This section provide solutions to the problems you might encounter while using the Mobile Management feature.
If any of the ZENworks operations fail, then you can check the following logs for additional details:
loader-messages.log: logs messages related to background tasks performed by ZENloader services, which can be accessed from the following locations:
On a Windows Server: %ZENWORKS_HOME%\logs\loader-messages.log
On Linux Server: /var/opt/novell/log/zenworks/loader-messages.log
services-messages.log: logs issues related to tasks performed by the ZENworks Server, which can be accessed from the following locations:
On a Windows Server: %ZENWORKS_HOME%\logs\services-messages.log
On Linux Server: /var/opt/novell/log/zenworks/services-messages.log
zcc.log: logs issues related to ZENworks Control Centre User Interface related failures while configuring or creating components such as push notifications, bundles, policies, user sources or an MDM server. These logs can be accessed from the following locations:
On a Windows Server: %ZENWORKS_HOME%\logs\zcc.log
On Linux Server: /var/opt/novell/log/zenworks/zcc.log
NOTE:References to %ZENWORKS_HOME% indicates the following default path that can be changed during installation: C: \Program Files\Novell\ZENworks.
zapp.log: logs issues related to the ZENworks Agent App installed on Android devices. This can be found on the device at: storage/emulated/0/ZENworks/logs. For logs within a Work Profile, the administrator needs to approve a file manager app using which the file can be viewed in the device.
The following table lists some of the possible troubleshooting scenarios along with details of related log files that might help you resolve the issues:
Scenario |
Logs |
---|---|
Apple Volume Purchase Program |
|
Unable to create a VPP subscription. |
zcc.log, services-messages.log |
VPP Subscription has failed to replicate bundles based on apps approved in Apple VPP. |
loader-messages.log |
VPP Bundle distribution has failed on the device |
services-messages.log |
ActiveSync Server |
|
ActiveSync server creation fails in the ZCC wizard. |
zcc.log |
Failed to establish a connection with the ActiveSync server. |
services-messages.log |
Android Enterprise |
|
Unable to create an Android Enterprise Subscription |
zcc.log, services-messages.log |
The subscription has failed to replicate bundles based on apps approved in the managed Google Play Store. |
loader-messages.log |
Work profile enrollment has failed |
services-messages.log, zapp.log (on the personal side of the device) |
Work managed enrollment has failed |
services-messages.log |
Apple Device Enrollment Program |
|
Unable to assign the DEP server role to an MDM Server. |
zcc.log, services-messages.log |
DEP device enrollment fails |
services-messages.log |
Intune App Management |
|
Microsoft Graph API configuration fails |
zcc.log, services-messages.log |
Failed to create an Intune App Protection policy |
zcc.log, services-messages.log |
iOS Bundles |
|
Failed to create an iOS bundle |
zcc.log, services-messages.log |
Failed to distribute an iOS bundle |
zcc.log, services-messages.log |
Push Notifications |
|
APNs certificate import has failed |
zcc.log, services-messages.log |
Mobile Security and Control Policies |
|
Device control policy settings are not applied on the device |
zcc.log, services-messages.log. For an Android device, check zapp.log on the device. |
Microsoft Graph API Configuration fails
ZENworks Server using which Microsoft Graph API is configured does not have outbound connectivity to contact the Azure portal.
Pop-up blocker is not disabled on the browser using which Microsoft Graph API is configured. Disable the pop-up blocker and try again.
iOS Intune App Protection Policy creation fails in ZENworks.
ZENworks Server using which Microsoft Graph API is configured does not have outbound connectivity to contact the Azure portal.
The access token is either invalid or has expired. You need to renew the token, in ZCC, by navigating to Configuration > Management Zone Settings > Intune App Management > Renew Token. After renewing the token, you need to start creating the policy again.
The Microsoft Graph API is either not configured or is deleted from ZENworks. To configure it, navigate to Configuration > Management Zone Settings > Intune App Management. After configuring the account, you need to start creating the policy again.
The creation or modification of iOS App Protection policy succeeds in ZENworks but fails in Azure
ZENworks Server is facing some network connectivity issues.
The access token is either invalid or has expired. You need to renew the token, in ZCC, navigate to Configuration > Management Zone Settings > Intune App Management > Renew Token.
The Microsoft Graph API is either not configured or is deleted from ZENworks. To configure it, navigate to Configuration > Management Zone Settings > Intune App Management.
The deletion of iOS App Protection policy succeeds in ZENworks but fails in Azure
ZENworks Server using which is facing some network connectivity issues.
The access token is either invalid or has expired.
Microsoft Graph API account was already removed from ZENworks.
