VMware Workspace ONE Community
Penfold72
Contributor

Problem with VPN Tunnel profile following upgrade

All,

I'll try to put this as concisely as I can but feel free to ask any questions.

We've recently upgraded our On-Prem WS1 from 1903 to 2001, then to 2005. Version 2001 introduced an issue with our Tunnel VPN in that newly enrolled Android devices (using AfE) couldn't connect/receive the VPN profile and are showing as having "No Managed Applications" on the status.
This is a bug in v2001, so we upgraded again to v2005, which contains a fix for this issue... except it hasn't in our case. The same issue remains. VMware support have been looking at this without success for over a month, so I'm starting to get a bit concerned.

The bug introduced in v2001 is:

PPAT-6440: If AWCM isn't working properly at the OG level, it is possible for non-compliant devices to connect while waiting for revocation via API

When Tunnel is configured at parent OG and devices are enrolled at child OG, VPN cert AWCM message will not get delivered to Tunnel Server.

Although I'm not 100% convinced that this is the problem.
Our AfE is configured at a child OG and not at the parent OG.

VMware have changed various settings in the Network traffic rules on the parent OG, but we can't create a VPN profile from the parent OG as AfE isn't configured here. Can I use the same AfE account set at the child OG? Will it cause issues with the phones already enrolled?

Anyone else have any ideas?

Thanks,

Nathan

Penfold72
Contributor

Just an update on this.

We found that our reverse proxy was blocking the following URL: https://mobmdm.boeingdefence.co.uk/devicesgateway. Once this was allowed through the proxy, everything came back to life.
