This one could get interesting to explain; I'll try and list what I have things set to in case anyone can point out a mistake...
First of all, I have Gsuite managed accounts, but Gsuite uses Azure AD as an SSO provider using the "Setup SSO with third party identity provider" settings, and I have my Gsuite account bound to Meraki using the "Manage EMM provider for Android" options, along with "Enforce EMM policies on android devices" ticked.
Lastly, for settings in Gsuite, I have Mobile Management set to "Unmanaged" for Android devices. I presume this is correct, as on Basic/Advanced I get asked for the Google device app policy rather than System Manager when trying to enroll a device?
As I've got Gsuite linked to Azure AD, the process I go through for setting up a new Android Enterprise device is as follows:
I make an account on my local AD > Azure AD Sync creates the account on Office 365 > I assign a license in Office 365 > Gsuite picks up the new account within roughly 30 minutes of all that being done. (I do this because I read in the Meraki instructions that each device needs a unique account; is that definitely correct?)
I then factory reset an Android device, I log in with the account I created, I get redirected to my Office 365 login page where I log in with the same details, I'm then asked to install Meraki System Manager, and I go through that process fine.
This is where things start to go wrong. On Monday I enrolled 15 devices flawlessly, but I've got one more to do today and no matter what I do, no matter what settings I try or what account I attempt to log in with, the device doesn't auto-enroll like the others did. I'm instead asked for the QR code/ID, I input those and then I'm sent another login screen... no Google, AD etc. details work here. Only an account I manually set up as an "Owner" account in Meraki logs in here, and if I do that the device is enrolled, but in a BYOD capacity (no SM device owner tick).
I can't work out what has gone wrong between Monday and today that's caused the process to change. Has anyone got any suggestions? I know it's not the most straightforward setup, so if I've made no sense just fire away with questions.
Thankfully the other 15 work with only one small exception... on Android, should deployed apps auto-install? I've noticed I have to tap install in order for them to go on to the devices.
EDIT: Last problem with this device, though I've not tested this on any others... I cannot for the life of me get the QR reader way of enrolling a device to work. It just sits on "Installing QR reader" then eventually says "Cannot install QR reader" (I have of course ensured it's not a filtering issue regarding the download process there). The tablet in question is a Lenovo Tab E7.
> each device needs a unique account, is that definitely correct?
It needs an owner account, but it does not need to be unique to the best of my knowledge. A single user can have multiple devices.
I would say there is nothing wrong with your setup, that something has gone wrong on the Meraki side, and that if you do nothing it will start working in a week or so.
It would probably be worthwhile opening a case with support though.
Have you considered authenticating against Azure AD directly, rather than against GSuite and then against AzureAD?
We use AzureAD ourselves for authentication. We don't use GSuite though.
We have a single Google account used for setting up the MDM side.
> If I do change to that route, will I need to re-enroll my existing devices through that route? Or will they continue to work fine as set up currently?
I don't know this for sure - but I think it will continue to work fine. In the Meraki Dashboard you'll just start seeing owner accounts with an "A" before them, meaning they use AzureAD.
We have used both local and AzureAD accounts in the past and it seemed to be fine.
And in your case, they really are all AzureAD accounts.
So after a lot of messing about with this tablet, including trying the alternative route, I think I discovered why I couldn't get it to work... it's not in the Android Enterprise supported devices list!
The 15 I had set up initially were Lenovo Tab E10 devices; the one I was trying on its own was a Lenovo Tab E7. (Consumer devices, but we're education looking for the cheapest possible solution to a problem.) The Lenovo Tab E10s are in the supported devices list but the E7 isn't. Doh.