ON PREMISES SOLUTIONS

Troubleshooting

GravityZone policy and tasks not getting applied on iOS

This section helps troubleshoot the issue with the Bitdefender GravityZone configuration policy/profile and tasks not getting applied on iOS devices.

Overview

The issue can be noticed with managed iOS devices, immediately after installing and activating GravityZone Mobile Client or sometimes at a later time, and manifests as follows:

  • GravityZone Mobile Client displays an issue about the currently assigned policy not being active on the iOS device.

  • In GravityZone Control Center, in the Mobile Device Details window of the iOS device, the policy is marked as pending, even though the device is connected to the Internet and should be able to receive the policy.

  • Tasks run from Control Center on iOS devices do not work, even though the devices are connected to the Internet and should be able to receive tasks.

29887_1.png
Troubleshooting

The issue is usually related to the Apple Push Notifications system. Whenever there's a new policy update or task to be applied to an iOS device, the GravityZone MDM system sends a push notification to the device, via the Apple Push Notifications servers, to trigger synchronization. Upon receiving the push notification, the device synchronizes with the GravityZone MDM server to receive the latest policy or task. If the push notification cannot be sent or is lost, the policy/task does not get applied.

Refer to the following table for information on troubleshooting the issue.

Possible cause

Solution

Apple Push Notifications service (APNs) certificate has not been configured, has expired or is invalid. Consequently, Control Center is unable to send push notifications via the APNs servers.

Check APNs certificate status in Control Center > Configuration > Certificates (company administrator privilege is required). If everything seems ok with the certificate, but none of the subsequent solutions work, you might want to generate a new APNs certificate.

The ports used to communicate with APNs (2195, 2196, 5223) are blocked by a firewall or gateway.

Note

Ports 2195 and 2196 are used by the Communication Server to communicate with the APNs servers. Port 5223 is used by managed iOS devices to communicate with the APNs servers over Wi-Fi in specific conditions. For more information, refer to this Apple KB article.

Make sure the APNs ports are allowed.

Note

Ports 2195 and 2196 must be open for outgoing connections.

An issue with the APNs system might cause the push notification to get lost or delayed. Note that sometimes the APNs server might be busy, resulting in push notifications being delayed.

Check again after a few hours to see if the issue still occurs.

Profile Installation Failed error when activating iOS devices

This section helps troubleshoot the issue with the Bitdefender MDM enrollment profile failing to install on iOS devices during GravityZone Mobile Client activation.

Overview

When activating GravityZone Mobile Client on iOS devices, you are prompted to install a Bitdefender MDM Enrollment Profile. Installation of this profile is required to allow the Bitdefender GravityZone MDM system to manage the iOS device remotely.

In particular situations, the "Profile Installation Failed" error message is displayed when trying to install the profile.

30232_1.png
Troubleshooting

If the error occurs on any new iOS device that you try to activate, it indicates a problem with the Communication Server certificate or trust chain configured in Control Center (usually noticeable during initial deployment or after changing the certificate). If the error only affects a few devices, those devices probably have an MDM profile already installed or an incorrect time setting.

Refer to the following table for detailed information on troubleshooting the issue.

Possible cause

Solution

The Communication Server SSL certificate is missing, expired, corrupted or misconfigured.

Check the Communication Server certificate status in Control Center > Configuration > Certificates (company administrator privilege is required).

Make sure the certificate is not expired and the common name is correct. The common name must match the IP address or domain name used by mobile devices to reach the Communication Server (as displayed in Control Center > Network > Mobile Device Details > Overview > Activation Details, without port number or https prefix). In many cases, the certificate is issued for the server's IP address, but the mobile devices are configured to connect using the server's domain name (or vice versa).

The device does not trust the Communication Server certificate (the trust chain is misconfigured or missing).

Note

This is only applicable for self-signed certificates or for certificates issued using your internal PKI system. Certificates issued by a public Certificate Authority (CA), such as Thawte or Verisign, are automatically trusted.

