Windows 10 LDAP Enrollment


I am attempting to enroll a Windows 10 laptop onto our SOTI MobiControl server (running version 15.2) using LDAP authentication against our on-premise Active Directory. I have set up my rule to include the group with the most permissions in our AD for enrollment purposes.

I have confirmed that the domain user that I am using is a part of this group and possesses all the necessary permissions.

However, when on the laptop, I successfully join it to our domain, but nothing ever gets enrolled on the SOTI side.


Could someone point me in the right direction for where to troubleshoot or even provide a solution for how to successfully join a laptop to a domain and SOTI simultaneously?

8 Answers

Raymond Chan | posted this 13 November 2020

Have you tried enrolling an Android device with AD/LDAP credentials onto your server after your AD/LDAP server integration? As enrollment for the Android platform is relatively less strict than for the Windows platform, a successful enrollment test result helps to rule out problems related to the integration done so far.

On your Win10 laptop, what did you do to initiate MDM enrollment? Did you see any warning/error message on the device screen? Did you check your MobiControl server log files for entries related to Windows 10 device enrollment?

  • 0
  • 0
Evan | posted this 13 November 2020

Raymond,

I have not attempted to enroll an Android device using this method because we already have rules for enrollment set up for Android devices that do not require LDAP.

I attempted to initiate the MDM enrollment on the laptop by joining it to our domain, as specified in steps 10-14 in the following linked documentation (https://www.soti.net/mc/help/v15.2/en/console/devices/managing/enrollment/windows/modern/windowsmodern_desktop.html?hl=windows%2Cmodern%2Cldap%2Cenrollment)

I have not been able to locate any errors when attempting this process. Where on the MobiControl server would this sort of activity be logged?

  • 0
  • 0
Raymond Chan | posted this 16 November 2020

Hi Evan,

Using steps 10-14 is OK.

As said in my previous post, test enrolling an Android device with AD credentials first to quickly rule out problems with your basic AD/LDAP integration with the SOTI MobiControl server. Share your test results before we look further into any Windows 10 specific problem(s).

  • 0
  • 0
Evan | posted this 16 November 2020

Raymond,

I don't think that is necessary, because we already have an integrated LDAP connection to the MobiControl server and we have users that successfully authenticate using domain credentials / MFA on a day-to-day basis. So I would think our LDAP/AD integration is solid.

What troubleshooting steps beyond this can be done to see what is causing the problem?

  • 0
  • 0
Evan | posted this 19 November 2020

Can someone please provide some helpful information for troubleshooting this? So far I've not been able to get anything of use from anyone on where to find where this is erroring out and it would be nice to get some answers on this from someone.

  • 0
  • 0
JCMOD@SOTI | posted this 19 November 2020

Hi Evan,

I'm more than happy to assist you in moving forward.

Firstly, the Event Logs on Windows 10 machines are the best place to start troubleshooting MDM-related issues. In Event Viewer, open Applications and Services Logs -> Microsoft -> Windows -> DeviceManagement-Enterprise-Diagnostics-Provider -> Admin to see the details of MDM and device management related issues.

Let me know what errors you see and we can look into this further. An additional tip is to check your DSE logs; that's where the Windows Modern enrollments will hit. Set them to Verbose in MCAdmin and cross-reference timestamps from your Event Viewer logs.

Also note that Windows Modern enrollments must complete within 30 seconds; otherwise they will fail.

Regards,

Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |

  • 0
  • 0
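An added example (not SOTI's code and not from the original poster) of the first step described above: pulling the errors and warnings from the Windows 10 DeviceManagement-Enterprise-Diagnostics-Provider Admin log for a recent time window and exporting them with UTC timestamps so they can be cross-referenced with the DSE logs. It assumes the enrollment attempt happened within the last $Hours hours and that the export path is acceptable; run it in an elevated PowerShell prompt on the laptop.

```powershell
# Added example: collect MDM enrollment errors/warnings from the diagnostics log
# named in the reply above, for correlation with MobiControl DSE log timestamps.
param(
    [int]$Hours = 2,                                              # assumed lookback window
    [string]$ExportPath = "$env:TEMP\mdm-enrollment-events.csv"   # assumed output location
)

$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

# Level 1 = Critical, 2 = Error, 3 = Warning
$filter = @{
    LogName   = $logName
    Level     = 1, 2, 3
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

if (-not $events) {
    Write-Host "No MDM errors or warnings in '$logName' during the last $Hours hour(s)."
    Write-Host "Confirm the enrollment was actually attempted, or widen the -Hours window."
    return
}

# Keep only the fields useful for matching against server-side logs; times in UTC
$report = $events | Select-Object `
    @{ n = 'TimeUtc'; e = { $_.TimeCreated.ToUniversalTime().ToString('u') } },
    @{ n = 'Level';   e = { $_.LevelDisplayName } },
    Id,
    @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }   # first line only

$report | Format-Table -AutoSize -Wrap
$report | Export-Csv -Path $ExportPath -NoTypeInformation
Write-Host "Exported $(@($report).Count) event(s) to $ExportPath (times are UTC)."

# The reply above notes the whole enrollment must finish within 30 seconds, so
# print the window the errors cover to narrow the DSE log search.
$first = $events[0].TimeCreated.ToUniversalTime().ToString('u')
$last  = $events[-1].TimeCreated.ToUniversalTime().ToString('u')
Write-Host "Check the DSE logs (Verbose) between $first and $last UTC."
```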
Raymond Chan | posted this 20 November 2020

Hi Evan,

I suggested you check the log files of the MobiControl server in my first reply more than a week ago. Have you done so?

Is your MobiControl server instance a new one? Is it an on-premises or a cloud server instance? Have you ever successfully enrolled any device onto this server?

  • 0
  • 0
Jorge Hussni - SAFIRA Telecom | posted this 26 January 2021

Hello friend, I believe that you want to create an automatic enrollment process for your correct LDAP environment?

You have several ways to do this automatically and I will try to help you.

Using a GPO you can transfer the files from the Windows Modern package to the machine, or leave them in a secure network repository that you can be sure is mapped on all machines. With that done, you need to create a startup policy (Windows boot or user logon) to execute the following PowerShell cmdlet:

Install-ProvisioningPackage
       [-PackagePath] <String>
       [-ForceInstall]
       [-QuietInstall]
       [-LogsDirectoryPath <String>]
       [-WprpFile <String>]
       [-ConnectedDevice]

This Microsoft help page can also help you work on that:

https://docs.microsoft.com/en-us/powershell/module/provisioning/install-provisioningpackage?view=win10-ps

Use the command parameters for a silent installation, and if the target machines do not have the certificate used in the creation of the .ppkg package and in the MobiControl rule, create another GPO to send the certificate, or find some other method within your possibilities to perform this.

The second path we use internally is using the System Center Configuration Manager which allows me to run this in real time without any major errors or alerts on the machine and for the user.

I have our internal material that we use with clients on how to create this GPO if you want to send me your email in private, I can share it with you and help you with something else if necessary.

Jorge Hussni, Innovation Manager, Solutions & Technology, Corporate Mobility Management, Telecom & IT, Rua Alvorada, 1289 conj. 404 - Vila Olímpia, São Paulo - SP - CEP: 04550-004, T: (11) 4328-7378, C: (11) 975 721 349, E: jhussni@safirast.com (new email!), www.safirast.com (new site!)

  • 0
  • 0
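An added example (not SAFIRA's or SOTI's script) of the GPO startup script described above: it installs the Windows Modern .ppkg silently with Install-ProvisioningPackage, but first checks that the signing certificate the reply warns about is present and that no package is already installed, so the script can run at every boot without re-triggering enrollment. The share path, certificate thumbprint and log folder are placeholders you must replace; the idempotence check assumes the Provisioning module's Get-ProvisioningPackage -AllInstalledPackages is available.

```powershell
# Added example: GPO computer-startup script for a silent MobiControl .ppkg install.
$PackagePath    = '\\fileserver\mdm$\MobiControl.ppkg'          # assumed repository share
$CertThumbprint = '0000000000000000000000000000000000000000'    # placeholder thumbprint
$LogDir         = "$env:ProgramData\MobiControlEnroll"         # assumed log folder

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$log = Join-Path $LogDir 'install.log'
function Write-Log([string]$Msg) { "$(Get-Date -Format u) $Msg" | Add-Content -Path $log }

try {
    Import-Module Provisioning -ErrorAction Stop

    # 1. Idempotence: a startup script runs every boot, so skip if a package is
    #    already installed instead of forcing a re-enrollment each time.
    $installed = Get-ProvisioningPackage -AllInstalledPackages -ErrorAction SilentlyContinue
    if ($installed) {
        Write-Log "Package already installed ($($installed.PackageId -join ', ')); nothing to do."
        return
    }

    # 2. The reply notes the install depends on the certificate used to create the
    #    package; verify it is trusted (assumed stores: Root or TrustedPeople) first.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\TrustedPeople |
            Where-Object Thumbprint -eq $CertThumbprint
    if (-not $cert) {
        Write-Log "Certificate $CertThumbprint not found in LocalMachine Root/TrustedPeople; aborting."
        exit 1
    }

    if (-not (Test-Path -LiteralPath $PackagePath)) {
        Write-Log "Package not found at $PackagePath; aborting."
        exit 1
    }

    # 3. Quiet, forced install; its own log directory makes later correlation with
    #    the Event Viewer and DSE logs easier.
    $result = Install-ProvisioningPackage -PackagePath $PackagePath `
                  -QuietInstall -ForceInstall -LogsDirectoryPath $LogDir
    Write-Log "Install-ProvisioningPackage returned: $(($result | Out-String).Trim())"
}
catch {
    Write-Log "Install failed: $($_.Exception.Message)"
    exit 1
}
```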