...
When attempting to enroll devices, enrollment fails and you may observe one or more of the following error messages:

* Enrollment Failed
* Enrollment Denied
* 49: LDAP_INVALID_CREDENTIALS
* 81: LDAP_SERVER_DOWN
* 82: LDAP_LOCAL_ERROR
* 87: LDAP_FILTER_ERROR
* Enrollment Denied: Device Not Approved

When using the Test Connection function to test connectivity, you receive the error message: Test Connection Failed.

AirWatch Cloud Messaging (AWCM) is not connecting (error: Unable to connect to AWCM) and devices fail to check in to Workspace ONE.

iOS re-enrollment fails with error: "Unable to login at this time. This device is already registered to a different environment. Please Contact your IT administrator. We are unable to finish building your digital workspace at this time. Please try again or sign out. If you sign out, you will have the option to re-enter your email address or server URL."
This article features many common troubleshooting steps administrators can take to address issues with device enrollment, such as enrollment failing. Review the sections listed below and perform these troubleshooting steps to resolve the enrollment issue you are experiencing.

You may also refer to the following Knowledge Base articles if you observe any of these errors during enrollment:

* If the enrollment process is cycling through a continuous loop without completion and/or time-out errors, see Enrollment process stuck and/or Time Out error when attempting to enroll devices with Workspace ONE.
* Error: "Your account is not allowed to enroll. Please contact your system administrator" during Workspace ONE enrollment
* "Enrollment Denied, Device Not Approved" error during Workspace ONE enrollment
* Workspace ONE Enrollment Error: "Invalid User Credentials" and/or "Failed to validate user credentials."
* "You are not allowed to enroll your device. You have exceeded the maximum number of enrolled devices allowed." error on Workspace ONE
* "The device licenses have expired. Enrollment is suspended for this organization group." error on Workspace ONE Intelligent Hub
* "403: Not allowed" error when enrolling devices based on tag assignment for Workspace ONE UEM
* Error: "Email Domain Registration Failure. The email domain you attempted to register is not available." on Workspace ONE UEM
* Workspace ONE enrollment profile with certificates failing to install on devices
To resolve and troubleshoot enrollment issues, verify and perform all steps below in the order that they are presented. If one section does not resolve the enrollment issue you are experiencing, move on to the next section.

* Identify any Account-related issues
* Confirm if the Directory Services Integration is working
* Review and resolve common LDAP Error Codes
* Confirm if ACC is Working (Error: Test Connection Failed)
* Check if the Cloud Connector Service starts without any issue
* Verify the values in ACC Configuration File and Database
* Verify AWCM Connection (On-Premise only)
* Re-enroll iOS Devices

Identify Account-related issues

* Ensure your service account has not been locked out or expired. If so, ensure that the account is accessible and marked as active before moving forward.
* Ensure the actual user account has not been locked out, especially if they have several failed enrollment attempts. You can unlock the user account in the Console if this is the case.
* Determine whether the scope of this issue is a single user, multiple users, or all users. This can help determine next troubleshooting steps.
* Determine if any enrollment restrictions are blocking user enrollment. Refer to Error: "Your account is not allowed to enroll. Please contact your system administrator" during Workspace ONE enrollment for additional details on enrollment restrictions.
* Attempt to enroll with a basic user account (one that is created directly in Workspace ONE) as this can help identify configuration issues and provide relevant error messages.

Confirm Directory Services Integration is working

In the Workspace ONE UEM Console, navigate to Settings > System > Enterprise Integration > Directory Services at the organization group where you configured your integration. Use the Test Connection button to ensure that Workspace ONE is connecting and authenticating properly to your directory system. If needed, you can update the connection settings on this page.

Resolve common LDAP Error Codes

Use the errors shown on the device and by the Test Connection function to identify the corresponding solutions in the chart below.

49: LDAP_INVALID_CREDENTIALS
  Description: Indicates that during a bind operation one of the following occurred:
    * The client passed either an incorrect DN.
    * The password is incorrect because it has expired.
    * The intruder detection has locked the account.
    This is equivalent to AD error code 52e.
  Solution: Check the service account username and password.

81: LDAP_SERVER_DOWN
  Description: Unable to connect to the LDAP server.
  Solution: Check that the required ports are open or whether the wrong IP is populated.

82: LDAP_LOCAL_ERROR
  Description: Some local error occurred. This is usually a failed memory allocation.
  Solution: Try populating the Binding attribute under the User tab; typically the LDAP needs to bind to the mapping value of the username.

87: LDAP_FILTER_ERROR
  Description: Invalid search filter.
  Solution: Under the User and/or Group tab in Directory Services, check that the search filter is correct.

Note: If the customer is using EIS (Enterprise Integration Service), 'Use Service Account Credentials' must be unchecked and bind username and password should be used instead.

Connection Failed
  Description: Could not create SSL/TLS secure channel on hostname. More than likely the SSL certificate in EIS is expired or the EIS certificates are expired.
  Solution: Renew the certificates to make the test successful.

AirWatch Cloud Connector (ACC) Troubleshooting/AirWatch Cloud Messaging (AWCM) Failure to Connect

Confirm If ACC Is Working (Error: Test Connection Failed)

You can test the ACC by clicking the Test Connection button on the Cloud Connector (System Settings > General > Enterprise Integration > Cloud Connector) screen. If all is configured as expected, you receive a message that says Connection Successful.

If you get a message that says Test Connection Failed and Workspace ONE cannot talk to AWCM (additional error message: Unable to connect to AWCM), this is not an ACC issue.
This is an AWCM issue (please reference the AWCM section below). If you get a message that indicates that Workspace ONE CAN talk to AWCM but ACC is not responding, then there is an issue with ACC. Alternatively, you can use the Diagnostics (System Settings > Administration > Troubleshooting > Diagnostics) page mentioned in the Connect Session.

Confirm That ACC Is The Correct Version

The ACC version must match the version of the Workspace ONE UEM Console it is integrating with. While auto-update will keep ACC up to date, occasionally the update will fail due to external variables (security policies, virus scans, network changes, etc.). Double-check the current version installed through the Windows Add/Remove Programs page, and upgrade if it is not up to date.

The Cloud Connector Service does not Start

This is most commonly caused by either a networking issue (ACC cannot reach AWCM) or an issue with Java installed on the server.

Networking Issue

Confirm that the server you are installing the ACC on can reach AWCM by browsing to https://{url}:2001/awcm/status. You should see the status of AWCM with no SSL errors. If there is an SSL error, you must fix it before continuing or ACC will not work.

Common Java Issues

While uncommon, it is possible for an installation of Java to become corrupt. You can uninstall it and re-install ACC to have Workspace ONE install the correct version, or you can determine what version is currently installed in the Windows Add/Remove Programs panel and download the version from the Oracle website: https://www.oracle.com/java/

Java installation path is wrong/removed

The other common issue can occur during Windows updates where the Java installation path gets removed from the System Variables, preventing Windows from running Java applications properly. To validate this: Right-click on My Computer and go to Advanced system settings > Advanced > Environment Variables, and edit Path under System Variables.
Copy the Variable value into Notepad and determine if the Java installation path is correctly added. If not, you may add it to the end of the value after a semicolon.

Note: Be very cautious about what changes you make to your Java installation/Environment Variables.

To resolve this issue, Workspace ONE recommends reinstalling ACC. This will resolve both issues outlined above.

Verify the values in ACC Configuration File and Database

Check the AirWatch Cloud Connector configuration file, “cloudconnector.exe.config”, located in {InstallPath}\AirWatch\AirWatch X.X\CloudConnector on your ACC server. The <cloudConnector /> line in the config file should contain these four URLs:

* autoUpdateURL: should point to the console. Correct format is https://{url}/airwatch.
* awcmUrl: should point to the AWCM server. Correct format is https://{url}:{port}/awcm.
* awId: should contain a URL that AWCM uses to identify the Cloud Connector client, which is the AirWatch Console. The {url} should be the AirWatch Console URL. Correct format is https://{url}/{groupID}/accClient.
* accId: should contain a URL that AWCM uses to identify the Cloud Connector. The {url} should be the AirWatch Console URL. Correct format is https://{url}/{groupID}/acc.

* If these values are incorrect, check the Console Site URL in the Site URLs page and ensure it is correct (i.e. not http://localhost).
* If the Console Site URL value is correct in the Site URLs page, then you need to fix the values in the database and in the ACC config file.

To fix in the database and config file:

1. Update the values in the database (dbo.systemcodeoverride where systemcodeid=955 and 956) or go to the Cloud Connector page in System Configuration\System\Enterprise Integration\Cloud Connector.
2. Save the page again.
3. Manually edit the “cloudconnector.exe.config” file on the ACC server and restart the ACC service.

Verify AWCM Connection (On-Premise only)

1. When installing AWCM, DO NOT use a self-signed SSL certificate. Instead, ensure you select the “custom SSL” check box. Use the public SSL certificate you installed on IIS for your Device Services server.
2. Ensure that REST API is enabled in the OG where you are enabling AWCM.
3. Ensure that AWCM is enabled in the Site URLs page in the Workspace ONE UEM Console.
   * The External URL SHOULD NOT contain http:// or https://.
   * The Internal Service URL MUST contain https:// instead of http:// and should have the port number after the URL and “/awcm” at the end. The URL should be similar to https://{url}:2001/awcm.
4. Browse to the AWCM Status page by going to https://{url}:2001/awcm/status. If this page does not open or if there is an SSL error, resolve it by ensuring that the certificate has been renewed (use the instructions included in Renew SSL Certificate for AWCM) before you move forward.
5. Check the SSL Certificate common name; it should match the name of the DS URL. If it says “Air Watch”, then you need to uninstall and reinstall AWCM, this time installing the correct SSL Certificate (see step #1). ACC and MAG WILL NOT WORK if you use a self-signed certificate.

Re-enroll iOS Devices

If you see an error similar to "Unable to login at this time. This device is already registered to a different environment..." while enrolling an iOS device, manually reset the app:

1. Within the settings for iOS, locate the settings for the Workspace Application.
2. Check the Enable Manual App Reset check box.
3. Re-load the Workspace ONE Application.
4. Tap on the logo seven times to reset the application.
5. When this is completed, attempt the enrollment process again.

ACC Workflow

ACC is installed in the internal network and has access to enterprise resources (LDAP, certificate authorities, etc.). ACC also has an outbound connection to the AWCM server. Both ACC and AWCM have the Secure Channel certificate installed in their respective Java Keystores, which is used to establish trust between them. All communication between AWCM and ACC is encrypted.

ACC communicates with AWCM via the (configurable) external or internal AWCM URL. This connection is persistent, as ACC will continue to listen for new commands even when idle. The ACC does have retry logic built-in should a connection be terminated prematurely.

When an internal resource needs to be accessed (such as during authentication against an LDAP system), the AirWatch application establishes a session with AWCM. This session contains a unique session ID, along with specific information regarding the requester's Organization Group. AWCM queues this message. ACC will receive only the messages intended for that configuration based on the session ID and Organization Group Details. This message will be processed by ACC, and the resulting data will be conveyed back to the AirWatch application through AWCM.
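
The format checks from "Verify the values in ACC Configuration File and Database", written as a PowerShell script for the ACC server. This is an added example, not code from the article or the product; it assumes the four values are attributes of the <cloudConnector /> element spelled exactly as the article spells them, and the sample config and example.com hosts are constructed.

```powershell
# Constructed sample config. Attribute names are the four listed in the article;
# their placement as attributes of <cloudConnector /> is an assumption.
$sampleConfig = @'
<configuration>
  <cloudConnector autoUpdateURL="https://console.example.com/airwatch"
                  awcmUrl="https://awcm.example.com/awcm"
                  awId="https://console.example.com/ExampleOG/accClient"
                  accId="http://localhost/ExampleOG/acc" />
</configuration>
'@

# Expected formats from the article; {url}, {port} and {groupID} become patterns.
$expected = [ordered]@{
    autoUpdateURL = '^https://[^/:]+/airwatch$'
    awcmUrl       = '^https://[^/:]+:\d+/awcm$'
    awId          = '^https://[^/:]+/[^/]+/accClient$'
    accId         = '^https://[^/:]+/[^/]+/acc$'
}

function Get-UrlHost([string]$Url) {
    # Returns the host of an absolute URL, or $null when the value does not parse.
    $parsed = $null
    if ([uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$parsed)) { $parsed.Host }
}

function Test-AccConfig {
    param([Parameter(Mandatory)][xml]$Config)

    $node = $Config.SelectSingleNode('//cloudConnector')
    if (-not $node) { throw 'No <cloudConnector /> element found in config.' }
    # awId and accId should both use the Console URL, as autoUpdateURL does.
    $consoleHost = Get-UrlHost $node.GetAttribute('autoUpdateURL')

    foreach ($name in $expected.Keys) {
        $value  = $node.GetAttribute($name)   # empty string when absent
        $status = 'OK'
        if (-not $value) { $status = 'MISSING' }
        elseif ((Get-UrlHost $value) -eq 'localhost') { $status = 'LOCALHOST' }
        elseif ($value -notmatch $expected[$name]) { $status = 'BAD_FORMAT' }
        elseif (($name -in @('awId', 'accId')) -and
                ((Get-UrlHost $value) -ne $consoleHost)) { $status = 'HOST_MISMATCH' }
        [pscustomobject]@{ Setting = $name; Value = $value; Status = $status }
    }
}

# Sample run: awcmUrl lacks a port and accId points at localhost.
Test-AccConfig -Config $sampleConfig | Format-Table -AutoSize
# Real file: Test-AccConfig -Config (Get-Content -Raw '<path to cloudconnector.exe.config>')
```

Any row whose Status is not OK points to a value to correct through the Site URLs page, the database override, or the config file as described in that section.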