
Enrollment Error- DNS-



After creating the enrollment link and scanning the QR code, when tapping "open" for the link we get a message that it cannot contact the DNS server. Have confirmed that the DNS information is correct with nslookup to the server. Does this enrollment process have to take place while the phone is connected to the LAN via Wi-Fi? I have confirmed that the phone is getting an internal IP address from the router. I have even added a DNS entry for this phone in forward lookup zones. Also have added the ports for communication on the physical firewall but nothing. I have installed the app from Google Play and then went to Settings >> Remote Administrator and put in the WAN IP and local IP of the RA. Does the enrollment have to take place before manually connecting the phone via Settings >> RA?


  • ESET Staff

Hello,

the phone needs to see the MDM server at all times, otherwise it will not be able to report anything. Therefore you need to make sure your MDM server is available to the outside, either by putting the entire server in public internet (DMZ), or port-forwarding the two ports used for connections (9980 and 9981 by default). The hostname that you provide in the MDM configuration needs to be reachable from the phone, so if you set it to "mdm.yourcompany.com", you need to make sure that "mdm.yourcompany.com" is indeed visible from the public internet and ports 9980 and 9981 are open for MDM connections.

 

I suspect that you set your DNS entries in your internal network only, so the MDM server is only visible from your internal network (you tested with nslookup from a computer inside, didn't you? That says nothing about the availability from the phone).

 

The enrollment process via the QR code is in essence equivalent to setting the connection manually via the app's Settings -> Remote Administrator. The QR code is just a means of simplifying it on the device, so that you don't have to type in the entire URL. So you do either the QR code enrollment, or the manual one via the app's Settings. Note that you will need to add the phone identification through the ERA webconsole first in either case.

 

Enrollment via IP address is supported, but is discouraged - if the IP address changes for any reason, you will need to re-enroll all the devices. On the other hand, if you enroll via host name, if the underlying IP address changes, the hostname can be reconfigured on the DNS so that the same hostname points to the new IP address, and MDM will continue working without any further changes.

 

"Cannot contact DNS server" is most likely a problem with your network configuration; it has nothing to do with MDM as such.

Link to comment
Share on other sites
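The DNS check suggested in the reply above, as an added example (not ESET's code and not part of the original posts): it asks a resolver outside the LAN for the MDM hostname and classifies what a phone on mobile data would receive. The resolver address 8.8.8.8 and the verdict strings are assumptions; `mdm.yourcompany.com` is the placeholder hostname from the reply.

```python
import ipaddress
import socket
import struct

def build_query(hostname, txid=0x1234):
    """Encode a one-question DNS query for the A record of hostname."""
    labels = hostname.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    # flags 0x0100 = recursion desired; QTYPE 1 = A, QCLASS 1 = IN
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def _skip_name(msg, pos):
    """Return the offset just past a DNS name, honouring compression pointers."""
    while msg[pos] & 0xC0 != 0xC0 and msg[pos] != 0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] & 0xC0 == 0xC0 else 1)

def parse_a_records(msg):
    """Return the IPv4 addresses from the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:           # A record; CNAMEs etc. are skipped
            addrs.append(str(ipaddress.IPv4Address(msg[pos:pos + 4])))
        pos += rdlen
    return addrs

def query_a(hostname, resolver, timeout=3.0):
    """Ask one specific resolver (a public one) instead of the LAN's DNS server."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(hostname), (resolver, 53))
        return parse_a_records(s.recv(512))

def verdict(public_addrs):
    """Classify what a phone outside the LAN would get for the MDM hostname."""
    if not public_addrs:
        return "no-public-record"        # hostname exists only in the internal zone
    if not any(ipaddress.ip_address(a).is_global for a in public_addrs):
        return "internal-address-only"   # resolves, but to an address the phone cannot route to
    return "publicly-resolvable"         # DNS is fine; check the port forwarding next

if __name__ == "__main__":
    print(verdict(query_a("mdm.yourcompany.com", "8.8.8.8")))  # assumed public resolver
```

A result of `publicly-resolvable` only settles the DNS half; ports 9980 and 9981 still have to be reachable from outside, which is best tested from a network other than the LAN.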

I will work on the DNS issue. I found a KB article that pointed towards some URLs that may need to be opened on the firewall. To activate ESET Mobile Security:

 
reg01.eset.com/mob_activate - reg04.eset.com/mob_activate
reg01.eset.com/mob_register - reg04.eset.com/mob_register
 
Do these need to be opened on my firewall to get correct enrollment to Android device? 