Ysoulieres
Contributor

New Organization, Different LDAP server, vIDM authentication, cannot enroll devices. Error message enclosed

Hey everyone! I've got a ticket open for this, but wanted to see if anyone had seen this issue...

I've recently created a new organization group under the master org for a daughter company. I've established communication with its LDAP servers to sync users, both in Workspace One and vIDM (vmwareidentity) since enrollment authentication goes through there. Sync with LDAP is also working fine in vmwareidentity.

Now, when I go in the intelligent hub and try to enroll a test user in that organization, it does find the organization with the email I enter, so far so good. Then it asks me which directory to use for auth. Afterwards I use the username/password for that user and I can see in the vIDM audit logs that it does the ActivationToken Create part. Again, so far so good.

Right after that though, on both iOS and Android, enrollment fails. On Android, I get 'Enrollment message rejected from server'. On iOS, I get 'We're having trouble loading this page. Please contact your admin to work through this error.' and at the bottom, 'Request failed'.

So it does look like authentication succeeds, and that it tries to load the next step in the enrollment process but fails to do so. Restriction, misconfig? I am out of ideas right now.

Any help would be much appreciated!

Cheers
5 Replies
GregRStar21
Contributor

I'm getting the same error. However, it works for all corporate devices which go through Apple Business Manager or Knox.

VigneshKumarVMw
Enthusiast

Hey, I am facing the same issue. Were you able to fix it?

darrylm8
VMware Employee

I resolved this for an environment by enabling Custom Attributes in UEM, which then populated email values for all users synced from the on-prem AD. I assumed this was required so that Access could then pass this info to UEM for the device enrollment to succeed.

wdparker
Contributor

I had an issue with one account where we were getting 'Enrolment message rejected by server' when trying to enroll a device. It turns out the AD account had been created and synced through to WS1 without a last name and email address. These were added to AD later but hadn't synced through. Once I updated those fields enrolment worked fine.

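The two replies above point at the same root cause: accounts synced without mail or sn. A small audit of an LDIF export catches those before anyone tries to enroll; this is an added example, not code from this thread or from VMware, and it assumes you can export the synced users as LDIF (the sample below is constructed):

```python
import base64

REQUIRED_ATTRS = ("mail", "sn")  # attributes the thread found missing

# Constructed sample (not a real export): one complete user, one without sn/mail.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=corp,DC=example
objectClass: user
sAMAccountName: alice
givenName: Alice
sn: Example
mail: alice@corp.example

dn: CN=bob,OU=Users,DC=corp,DC=example
objectClass: user
sAMAccountName: bob
givenName:: Qm9i
"""

def parse_ldif(text):
    """Parse LDIF into entries (lower-cased attr -> list of values)."""
    lines = []
    for raw in text.splitlines():  # unfold: a leading space continues a line
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):  # LDIF comment (ldapsearch emits these)
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def audit_entries(entries, required=REQUIRED_ATTRS):
    """Return {account: [missing attrs]} for users lacking a required attribute."""
    problems = {}
    for e in entries:
        missing = [a for a in required if not e.get(a.lower())]
        if missing:
            problems[e.get("samaccountname", e.get("dn", ["?"]))[0]] = missing
    return problems
```

Against a real export, `audit_entries(parse_ldif(open("users.ldif").read()))` returns the accounts to fix in AD before the next directory sync.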
dmcgurk
Contributor

Were you able to fix your issue?
