A.3 MDM Servers

While configuring access controls to secure an MDM Server, Administration access is denied for all

Explanation: While configuring access controls to secure an MDM Server, Administration access is denied for all and ZCC remains inaccessible except from the server in which the access was allowed or denied.
Action: Change the configuration by accessing ZCC from the MDM Server in which the access was denied. You can access ZCC in the following ways:
  • Enter the Server IP.

  • Enter https://localhost (applicable for IPv4 addresses only)

  • Enter the loopback address.

If you are still unable to access ZCC, then delete the configuration file access-filters.json from the directory available at %ZENWORKS_HOME%/share/tomcat/conf. Restart the MDM server. Administration access will be allowed for all. You need to navigate back to ZCC and re-configure the access controls.

After configuring access controls to secure an MDM Server, an IP address of a device that is denied access is still able to contact the ZENworks Server

Explanation: While securing an MDM Server, a specific IP address of a device is denied access to the server. However, this device is still able to contact the MDM Server.
Action: Enable the Tomcat valve logging to check the logs. For more information, see Tomcat Valve Logging.

Also, check whether the device is communicating with the ZENworks Server using a proxy server. If so, you need to deny access to the IP address of the proxy server, if other devices are not using this proxy server.

Mobile devices are unable to contact the ZENworks Server

Explanation: Mobile devices are unable to communicate with the MDM Server.
Action: Verify that the Primary Server, to which the device is enrolled, still has the MDM Server Role. Since mobile devices contact the MDM Server to which they are enrolled and if mobile devices are enrolled to a server that you have chosen to remove from the zone, then you will have to re-enroll these mobile devices to the zone using another MDM Server. Before re-enrollment, ensure that you delete the corresponding device objects in ZCC. However, if you are upgrading or replacing the MDM Server with another server, then the enrolled devices will automatically reconcile with the replaced server.

NOTE:Also, if you delete all the MDM Servers in the zone, then the Push Notifications configuration (APNs and GCM) will be automatically deleted.

APNs keystore fails to replicate on a newly added MDM Server in the zone

Explanation: When a new MDM Server is added in the zone, the APNs keystore is replicated on this server by retrieving the keystore from one of the existing MDM Servers.This will ensure that the newly added MDM Server also has the capability to communicate with the APNs server. However, if the existing MDM Server is not connected to the network, the APNs keystore fails to replicate on the new MDM Server.
Action: When you add a new MDM Server to the zone, ensure that all the MDM Servers are online. After you ensure that the existing MDM Servers are online, remove the MDM role from the newly added MDM Server and re-assign it to the same server.