KB-3158: General troubleshooting tips for Centrify for Mobile/SaaS
Applies to: Centrify for Mobile/SaaS
What troubleshooting steps can be performed for Centrify for Mobile/SaaS?
If you are new to or unfamiliar with Centrify for Mobile, it is recommended to review the Centrify Cloud Management Suite Installation and Configuration Guide.
Verify basic proxy functionality:
Open the Centrify Cloud Proxy Server Configuration utility and note the last connection time and connection status – the proxy service should be started and display the last connection result as “Successful”. If the last connection result displays “Failed” or “Unknown”, restart the proxy service.
If the proxy service is started but the last connection result still displays “Failed” or “Unknown”, run the Connection testGui.exe utility available at C:\Program Files\Centrify\Cloud Management Suite\ to verify Cloud-to-Proxy connectivity, and correct any listed errors.
If unable to start the Centrify Cloud Proxy service, verify that the account used to start the proxy service has the necessary Active Directory permissions. See the section “Required Active Directory Permissions” on page 20 of the Cloud Management Suite Installation and Configuration Guide.
If still unable to start the Centrify Cloud proxy service, it may be helpful to install another proxy instance on a different Windows 2008 server or Windows 7 workstation. See the section titled “Multiple proxy installation scenario” on page 61 of the Cloud Management Suite Installation and Configuration Guide. This method can be used to restore device functionality and provide a redundant failover host while the original proxy issue is investigated. To install a second proxy instance, you must register the proxy using the same Centrify website account and Customer ID used for the original proxy instance.
IMPORTANT NOTE: Do not use multiple proxy installations with different Customer IDs for the same Active Directory forest.
Review the Centrify Cloud proxy logs for any listed errors.
The proxy logs are available at C:\Program Files\Centrify\Cloud Management Suite\Log* on the proxy host and may contain several files. As the Log.txt file grows and reaches 2 MB in size, a new log file is created and the current file is renamed to “Log.txt.#” (where “#” is an incremental value). It is not uncommon to see many log files named “Log.txt”, “Log.txt.1”, “Log.txt.2”, “Log.txt.3”, etc.
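The following PowerShell sketch is an added example, not part of the original KB or Centrify's tooling. It searches Log.txt and all of its rotated copies in one pass. The keyword pattern and the parameter names are assumptions, since the KB does not describe the log line format; adjust them to match what the logs actually contain.

```powershell
# Added example: search the active and rotated Centrify Cloud proxy logs
# for problem lines. Read-only; run on the proxy host.
# Assumptions (not from the KB): logs are plain text and problem lines
# contain one of the keywords in $Pattern.
param(
    [string]$LogDir  = 'C:\Program Files\Centrify\Cloud Management Suite',
    [string]$Pattern = 'error|fail|exception',
    [int]$Tail       = 20      # how many of the newest matches to print
)

# Log.txt is the active file; Log.txt.1, Log.txt.2, ... are rotated copies.
# Sort by last write time rather than by suffix, because the KB does not
# say whether a higher suffix means an older or a newer file.
$logs = Get-ChildItem -Path $LogDir -Filter 'Log.txt*' |
    Where-Object { -not $_.PSIsContainer -and $_.Name -match '^Log\.txt(\.\d+)?$' } |
    Sort-Object LastWriteTime

if (-not $logs) {
    Write-Warning "No Log.txt* files found in $LogDir"
    return
}

# Select-String is case-insensitive by default and records the file name
# and line number of every match.
$hits = @($logs | Select-String -Pattern $Pattern)

if ($hits.Count -eq 0) {
    Write-Output "No lines matching '$Pattern' in $($logs.Count) log file(s)."
    return
}

# Per-file summary: shows which rotation the problems cluster in.
$hits | Group-Object Filename |
    Select-Object Name, Count |
    Format-Table -AutoSize

# Newest matches last, because the files were read oldest to newest.
$hits | Select-Object -Last $Tail |
    Format-List Filename, LineNumber, Line
```

Because each 2 MB rotation is searched, an error that first appeared several files back is not missed just because the current Log.txt looks clean.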
Managing Devices from Active Directory Users and Computers:
During installation of the Centrify Cloud proxy server, the option to install Active Directory extensions is enabled by default. This provides the ability to perform various management tasks using the standard Active Directory Users and Computers console (ADUC). To manage a device, select a mobile device object in ADUC and choose a device command from the Actions menu. Administrators can also right-click a device object to perform device actions including remote, lock, unenroll, update or re-apply group policies and remote wipe.
Viewing a device object's properties also displays the Centrify Mobile tab, which can be used to view additional device details and policy status.
Managing Devices from the Centrify Cloud Manager:
The Centrify Cloud Manager is not required to manage or enroll devices but is required to set up and configure Apple APNS before enrolling any iOS devices. Device administrators and AD users can log in to the following portals:
To log in to the Cloud Manager, the AD account used must be a member of the Management Authorization group configured in the Centrify Cloud Proxy Server Configuration utility. The Domain Admins group is used by default.
To log in to Cloud Manager, use one of the username format options below:
Where adusername and customerID are separated by the pipe ( | ) symbol. Example: bsmith|AB123
Where domain is the registered domain of the proxy host. Example: email@example.com
Note: users will not be able to log in to the Cloud Manager using the Centrify website account username and password - only AD user credentials are allowed.
The Centrify Cloud Manager is provided as an extension to using the Active Directory Users and Computers console (ADUC) and can also be used to perform device actions including remote, lock, unenroll, update or re-apply group policies and remote wipe.