[KB6374] MDMCore Troubleshooting (6.5 and later)

Issue

ESET business product no longer supported

This article applies to an ESET product version that is currently in End of Life status and is no longer supported. The content in this article is no longer updated. 

For a complete list of supported products and support level definitions, review the ESET End of Life policy for business products.

Upgrade ESET business products.

Solution

MDMCore reports Protection Status problems

Each protection status that MDMCore can report in ERA Web Console is listed below, followed by the troubleshooting steps for it.

HTTPS certificate does not meet criteria required by Apple
  If you are not managing iOS devices, disable the Send iOS related application statuses setting in your MDM policy.
  If you are managing iOS devices, verify that your HTTPS certificate meets the criteria described in https://help.eset.com/esmc_install/71/en-US/mobile.html.

MDM hostname does not match HTTPS certificate
  The hostname in the HTTPS certificate (Android / iOS) must match the hostname in the ESET Mobile Device Connector policy (Android / iOS). If they do not match, change one of them and re-apply the policy to the MDM host device.

HTTPS certificate is not valid
  Check the validity of your HTTPS certificate. If it has expired, generate a new one, upload it to your MDM policy and save the changes. You may need to re-enroll your mobile devices.

HTTPS certificate expires soon
  Check the validity of your HTTPS certificate. If expiration is close, generate a new HTTPS certificate and initiate a certificate exchange.

HTTPS certificate expired
  Generate a new HTTPS certificate and initiate a re-enrollment of your mobile devices.

HTTPS certificate chain is incomplete. Enrollment is not allowed
  To complete the certificate chain, export the HTTPS certificate currently used by the MDM policy and import it into the certificate store on the MDM host device (Windows, or Linux as described under Import HTTPS certificate chain for MDM - Linux below).

Missing APNS certificate
Missing APNS key
APNS certificate or APNS key not valid
  Generate a new APNS certificate and import it into the MDC policy.

HTTPS certificate change still in progress. The old certificate is still being used
  Not all mobile devices are using the new HTTPS certificate yet. Make sure that every mobile device connects to the MDM server during the certificate change.

Multiagent is overloaded. Some clients failed to report their status in the last hour
  This is an informative message only. If you see this warning often, consider adding more resources to the MDM host device.

APNS service certificate validation failed
GCM service certificate validation failed
APNS Feedback service certificate validation failed
  The MDM host device does not have the latest Apple / Google CA. Download the required CA (the Apple CA or the GCM CA) and import it into the certificate store on the MDM host device (for Linux, see Import HTTPS certificate chain for MDM - Linux below).

APNS service connection problems
GCM service connection problems
APNS Feedback service connection problems
  Create a firewall rule that allows the MDM host device to reach the APNS service (gateway.push.apple.com and feedback.push.apple.com) or the GCM service (android.googleapis.com). If the error message is still present, follow the steps for APNS certificate expires soon.

APNS certificate expires soon
  Follow the steps under I received an email from Apple Push Certification Portal that my APNS certificate is about to expire below.

MDM policy contains invalid https certificate. The old certificate is still being used
  Replace the HTTPS certificate in the MDMCore policy with a valid one.

There is a problem with connection to remote peer
  Follow the instructions under MDMCore alert: "There is a problem with connection to remote peer" below.

Manually remove a mobile device from ERA MDM 

Use Stop Managing task to remove a device

Keep in mind that the only correct way to remove (de-enroll) a mobile device is the Stop Managing task. The steps below are a last-resort solution only.

Manually deactivate iOS MDM seats

You also need to manually deactivate the iOS MDM seats in ELA (ESET License Administrator), because a seat is not released when you remove the device from the ERA MDM database manually.

After you execute a "Stop Managing Task" it may take up to 3*(2+number of all mobile devices/20) minutes until the device is removed from ERA Web Console. If the device still shows after this time, or you need to remove the device earlier, follow these steps: 

Windows:
  1.  Make sure MDMCore is not running. To stop it, stop the MDMCore service (EraMDMCoreSvc).
  2.  Open the MDMCore database using your DB tool of choice (HeidiSQL, MySQL Workbench, SQL Server Management Studio, ...).
  3.  Locate the Device table in the DB.
  4.  Delete the row that corresponds to your device. Use the DeviceID, DeviceName and SerialNumber (iOS) fields to identify it.
  5.  Start the MDMCore service (EraMDMCoreSvc). 
  6.  Select the mobile device in the Web Console and Delete it.
Linux (Virtual Appliance): 
  1.  Stop the ERA MDMCore service:
    systemctl stop eramdmcore.service
  2.  Connect to the MySQL DB:
    mysql -u USERNAME -p
  3.  Run the following command (to remove several devices at once, list their IDs in an IN (...) clause instead of the single equality; the dbo. schema qualifier is SQL Server syntax and is rejected by MySQL, so it is not used here):
    DELETE FROM era_mdm_db.Device WHERE DeviceId = 'XXXXXXXXXXXX';
  4.  Start the ERA MDMCore service:
    systemctl start eramdmcore.service
  5.  Select the mobile device in the Web Console and Delete it.
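The Linux (Virtual Appliance) steps above, wrapped in a script that adds the safeguards a last-resort database edit should have. This is an added example, not ESET tooling. It keeps the database, table and column names from this article's own DELETE statement (era_mdm_db, Device, DeviceId, without the dbo. qualifier that MySQL rejects) and the service name eramdmcore.service. Everything else is assumed: the MySQL user is taken from $MYSQL_USER, mysqldump and mysql prompt for the password, the backup is written under /root, and DRY_RUN defaults to 1 so the script only prints the statement until you set DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not ESET tooling): last-resort removal of mobile devices from
# the MDMCore database on the ERA/ESMC MDM Virtual Appliance. Follows the
# Linux steps in this KB: stop eramdmcore, delete the Device rows, start it.
# Assumptions not taken from the KB: MySQL user in $MYSQL_USER (password is
# prompted), backup written under /root, DRY_RUN=1 unless set to 0.

DB_NAME="era_mdm_db"           # database name as used in the KB's DELETE
SERVICE="eramdmcore.service"   # service name as used in the KB

# Build the DELETE statement for one or more device IDs (DeviceId column).
# Refuses an empty list (a DELETE without the IN list would wipe the table)
# and refuses any ID containing characters outside [A-Za-z0-9_-], so a
# stray quote cannot change the statement.
build_delete_sql() {
    [ "$#" -gt 0 ] || { echo "build_delete_sql: no device IDs given" >&2; return 1; }
    list=""
    for id in "$@"; do
        case "$id" in
            ""|*[!A-Za-z0-9_-]*)
                echo "build_delete_sql: refusing suspicious DeviceId: $id" >&2
                return 1 ;;
        esac
        list="${list:+$list, }'$id'"
    done
    printf "DELETE FROM %s.Device WHERE DeviceId IN (%s);\n" "$DB_NAME" "$list"
}

# Stop MDMCore, dump the Device table, run the DELETE, start MDMCore again.
# MDMCore is started again even when the dump or the DELETE fails.
remove_devices() {
    sql=$(build_delete_sql "$@") || return 1
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf 'DRY RUN (set DRY_RUN=0 to execute):\n%s\n' "$sql"
        return 0
    fi
    systemctl stop "$SERVICE" || return 1
    backup="/root/Device-$(date +%Y%m%d%H%M%S).sql"
    if ! mysqldump -u "$MYSQL_USER" -p "$DB_NAME" Device > "$backup"; then
        echo "remove_devices: backup to $backup failed, nothing deleted" >&2
        systemctl start "$SERVICE"
        return 1
    fi
    printf '%s\n' "$sql" | mysql -u "$MYSQL_USER" -p
    rc=$?
    systemctl start "$SERVICE"
    if [ "$rc" -eq 0 ]; then
        echo "rows deleted (backup: $backup); now delete the device in ERA Web Console as well"
    fi
    return "$rc"
}

# Usage: MYSQL_USER=root DRY_RUN=0 sh remove_mdm_devices.sh DEVICEID1 [DEVICEID2 ...]
if [ "$#" -gt 0 ]; then
    remove_devices "$@"
fi
```

Device IDs are validated before they are placed in the IN (...) list and an empty list is rejected, so a typo cannot turn the statement into a DELETE of the whole Device table. The table is dumped before any row is removed, the service is started again whether or not the DELETE succeeded, and the device still has to be deleted in the Web Console afterwards, as step 5 says.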

If the troubleshooting steps above do not solve your problem, collect the logs with ESET Log Collector (according to these steps) and contact ESET Support.


iOS device does not check-in when locked

If an iOS device does not execute the requested tasks, the cause may be the iOS lock screen setting Data protection. While the device is locked, files covered by Data Protection are encrypted and inaccessible, so the device cannot execute tasks that depend on that storage and answers the MDM command with NotNow instead.

After the user unlocks the iOS device, it checks in and executes all pending tasks.

This behavior is represented in MDMCore logs as: 

Received a NotNow response from device "xxxxxxxxxxxx" for command "a1b2c3e4f5". Stopping command delivery to device until a reconnect.

Figure 1-1


MDMCore alert: "There is a problem with connection to remote peer"

This alert indicates that MDMCore cannot connect to the ERA Server. Troubleshoot locally on the MDM host device.

Check the latest MDM log files and act accordingly:

Windows: C:\ProgramData\ESET\RemoteAdministrator\MDMCore\Logs\Proxy
Linux: /var/log/eset/RemoteAdministrator/MDMCore/Proxy/
Enable full logging

To enable full logging, create an empty file named traceAll (no extension) in the same folder as trace.log, then restart the ESET Remote Administrator Mobile Device Connector service. Full logging is then written to trace.log. Full logging is verbose; delete the traceAll file and restart the service again once you have collected what you need.

  • last-error.html - a table showing the last error recorded while MDMCore was running.
  • status.html - a table showing the current state of communication (synchronization) between MDMCore and ERA Server.
  • trace.log - a detailed record of all MDMCore activity, including any errors.

Possible solutions, depending on what you find in the log files:

  • The network is not configured properly. Make sure that the ERA Server host and the MDMCore host can communicate with each other.

I received an email from Apple Push Certification Portal that my APNS certificate is about to expire

Action required

This notification requires your attention. Renew the certificate in the Apple Push Certificates Portal following the steps below. If you do not, the certificate will expire and all affected iOS devices will have to be re-enrolled.

  1. Open the Apple Push Certificate Portal and log in using your Apple ID.
  2. Click Renew next to the certificate that is close to the expiration.
  3. Follow the steps in MDM Documentation.

Import HTTPS certificate chain for MDM - Linux

To import the HTTPS certificate chain into the system CA trust store on CentOS:

  1. Copy the certificate file to /etc/pki/ca-trust/source/anchors/
  2. Run the system command: update-ca-trust
  3. Restart the ERA MDMCore service with the system command /etc/init.d/eramdmcore restart (or systemctl restart eramdmcore.service)

Change the default enrollment ports for MDM VA

MDM 6.5
  1.  In ERA Web Console, edit your existing ESET Remote Administrator Mobile Device Connector policy and, under General, change the Port (default 9981) and the Enrollment port (default 9980). Save the policy so that it is applied to your existing ERA MDM.
  2.  Open the MDM VA terminal and, in the file /etc/sysconfig/iptables, find the line -A INPUT -p tcp -m tcp --dport 9980:9981 -j ACCEPT
  3.  Replace the default ports 9980 and 9981 with the ports you set in the policy. Note that 9980:9981 is a port range; if your new ports are not consecutive, do not keep the range form (it would open every port in between) but use -m multiport --dports PORT1,PORT2 or two separate rules instead.
  4.  Save the changes and restart the MDM VA with the command shutdown -r now.
  5.  MDM now listens on the new ports and you can re-enroll your mobile devices to use them.
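The MDM 6.5 procedure above edits the firewall rule by hand. The added shell example below (not ESET tooling) builds the rule from the two port numbers and handles the case the manual edit makes easy to get wrong: the shipped rule is a range (--dport 9980:9981), so substituting two non-consecutive ports such as 8443 and 9443 would also open every port between them. For consecutive ports it keeps the range form; otherwise it emits an -m multiport --dports rule listing exactly the two ports. Assumptions not from the article: the file path is a parameter so the function can be tried on a copy first, the default rule must appear exactly once before the file is touched, and a .bak copy is left beside it.

```shell
#!/bin/sh
# Added example (not ESET tooling): rewrite the MDM VA firewall rule for new
# Port / Enrollment port values, for the MDM 6.5 procedure in this KB.
# The appliance opens both ports with one range rule:
#   -A INPUT -p tcp -m tcp --dport 9980:9981 -j ACCEPT
# Substituting two non-consecutive ports into that range would also open every
# port between them, so non-consecutive ports get a multiport rule instead.
# Assumptions not from the KB: the file path is a parameter (try it on a copy
# first), and the default rule must appear exactly once before anything is
# changed.

# Matches the shipped rule with any amount of whitespace between the tokens.
DEFAULT_RULE_RE='^-A INPUT -p tcp[[:space:]]*-m tcp[[:space:]]*--dport 9980:9981[[:space:]]*-j ACCEPT[[:space:]]*$'

# Print the rule for ENROLL_PORT and PORT (the two values set in the policy).
new_mdm_rule() {
    enroll="$1"; port="$2"
    for p in "$enroll" "$port"; do
        case "$p" in
            ""|*[!0-9]*) echo "new_mdm_rule: not a port number: '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "new_mdm_rule: port out of range: $p" >&2; return 1
        fi
    done
    if [ "$enroll" -eq "$port" ]; then
        echo "new_mdm_rule: enrollment port and port must differ" >&2; return 1
    fi
    if [ $((enroll + 1)) -eq "$port" ]; then
        # consecutive: keep the range form the appliance ships with
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport ${enroll}:${port} -j ACCEPT"
    else
        # not consecutive: list exactly the two ports, never a range
        printf '%s\n' "-A INPUT -p tcp -m multiport --dports ${enroll},${port} -j ACCEPT"
    fi
}

# Replace the default rule in FILE with the rule for ENROLL_PORT PORT,
# keeping a copy as FILE.bak.
# Usage: update_mdm_ports /etc/sysconfig/iptables 8443 9443
update_mdm_ports() {
    file="$1"
    rule=$(new_mdm_rule "$2" "$3") || return 1
    n=$(grep -c -e "$DEFAULT_RULE_RE" -- "$file" 2>/dev/null || true)
    if [ "$n" != "1" ]; then
        echo "update_mdm_ports: expected the default MDM rule exactly once in $file, found ${n:-0}; edit it by hand" >&2
        return 1
    fi
    sed -i.bak -e "s|$DEFAULT_RULE_RE|$rule|" "$file" || return 1
    echo "$file updated (previous copy in $file.bak); reboot the appliance with shutdown -r now so the rule is loaded"
}

if [ "$#" -eq 3 ]; then
    update_mdm_ports "$1" "$2" "$3"
fi
```

Run it against a copy of /etc/sysconfig/iptables first and diff the result against the .bak file; the rule it writes must list only the two ports you entered in the policy, and the reboot in step 4 is still required for the new rule to take effect.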
MDM 7.x 

Ports can be changed only by re-deploying the ESMC MDM VA.