Troubleshooting: Profiles

If your Profile is not reaching your intended devices here are some troubleshooting steps you can take to determine why. 

 

Is your Device in the Assigned Devices list? 

Scope - Only some devices receive the profile. 

When creating profiles you have a range of criteria that can be used to develop the applicable device list. Keep in mind that devices without this criteria will not have the profile assigned to them. For widely applicable profiles it is best to use "Any" for these options. 

 

 

From the Profiles page you can get a quick view of the number of devices your profile is currently assigned to. If the value of assigned device is zero (0) then you should double check the assignment criteria from the General tab for the profile. 

 

Installed_Assigned.PNG

 

For more detailed information you can "View Devices" to see the complete assigned device list and individual install statuses. 

view_devices.PNG

 

If the device in question is not on this list then you should adjust your assignment criteria to include it. From here you can also identify any devices that are still "Pending Install" for this profile as well as those who may have "Removed" it. 

 

pending_install.PNG

Is the Profile "Pending Install"? 

Scope - Certain devices are not receiving the profile. 

Pending Install

For devices that are powered off, offline, and in some cases locked, AirWatch will queue up this profile to be installed as soon as the device is available.

Refused Requests

iPads with a passcode have system level encryption that prevents any changes to the files system while they are locked. In these cases profiles cannot be installed until the next time the device is unlocked. These events will show up as "Requested" or "Refused" in the device Event Log. The next time the device is available the profile will be installed. 



Refused_profile.PNG

Is the Device out of Compliance? 

Scope - Certain devices are not receiving the profile. 

Compliance rules can remove and prevent the installation of profiles for devices that meet Admin-defined criteria. If your device is "non-compliant" with one of these policies it may prevent the device from receiving the profile at all, which is the intended effect. In these cases trying to manually push the assigned profile for that device will result in the following message:

 

compliance_violation.PNG

Device Network Connectivity? 

Scope - Devices on certain networks (i.e. in other locations). 

In order for devices to receive commands and profiles on-demand they must have proper network connectivity to their platform's cloud messaging system. Troubleshooting these requirements are detailed below:

Wi-Fi vs. Cellular Networks

The device must be online of course to receive commands. If the device is connected to Wi-Fi it is possible that this network is blocking the messaging ports used for cloud messaging. By switching to a cellular network you can eliminate this variable from your testing.   

Network Requirements

For a long term solution your network will need to support device communication on the following ports. 

Destination               Destination Host                    Port
AirWatch DS Server      n/a  443
Apple APNs gateway.push.apple.com 5223
Android C2DM mtalk.google.com  5228

Check AirWatch's Connection to Cloud Messaging

Scope - No Devices are getting any profiles. 

Has your APNs certificate expired? 

Your APNs certificate must be valid in order to communicate with Apple iOS devices. You can check the expiration date of your certificate from the console under System Settings > Device > iOS > APNs For MDM.

 

APNs_Valid.PNG

 

If your APNs certificate has expired you will need to renew it before you can continue managing iOS devices. 

Is the AirWatch Messaging Service Running?

The AirWatch Messaging Service handles communication between the MDM server and the appropriate cloud messaging service. Sometimes after Windows Updates or a server reboot this service can be stopped. You can check the status of this service from Server Manager. It should be "Started" in order for AirWatch to function properly. 

 

Messaging_Service.PNG

Have your Firewall rules changed? 

As a reminder, your AirWatch server must be able to reach the APNs and C2DM servers in order to leverage those systems. If your firewall rules have changes and cut off this communication you will be unable to push profiles. 

Destination     Destination Host     Port    
Apple APNs Server        gateway.push.apple.com 2195
Apple APNs Feedback feedback.push.apple.com 2196
Android C2DM android.apis.google.com 443

You can double check these from the AirWatch server with the following Telnet commands. From a command line terminal (Run > cmd)

  • telnet gateway.push.apple.com 2195
  • telnet feedback.push.apple.com 2196
  • telnet android.apis.google.com 443 
Have more questions? Submit a request

0 Comments

Article is closed for comments.