Make sure you have correctly configured and uploaded the trust chain file in Control Center > Configuration > Certificates (company administrator privilege is required).

The device date & time setting is incorrect (the device time precedes certificate issuance time).

Check the date & time setting on the affected iOS device (Settings > General > Date & Time).

The device is already enrolled with a different token or to another MDM system.

Check for and remove the existing Mobile Device Management (MDM) profile on the affected iOS device (Settings > General > Profiles).

Note

If none of the above solutions work, try with a new Communication Server certificate.

Troubleshooting certificate warnings in GravityZone Mobile Client for Android v1.3.2

This section addresses certificate warnings and errors received by end users when activating or after updating to GravityZone Mobile Client v1.3.2 on Android devices.

GravityZone Security for Mobiles provides a unified enterprise-grade management of iPhone, iPad and Android devices connected to a corporate network by real-time scanning and enforcing organization’s security policies on any number of devices. Security for Mobiles provides the services through GravityZone Mobile Client, available in the official Apple and Google app stores.

Overview

Starting with version 1.3.2, GravityZone Mobile Client validates the Communication Server security certificate, warning the users whenever the server provides an invalid certificate. This validation enhances communication security and prevents man-in-the-middle attacks.

The certificate is verified in the following situations:

  • When activating GravityZone Mobile Client.

  • Every time GravityZone Mobile Client initiates communication with Control Center.

  • If the user changes the Communication Server settings.

In case the GravityZone Communication Server certificate is invalid:

  • For new activations -Users trying to activate the app will receive a certificate warning, prompting them to explicitly trust the certificate or Cancel activation. No other warnings will be presented for that certificate once trusted by the user.

  • For existing installations - After update, users will see an issue next time Mobile Client tries to communicate with GravityZone, asking them to trust the certificate. Mobile Client will no longer communicate with GravityZone until the user explicitly accepts the certificate (without admin notification).

A certificate may be invalidated for various reasons:

  • It was not issued by a public/trusted Certificate Authority (for example, selfsigned certificates). Note: The default GravityZone security certificate falls also under this category.

  • It is expired or is not valid yet.

  • It was issued for a different server address.

Solution

To establish or restore communication with GravityZone:

  • You can obtain a certificate from a trusted Certificate Authority.

  • Existing users that updated the app, must follow these steps:

    1. Open the app.

    2. Open the Current Issues screen.

    3. Tap Resolve for the Server Certificate Error message.

    4. Tap Trust when prompted.

  • New users trying to activate the app, must tap Trust on the screen displaying the warning and then tap Activate once again.

Managing GravityZone certificates for mobile devices after upgrade to iOS 13

This section describes what GravityZone administrators and iOS users should do to comply with the security certificate requirements from Apple.

Starting with iOS 13, Apple introduced new requirements for trusted security certificates. Devices that do not meet these requirements will fail to connect to network, to access websites and run certain applications.

This change likely affects most GravityZone installations configured prior to iOS 13 release, depending on how the MDM certificates were issued or configured.

Symptoms

After upgrading to iOS 13, Apple devices will stop communicating with the GravityZone Control Center if the security certificates do not meet the new Apple requirements.

Right after upgrade, in the Network section of Control Center, devices will not display any particular status icon informing there would be an issue. Only after 24 hours these devices will display the status icon "Mobile, unmanaged, no issues".

22084_1.png

However, if you try to modify the policy or to run tasks from GravityZone Control Center, any of your actions will remain in pending state. Locally, the GravityZone Mobile Client will display a message informing the users that the policy is not active on their devices and a server synchronization is needed.

22084_2.png
How Android devices are affected

After adding new self-signed certificates in GravityZone Control Center, GravityZone Mobile Client may inform Android users about a server certificate error.

To fix this issue, Android users must trust the new certificate on their devices.

22084_3.png