Table of Contents
- Batch import failure
- Unable to delete a smart group
- Compliance policies troubleshooting
- Enrollment options
Batch import failure
Administrators can use the Batch Import feature in AirWatch to import, edit, and move users, register devices, and set up blacklisted and whitelisted devices.
The most commonly seen errors during a batch import are “User edition is not allowed for the following security type”, “Invalid Data”, “Password column is a Mandatory field”, “User not found in Directory Services. User cannot be added.”, and “Obsolete”.
User edition is not allowed for the following security type
Editing users through batch import is only supported for basic users, so if you attempt a batch import and the values specified in the .csv file differ from the values in your directory, this error is expected. If the users in the .csv file do not exist in AirWatch, modify your template to match the values in your AD or remove the values that are not required.
Invalid Data
This error indicates that a specific line contains invalid data. For example, the default user roles that come with every AirWatch environment are Basic Access, Full Access, and External Access, which define a user's access to the Self Service Portal. If you try to do a batch import with a user role specified as “Student”, the Invalid Data error is expected unless you have a customized user role named “Student” in your environment. Verify that the other fields contain no invalid data before uploading your template again.
Password column is a mandatory field
When uploading a template to import basic users, the password column is a mandatory field. However, if you import directory users, a password is not required and should not be filled in.
User not found in Directory Services. User cannot be added.
Make sure the user with the user name specified in the batch import file exists in your directory, and correct any typos.
Make sure all the required fields are filled in and, if you are only importing users, remove all the values related to devices. Reduce the size of the template by splitting one file into two if the file contains over a few thousand rows. Contact AirWatch Support and provide us with the .csv file, and we will analyze whether there are any errors in it.
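The checks described in this section can be run against a template before it is uploaded. The following is an added example, not AirWatch code: the column names (Username, SecurityType, Password, Role), the sample rows, and the 3000-row threshold are assumptions made for illustration, and the real template's headers should be substituted.

```python
import csv
import io

# Default roles named on the page; custom roles must be passed in explicitly.
DEFAULT_ROLES = {"Basic Access", "Full Access", "External Access"}

# Constructed sample; the column names are assumptions, not the real template.
SAMPLE_CSV = """Username,SecurityType,Password,Role
alice,Basic,S3cret!,Basic Access
bob,Basic,,Full Access
carol,Directory,hunter2,Basic Access
dave,Directory,,Student
erin,Directory,,External Access
"""


def preflight(csv_text, directory_users, custom_roles=(), max_rows=3000):
    """Return (line_number, message) findings for a batch import file."""
    roles = DEFAULT_ROLES | set(custom_roles)
    findings = []
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if len(rows) > max_rows:  # threshold is an assumed value
        findings.append((0, "file too large: split it into smaller files"))
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        user = (row.get("Username") or "").strip()
        kind = (row.get("SecurityType") or "").strip().lower()
        password = (row.get("Password") or "").strip()
        role = (row.get("Role") or "").strip()
        if kind == "basic" and not password:
            findings.append((line_no, "Password column is a mandatory field"))
        elif kind == "directory":
            if password:
                findings.append((line_no, "directory user must not have a password"))
            if user not in directory_users:
                findings.append((line_no, "User not found in Directory Services"))
        elif kind not in ("basic", "directory"):
            findings.append((line_no, "Invalid Data: unknown security type"))
        if role not in roles:
            findings.append((line_no, f"Invalid Data: unknown role {role!r}"))
    return findings


if __name__ == "__main__":
    for line_no, message in preflight(SAMPLE_CSV, {"carol", "dave"}):
        print(f"line {line_no}: {message}")
```

Pass the user names exported from your directory as directory_users, and any customized role names as custom_roles, so that a role such as “Student” is only accepted when it exists in your environment.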
Unable to delete a smart group
When you attempt to delete a smart group in AirWatch, the smart group still shows up in the list and, after you submit the deletion request, the following message is displayed: “This smart group is assigned to a policy. Please unassign the smart group from the policy and try deleting again”.
Smart groups can be used to assign profiles, applications, and compliance policies. Before deleting a smart group from your environment, you have to remove the assignments that use this specific smart group.
Navigate to Groups & Settings > Groups > Assignment Groups. (In 8.2, AirWatch combined user groups, smart groups and organization groups into one concept, the Assignment Group, because they can all be used for profile, application, and compliance policy assignment.) Look for the smart group you intend to delete and click the number in the assignment column. In the pop-up window, you will see all the assignments that reference this smart group. Go through those profiles, applications, and compliance policies, remove this smart group from each assignment, and then try deleting the smart group again.
Compliance policies troubleshooting
A compliance policy is a set of security rules that performs automated actions if a device is not compliant with the rules. Compliance policies are configured on the AirWatch admin console and enforced when data changes (via new sample data from the device). Note that compliance policies and the associated actions differ between device platforms. A compliance policy is assigned to a device at the Organization Group level. For compliance to be verified for a device, certain samples need to be received. Compliance works from these samples and evaluates the rules against them.
Compliance is stuck in "Pending" status
Confirm that the required samples are available. For example, if you have a compliance policy that scans the application list for non-whitelisted apps, make sure that the Applications List sample is being collected from the device. In this case, navigate to Devices & Users > General > Privacy, and make sure Applications are being collected. Check the application list in the device list view of the device in question, and verify that the last scan date is recent. Another example is a compromised status compliance policy: it requires the AirWatch Agent to be running in the background so that the latest sample can be analyzed by AirWatch to determine whether the device is compromised (jailbroken/rooted).
Compliance says its next scheduled time is in the past
Until the policy has run for the first time, the Next Compliance Scan shows the time the policy was created or the date the device was enrolled. If it shows a time in the past, query the device to get the latest samples. The value updates once compliance runs for the first time with the next sample. This is because compliance is sample based: it runs only when a different sample is sent (for example, the passcode was off and you then turn it on). If the policy is time based (Last Compromised Scan), the Next Compliance Scan updates based on the defined time interval.
The app list policy hasn't run for several days
Compliance is a smart engine. If the app list sample has not changed since compliance ran initially, the policy does not run again. For example, suppose the app list policy prohibits Facebook. At the time of enrollment, Facebook is not installed on your device, so the device is compliant. No apps are installed or removed, so compliance does not run. If Twitter is installed a few days later, compliance runs again because the app list sample changes, that is, because a different sample is received. For compliance to run, it is not enough that a sample is received; the actual hashcode of the sample must change.
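The behaviour described above, together with the "Pending" state from earlier in this section, can be modelled in a few lines. This is an added illustration, not AirWatch's implementation: the class and function names, the SHA-256 hash over a sorted app list, and the sample timeline are all assumptions.

```python
import hashlib


def sample_hash(apps):
    """Hash a canonical (sorted, lower-cased) form of an app list sample."""
    canonical = "\n".join(sorted(a.lower() for a in apps))
    return hashlib.sha256(canonical.encode()).hexdigest()


class AppListCompliance:
    """Toy model: evaluate the policy only when the sample hash changes."""

    def __init__(self, prohibited):
        self.prohibited = {p.lower() for p in prohibited}
        self.last_hash = None
        self.status = "Pending"   # no sample received yet
        self.runs = 0

    def receive(self, apps):
        """Process one sample; return True if compliance actually ran."""
        digest = sample_hash(apps)
        if digest == self.last_hash:
            return False          # same sample again: nothing to evaluate
        self.last_hash = digest
        self.runs += 1
        hits = self.prohibited & {a.lower() for a in apps}
        self.status = "NonCompliant" if hits else "Compliant"
        return True


def replay(samples, prohibited=("Facebook",)):
    """Feed samples in order; return (ran, status) after each one."""
    engine = AppListCompliance(prohibited)
    return [(engine.receive(s), engine.status) for s in samples]


# Constructed timeline: enrollment, two unchanged samples, then installs.
TIMELINE = [
    ["Mail", "Maps"],
    ["Maps", "Mail"],             # same apps, different order
    ["Mail", "Maps"],
    ["Mail", "Maps", "Twitter"],
    ["Mail", "Maps", "Twitter", "Facebook"],
]

if __name__ == "__main__":
    for ran, status in replay(TIMELINE):
        print(ran, status)
```

In this model a device that keeps reporting the same app list shows no new compliance run, which matches the symptom in this section and is not a fault in itself; a device that never delivers the sample stays in "Pending".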
Enrollment options
Administrators can customize the enrollment workflow by incorporating advanced options available in the AirWatch Admin Console. You can access additional Enrollment Options by navigating to Devices > Device Settings > Devices & Users > General > Enrollment.
Admins can add email domains in this section, and once ownership has been verified, users with that email domain will be pointed to a specific OG. This simplifies the enrollment flow so that users can just type in their email address without having to remember the environment URL and Group ID.
Admins can choose from three options: Default, Prompt User to Select Group ID, or Automatically Select Based on User Group. Automatically Select Based on User Group is commonly used to simplify the enrollment flow and prevent users from enrolling devices into the wrong Organization Groups. Once this option is selected, the admin has to save this settings page before adding the user group mappings. Admins can then add mappings and set up rankings so that, once a user types in his/her credentials, AirWatch detects the user group he/she is in and determines where (in which Organization Group) to place the device. Admins can also set up the default Ownership, Role, and Action for Inactive Users in this tab. If a device is displayed in an incorrect Organization Group or with incorrect ownership after enrollment, it is important to check these settings to ensure the hierarchy is set correctly.
If a device is being incorrectly blocked from enrollment, it is important to check this section of the Enrollment Settings. The Restrictions tab allows you to customize enrollment restriction policies by organization group and user group roles, including the ability to:
- Create and assign existing enrollment Restrictions policies using the Policy Settings.
- Assign the policy to a user group under the Group Assignment Settings area.
- Blacklist or whitelist devices by platform, operating system, UDID, IMEI, etc.
Continuing to the Optional Prompt tab, you may decide to request additional device information or present optional messages regarding enrollment and MDM information.
Provide an additional level of end user support by configuring the Customization tab. Provide an enrollment support email address and phone number that end users may use if they are unable to enroll their device for any reason. Additionally, for iOS devices, provide a post-enrollment landing URL that the end user will be brought to upon successful enrollment. This URL may be a company resource, such as a company website or a login screen for additional resources.