...
Warning: All issues that arise during a scheduler iteration will appear in the scheduler logs.
Manual sync
The Add Missing Users, User Group Membership Sync, and Sync User Attributes processes can all be triggered manually by clicking a button in the console.
Info: Manual user attribute sync will only sync enrollment users, not administrator attributes.
Warning: If any issues arise during one of these processes when they are triggered manually, the BulkProcessingServiceLogFile.txt in the Services folder will contain the backend information. If it appears there is a UI issue with the buttons, the WebLogFile.txt file in the WebConsole folder will contain the information needed to troubleshoot.
User enrollment
```sql
-- Enrollment users at the Organization Group named 'ams'
select ExternalID, SecurityTypeID, *
from mobileManagement.EnrollmentUser EU
join dbo.LocationGroup LG on LG.LocationGroupID = EU.LocationGroupID
where LG.Name = 'ams'
```
- ExternalID – the ExternalID column contains a hashed value of the attribute configured for Object Identifier. This value is used to match the AirWatch user with the customer’s directory user. If for whatever reason this value is null or incorrect, the AirWatch user will not sync.
- SecurityTypeID – this column determines the type of user. 1 denotes a directory user, 2 denotes a basic user, and 3 denotes an authentication proxy user.
- LocationGroupID – the Organization Group ID where the user is imported. Note that all directory users will always reside at the Organization Group level where Directory Services is configured, even if they were imported or added at a child group.
- LDAPDefinitionID – the ID of the LDAP Definition the user is associated with.
```sql
-- LDAP definition for the Organization Group named 'ams'.
-- The join uses LD.LocationGroupID: the original query referenced an EU alias
-- that does not exist in this statement.
select LD.UserSearchFilter, LD.*
from dbo.LDAPDefinition LD
join dbo.LocationGroup LG on LG.LocationGroupID = LD.LocationGroupID
where LG.Name = 'ams'
```
- LastSyncDurationInMinutes – this column contains the time it took to sync the entire Organization Group in minutes.
- LastSyncedOn – last date the Organization Group synced with the directory.
- MemberPageSize – the MemberPageSize value can be configured, but should not exceed 5000 if the customer is using EIS. This value determines the chunk size of the information sent back and forth through ACC\EIS.
- IsSortControlSupported – determines if the directory type supports sorting results at the directory server before the response is sent.
```sql
-- User-to-group map rows for the user group with friendly name 'ams'.
-- The page writes the table as dbo.UserGroupEnrollment(Core)UserMapSync, i.e. the
-- EnrollmentUser or the CoreUser map variant; use the one matching the user type.
select MAP.*
from dbo.UserGroupEnrollmentUserMapSync MAP
join dbo.UserGroup UG on UG.UserGroupSyncID = MAP.UserGroupSyncID
where UG.FriendlyName = 'ams'
```
```sql
-- User groups rooted at the Organization Group named 'ams'
select UG.*
from dbo.UserGroup UG
join dbo.LocationGroup LG on UG.RootLocationGroupID = LG.LocationGroupID
where LG.Name = 'ams'
```
```sql
-- User group sync records rooted at the Organization Group named 'ams'
-- (the original had the mistyped alias UGUGS in the join condition)
select UGS.*
from dbo.UserGroupSync UGS
join dbo.LocationGroup LG on UGS.RootLocationGroupID = LG.LocationGroupID
where LG.Name = 'ams'
```
Warning: A user’s primary group in Active Directory cannot be added to AirWatch, as the primary group has no memberOf attribute on the user object. This is an AD limitation.
Query Troubleshooting
Info: LDAP Admin is the LDAP browser most commonly used internally. An LDAP browser is an excellent way to troubleshoot certain queries and determine which attributes should be configured in Directory Services. The tool can be downloaded at http://www.ldapadmin.org/
Connection Troubleshooting
Test connection failures usually report one of two error codes, either 49 or 81. An 81 error code indicates the console cannot find the directory server, which can happen if the hostname was entered incorrectly, ACC\EIS is not functioning properly, the directory server is firewalled, or there is no route to the directory server from the console server.
When an administrator encounters a 49 error it is important to note that this error is generated by the directory server, not AirWatch. In 99% of cases this is because the bind authentication type is not supported, or the account and passwords are incorrect. To verify that the console is not sending a bad username or password, SSL must be turned off and the authentication type must be set to basic so the bind request can be sniffed off the network in plaintext. Use Wireshark!
Warning (the exception text for this case): “System.DirectoryServices.Protocols.LdapException: Error code:81”
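To tell the two cases apart without a packet capture, it helps to reproduce the console's bind outside the console. The following is an added example, not AirWatch code: it encodes the same plaintext LDAPv3 simple bind the console sends when SSL is off and the authentication type is basic, reads the directory server's BindResponse, and maps the result to the two codes discussed above (81 is reported locally when no connection can be made; 49 comes back from the directory server itself). The host, bind DN and password in the usage block are placeholders, and the sample response at the bottom is constructed, not captured.

```python
import socket
from typing import Tuple

# Added diagnostic example (not console code). It reproduces the plaintext LDAPv3
# simple bind the page describes for troubleshooting, so the outcome can be read
# without a packet capture, and explains the two codes the page discusses.
RESULT_CODES = {
    0: "success: the directory accepted the bind",
    49: "invalidCredentials: returned by the directory server itself (unsupported bind "
        "type, or wrong account/password)",
    81: "serverDown: no connection to the directory server (hostname, ACC/EIS, "
        "firewall, or no route from the console server)",
}


def explain(code: int) -> str:
    return RESULT_CODES.get(code, "result code %d: check the directory server logs" % code)


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N followed by N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _int(value: int) -> bytes:
    # one extra bit keeps the sign bit clear for non-negative values
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def simple_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = _tlv(0x60,                                    # [APPLICATION 0] BindRequest
                _int(3)                                  # version
                + _tlv(0x04, bind_dn.encode("utf-8"))    # name
                + _tlv(0x80, password.encode("utf-8")))  # authentication: simple [0]
    return _tlv(0x30, _int(message_id) + bind)


def bind_response(message_id: int, result_code: int, diagnostic: str) -> bytes:
    """Encode a BindResponse; used here only to build constructed sample replies."""
    resp = _tlv(0x61,                                    # [APPLICATION 1] BindResponse
                _tlv(0x0A, bytes([result_code]))         # resultCode ENUMERATED
                + _tlv(0x04, b"")                        # matchedDN
                + _tlv(0x04, diagnostic.encode("utf-8")))  # diagnosticMessage
    return _tlv(0x30, _int(message_id) + resp)


def _read_tlv(buf: bytes, pos: int):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> Tuple[int, str]:
    """Return (resultCode, diagnosticMessage) from a BindResponse LDAPMessage."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(msg, 0)            # messageID
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("unexpected protocolOp tag 0x%02x" % tag)
    _, code, pos = _read_tlv(resp, 0)        # resultCode
    _, _, pos = _read_tlv(resp, pos)         # matchedDN
    _, diag, _ = _read_tlv(resp, pos)        # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def check_bind(host: str, port: int, bind_dn: str, password: str,
               timeout: float = 5.0) -> Tuple[int, str]:
    """Bind exactly as the console does with SSL off and basic authentication.
    Returns 81 when no TCP connection can be made; otherwise the server's code."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(simple_bind_request(1, bind_dn, password))
            data = sock.recv(65535)          # a BindResponse fits in a single read
    except OSError as exc:                   # DNS failure, refused, timeout, no route
        return 81, str(exc)
    return parse_bind_response(data)


# Constructed sample reply (not captured from a real server) for offline checks.
SAMPLE_INVALID_CREDENTIALS = bind_response(1, 49, "invalid credentials")

if __name__ == "__main__":
    # placeholder host and account; substitute the customer's values
    code, diag = check_bind("dc01.example.invalid", 389,
                            "cn=svc-airwatch,dc=example,dc=com", "placeholder")
    print(code, explain(code), diag)
```

Run it from the console server (or the ACC server) so the network path matches the one the console uses; a 49 from this script with a known-good password points at the bind type, while an 81 here but a working LDAP Admin session from a workstation points at firewalling or routing from the console host.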
Optimization
Warning: Groups & Settings > All Settings > Enterprise Integration > Directory Services, Advanced section: Use Recursive OID At Enrollment = Disable
LDAP Queries
Search Group:
(&(objectClass=group)(|(CN=*{inputName}*)(distinguishedName={inputName})))
Sync Group:
(&(objectClass=group)(|(objectGUID={ExternalID1})(objectGUID={ExternalID2})))
Search User:
(&(objectCategory=person)(sAMAccountName={InputUserName}))
Sync User:
(&(objectCategory=person)(sAMAccountName=*)(|(objectGUID={ExternalID1})(objectGUID={ExternalID2})))
Add Missing Users:
(&(objectCategory=person)(sAMAccountName=*)(|(distinguishedName={UserDN1})(distinguishedName={UserDN2})))
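The placeholders in these templates ({inputName}, {InputUserName}, {UserDN…}) are filled from admin or user input, and {ExternalID…} is compared against the binary objectGUID attribute, so both need escaping before they are placed in a filter. The following added example (not the console's or the project's code) builds all five templates with RFC 4515 value escaping and the \xx byte form Active Directory expects for objectGUID. It assumes that ExternalID for a directory user is the objectGUID, as the Sync filters above imply, and that the GUID is supplied in its usual string form; all inputs in the usage block are constructed.

```python
import uuid
from typing import Iterable

# Added example, not the console's own code: builds the page's five filter templates
# with RFC 4515 escaping, so an input name or DN containing ( ) * \ cannot change
# the filter's structure. Assumes ExternalID for directory users is the objectGUID.

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is matched literally inside a filter assertion."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def escape_guid(guid: str) -> str:
    """objectGUID is binary: AD stores the Windows GUID byte layout (uuid.bytes_le),
    and each byte is written as a \\xx hex escape inside the filter."""
    return "".join(r"\%02x" % b for b in uuid.UUID(guid).bytes_le)


def _any_of(attribute: str, values: Iterable[str]) -> str:
    """One (attribute=value) assertion per value, to be wrapped in (|...)."""
    return "".join("(%s=%s)" % (attribute, v) for v in values)


def search_group(input_name: str) -> str:
    name = escape_filter_value(input_name)
    # the * around the CN value are the template's own wildcards; the input is literal
    return "(&(objectClass=group)(|(CN=*%s*)(distinguishedName=%s)))" % (name, name)


def sync_group(external_ids: Iterable[str]) -> str:
    return "(&(objectClass=group)(|%s))" % _any_of("objectGUID", map(escape_guid, external_ids))


def search_user(input_user_name: str) -> str:
    return "(&(objectCategory=person)(sAMAccountName=%s))" % escape_filter_value(input_user_name)


def sync_user(external_ids: Iterable[str]) -> str:
    return "(&(objectCategory=person)(sAMAccountName=*)(|%s))" % _any_of(
        "objectGUID", map(escape_guid, external_ids))


def add_missing_users(user_dns: Iterable[str]) -> str:
    return "(&(objectCategory=person)(sAMAccountName=*)(|%s))" % _any_of(
        "distinguishedName", map(escape_filter_value, user_dns))


if __name__ == "__main__":
    # constructed inputs: a group name that would otherwise close the CN assertion,
    # and a GUID whose little-endian byte order is visible in the output
    print(search_group("Sales)(objectClass=*"))
    print(sync_user(["01020304-0506-0708-090a-0b0c0d0e0f10"]))
    print(add_missing_users(["CN=J Doe,OU=Users,DC=example,DC=com"]))
```

Pasting the generated filter into LDAP Admin is a quick way to confirm that the Object Identifier attribute and the user search filter configured in Directory Services return the expected object; if the objectGUID form returns nothing, the byte order (bytes_le versus the plain big-endian bytes) is the first thing to check.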