Airwatch & Aerohive integration question

  • Question
  • Updated 2 years ago
  • Answered
  • (Edited)
Is there anyone on here that is actively using the Airwatch integration with their Aerohive APs? I'm working with a customer and we seem to be able to get the device to redirect to the Airwatch enrollment page. But after going through the enrollment process and accepting the profile installation on the iDevice we get the "Enrollment Complete" page but if we try to navigate elsewhere we are just redirected back to the enrollment page.

I don't know enough about Airwatch to know what is causing this issue...

APs and HMOL/1U HM are on 6.0r2a. Even backdated to 6.0r2 on the AP but didn't help any. Have a basic SSID w/WPA-PSK2 key. Everything else is defaults. Created a MDM for Airwatch that looks identical to the setup Abby has in her Airwatch demo video. All of this leads me to believe there is something I am missing on the Airwatch end, but I don't get much help from them in this regard as I can register the device manually on a "Non Airwatch enabled" SSID on a different AP and it will accept profile, and allow me access to the web...

Any assistance is much appreciated...
Brian Powers, Champ

Posted 5 years ago

Andrew Garcia, Official Rep

I haven't tried this with Airwatch, specifically, but I encountered this behavior previously with JAMF. So consider this a stab in the dark...

The problem in that case was usually something interfering with the client's ability to contact APNS in order to complete the post-enrollment inventory. In the JAMF case, the device inventory request needed to complete successfully in order for the JSS to register the device as fully enrolled, and therefore tell Aerohive to let the device have access to the network.

Other things to look at:
- check the time on the AP and Airwatch server.
- if you are using the hostname to contact the Airwatch server, make sure the AP can resolve the address (it may be using different DNS than clients).
- Do an enrollment check from HM or from the AP CLI for the device MAC. Does this return an error, or an un-enrolled message?

Brian Powers, Champ

Thanks Andrew,

Couple questions/comments on your list here.

Time is correct on AP. Can't find a place to check time on the cloud hosted Airwatch Web GUI.

Can ping the Airwatch server (dsXXX.awmdm.com) from the AP, from my PC.

How exactly do I do an enrollment check?

Andrew Garcia, Official Rep

From HiveManager:


From the CLI:
exec airwatch-check mobile-device {mac_addr} enroll-status

Brian Powers, Champ

From the GUI, under clients, I can do an Operation > Show MDM Enrollment

The device was unable to execute the following command:
exec jss-check mobile-device xxxx.xxxx.xxxx enroll-status .
Unknown error

Andrew Garcia, Official Rep

If you look at the AP log, you will probably see failure of the AP to communicate with the AirWatch Server, such as:

2013-04-26 08:21:46 err ah_capture: [MDM] ah_airwatch_get_device_enroll_info: failed to query tenative URL from AirWatch server.(rc=8)
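
A way to triage an exported AP log for this class of error, as an added example that is not part of the thread and not Aerohive or AirWatch code. The line layout is inferred from the single log line quoted above, every sample line except the first is constructed, and no meaning is assigned to the `rc` value.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout inferred from the one AP log line quoted in the thread (assumption):
# "<date> <time> <severity> <process>: [<tag>] <function>: <message>(rc=<n>)"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<sev>\w+) "
    r"(?P<proc>[\w.-]+): \[(?P<tag>\w+)\] (?P<func>\w+): "
    r"(?P<msg>.*?)(?:\(rc=(?P<rc>-?\d+)\))?\s*$"
)

# Line 1 is the line from the thread; the rest are constructed for this example.
SAMPLE_LOG = """\
2013-04-26 08:21:46 err ah_capture: [MDM] ah_airwatch_get_device_enroll_info: failed to query tenative URL from AirWatch server.(rc=8)
2013-04-26 08:21:47 info ah_example: [AUTH] ah_example_func: constructed line, unrelated subsystem
2013-04-26 08:22:10 err ah_capture: [MDM] ah_airwatch_get_device_enroll_info: failed to query tenative URL from AirWatch server.(rc=8)
this constructed line does not follow the layout at all
"""

def parse_line(line):
    """Return a dict for a line in the assumed layout, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["rc"] = int(rec["rc"]) if rec["rc"] is not None else None
    return rec

def mdm_failures(log_text):
    """Keep only error-severity records tagged [MDM]."""
    parsed = (parse_line(line) for line in log_text.splitlines())
    return [r for r in parsed if r and r["tag"] == "MDM" and r["sev"] == "err"]

def summarize(failures):
    """Group failures by (function, rc) with a count and first/last timestamps."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for r in failures:
        g = groups[(r["func"], r["rc"])]
        g["count"] += 1
        g["first"] = r["ts"] if g["first"] is None else min(g["first"], r["ts"])
        g["last"] = r["ts"] if g["last"] is None else max(g["last"], r["ts"])
    return dict(groups)

if __name__ == "__main__":
    for (func, rc), g in summarize(mdm_failures(SAMPLE_LOG)).items():
        print(f"{func} rc={rc}: {g['count']} failure(s), {g['first']} to {g['last']}")
```

Repeated failures from the same function with the same `rc` across enrollment attempts point at the AP-to-server query rather than at the client device.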

Andrew Garcia, Official Rep

Hey Brian, we are able to duplicate the condition here and we are working with Airwatch to resolve this issue. We will keep you posted.

Bruce Hubbert, Employee

This has been escalated and is being addressed now. As soon as we have a solution I will post it here.

Bruce Hubbert, Employee

Hi,

AirWatch discovered a problem in a change they made to their latest version. They have made a change to the system we use for development and testing and we are testing it now to see if it is fixed. I will keep you informed of the outcome.

Please contact AirWatch support and let them know that you have been communicating with us about this and that you are having the same issue.

-Bruce Hubbert

Matthew Cross

Any update on this?

Bruce Hubbert, Employee

AirWatch made a change to how existing users are treated and their enrollment status. There is a work around that AirWatch can provide until they fix it which should be done very quickly.

Brian Powers, Champ

Any chance of detailing out the "work around" here? Or any more information on a permanent resolution? Customer is getting a tad impatient.

Bruce Hubbert, Employee

The customer needs to contact AirWatch for the workaround.

The "work around" is centered on the Admin user that you input into the HiveManager policy and the permissions that that user has. Existing Admin users in AirWatch were broken in AirWatch's last update, so a new one with special permissions needs to be created.

I do not know what these permissions are as AirWatch created this for us on our server (since it is cloud based) and they need to do the same for the customer.

The AirWatch Account Manager for this account should have contacted the customer already. If not, the customer needs to call them.

Brian Powers, Champ

Thank you. I'll pass this information along!

Lisa Niles

Please see https://www.synercomm.com/pdf/Aerohive-AirWatch_Integration.pdf

I have finally wrapped up 6 months of working with Air-watch to get this working. Using HM6 and Air-watch. Please see attached doc. It works! Thanks, Lisa