AFW Stuck Authenticating

DmitriAltum · ‎08-21-2018

We are running 9.2 on-prem and recently began having an issue with AFW enrollment, we are using the afw#airwatch identifier to enroll the device during set-up. The device does properly communicate back to our enrollment server and authenticates AD credentials properly, however after encryption during Work Account Registration we get one of two errors, it either gives us an error stating ' Failed to register google account. Please enroll again. Wipe/Retry' or it sits at a screen showing ' Authenticate' indefinitely. It does also occasionally work (about 30% success and 70% failure). Anyone have any ideas what might be causing this as we are fairly stuck.
Thanks

RaulCostaRaulCo · ‎08-21-2018

Hi Dimitri,
If some times it goes through it looks like some kind of connectivity issue.
Regards,
Raul Costa

msweisberg · ‎08-21-2018

This is a known issue on the 8.2 agent due to a google api change. AirWatch fixed it in the 8.3 agent.

https://support.workspaceone.com/articles/360007752373

RaulCostaRaulCo · ‎08-21-2018

Michael,
That article states it only affects Android 8.0 devices. If it were that case how would it explain the success cases Dmitri described?
We are effectively having a similar issue but we don't use Android 8.0 and we also cannot enroll with QR code. We cannot enroll any device whatsoever. We already opened a ticket with AirWatch and they're suspecting a problem with Android for Enterprise configuration even though we haven't changed anything. It just stopped working about a week ago after the upgrade to AirWatch 9.6 (it's a SaaS environment).

RaulCostaRaulCo · ‎08-21-2018

Dmitri,
Can you detail which versions are you working with (Android and Agent)? Different manufacturer devices?
In the light of AirWatch support suspicion this could also contribute: https://support.workspaceone.com/solutions/SOL-17114

JohnZoda · ‎08-21-2018

Dmitri, I encountered this issue and was stuck on the authentication screen. I restarted the device and it appears to have completed the enrollment process. Your results may vary.

DmitriAltum · ‎08-21-2018

We are using agent 8.3 and currently using Android 6.0.1 on these specific devices (Bluebird Handheld EF500's), so I agree that the known issue does not appear to be the root cause. For us this started on Thursday last week. We encounter the issue whether we are using email address to enroll or QR code.
John, most of the time if we reboot it does not work, however every once in a great while after rebooting we can open the agent and it prompts ' Login to your corporate Google account with {emailaddress}@meijer.com to complete set-up' we click login and it finishes enrollment.

DmitriAltum · ‎08-21-2018

We seem to have found an additional piece of info. A device that gets stuck during the enrollment lists the account simply as ' Android Enterprise' whereas a successful enrollment lists the account as ' Managed Account' which when selected shows something along the lines of ' 67645486734486543578@android-for-work.gserviceaccount.com' we aren't sure if this is of any significance yet but it seems to be, at the very least, related.

RaulCostaRaulCo · ‎08-22-2018

Dmitri,
The issue you report is the typical result when an Android for Work - Work Managed Device - does not enroll correctly/completely.
We're also getting the same. Although I believe we're not having the same problem. How's your Android EMM registration account mode configured? Managed Google Accounts or Managed Google Domain?

CharlesTchia · ‎03-24-2019

Hi. We're currently experiencing similar issues, getting the ' Failed to register google account. Please enroll again. Wipe/Retry' The device is a Samsung A8 device, with Android 8, and using Hub app (19.02). The Android EMM registration account mode is ' managed google play accounts' . I did manage to get this working once but since it's been a failure every time.

LSIMM · ‎04-04-2019

Likewise this has started for us just recently, we've been enrolling Enterprise devices for nearly a year and suddenly this starts happening.

Android v8
Samsung S9
SaaS v1903
Hub app v1903

Managed Google/Play Account

However it only occurs occasionally, like maybe 1 or 2 out of 10 will do it.

LSIMM · ‎04-15-2019

Has anyone got a support ticked in place for this already? If so, any verdict from them?

CharlesTchia · ‎04-29-2019

HI Leo

Yes we raised a support ticket and the last response was as follows:

Please ensure the following websites are whitelisted on the network's firewall:
• apis.google.com
• fonts.gstatic.com
• lh3.googleusercontent.com
• notifications.google.com
• ogs.google.com
• play.google.com
• ssl.gstatic.com
• fonts.gstatic.com
• www.gstatic.com
• accounts.google.com
• clients1.google.com
• clients4.google.com
• ogs.google.com
• myaccounts.google.com
• *.googleapis.com
• play.google.com/work

NOTE: We need to make sure we are able to open ' https://play.google.com/work' & ' https://play.google.com' even if TELNET works correctly.
'

I can't say for sure if it works or not yet as I'm waiting on our IT network security team to implement it. However in another post I submitted, someone noted that you need to be on version 1810/1811 for Android Enterprise to work correctly, and currently we're on 9.5

CharlesTchia · ‎04-29-2019

Forgot to add we're on-prem so maybe a different issue to you

LSIMM · ‎04-29-2019

Yeah we're SaaS and all of our devices get enrolled directly across the 4G mobile network, so nothing touches our internal network, except the comms between SaaS and our on prem VESC server, when syncing LDAP details, which happens independently of the enrolment process..... but we still get the issue sometimes.

Also we have been using Android Enterprise enrolment for testing since it was implemented in console v9.4 I think it was, so never heard of anyone needing to be on 1810, unless it was just to take advantage of improvements and bug fixes etc..

Boe_K · ‎04-30-2019

If you guys haven't signed up to be part of the beta's I would strongly recommend doing so. The Samsung enrollment issue was a know bug that was resolved (at least according to the release notes) in the 19.03 Hub release.

Resolved Issues
AAGNT-185884: TC52 devices not automatically checking into console
AAGNT-185707: Android - EnterpriseWipe command is not getting processed when Hub(with PBE) is SSO locked
AAGNT-185673: Parsing issue for special character in custom settings profile group
AAGNT-185622: Samsung enrollment - ' failed to register google account'
AAGNT-183571: Bookmarks are not shown on launcher screen for oreo devices

CharlesTchia · ‎04-30-2019

HI Boe, thanks, yes i'm using Hub 19.03 and still wasn't working. I noticed 19.04 released today and I've tried that too but same result.

JuniorMenezes · ‎12-24-2020

Hi guys.

I faced the same problem. But in my case I was using a Staging account. When about 50 devices have been configured with the same account (Staging account), then the problem happened "Failed to register google account. Please enroll again." I fixed the problema criating a new account for Staging but the same problem occurred with about 50 device configured.

I find in the Google Documention that exist a limit of 50 devices per user registration. link: https://developers.google.com/identity/protocols/oauth2

Then I modify the registration method from the user-based for device-based on Devices Settings> Devices & Users> Android> Android EMM Registration> Enrollment Settings -> DEVICE-BASED. This take time to work (5 minutes).

Now its possible to enroll more device with the same account because the generated Google account on the device is unique to each device enrolled by the same enrollment user.

I hope this information is useful.

Sorry for my English, Im learning.

All

AFW Stuck Authenticating

Device Enrollment