Boxer and SCL Restrictions

What needs to be checked to restrict transfer of mail attachments and files transmission between Boxer and SCL for iOS and Android:

1.  To restrict transfer of documents in specific controlled apps, on Organization Group level: a. Allow DLP – SCL-step2 functionality

b.  Search for and add Boxer for iOS/Android – SCL-step3

2. Next step for devices in Organization Group: a.  Create a new profile for all devices of a group – SLC-step4.

b.  Turn off “Allow documents from managed sources in unmanaged destinations”  – SCL-step5

1.  To restrict transfer of files from SCL into Boxer the file share, connected to SCL, has to be configured in the Security tab - SCL-step6:

a.  Allow Open in Email = OFF b.  Allow Opent in Third Party Apps = ON

2.  Check that in the security profile properties, Enable Composing Email = No (SCL-step7).

Boxer and SSL for PoC

Boxer has 2 types of accounts:

• main – is being added on install, is usually configured with policies. Cannot be deleted.
• additional – is added by users if this is allowed by policies. Can be configured manually.

Variant 1 (recommended): server is signed by a cert, which was given by a inner CA (issued by =/= issued to)

Solution: on all devices in the test, you have to manually deploy the certificate chain in the trusted section:

iOS: http://longwhiteclouds.com/2013/01/03/installing-corporate-ca-certificates-on-iphone-or-ipad-for-use-with-vmware-view/

Android: https://support.google.com/nexus/answer/2844832?hl=en

Variant 2: server is signed by a self-signed cert (issued by == issued to)

Solution: use the first account to distribute policies from any public EMail. For example, Office365 from our VMTestDrive

1. After Boxer installation connect to the account provided by policies (VMTestDrive)
2. Choose Add Account (“Добавить аккаунт”) in Boxer left menu (IMG_1455.jpg)
3. Insert an address (IMG_1456.jpg) and later choose Manual configuration (“Ручная настройка”). Type -> Exchange Server.
4. See config in IGM_1457.jpg ang IGM_1458.jpg as an example of such a connection. It is important to choose SSL (Accept any certificates / “принимать любые сертификаты”).

5. Choose the default account (IMG_1459.jpg)

Boxer Copy-Paste

Boxer Copy&Paste restrictions in two ways

Unlike all other WS1 SDK-enabled Apps, Boxer has two different approaches to restrict Copy&Paste:

At the Assignment stage in App Policies, there is a Copy Paste setting. As a result, copy&paste functions will be denied in ANY directions

❗️Unrestricted personal mail accounts in Boxer still can be troublmakers in this case. Recommend to disable it

If you need to do more granular restriction you need to implement this on SDK profile

• Recommended to set Native Boxer DLP capability to Unrestricted. It can be Restricted for potential more secure way, but SDK settings must be enabled after this settings
• The Boxer App must be published with SDK-profile enable. We use the Default profile, but it should work with Custom SDK-profile as well
• Before actual install Apps on devices, you need setup SDK-profile: Authentication Type =/= Disable; SSO must be enabled
• In DLP section (Security Policies) you may enable Copy&Paste Into to get user possibility to copy from unmanaged messengers/notes/etc into Boxer emails

As a result, copy&paste functions will be denied only in the desired way: into or out from managed Apps

Boxer for Android Fingerprint

• VMware Boxer v 4.5+ for Android 
• AirWatch Console 9.0.5+

Following are the steps for fingerprint authentication on the Android Boxer app:

• In the Apps SDK settings (Groups & Settings > All Settings > Apps > Settings and Polices > Security Polices), enable the Biometric Mode.
• While deploying the Boxer app, enable the Application to use AirWatch SDK and Select the Global SDK for Android.
• In the Email settings, enable the Application Configuration and enter “AppForceActivateSSO” (without the quotes) under Configuration Key and Value Type as Boolean and Configuration Type as True.
• Make sure passcode is set as None 
• Push the boxer app to the device and download it from the Play Store

ENS Basic Troubleshooting

Network

ENSLINKAddress On-Premise, should point to the externally accessible hostname pointed to ENS service. A support ticket has to be made with VMware Airwatch to request API token (internally the support reaches out to Boxer product manager and requests API key).

