ZENworks 2017 Readme

1.0 Readme Updates

The following table contains information on the documentation content changes that were made in this Readme after the initial release of ZENworks 2017:

Table 1 Readme Updates

| Date | Readme Item Added or Updated |
|------|------------------------------|
| June, 2017 | Added a new known issue in the Known Issues section: Upgrading a zone with MSSQL 2008 to ZENworks 2017 using the command line interface might fail with an error |
| July, 2017 | Added a new known issue in the Known Issues section: Install Network MSI and Create Directory bundle actions fail with the WNetAddConnection error when configured with DFS share |

2.0 Installation

For installation instructions, see the ZENworks Server Installation Guide. For system requirements, see the ZENworks 2017 System Requirements.

3.0 Planning to Upgrade to ZENworks 2017

Use the following guidelines to plan for the upgrade to ZENworks 2017 in your Management Zone:

  • You must first upgrade the Primary Servers, then update the Satellite Servers, and finally the managed devices to ZENworks 2017. Do not upgrade the managed devices and Satellite Servers (or add new 2017 Agents in the zone) until all Primary Servers in the zone have been upgraded to ZENworks 2017.

    NOTE: Agents might receive inconsistent data from the zone until all Primary Servers are upgraded. Therefore, this part of the process should take place in as short a time as possible - ideally, immediately after the first Primary Server is upgraded.

  • If the managed devices have been updated to ZENworks 11.x or later, you can directly update the managed devices in the zone to ZENworks 2017.

    The system reboots once after you upgrade to ZENworks 2017. However, a double reboot will be required in the following scenarios:

    Table 2 Double Reboot Scenarios

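    | Scenario | ZENworks Endpoint Security | Full Disk Encryption | Location Services | Client Self Defense |
    |----------|----------------------------|----------------------|-------------------|---------------------|
    | Upgrade from 11.4.x to 2017 and fresh Install of ZENworks 2017 | Disabled | Disabled | Lite | Enabled |
    | Fresh Install of ZENworks 2017 | Disabled | Disabled | Full | Enabled |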

    IMPORTANT: All Primary Servers running ZENworks 11.3.x or earlier should first be upgraded to ZENworks 11.4 before upgrading them to ZENworks 2017. Satellite Servers and managed devices should be updated to ZENworks 11.x before updating them to ZENworks 2017.

Table 3 ZENworks Cumulative Agent Update to 2017: Supported Paths

| Device Type | Operating System | Supported Versions | Unsupported Versions |
|-------------|------------------|--------------------|----------------------|
| Primary Server | Windows/Linux | v11.4 and later versions | Any version prior to 11.4 |
| Satellite Server | Windows/Linux/Mac | v11.0 and later versions | Any version prior to 11.0 |
| Managed Device | Windows | v11.0 and later versions | Any version prior to 11.0 |
| Managed Device | Linux | v11.0 and later versions | NA |
| Managed Device | Mac | v11.2 and later versions | NA |

4.0 Upgrade

For detailed information on prerequisites and instructions for upgrading Primary Servers, Satellite Servers, and Managed Devices to ZENworks, see the ZENworks Upgrade Guide.

5.0 Important information about customizing ZAPP with an unsupported language

To configure ZAPP with an unsupported language:

  1. Provide the new locale files for all files present in %ZENWORKS_HOME%/zapp/i18n

  2. Go to %ZENWORKS_HOME%/zapp/conf

  3. Open the locales.json file and add an entry for the required language under SupportedLocales section.

    For example, if the language is English add the following entry:

    {"name": "English", "value": "en", "helpFolder":"en", "aliases": "[\"en-US\", \"en-UK\"]"}

    Here, "value" is the locale, and that locale takes effect for every alias listed in "aliases". Ensure that the “help” is always provided in a supported language.

  4. End all the ZAPP processes and then restart ZAPP.

IMPORTANT: ZAPP can support all languages for which “.pak” files are available in the following location: %ZENWORKS_HOME%/zapp/locales

6.0 What’s New

For information about the new features in ZENworks 2017, see the ZENworks What’s New Reference.

7.0 Windows Secure Boot

Secure Boot is a Windows feature that can be enabled in Windows devices that have UEFI firmware. Support for Secure Boot in ZENworks 2017 has the limitations described below:

Endpoint Security Management and Location Awareness: If Endpoint Security Management or Location Awareness is enabled in your zone, make sure that Secure Boot is disabled on devices before performing a new installation of the ZENworks Agent. You do not need to do this when updating an existing ZENworks Agent on a device.

Full Disk Encryption: UEFI firmware and, by extension, Windows Secure Boot are not supported in Full Disk Encryption.

8.0 Known Issues

This section contains information about issues that might occur while you work with ZENworks 2017:

8.1 Installation

This section contains information about issues that you might encounter during installation:

On a SLES 11 SP4 or SLES 12 device when you install the ZENworks Agent using the YaST add-on an Unknown GnuPG key message is displayed

When you install the ZENworks agent on a SLES 11 SP4 or SLES 12 device using the YaST add-on, an Unknown GnuPG Key message is displayed.

Workaround: Manually add the GnuPG key.

  1. Navigate to the zenworks-agent-addon page.

    For example: <ZENworks_serverIP>/zenworks-agent-addon/

  2. Click the required SLES link.

  3. Right-click content.key and select Save Link As... to download the GnuPG key.

  4. In the Configured Software Repositories window, click the GPG keys… button.

  5. Click Add, browse to the location where content.key was downloaded, and click OK.

Unable to install ZENworks 2017 on Windows 2012 and 2016 Servers

While installing ZENworks 2017 on a Windows 2012 or 2016 server, the installation exits with a Java crash error.

Workaround:

  1. Disable Microsoft DEP (Data Execution Prevention) on the Windows server.

    To disable DEP on the Windows server, run the following command in the command prompt with administrator privileges:

    bcdedit /set nx AlwaysOff

    For more information, see Boot Parameters to Configure DEP and PAE.

  2. Rename the sfrhook.dll file to sfrhook64.dll. This file can be accessed from the following location: %program files%\citrix\system32\

Installation fails or hangs while reinstalling ZENworks after a rollback

When you reinstall ZENworks after a rollback, the installation fails or hangs.

Workaround: After you roll back ZENworks, in the Environment Variable window, perform the following changes and then reinstall ZENworks.

  • Remove the ZENWORKS_HOME system variable.

  • In the Path variable, remove the ZENworks install path.

8.2 Upgrade

This section contains information about issues that you might encounter during upgrade:

Upgrading a zone with MSSQL 2008 to ZENworks 2017 using the command line interface might fail with an error

When you upgrade a zone with MSSQL 2008 to ZENworks 2017 using the command line interface, the upgrade might fail with the This database version is not supported for ZENworks error.

Workaround: Upgrade the zone using the GUI interface instead of the command line interface, or upgrade MSSQL to 2012, and then upgrade the zone.

While upgrading a ZENworks SLES 12 Primary Server, modifications to pxemenu.txt are lost

When you are upgrading a ZENworks SLES 12 Primary Server, any configuration changes made to the Novell Preboot Services Menu in the pxemenu.txt file will be replaced with the default configuration settings.

The pxemenu.txt file is located at:

  • \srv\tftp\pxemenu.txt

  • \srv\tftp\efi\x86_64\pxemenu.txt

  • \srv\tftp\efi\ia32\pxemenu.txt

Workaround: Before upgrading ZENworks, back up the pxemenu.txt file.

A blank screen is displayed after completing the appliance configuration

While configuring the ZENworks Appliance on a VMware workstation or vSphere client 5.x, a black screen is displayed after completing the YaST configuration. This issue occurs only during the first install.

Workaround: After the Appliance configuration is completed, restart the appliance.

When you upgrade the operating system of a Macintosh device the agent page appears blank

After upgrading the operating system on a Macintosh device, the ZENworks Agent page appears blank.

Workaround: After upgrading the operating system, perform the following steps:

  1. Stop the agent service on the Macintosh device by executing the launchctl unload /Library/LaunchDaemons/com.novell.zenworks.agent.plist command.

  2. Navigate to the /opt/novell/zenworks/zmd/java/lib/configuration directory, and manually delete the following folders:

    • org.eclipse.core.runtime

    • org.eclipse.osgi

  3. Start the agent service on the Macintosh device by executing the launchctl load /Library/LaunchDaemons/com.novell.zenworks.agent.plist command.

Package Update fails on the Primary Server during system update deployment

While deploying the ZENworks 2017 update to all managed devices in the zone, the package update fails.

Workaround: Check whether the zman service is running before starting the package update. If the zman service is running, then stop the service by running the zman sss command.

While upgrading a Windows server from ZENworks 11.4.x to ZENworks 2017, Windows Explorer stops working

When you manually upgrade a Windows server from ZENworks 11.4.x to ZENworks 2017 through media upgrade, or through Standalone Updater, Windows Explorer stops working during the Upgrading Packages stage. Due to this issue, you will not be able to view the File Explorer.

Workaround: After completing the upgrade, restart the device.

NOTE: If you want to continue without rebooting the device, you need to manually stop and start the File Explorer. However, if you continue without rebooting the device, then ZENworks Agent will work with limited functionality.

Initialization of ZeUS fails with an unexpected error

While upgrading ZENworks 11.4.x to ZENworks 2017, an unexpected error occurs when you restart the device after server installation.

Workaround: Restart the ZeUS service manually.

Effective Assignment is not calculated for newly added devices

If the Effective Assignment calculation is enabled, and a new device is added to the zone in between the computation interval, the effective assignment is not calculated for the newly added device.

Workaround: Perform any one of the following:

  • After adding the device to the zone, manually run the zac ref bypasscache command.

  • On the device, right-click the Z-icon and then click refresh to get the latest effective assignment.

When you migrate an 11.4.x appliance, the installed patches might not be displayed in the Online Update tab

When you migrate an 11.4.x appliance after performing an online update, the installed patches might not be displayed in the Online Update tab of the appliance console.

Workaround: If all the required patches are installed, then ignore and proceed with the appliance migration.

8.3 Imaging

This section contains information about issues that you might encounter while using the Imaging feature:

Imaging Satellite Servers configured on SLES 10 SP3 and SP4 devices fail to communicate with ZENworks 2017 Primary Servers

The default version of OpenSSL that is installed on SLES 10 SP3 or SP4 devices breaks the communication with the 2017 Primary Servers.

Workaround: None. For more information, see TID 7017532 in the Micro Focus Support Knowledgebase.

8.4 Remote Management

Unable to delete files in the system32 folder from a remote computer during file transfer

During a file transfer session, while deleting a file from the system32 folder on a remote device, the file transfer window will become unresponsive, and the file will not be deleted from the folder.

Workaround: Delete the files from the Remote Control session instead of deleting them from the File Transfer dialog box.

Switch User and Log Off operations cannot be performed while remote controlling a Windows device from a Linux device

While remote controlling a Windows device from a SLES/SLED device, you cannot perform a Log Off or Switch User operation on the Windows device.

Workaround: None

Remote SSH on a Macintosh device fails with an Algorithm Negotiation Fail error

While installing the ZENworks Agent on a Macintosh 10.11 or 10.12 device, when you perform a remote SSH of the device using ZCC, the remote SSH on the Macintosh device fails with the Algorithm Negotiation Fail error.

Workaround:

  1. On the Macintosh agent device, add the following lines in the sshd_config file:

    KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com,hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96

  2. Restart the SSH service.
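
The KexAlgorithms and MACs lists in this workaround enable several SHA-1 and MD5 based algorithms and the diffie-hellman-group1-sha1 exchange. The following shell script is an added example, not part of the Readme or of ZENworks: it reports which entries of an sshd_config file fall into that legacy class so that they can be reviewed. The classification rule and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the ZENworks Readme): report legacy SSH algorithms
# enabled by KexAlgorithms/MACs directives in an sshd_config file.

# Assumption of this example: an algorithm counts as legacy when it is built
# on MD5 or SHA-1, or is the 1024-bit diffie-hellman-group1 exchange.
is_legacy_alg() {
    case "$1" in
        *md5*|*sha1*|diffie-hellman-group1-*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_sshd_config FILE
# Prints "<directive> <algorithm>" for every legacy algorithm the file enables.
audit_sshd_config() {
    awk '
        /^[ \t]*#/ { next }                  # skip comment lines
        {
            kw = tolower($1)                 # keywords are case-insensitive
            if (kw != "kexalgorithms" && kw != "macs") next
            list = $2
            if (list ~ /^-/) next            # a "-list" removes algorithms
            sub(/^[+^]/, "", list)           # "+list" and "^list" add to defaults
            n = split(list, algs, ",")
            for (i = 1; i <= n; i++) print $1, algs[i]
        }
    ' "$1" | while read -r directive alg; do
        if is_legacy_alg "$alg"; then
            printf '%s %s\n' "$directive" "$alg"
        fi
    done
}

# write_sample_config FILE
# Constructed sample: the two directives from the workaround above.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config fragment
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com,hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
EOF
}

# Audit the file given as the first argument, or the constructed sample.
if [ "$#" -gt 0 ]; then
    audit_sshd_config "$1"
else
    sample=$(mktemp)
    write_sample_config "$sample"
    audit_sshd_config "$sample"
    rm -f "$sample"
fi
```

Run it with the path of the agent device's sshd_config as the only argument; with no argument it audits the constructed sample.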

8.5 Mobile Management

This section contains information about issues that you might encounter while using the Mobile Management feature:

If a device enrolled as an ActiveSync Only device is fully wiped and deleted, then re-enrollment of the same device fails

If a device that is enrolled as an ActiveSync Only device is fully wiped and deleted using the Unenroll quick task, then you will be unable to re-enroll the same device to the ZENworks Management Zone.

Workaround: In the database, update the TobeDeleted value for the device object in the zZENObject table to 1.

As a best practice, it is advisable to fully wipe and retire the device. Subsequently, you can click Delete to remove the device from the zone.

Status of a policy that successfully applies on a device but with exceptions remains as Unknown

If a policy is assigned and successfully applied on a device but with some exceptions, then the status of the policy is displayed as Unknown in ZENworks Control Center (ZCC). This might occur if certain settings configured in the policy are not applicable for certain enrolled mobile devices. For example, if a Mobile Security Policy, in which password settings and encryption settings are enabled, is assigned to a device and the device does not support encryption, then the policy is applied successfully, but with exceptions, and the status in ZCC is displayed as Unknown.

Workaround: None.

Email accounts might not work properly on some mobile devices if an ActiveSync server is added after the devices are enrolled

If a device is already enrolled to the ZENworks Management Zone and an ActiveSync server is configured later, then the email accounts on some of these devices might not receive emails.

Workaround:

For Android devices:

  • You might be prompted to re-enter your account password. If this does not work, either initiate a Refresh action on the email account configured on the device or initiate a Refresh action from the Settings menu on the device.

For Windows devices:

  • Delete and re-create the email account on the device.

NOTE: For iOS devices, the email client might display an error message a couple of times, after which you will start receiving emails on the device.

As a best practice, it is advisable to configure an ActiveSync server before a device is enrolled to the ZENworks Management Zone.

Mobile device object is retained on the ZENworks Server if remote wipe is initiated from the ActiveSync Server

If a remote wipe is initiated directly from the ActiveSync Server, then the email account configured on the device will stop receiving emails. However, the device object is retained in ZENworks Control Center. Whenever the user tries to re-create the email account, the data on the device is wiped.

Workaround: To re-create the email account on the device, the device has to be deleted from the ActiveSync Server and the ZENworks Server, and then re-enrolled to the ZENworks Management Zone.

NOTE: As a best practice, always initiate a remote wipe from the ZENworks Server and not from the ActiveSync Server.

Notification to install bundles might not be received on devices that run on iOS versions prior to 9.2.1

When an iOS bundle is assigned to devices that run on an iOS version prior to 9.2.1, the devices might not receive a notification to install the bundle even if multiple sync requests are sent from these devices.

Workaround: Upgrade the iOS operating system to 9.2.1 or a subsequent version.

If an Unenroll quick task is initiated to fully wipe devices, then the status of the quick task might not change to Done

When an Unenroll quick task is initiated to fully wipe devices that are already enrolled to the ZENworks Management Zone, then for a few mobile devices the status of the quick task in ZCC does not change to Done and remains as Assigned, even though the data on these devices is successfully wiped. Whenever users try to re-enroll these devices to the ZENworks Management Zone, the data on the device is wiped because of this pending quick task.

Workaround: Delete the device object from ZCC and then re-enroll the device.

Enrollment of an iOS device fails when the Common Name in the External CA certificate includes a wildcard character along with the host name

If the common name includes a wildcard character along with the hostname in the FQDN, then the iOS device enrollment will fail. For example, if the FQDN is hostname.example.com, and the common name in the certificate is hostname*.example.com or *hostname.example.com the device enrollment will fail.

Workaround: Ensure that you either use the complete host name in the common name, without any wildcard characters (hostname.example.com) or use a wildcard character in the place of the host name (*.example.com).
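
The common-name rule above can be checked before enrollment is attempted. The following shell function is an added example, not part of the Readme or of ZENworks: given the server FQDN and the certificate common name, it separates the two accepted forms from the partial-wildcard forms that fail. The function name and result labels are assumptions of this example, and the names passed to it are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the ZENworks Readme): classify an External CA
# certificate common name against the server FQDN.

# cn_enrollment_check FQDN CN
# Prints one of:
#   exact             CN is the complete host name
#   wildcard          CN is "*." followed by the FQDN's parent domain
#   partial-wildcard  CN mixes a wildcard with other characters in a label
#   mismatch          CN does not cover the FQDN at all
cn_enrollment_check() {
    # Host names are case-insensitive, so compare in lower case.
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    cn=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    parent=${fqdn#*.}                 # FQDN with the host label removed
    case "$cn" in
        "$fqdn")     echo exact ;;
        "*.$parent") echo wildcard ;;
        \*.*)
            # A whole-label wildcard, but for some other domain, or one
            # that carries a second wildcard further along.
            rest=${cn#\*.}
            case "$rest" in
                *\**) echo partial-wildcard ;;
                *)    echo mismatch ;;
            esac ;;
        *\**)        echo partial-wildcard ;;
        *)           echo mismatch ;;
    esac
}

# Constructed sample values, using the host name from the text above.
for sample_cn in 'hostname.example.com' '*.example.com' \
                 'hostname*.example.com' '*hostname.example.com'; do
    printf '%-24s %s\n' "$sample_cn" \
        "$(cn_enrollment_check hostname.example.com "$sample_cn")"
done
```

Only the exact and wildcard results correspond to the two forms the workaround allows.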

Installation of certain iOS apps might fail occasionally

A bundle for a specific iOS app is assigned to a device. However, the app fails to install on the device and the error ‘iTunes ID cannot be validated’ is displayed, even though there are no issues with the iTunes ID.

Workaround: On subsequent syncs, the app might successfully install on the device. It is also recommended that users update their devices to the latest iOS version.

Revoking or consumption of licenses of an app assigned to a device or a user might fail

Revoking or consumption of licenses of an app assigned to a device or a user might fail and the following error messages will be displayed:

  • License already assigned: This error message might be displayed even though the license is not assigned to the device or user.

  • No license to disassociate: This error message might be displayed even though the license is assigned to the device or user.

Workaround: None. This is an iOS limitation.

While enrolling an iOS device, the device enrollment remains pending for a substantial period of time

Enrollment of an iOS device to the ZENworks Management Zone does not complete and the device object remains in the Pending Enrollment Devices folder in ZCC for a substantial period of time.

Workaround: Delete the device object from the Pending Enrollment Devices folder in ZCC. Wait for a while and then re-initiate the process to enroll the iOS device.

Re-enrollment of a device fails, if the user source to which the user belongs, is deleted and added back to the zone

If a user source that was initially deleted is added back to the zone and a device that is associated with the user who is a part of this user source, is re-enrolled to the zone, then re-enrollment fails as the device is unable to reconcile with the existing device object in ZCC.

Workaround: Manually delete the device object in ZCC and then re-enroll the device.

An action that is assigned to an MDM Server that is offline is not executed

If there are multiple MDM Servers in the zone and an action is automatically assigned to an MDM Server that is offline, then this action is not delegated to another MDM Server that is connected to the network and the execution of the assigned action remains incomplete.

Workaround: None. Ensure that you remove the MDM role assigned to a server that is not connected to the network and then re-execute the action.

Device enrollment remains pending if a different APNs certificate is re-configured

(Fixed in ZENworks 2017 Update1) The existing APNs certificate is replaced with another APNs certificate and is re-configured in the ZENworks zone. When users try enrolling their devices, the devices will remain in pending enrollment state.

Workaround: Restart all the MDM Servers in your zone and then enroll the devices.

8.6 ZENworks Application (ZAPP)

This section contains information about issues that you might encounter while using ZAPP:

The ZAPP logs are not getting zipped when ZAPP reaches the maximum size

In ZAPP, the <username>.zapp.log rollover files are created after reaching the maximum size. However, the .gz zip files are not created for these rollover files due to zip-creation issues.

The latest file is named <username>.zapp.log and the name of the oldest file is appended with the largest number.

Workaround: None. Ensure that you do not change the "zippedArchive" property value to true in the logger.json file (located at %zenworks_home%/zapp/conf).

ZAPP cannot be launched at startup

ZAPP cannot be launched at startup to run in the foreground as it is already running in the system tray.

Solution: To launch ZAPP at startup in the foreground from the next login:

  1. Go to %zenworks_home%/zapp.

  2. Open the package.json file.

  3. Search for the "show" property and change the value from false to true.

  4. Save the file.

ZAPP will not be able to communicate with the ZENworks Agent

If the Internet proxy is set, then ZAPP will not be able to communicate with the ZENworks Agent and error messages with the 503 code are displayed in the log files.

Solution: Enable Bypass proxy server for local addresses:

  1. On the Windows device, click Start, and select Control Panel.

  2. Select Internet Options.

  3. In the Internet Properties window, select the Connections tab and click LAN Settings.

  4. In the Local Area Network (LAN) Settings window, under Proxy Server, select the Bypass proxy server for local addresses option.

  5. Click OK.

  6. End all the ZAPP processes and restart ZAPP.

Email client does not open from the Properties page of a bundle

Clicking the email link in the Properties page of a bundle does not open the email client.

Solution: Ensure that the email client is configured to use the mailto protocol.

8.7 Full Disk Encryption

This section contains information about issues that you might encounter while using Full Disk Encryption:

PBA User Capturing is not functioning on Windows 10 Anniversary Update version 1607

Pre-Boot Authentication (PBA) User Capturing is not functioning on Windows 10 Anniversary Update version 1607 under the following conditions:

  1. Install the ZENworks Agent with Full Disk Encryption activated on a Windows 10 device pre-Anniversary Update version, and do NOT apply a Disk Encryption policy.

  2. Update the device to Windows 10 Anniversary Update version 1607.

  3. Assign a Disk Encryption policy to the device with PBA and PBA account-User Capturing enabled (no specified PBA users).

  4. Let the PBA prompt screen “time-out” and boot to the Windows login screen.

Workaround: Press OK when the PBA prompt appears (do not let the PBA prompt screen time-out).

8.8 Database Management

Embedded Sybase database restore script fails on SLES 12

When you run the embedded database restore script on a SLES 12 Primary Server or ZENworks Appliance, the script fails with the following error:

    .../ZenworksLinuxDBRestore.sh: line 158: /etc/init.d/novell-zenmntr: No such file or directory
    ./ZenworksLinuxDBRestore.sh: line 167: /etc/init.d/novell-zenserver: No such file or directory
    ./ZenworksLinuxDBRestore.sh: line 171: /etc/init.d/novell-zenloader: No such file or directory
    ...
    Failure: Restore...

Workaround: To resolve the issue, perform the following:

  1. Manually stop the database and database services by running the following commands:

    • systemctl stop novell-zenloader.service

    • systemctl stop novell-zenserver.service

    • systemctl stop sybase-asa.service

    • systemctl stop sybase-audit-asa.service

  2. Copy the backup database DB and log files to the /var/opt/novell/zenworks/database folder, and overwrite the existing database files.

  3. Restart the services by running the following commands:

    • systemctl start novell-zenloader.service

    • systemctl start novell-zenserver.service

    • systemctl start sybase-asa.service

    • systemctl start sybase-audit-asa.service

  4. Run the following commands and verify that the services are running:

    • systemctl status -l novell-zenloader.service

    • systemctl status -l novell-zenserver.service

    • systemctl status -l sybase-asa.service

    • systemctl status -l sybase-audit-asa.service

8.9 Configuration

Install Network MSI and Create Directory bundle actions fail with the WNetAddConnection error when configured with DFS share

Bundles configured with the Install Network MSI or Create Directory action from a DFS share fail with the WNetAddConnection error.

Workaround: None

While configuring the Install Network MSI action, use the UNC path instead of DFS share.

9.0 Additional Documentation

This Readme lists the issues specific to ZENworks 2017. For all other ZENworks 2017 documentation, see the ZENworks 2017 documentation website.

10.0 Legal Notice

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.novell.com/company/legal/.

Copyright © 2016 Micro Focus Software Inc. All Rights Reserved.