8 Replies Latest reply on Nov 22, 2012 8:49 AM by brechbert

    Unsuccessful CheckIn for device ...

      Hello Community,

      i got another weird problem here:

       

      The Eventlog of the internal server is full of CheckIn Errors:

       

      EMM.Hub.ActiveSyncGateway

      CheckIn : Unsuccessful CheckIn for device Applxxxx

       

       

      Not every device do get the policy which is assigned to that users via LDAP-Group. After reordering the Policies in EMM-Console some user get the policy on the top although that policy isn't assigned to that user. Principally every user is member of ONE MDM-Group.

      Any ideas?

       

      Regards
      Daniel

        • 1. Re: Unsuccessful CheckIn for device ...
          mat.kordell

          The check in errors are normal... You will get them any time a device cannot check in for any reason, such as being turned off or no service or whatever.

           

          If you are having problems with a device AND it has check in errors for days in a row you may reprovision it and make sure it can reach the portal.

           

          As for policies.  My first thoughts are, are users members of multiple policy groups?  and have you checked the personal/corporate ownership setting?  Each user can only get one policy so if they are a member of a group granting them the bottom policy but the top policy also applies to them then they will get the top policy only.  The product guide is a good place to start to double check understanding and configuration of policy application.

          • 2. Re: Unsuccessful CheckIn for device ...

            okay,

            I have double checked all AD-Group Memberships and Ownership.

             

            We have set up policies for the Headquarters and for Subsidiaries.

            In the Policy-sector under membership, "policy applies on corporate devices" are set for every Headquarters-policy. Subsidiary policies are personal only.

             

            Every user is added to one single AD-Group which is linked with one single EMM-Policy. Most of the users have the group membership "Corporate" (headquarters).

             

             

            Information about the Order of the policies:

            first the personal Subsidiary-policies are set on the top of the list.

             

            The Policy "Sales" is the first one with the setting  "policy applies on corporate devices" in the list.

            The Policy "Test" is the last policy with the setting  "policy applies on corporate devices" in the list.

             

            Example:

            User-A is has a group membership for the test policy and the ownership is set to "Personal".

            Now the Policy is resolved correctly. (User-A has the test policy applied).

             

            When I change the Ownership to "Corporate" the user will get the Sales policy, without having any membership to the sales group.

             

            Changing the Ownership back to "Personal" will resolve the Test-Policy again.

             

            And that is what I don't understand about the Policy resolving on the EMM-Server.

             

             

            Resolving policies with LDAP and Ownership doesn't work, too:

            I've copied the Policy Test to Test-Private. The only difference is that in the Test-Private Policy  "policy applies on corporate devices" isn't active.

             

            Now I can change the Ownership from Personal to Corporate and always the "Test-Private" policy is resolved. The policy should be changed with changing the Ownership, shouldn't it?

            • 3. Re: Unsuccessful CheckIn for device ...
              mat.kordell

              I'm assuming that the Test policy must be second from the bottom, is this correct?... because the bottom policy shouldn't have any membership info, no groups, no personal/corporate... It is the default policy and anyone who doesn't fit the above policies lands in the bottom poicy, and so usually it should be either the most generally used or most restrictive policy.

               

              So just be completely clear on a couple of the simple things, your are using Microsoft AD, correct?  And you are using standard GLOBAL sercurity groups in AD?

              • 4. Re: Unsuccessful CheckIn for device ...

                You are right, the Bottom Policy is the default "Starter Policy".

                 

                 

                Brechbert wrote:

                 

                Resolving policies with LDAP and Ownership doesn't work, too:

                I've copied the Policy Test to Test-Private. The only difference is that in the Test-Private Policy  "policy applies on corporate devices" isn't active.

                 

                Now I can change the Ownership from Personal to Corporate and always the "Test-Private" policy is resolved. The policy should be changed with changing the Ownership, shouldn't it?

                 

                That is not correct... I linked to the Policy Test-Private the same AD-Group as for the Test policy. After saving the Test-Private Policy the Membership of the Test policy was deleted. So I think EMM does not permit the same AD Membership on different policies.

                 

                Yes we are using standard global security AD-Groups

                 

                Nachricht geändert durch brechbert on 16.11.12 02:59:53 CST
                • 5. Re: Unsuccessful CheckIn for device ...
                  mat.kordell

                  Can you please post a sceenshot of your policy page including the policy order.

                  • 6. Re: Unsuccessful CheckIn for device ...

                    There it is:

                    Policies.png

                     

                    DEKLI1-Outside... and following policies are the policies which apply to corporate owned devices.

                    My user is a member of the DEKLI1-Test-DLSF policy. It is configured that this policy applies to corporate owned devices.

                    If my device is personal owned, the DEKLI1-Test-DLSF policy is resolved. If i change the ownership to corporate, log off and then log on again on the EMM mobile device app, my policy changes to DEKLI1-OutsideSales in the EMM-Console. But my user does not have any membership which points to the OutsideSales-Policy.

                    Regards

                    Daniel

                    • 7. Re: Unsuccessful CheckIn for device ...
                      mat.kordell

                      I thiknk that this is going to be one for support.

                      • 8. Re: Unsuccessful CheckIn for device ...

                        Hi,

                        I contacted the support and the answer wasn't a satisfying at all:

                        You can create a few corporate policies. But EMM will always resolve the first corporate policy in order, regardless of which AD-Group is assigned to the user and policy...