Factory Reset process however that the manufacturer provides and you may just need to determine what that effort is, assuming that the Reset that you performed was from the Settings app. 

  • 0
  • 0
Chad | posted this 20 June 2019

Thank you all.

Yeah, so I will do all the recommendations. I will try the wipe and talk to Panasonic.

The only problem, which might be worth a new thread is how to get google play store to go through proxy! Although proxy works for me in browser, google play store just isn't going through it.

Thank you,

  • 0
  • 0
Douglas Creamer | posted this 03 October 2019

Hello Chad,

Did you ever figure out to get Enterprise Google Play working behind a proxy? I'm having the same issue.

  • 0
  • 0
John Doe | posted this 04 October 2019

I think the problem might be that devices are not connecting to google via fqdn etc. they are somehow using the direct ip adresses.

You might enable SSL Inspection and let your fw detect when its traffic for google play or you could whitelist the asn of google (https://bgp.he.net/AS15169).

Have you whitelisted all adresses documented in the google Bluebook Migration Document?

Kind Regards John

  • 0
  • 0
Chad | posted this 04 October 2019

Hi Douglas,

 

It seems that it doesn't like to work when using a .PAC file (automatic), I had to setup the proxy (manually), i.e proxy server name and port.

 

Hope this helps you out.

  • 1
  • 0
Douglas Creamer | posted this 04 October 2019

Not great news, we require using a PAC, but does answer the root cause. Thanks for that!

  • 0
  • 0

Give us your feedback
Give us your feedback
Feedback