
KB-3016: Troubleshooting steps for mobile device enrollment

Centrify Identity Service, App Edition

4 April,17 at 06:26 PM

Applies to: Centrify Identity Service (all versions)
 


Question:
 
What troubleshooting steps can be performed if a mobile device fails to complete enrollment with the Centrify Identity Service?
 
 
 
Answer:
 
Device enrollment failures can be caused by several factors. 
 
This guide is intended to cover general device enrollment troubleshooting procedures and includes the following information sections:
 

Centrify Connector Functional Checks:
  1. Ensure the Centrify Connector service is started and running on the Windows host where it was installed
  2. Perform a connection test using the connectiontestgui.exe utility located at: C:\Program Files\Centrify\Cloud Management Suite\connectiontestgui.exe
  3. Verify the Enrollment Policy settings in the Admin Portal - only groups associated with this policy will be allowed to enroll devices.
  4. Ensure APNS configuration is complete and not expired (Admin Portal > Settings > Mobile > APNS Certificate) - required for iOS and OS X devices.
    (NOTE: APNS setup does not apply for Android device enrollment).
  5. If using Active Directory (AD) group policy management, manually delete any mobile device computer objects visible in Active Directory Users and Computers (ADUC) and/or from the Admin Portal named "unknown" and allow time for AD changes to sync to the cloud service (default time is 10 minutes) before re-attempting enrollment to avoid conflicts with computer object creation.
  6. Check the connector log for any errors - the log files are located at: C:\Program Files\Centrify\Cloud Management Suite\Log.txt.*
Filter using the words "error" for process issues and "failed" for user login authentication failures
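
The service and log checks above (steps 1 and 6) can be scripted on the connector host. The following PowerShell is an added example, not part of the original article or a Centrify tool. The log path and the two filter words come from the steps above; the service display-name wildcard and the function names are assumptions.

```powershell
# Added example: run on the Windows host where the Centrify Connector is installed.
# Function names are hypothetical; the display-name wildcard is an assumption,
# adjust it to match the service name shown on your host.
function Get-ConnectorServiceState {
    param([string]$DisplayNamePattern = '*Centrify*')   # assumed pattern
    Get-Service -DisplayName $DisplayNamePattern -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Name, Status
}

function Get-ConnectorLogHits {
    param(
        # Log location as given in step 6; the glob picks up all rotated files
        [string]$LogGlob = 'C:\Program Files\Centrify\Cloud Management Suite\Log.txt.*',
        [int]$Context = 2      # lines captured before and after each hit
    )
    # "error" -> process issues, "failed" -> user login authentication failures
    $categories = [ordered]@{ error = 'process issue'; failed = 'login authentication failure' }
    foreach ($word in $categories.Keys) {
        # Select-String matches case-insensitively by default
        Select-String -Path $LogGlob -Pattern $word -SimpleMatch -Context $Context |
            ForEach-Object {
                [pscustomobject]@{
                    Category = $categories[$word]
                    File     = Split-Path $_.Path -Leaf
                    Line     = $_.LineNumber
                    Text     = $_.Line.Trim()
                    Before   = $_.Context.PreContext -join "`n"
                    After    = $_.Context.PostContext -join "`n"
                }
            }
    }
}

# Step 1: report any matching service that is not running
$svc = Get-ConnectorServiceState
if (-not $svc) { Write-Warning 'No service matched the display-name pattern.' }
$svc | Where-Object Status -ne 'Running' |
    ForEach-Object { Write-Warning "$($_.DisplayName) is $($_.Status)" }

# Step 6: count hits per category and file, then show the last 20 with context
$hits = Get-ConnectorLogHits
$hits | Group-Object Category, File | Sort-Object Name |
    Select-Object Count, Name | Format-Table -AutoSize
$hits | Select-Object -Last 20 | Format-List Category, File, Line, Before, Text, After
```

A line containing both words is listed once under each category.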
 

Device Functional Checks:
  1. The device should have a good data signal. If attempting to enroll using corporate Wi-Fi, try using carrier data instead
  2. Ensure the device is using the latest version of the Centrify mobile app for device enrollment.
  3. Ensure the mobile OS meets the system requirements for supported platforms.
    A current list can be found at:
    http://www.centrify.com/products/identity-service/emm/
  4. It is not recommended to perform web enrollments for iOS or macOS devices using https://cloud.centrify.com/enroll - use of the Centrify mobile app or Centrify Agent for Mac are the preferred methods.
 
Device Enrollment Errors:
 
This section contains common enrollment errors and troubleshooting steps:
  • Login Failed - items to check:
    1. Verify the Centrify Connector service is started and shows successful connection state in the Centrify Connector Configuration utility
    2. User must be member of enrollment group
    3. User must enter correct Active Directory or Centrify Directory Service (CDS) username and password information
      (username@<loginsuffix>)
    4. Device must have active internet connection  - cellular or Wi-Fi
    5. Check connector log for errors (see the Centrify Connector Functional Checks section above)
  • Enrollment Timeout - items to check:
    1. Device object already exists and is active in Active Directory – unenroll first
    2. If device object already exists in Active Directory, ensure current device status is in sync with device data displayed in Admin Portal (GP Applied, Terminated, etc.)
    3. iOS - Verify if device has existing MDM profiles listed under Settings > General > Profiles – remove if needed
    4. Device must have active internet connection  - cellular or Wi-Fi connections can cause latency. If using cellular data, try Wi-Fi and vice versa
  • Failed to get device state for iOS - items to check:
    1. Verify APNS certificate has been uploaded in Admin Portal
    2. Verify APNS certificate is not expired or revoked by Apple
    3. APNS Configuration steps are available in the Cloud Manager Online Help
  • Failed to enroll jailbroken device - items to check:
    1. Verify the enrollment policy options and linked policy Roles. 
    2. Enable policy ‘Enroll/Deny’ Jailbroken/Rooted Devices and select option ‘Enroll jailbroken/rooted devices’
    3. Remove device object and re-attempt enrollment
  • Error 403 (connection refused) - items to check:
    1. Device object already exists and is active in Active Directory or Admin Portal – unenroll first
    2. If device object already exists in Active Directory, ensure current device status is in sync with data displayed in Admin Portal (GP Applied, Terminated, etc.)
    3. After device unenroll – allow time for connector to sync settings with cloud service – default time is 10 minutes
  • Error 404 (not found) - items to check:
    1. iOS - Verify if device has existing MDM profiles listed under device Settings > General > Profiles – remove if needed
    2. Device object already exists and is active in Active Directory – unenroll first
    3. If device object already exists in Active Directory, ensure current device status is in sync with data displayed in Admin Portal (GP Applied, Terminated, etc.)
    4. After device unenroll – allow time for connector to sync settings with cloud service – default time is 10 minutes
 
Collecting Centrify Mobile App Debug Information:

It may be necessary for Centrify Support to request device logs for additional troubleshooting. The Centrify mobile app for iOS and Android allows debug logs to be sent directly from the app:
  1. Open the Centrify app > Settings > Set Log Level: Debug
  2. Reproduce the enrollment issue
  3. Go back to Centrify app > Settings > Send Log File > enter the desired email address
Administrators can also configure device policy to allow for remote fetching of device logs using Device Management Commands


Contacting Centrify Support:

When contacting Centrify Support for assistance with Centrify Cloud Service products, please provide the following information:
  • Centrify CustomerID (e.g: ab123, ABC0123)
  • Cloud Connector and host OS version information
  • Device make, model and OS version
  • Cloud Connector logs (Log information is stored using UTC time zone information)
  • A complete description of the issue and severity - provide all relevant details of the issue including:
                - any specific error messages,
                - time, timezone & date when the issue occurred,
                - symptoms or screenshots the user experienced
                - if the issue is causing a production or business impact
                - if the issue can be reproduced




For additional information not covered in this guide or troubleshooting assistance, please review Centrify Online Help or visit the Centrify Customer Portal at support.centrify.com.
