Zero trust not pushing profiles to devices

Tomasz_T
Level 1.6: Donut

3 weeks ago

Hello.

 

Maybe someone have solution for this.

We bought some time ago Lenovo K11 tablets and our reseller added them to our ZT account.

Now I wanted to enroll them, so I created everything in Sophos MDM and created config in ZT.

When I assigned profile to devices and did factory reset then nothing happens. Tablets don`t see any profiles and let me configure as a normal user. Tried on different networks, created new configs on ZT and on Sophos side and nothing.

 

In other post one user said that I should ask reseller to re-add devices to ZT but they can`t until next two weeks so I`m searching for another solution

 

Any tips fo me?

11 REPLIES 11

Moombas
Level 4.0: Ice Cream Sandwich

3 weeks ago

Take on e of your test-devices and remove the config for this device in your Zero-Touch (not Zero-Trust :D) Portal.

After that assign the configuration to this device again, wipe the device and start again.

 

You need also to ensure that the device can reach the relevant Google services so use an unrestricted Wifi or mobile data for the enrollment.

 

In general your reseller is your support contact for your ZT-Portal and you need to reach out to them in order to get it working!

But i want to mention something in addiotion you could try on your own (risk):

 

If this works you can export your devices from ZT, change the config column to 0 and read it into ZT-Portal.

After that doing the same again but with the profile ID to assign the profiles back to the devices.

 

_____________________________________________________________________________________

 

As a last thing you can try is as your devices enrolling like a consumer device, when asked for a Google account enter following instead (DPC identifier): afw#sophos

This will force the device to grab the sophos apk and device behavior like a managed device. You will be asked for something like an enrollment ID as soon as the sophos apk is installed  and needs to be entered.

An alternative to this is using QR-enrollment (see the sophos enrollment documentation about how this is being created).

But all this last mentioned things (DPC identifier/ QR code) are just for verifying that the general enrollment works and test your  configurations and so on from MDM side and doesn't solve your real issue regarding ZT detection.

0 Kudos

Tomasz_T
Level 1.6: Donut
In response to Moombas

3 weeks ago

Of course Zero Touch not Zero trust 🙂 my bad. I`ve tried with unassigning and assigning configs.

I`ve tested it on several networks and always the same results. I have all of policies and everything on Sophos side created. With this afw#sophos, I`ve tried and device appeared in Sophos. When I used QR code user-less then it`s worked too. So all my configs on Sophos working fine I think but ZT don`t sending it to devices.

I`m gonna try this with csv and will see

 

0 Kudos

Moombas
Level 4.0: Ice Cream Sandwich
In response to Tomasz_T

3 weeks ago

I'm pretty sure if the manual thing won't work, the csv won't make a difference so your reseller is 100% in charge to investigate (maybe with Google) why this happens and/or what's wrong here.

0 Kudos

Tomasz_T
Level 1.6: Donut
In response to Moombas

3 weeks ago

So, manual export/import didn`t work. There was error when importing that number of columns are not the same. But there strange info before that. There was info that applying profile might take few days. Then error about columns.

0 Kudos

Tomasz_T
Level 1.6: Donut
In response to Tomasz_T

3 weeks ago

And I`m gonna add that i`ve checked colums options and tried to change it but still the same

0 Kudos

Moombas
Level 4.0: Ice Cream Sandwich
In response to Tomasz_T

3 weeks ago

I know about this "info message" but normally it took immediatelly place when i changed it on some less devices. Maybe this is different when done on a large number.

Your file should look like this:

 

"modemtype","modemid","serial","manufacturer","model","profiletype","profileid"
"IMEI","123456789012345","","Manufacturer","","ZERO_TOUCH","123456789"

 

0 Kudos

Tomasz_T
Level 1.6: Donut

2 weeks ago

Hello again. So idea with delete devices and add them back by reseller didn`t work. I`ve checked again all documentations from Sophos and Zero- touch and it still doeasn`t work. I think I`ve checked every option and still nothing.

0 Kudos

Moombas
Level 4.0: Ice Cream Sandwich
In response to Tomasz_T

2 weeks ago

Again, in this case your reseller needs to get in touch with Google as they need to figure out whats going on wrong here. And that goes thru thepartner portal afaik.

0 Kudos

jasonbayton
Level 4.0: Ice Cream Sandwich
In response to Moombas

2 weeks ago

Yes it does go through the partner portal. They're potentially uploading them incorrectly. 

 

@Tomasz_T I may be able to help. Message me.

 

 

Tomasz_T
Level 1.6: Donut

Tuesday

Hello Jason.

 

Your solution helped. I wanted to ask about details but I can`t dm you anymore

0 Kudos

jasonbayton
Level 4.0: Ice Cream Sandwich

Tuesday

Pick a contact method from here to reach me outside of the community. In short the issue you're facing is due to your reseller not correctly registering the devices.

0 Kudos