Meraki

Community

Android Enterprise - Gsuite and Meraki issue

mrbios
Comes here often
‎Dec 11 2019 7:43 AM
‎Dec 11 2019 7:43 AM

Android Enterprise - Gsuite and Meraki issue

This one could get interesting to explain, i'll try and list what i have things set to in case anyone can point out a mistake...

 

First of all, I have Gsuite managed accounts, but Gsuite uses Azure AD as an SSO provider using the "Setup SSO with third party identity provider" settings and i have my Gsuite account bound to Meraki using the "Manage EMM provider for Android" options, along with "Enforce EMM policies on android devices" ticked.

 

Lastly for settings in Gsuite, i have Mobile Management set to "Unmanaged" for Android devices, i presume this is correct, as on Basic/Advanced i get asked for the google device app policy rather than system manager when trying to enroll a device?

 

As I've got Gsuite linked to Azure AD, the process i go through for setting up a new Android Enterprise device is as follows:

I make an account on my local AD > Azure AD Sync creates the account on Office 365 > I assign a license in Office 365 > Gsuite picks up the new account within roughly 30 minutes of all that being done. (I do this because i read in the meraki instructions that each device needs a unique account, is that definitely correct?)

I then factory reset an Android device, I login with the account i created, I get redirected to my Office 365 login page where i login with the same details, I'm then asked to install Meraki System Manager, i go through that process fine.

 

This is where things start to go wrong. On Monday i enrolled 15 devices flawlessly, but I've got one more to do today and no matter what i do, no matter what settings i try or what account i attempt to login with, the device doesn't auto enroll like the others did, I'm instead asked for the QR code/ID, I input those and then I'm sent another login screen...no google, ad etc details work here. Only an account I manually setup as an "Owner" account in Meraki logs in here, and if i do that the device is enrolled, but in a BYOD capacity (No SM device owner tick) 

 

I can't work out what has gone wrong between Monday and today that's caused the process to change. Has anyone got any suggestions? I know it's not the most straight forward setup, so if I've made no sense just fire away with questions.

 

Thankfully the other 15 work with only one small exception....on android, should deployed apps auto install? I've noticed i have to tap install in order for them to go on to the devices.

 

EDIT: Last problem with this device, though i've not tested this on any others.....i cannot for the life of me get the QR reader way of enrolling a device to work, it just sits on "Installing QR reader" then eventually says "Cannot install QR reader" (have of course ensured it's not a filtering issue regarding the download process there) The tablet in question is a Lenovo Tab E7

Labels:
0 Kudos
5 Replies 5
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 11 2019 1:24 PM
‎Dec 11 2019 1:24 PM

> each device needs a unique account, is that definitely correct?

 

It needs an owner account, but it does not need to be unique to the best of my knowledge.  A single user can have multiple devices.

 

 

I would say there is nothing wrong with your setup, that something has gone wrong on the Meraki side, and that if you do nothing it will start working in a week or so.

It would probably be worth while opening a case with suport though.

 

 

Have you considered authenticating against Azure AD directly, rather than against GSuite and then against AzureAD?

0 Kudos
In response to PhilipDAth
mrbios
Comes here often
‎Dec 11 2019 2:14 PM
‎Dec 11 2019 2:14 PM

Thanks Philip, I had considered authenticating against Azure AD, but if that is possible then perhaps i misunderstood how Android Enterprise enrollment works. Using that method i would have to have a gmail account, setup meraki to use that gmail account as the Meraki Managed Account and then change my authentication to Azure AD, have i got that correct?
Then when enrolling the devices, i'd use the afw#meraki command instead of the Gsuite account?

I think i tried it that way initially but got stuck at the same logon screen I'm getting stuck at this time. However at that time i didn't realise that i needed to setup Meraki Managed Ownership accounts within the Meraki System Manager > Owners section, and couldn't work out why everything i tried was saying authentication failed. Perhaps i will give that another go.

If i do change to that route, will i need to re-enroll my existing devices through that route? Or will they continue to work fine as setup currently?
0 Kudos
In response to mrbios
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 11 2019 2:26 PM
‎Dec 11 2019 2:26 PM

We use AzureAD ourselves for authentication.  We don't use GSuite though.

 

We have a single Google account used for setting up the MDM side.

 

>If i do change to that route, will i need to re-enroll my existing devices through that route? Or will they continue to work fine as setup currently?

 

I don't know this for sure - but I think it will continue to work fine.  If the Meraki Dashboard you'll just start seeing owner accounts with an "A" before them meaning they use AzureAD.

We have used both local and AzureAD accounts in the past and it seemed to be fine.

And in your case, they really are all AzureAD accounts.

 

0 Kudos
In response to PhilipDAth
mrbios
Comes here often
‎Dec 13 2019 1:21 AM
‎Dec 13 2019 1:21 AM

So after a lot of messing about with this tablet, including trying the alternative route i think i discovered why i couldn't get it to work.....it's not in the Android Enterprise supported devices list!

 

The 15 i had setup initially were Lenovo Tab E10 devices, the one i was trying on its own was a Lenovo Tab E7. (Consumer devices, but we're education looking for the cheapest possible solution to a problem) The Lenovo Tab E10's are in the supported devices list but the E7 isn't. Doh.

0 Kudos
In response to mrbios
mrbios
Comes here often
‎Dec 13 2019 4:17 AM
‎Dec 13 2019 4:17 AM

Hmm my next issue then is that i can't get silent app installs to push to devices. A deployed app correctly appears as a notification to say there's a new app to deploy, i can select it from the system manager managed apps list and manually tell it to install, but it just will not push to the device silently. Any suggestions?
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.