Attempting to enroll Android devices produces the error: "Enrollment Failed"

Document ID : KB000019263
Last Modified Date : 14/02/2018

Description:

After building a new installation of MDM, we cannot enroll Android Devices. On submitting the "Enrollment Code" in the CA MDM client, we get a generic error: "Enrollment Failed"

Solution:

The items below list some of the more common causes of this error. Working through them should help to resolve the issue.

1- Before re-testing any changes made, please be sure to follow these steps to remove the MDM client from the device:

Figure 1 Removing the MDM client from an Android device

  1. Go to the "Settings" application.

  2. Select the "Security" options.

  3. Scroll down to find the "Device Administrators" item and select it.

  4. You will see one or more instances of "CA MDM" installed as a device administrator, each with a green "tick" next to it.

  5. Touch the green tick. A new screen opens up...

  6. Select "Deactivate". A message "Device Admin Disabled" will be displayed.

  7. When the screen returns there may still be a green tick present next to the item you just deactivated. This seems to be an Android bug.

  8. Repeat steps 5 and 6 for the other item. You may receive a warning saying "Disabling the CA MDM Device Administrator may result in data loss". Click "OK" to proceed; the operation is safe and will not harm your device.

  9. You should now see that there are no green ticks next to either Device Administrator item.

  10. Now go back to the Settings.

  11. Find the "Applications Manager" item and select it.

  12. Scroll down to find the two "CA MDM" entries.

  13. Select one of them. A new screen opens up.

  14. Select "Uninstall" - a prompt appears saying "Application will be uninstalled". Confirm this is OK by pressing "OK". The screen says "Uninstalling…" and then "Uninstall finished". Click "OK".

  15. If there is another CA MDM item in the Application Manager, repeat steps 13 and 14 for that other item.

2- Ensure the web server certificate is installed on the device

  • In the mobile device's browser, go to the "certsrv" URL on the server. For example, if the host is resolved by its FQDN "win-mdmlab.localdomain", enter http://win-mdmlab.localdomain/certsrv into the mobile's web browser.

  • Click the "Download a CA Certificate, certificate chain, or CRL" link.

  • Click the "Install CA Certificate" link.

    The certificate should now be downloaded, and you will often be prompted to accept and install the certificate as a new "trusted root", or similar wording. Accept this and install the certificate.

    The procedure may differ depending on the device you have.

3- Validate the enrollment code.

  • Login to the CA MDM Admin portal.

  • Go to the "Policy" Tab.

  • Open the Enrollment Policy you intend to use for Android Devices as shown in Figure 2.

Figure 2

  • Inspect the Enrollment Code to make sure it points to the correct URL, for example as shown in Figure 3.

Figure 3

4- Ensure you are using the correct Self Service Portal for the URL.

A simple way to begin device enrollment is to access the self-service portal via the device's web browser. To work out the correct URL you need the Code from the Enrollment Policy created earlier. You can see this code by going to the Policy screen and then selecting the Enrollment Policy created earlier and clicking on the button. In Figure 3 below, the Enrollment Code is "tlqcwb4q".

Figure 4

To build the URL the code "tlqcwb4q" must first be prefixed with a letter that identifies the device type.

For Android, prefix the enrollment code with 'a' (for iOS the prefix is 'i').

Use a URL that includes the enrollment code prefixed by 'a', for example:

http://192.168.11.12/ssp/atlqcwb4q
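The URL rule above as a small diagnostic, added here as an example and not taken from CA's documentation or tooling. The function names are hypothetical, and it assumes the portal path is exactly /ssp/ and that the code is compared exactly as shown in the Enrollment Policy.

```python
from urllib.parse import urlsplit

# Device-type prefixes stated in the article: 'a' for Android, 'i' for iOS.
PREFIXES = {"android": "a", "ios": "i"}


def build_ssp_url(host, enrollment_code, device="android", scheme="http"):
    """Build the Self Service Portal URL: <scheme>://<host>/ssp/<prefix><code>."""
    return f"{scheme}://{host}/ssp/{PREFIXES[device]}{enrollment_code}"


def check_ssp_url(url, enrollment_code, device="android"):
    """Return the problems found in a URL typed on the device (empty list = OK)."""
    problems = []
    parts = urlsplit(url.strip())
    segments = [s for s in parts.path.split("/") if s]
    if not parts.hostname:
        problems.append("no host in URL")
    # Assumption: the path is matched exactly as /ssp/<prefix><code>.
    if len(segments) != 2 or segments[0] != "ssp":
        problems.append("path is not /ssp/<prefix><code>")
        return problems
    token = segments[1]
    want = PREFIXES[device]
    if token == enrollment_code:
        # The bare policy code was used without the device-type letter.
        problems.append(f"device prefix '{want}' is missing")
    elif token[1:] == enrollment_code and token[0] != want:
        problems.append(f"prefix '{token[0]}' is not the {device} prefix '{want}'")
    elif token != want + enrollment_code:
        problems.append("code does not match the Enrollment Policy")
    return problems


if __name__ == "__main__":
    code = "tlqcwb4q"  # enrollment code used as the example in this article
    print(build_ssp_url("192.168.11.12", code))
    # Constructed sample inputs: correct, prefix missing, iOS prefix on Android.
    for candidate in ("http://192.168.11.12/ssp/atlqcwb4q",
                      "http://192.168.11.12/ssp/tlqcwb4q",
                      "http://192.168.11.12/ssp/itlqcwb4q"):
        print(candidate, "->", check_ssp_url(candidate, code) or "OK")
```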

5- If you are installing MDM in a Lab or Development Environment, you may be using a local Certificate Authority.

Verify the following roles are installed on the MDM server via the Windows Server Manager.

  • Application Server

  • DNS server

After installing these roles, register ASP.NET with IIS:

  1. On the Start menu, find the icon for the Command Line utility (e.g. by typing cmd in the Run box).

  2. Right-click on the Command Line icon and choose "Run as Administrator".

  3. Enter the following commands:

    cd \Windows\Microsoft.NET\Framework64\v4.0.30319
    aspnet_regiis -iru
    cd \Windows\Microsoft.NET\Framework\v4.0.30319
    aspnet_regiis -iru

Please be sure to delete any device registrations in MDM and to remove the MDM client from the device (see step #1) in between testing changes.