Token renewal fails if the process is initiated from another ZENworks Server
DEP Server creation fails if certain mandatory information is missing in the uploaded token
DEP enrollment fails if the user initially skips applying the MDM Profile on the device
DEP enrollment does not proceed further after specifying assigned user credentials
DEP enrollment fails while re-enrolling a retired device
While configuring access controls to secure an MDM Server, Administration access is denied for all
Enter the Server IP.
Enter https://localhost (applicable for IPv4 addresses only)
Enter the loopback address.
If you are still unable to access ZCC, then delete the configuration file access-filters.json from the directory available at %ZENWORKS_HOME%/share/tomcat/conf. Restart the MDM server. Administration access will be allowed for all. You need to navigate back to ZCC and re-configure the access controls.
After configuring access controls to secure an MDM Server, an IP address of a device that is denied access is still able to contact the ZENworks Server
Also, check whether the device is communicating with the ZENworks Server using a proxy server. If so, you need to deny access to the IP address of the proxy server, if other devices are not using this proxy server.
Mobile devices are unable to contact the ZENworks Server
NOTE:Also, if you delete all the MDM Servers in the zone, then the Push Notifications configuration (APNs and GCM) will be automatically deleted.
APNs keystore fails to replicate on a newly added MDM Server in the zone
APNs certificate import fails
Push notifications to enrolled devices will not work as expected, if the APNs certificate has expired and a new certificate is imported
While migrating from Google Cloud Messaging (GCM) to Firebase Cloud Messaging (FCM), an error is displayed if the Project Number does not match with that of the existing GCM project
If you are unable to obtain these credentials, then execute the zman sgd command to remove the existing GCM values from the ZENworks database. Restart the ZENworks services and then proceed to upload the .JSON file to configure the new FCM project.
If a device enrolled as an ActiveSync Only device is fully wiped and deleted, then re-enrollment of the same device fails
Email accounts might not work properly on some mobile devices if an ActiveSync server is added after the devices are enrolled
You might be prompted to re-enter your account password. If this does not work, either initiate a Refresh action on the email account configured on the device or initiate a Refresh action from the Settings menu on the device.
For Windows devices:
Delete and re-create the email account on the device.
NOTE:For iOS devices, the email client might display an error message a couple of times, after which you will start receiving emails on the device.
As a best practice, it is advisable to configure an ActiveSync server before a device is enrolled to the ZENworks Management Zone.
Email accounts cannot be re-configured, if remote wipe is initiated on the ActiveSync Server.
During email account configuration, user authentication to ActiveSync Server fails
Email accounts on some devices might stop functioning and an authentication error is displayed
Status of a newly enrolled iOS device is displayed as Pending Enrollment in ZENworks User Portal, until the browser is refreshed
If the time on an Android device lags behind the time on the ZENworks Server, then device enrollment will be unsuccessful
Re-enrollment of a device might fail with a Constraint Violation exception
During ActiveSync enrollment of an already enrolled fully-managed Android device, automatic reconciliation to the existing device object fails
Allow the user to manually reconcile the device: by enabling the setting in the assigned Mobile Enrollment Policy. For more information, see the Mobile Management Reference.
Enable direct communication with the configured ActiveSync server: by selecting the option Do not use ZENworks Server as Proxy Server in the assigned Mobile Email Policy. The device can directly send or receive emails from the configured ActiveSync server. For more information, see the Mobile Management Reference.
If the time on the ZENworks Server lags behind the actual enrollment time of a mobile device, then any quick task that is sent to this device within this time period is not processed and its status will remain as Initiated
VPP bundle creation fails
The Apple Server is busy and not responding.
Apple is unable to provide the latest app metadata as Apple might have discontinued support for the app.
Apple has extended VPP support to a new country, which is not supported by ZENworks. Contact the Micro Focus tech support team to include this country in ZENworks.
VPP bundle distribution fails
A VPP bundle is assigned to a device with iOS version prior to 9.0. Apple supports device assignments on iOS versions 9.0 or newer.
A VPP bundle is assigned to a user and the invite to associate with the Apple VPP is not accepted by the user.
A VPP bundle is assigned to a user and the Apple ID on the user’s device is different from the Apple ID that the user has used to associate with the Apple VPP.
The app is not compatible with the device.
Deficit in the number of licenses.
The Apple VPP subscription is disabled or deleted.
The VPP token ownership has changed and is being used by another MDM solution.
Apple is unable to validate the iTunes Store ID of the specific app.
The app has discontinued in the iTunes Store.
For an Apple School Manager Account, bundle creation for associated apps that are linked to a specific location might fail in ZCC.
