MobiControl and Secure Pulse VPN issues

We are using Zebra TC70x GMS devices running Android 7.1.2 and 8.1 with MobiControl, using Work Managed Device and Lockdown Mode.

The devices are connected using WiFi and with Secure Pulse VPN to connect to our network. We use Managed Google Play applications and app config for automatic app installation and configuration. We also have Always On VPN enabled; we have set net.pulsesecure.pulsesecure in Feature Control, Always On VPN settings.

We face two issues:
- Always On VPN
If we enroll a new device or move a device from a group without Feature Control (and Always On VPN) enabled to a group with it enabled, Always On VPN connects automatically. But if we reboot the device it won't connect and go Always On (manually clicking connect works).

After a reboot and the device going into Lockdown Mode, we can see a Secure Pulse icon in the notifications bar showing the VPN service is running. A couple of minutes later another icon is added showing a user certificate error message (unable to access users security certificate). Again, clicking Connect manually works.

- Device offline with Always On VPN setting enabled in Feature Control
We are unable to contact devices in groups with Feature Control / Always On VPN enabled. In the MobiControl app, the Agent status blinks between Connected and Disconnected. Switching from Lockdown Mode to Admin Mode works, and the Agent status is Connected.

If we move the device to a group without Feature Control / Always On VPN the device is connected, the same goes even if VPN is manually connected. This to me confirms the offline issue is related to Secure Pulse Always On VPN and MobiControl.

We have allowed VPN traffic based on the recommendations below.

- MobiControl Deployment Server: Binary, 5495 (Note: For deployments with multiple deployment servers, for caching purposes.)
- MobiControl Management Server: Binary, 5494/5495
- Google Play: HTTPS, 443
- Remote Control: Binary, 5494
- MobiControl Console, Remote Control: HTTPS (web sockets), 443

Agent version: 13.7.2 Build 1015

Thankful for any ideas how to approach these issues.

2 Answers

Matt Dermody | posted this 12 June 2019

Do you have Doze Mode enabled still? 

TJ Bukoski | posted this 12 June 2019

For the first issue, are you using a certificate to authenticate to the VPN or the WiFi?

I remember a known issue with some Android devices where they will not open the certificate keystore until the end user has typed a PIN into the device. This can be problematic if you restart the device and the lock screen comes up. The device may not attempt to reconnect to the VPN until the lock screen is dismissed. This is a security feature in Android.

Based on your description I think the VPN is trying to pull the certificate before the screen is unlocked and probably is not smart enough to try again when it fails. An ADB log taken from the device may confirm this behaviour. If I am right then you may have to open a ticket with Secure Pulse. MobiControl just dumbly sets the configuration, Secure Pulse tries to make it work.

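The ADB log check suggested in the answer above can be scripted. The following Python sketch is an added example, not part of either answer and not SOTI or Pulse Secure code; it orders certificate failures against the first unlock in a saved `adb logcat -v threadtime` capture. The sample lines, the `ExampleVpn` tag and the three marker patterns are constructed assumptions and must be replaced with what the device actually logs.

```python
import re
from datetime import datetime

# Constructed logcat excerpt (threadtime format). Tags and messages are
# invented for illustration; they are not real Android or VPN client output.
SAMPLE_LOG = """\
06-12 08:00:05.100  1200  1200 I BootMarker: boot completed, keyguard shown
06-12 08:00:09.350  2311  2340 I ExampleVpn: always-on start requested
06-12 08:00:09.900  2311  2340 E ExampleVpn: unable to access user certificate
06-12 08:02:41.000  1200  1215 I UnlockMarker: user unlocked
06-12 08:03:10.500  2311  2311 I ExampleVpn: connect requested by user
"""

LINE = re.compile(
    r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+\d+\s+\d+\s+([VDIWEF])\s+(\S+?)\s*: (.*)$")

# Hypothetical markers (assumptions): substitute strings seen on the device.
UNLOCK = re.compile(r"user unlocked", re.I)
CERT_FAIL = re.compile(r"unable to access .*certificate", re.I)
VPN_START = re.compile(r"always-on start requested", re.I)

def parse(text):
    """Yield (timestamp, level, tag, message) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(m.group(1), "%m-%d %H:%M:%S.%f")
            yield ts, m.group(2), m.group(3), m.group(4)

def triage(text, vpn_tag="ExampleVpn"):
    """Count VPN certificate failures before/after the first unlock."""
    unlock_at, before, after, retries = None, [], [], 0
    for ts, _level, tag, msg in parse(text):
        if unlock_at is None and UNLOCK.search(msg):
            unlock_at = ts
        elif tag == vpn_tag and CERT_FAIL.search(msg):
            (before if unlock_at is None else after).append(ts)
        elif tag == vpn_tag and unlock_at and VPN_START.search(msg):
            retries += 1  # client retried by itself once the keystore opened
    return {
        "unlock_seen": unlock_at is not None,
        "cert_fail_before_unlock": len(before),
        "cert_fail_after_unlock": len(after),
        "auto_retry_after_unlock": retries,
        # Pattern from the answer: fails while locked, never retries itself.
        "matches_hypothesis": bool(before) and not after and retries == 0,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A result with failures only before the unlock and no automatic retry afterwards supports the locked-keystore explanation; failures after the unlock point elsewhere.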
