Zero trust not pushing profiles to devices

Tomasz_T
Level 1.6: Donut

Hello.

 

Maybe someone has a solution for this.

Some time ago we bought Lenovo K11 tablets and our reseller added them to our ZT account.

Now I wanted to enroll them, so I created everything in Sophos MDM and created a config in ZT.

When I assigned the profile to the devices and did a factory reset, nothing happened. The tablets don't see any profiles and let me configure them as a normal user. I tried on different networks, created new configs on the ZT and the Sophos side, and nothing.

 

In another post one user said that I should ask the reseller to re-add the devices to ZT, but they can't for the next two weeks, so I'm searching for another solution.

 

Any tips for me?

12 REPLIES

Moombas
Level 4.0: Ice Cream Sandwich

Take one of your test devices and remove the config for this device in your Zero-Touch (not Zero-Trust :D) Portal.

After that assign the configuration to this device again, wipe the device and start again.

 

You also need to ensure that the device can reach the relevant Google services, so use an unrestricted Wi-Fi or mobile data for the enrollment.

 

In general your reseller is your support contact for your ZT-Portal and you need to reach out to them in order to get it working!

But I want to mention something in addition you could try on your own (risk):

 

If this works you can export your devices from ZT, change the config column to 0 and import it back into the ZT Portal.

After that, do the same again but with the profile ID to assign the profiles back to the devices.

 

_____________________________________________________________________________________

 

One last thing you can try: as your devices are enrolling like consumer devices, when asked for a Google account enter the following instead (DPC identifier): afw#sophos

This will force the device to grab the Sophos APK and behave like a managed device. You will be asked for something like an enrollment ID as soon as the Sophos APK is installed, and it needs to be entered.

An alternative to this is using QR enrollment (see the Sophos enrollment documentation about how this is created).

But all these last-mentioned things (DPC identifier/QR code) are just for verifying that the general enrollment works and for testing your configurations and so on from the MDM side; they don't solve your real issue regarding ZT detection.

Tomasz_T
Level 1.6: Donut

Of course Zero Touch, not Zero Trust 🙂 my bad. I've tried unassigning and assigning configs.

I've tested it on several networks and always get the same results. I have all of the policies and everything created on the Sophos side. I tried with afw#sophos and the device appeared in Sophos. When I used the user-less QR code, it worked too. So all my configs on Sophos are working fine, I think, but ZT isn't sending it to the devices.

I'm gonna try this with the CSV and will see.

 

Moombas
Level 4.0: Ice Cream Sandwich

I'm pretty sure if the manual thing won't work, the CSV won't make a difference, so your reseller is 100% in charge to investigate (maybe with Google) why this happens and/or what's wrong here.

Tomasz_T
Level 1.6: Donut

So, manual export/import didn't work. There was an error when importing that the number of columns is not the same. But there was strange info before that. There was info that applying the profile might take a few days. Then the error about columns.

And I'm gonna add that I've checked the column options and tried to change them, but it's still the same.

Moombas
Level 4.0: Ice Cream Sandwich

I know about this "info message", but normally it took place immediately when I changed it on a few devices. Maybe this is different when done on a large number.

Your file should look like this:

 

"modemtype","modemid","serial","manufacturer","model","profiletype","profileid"
"IMEI","123456789012345","","Manufacturer","","ZERO_TOUCH","123456789"

 

Tomasz_T
Level 1.6: Donut

Hello again. So the idea of having the reseller delete the devices and add them back didn't work. I've checked all the documentation from Sophos and Zero-touch again and it still doesn't work. I think I've checked every option and still nothing.

Moombas
Level 4.0: Ice Cream Sandwich

Again, in this case your reseller needs to get in touch with Google, as they need to figure out what's going wrong here. And that goes through the partner portal, AFAIK.

jasonbayton
Level 4.0: Ice Cream Sandwich

Yes it does go through the partner portal. They're potentially uploading them incorrectly. 

 

@Tomasz_T I may be able to help. Message me.

 

 

Tomasz_T
Level 1.6: Donut

Hello Jason.

 

Your solution helped. I wanted to ask about details but I can't DM you anymore.

jasonbayton
Level 4.0: Ice Cream Sandwich

Pick a contact method from here to reach me outside of the community. In short the issue you're facing is due to your reseller not correctly registering the devices.

jasonbayton
Level 4.0: Ice Cream Sandwich

@Tomasz_T did you get this sorted?