Purchased license count is not updated, if sync to retrieve latest VPP apps is initiated immediately after purchasing an app
While uploading or renewing a VPP token, an appropriate error message is displayed and the subscription renders as unusable.
EUP session becomes inactive when a Mobile Security or Device Control Policy is applied on iOS devices
Mobile Security policies might not apply automatically on a few Android devices
Windows mobile devices do not accept alphanumeric or complex characters even if they are enabled in the assigned Mobile Security policy
Simple passwords are accepted by a few Android devices even if the setting is disabled in the assigned Mobile Security policy
Max Grace Period and Max Inactivity Timeout restriction settings might display incorrect values on the device
Variable specified while configuring bundle app parameters, appears as is when the app is pushed to the device
Device enrollment fails with a message that indicates that the prerequisites required to enroll the device have not been met.
An Android Enterprise Subscription is not created.
The user is not a part of the user source associated with the Android Enterprise Subscription.
A Mobile Enrollment policy and an Android Enterprise Enrollment policy are not assigned to the user who is a part of the user source associated with the Android Enterprise Subscription.
The Android Enterprise Enrollment policy is assigned to a device instead of a user. If a new device is being enrolled to ZENworks, then you need to assign the Android Enterprise Enrollment policy to the users of these devices. Device assignments are supported only for those devices that have already been enrolled using the Device Admin API (the basic mode of enrollment) and need to be re-enrolled to the zone in the work profile or work-managed device mode.
NOTE:From the ZENworks 2017 Update 4 release onwards, the basic mode of enrollment has been deprecated.
The device is not Android Enterprise capable. Work profile enrollment is supported on Android 5.0 and later versions. Work-managed device enrollment is supported on Android 6.0 and later versions. For a list of all the devices that support Android Enterprise, see https://www.android.com/enterprise/device-catalog/.
Work-managed device enrollment fails
The Google Play Store on the device is not the latest version and requires an update.
The Android Enterprise subscription in ZCC is not associated with the user whose device has failed to enroll.
The Android Enterprise policy is not assigned to the user whose device has failed to enroll.
Unable to access GroupWise emails on enrolled devices using the Gmail app that was remotely configured in ZENworks
Unable to associate user context with the Android Enterprise Subscription
This might be because of any of the following reasons:
Scenario 1: The selected user context might already be associated with a subscription that is already unenrolled. The data associated with unenrolled subscription will be deleted only after 30 days.
Action: After unenrolling the Android Enterprise Subscription, delete the subscription data. To delete the subscription data run the zman sca command.
Scenario 2: Both Parent and child user are associated to the same Android Enterprise Subscription.
Action: Both parent and child user context cannot be associated with the same subscription. Depending on your requirement, you can remove either child or parent user context.
An error Work profile can’t be created because you’ve reached the maximum number of users on your device. Remove at least one user and try again is displayed on certain devices while trying to setup the work profile again.
When a device becomes compliant and restrictions are removed, app shortcuts on the home screen might not be restored
Work profile setup fails on an Android O device that already has work profile
On certain devices, apps fail to install but is made available in managed Google Play store
Work profile enrollment fails on certain Android 5.0 devices
Certain work apps crash when the user logs in to those specific apps
As a best practice, it is recommended that you pre-configure the app and deploy it using the Managed Configurations feature in ZENworks.
When the ZENworks Agent app contacts the server to obtain the new certificate after the CA remint activation date, the status of the system update is momentarily displayed as failed
The ZENworks Agent App shortcut crashes when the app is updated
On opening the ZENworks Agent App, an error Device is no longer enrolled with server. Please reinstall the app and enroll the device again is displayed.
Check whether the device object is present in ZCC or not.
If the device object is not present in ZCC, then uninstall and re-install the ZENworks Agent app. Re-enroll the device to ZENworks.
If the problem persists, disable Device Administrator for the app, clear the app data and open the ZENworks Agent app again. To clear the app data, perform the following steps:
NOTE:A Moto E4 Plus device with Android version 7.1.1 was considered to provide the following navigation path, which may vary based on the Android version or the device manufacturer.
Navigate to Settings > Security > Device Administrator. Deselect ZENworks checkbox and follow the prompts to complete deactivating Device Administrator.
Navigate back to the Settings menu, click Apps > ZENworks > Storage > Clear Data. Follow the prompts to complete clearing the app data.
Open the ZENworks Agent app.
Enrolled mobile devices might not work as expected, if a user source is deleted and the same user source is re-configured.
Activation lock bypass code cannot be retrieved from an iOS supervised device
For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.novell.com/company/legal/.
© Copyright 2008 - 2019 Micro Focus or one of its affiliates.
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.