MS Exchange Server

User agent is configured for ENSv2 on MS Exchange Server CAS role. User agent must have access to receive data from MS Exchange, or ENS will not be able to receive PUSH notifications.

Troubleshooting

ENSLINKAddress for On-Premise installation should point it correctly to the customer’s externally accessible hostname pointed to ENS service.

Autodiscovery errors showing on logs.

• Make sure that the EWSUrl key is configured in the console with a correct value for the EWS url for their exchange environments.
  Test it out by opening it on the browser and making sure you are prompted for credentials.
  Tip

  Alternatively they can just turn ON autodiscovery on their environment.

Authentication errors (401s)

• Check what type of authentication is enabled in EWS? Make sure it has parity with whatever they are using for ActiveSync (Basic, OAuth, CBA) as Boxer will be the one to pass whatever type of credentials it has to ENS to use against EWS.
• Verify the EWSUrl is correct and resolves to Exchange environment and test the credentials used by navigating to the EWS URL and testing them there.
• Run “Outlook Connectivity Tests” on https://testconnectivity.microsoft.com
  Tip

  Try the Exchange Server or Office 365 tabs accordingly

ENSv2 not sending notifications but no logs found on help portal.

• Verify the ENSAPIToken key is correct in the console configuration.

• Verify the ENSLinkAddress key is correct in the console configuration

  Tip

  Try appending the “alive” endpoint for the environment and make sure it responds.

• Verify the EWSUrl is correctly configured with a valid EWS value.

• Verify that ENSv2 servers have inbound access to their EWS environment (firewall may be blocking access, they need to open the corresponding IPs)

• Verify that EWS can send outbound traffic to the corresponding ENSv2 domain (https://.getboxer.com/api/ens)

General FAQ

• **How are credentials or authentications tokens handled?
  **
  • Although the client does share the credentials/tokens with the ENSv2 environment upon registration, they are not kept (saved anywhere) by AirWatch servers. Rather, the Exchange server passes them back to AirWatch, encrypted, as part of a notification it sends whenever a new email is available. From that notification (Exchange -> ENSv2), ENS decrypts the credentials and uses them to make any requests necessary to the Exchange server. After performing any necessary requests, the credentials are once again discarded.

• If credentials are not persisted, is there any data persistent at all by ENS? How is it secured?
  • There is a secure database that keeps a list of devices and a list of public private key pairs used to unencrypt the credentials when they come from Exchange;
  • Logs are also kept to aide in debugging issues and monitoring the system. These don’t contain any customer’s private information and access to them is also tightly secured via account permissions.
• What data is transmitted through the ENS server without being persisted? How is it secured?
  • User credentials (encrypted with RSA encryption)
  • Email subject and sender (sent via HTTPS)
  • All communication is done via HTTPS
• What additional cloud services does ENS depend on?
  • AWS Simple Notification Service (SNS) for push notification handling.
  • Apple Push Notification Service (APNS) as it is the only way to pass notifications to Apple devices.
  • AWS Relational database service (RDS) for data persistence.
• What is the user agent used by ENSv2 when sending requests to Exchange?
  • MailNotificationService/v2 (ExchangeServicesClient/15.00.0913.015+ (will change as new libraries from Microsoft are released)
• What email folders does ENSv2 monitor for incoming messages and actions?
  • Currently, ENSv2 only monitors each user’s Inbox folder.

Load Balancing ENSv2

For HA, it is recommended to load balance several ENS web servers as needed following the Hardware Requirements. All web servers should point to the same database server as this will be their shared source of state for each of the clients.

Since the ENS web application itself is stateless there are no requirements to configure any session handling (stickiness) in the loadbalancer so a straightforward configuration should suffice.

Integration - Microsoft IRM-RMS

RMS features in Boxer

According to Boxer User Guide for iOS 4.5.1, Boxer User Guide for Android 4.5.0

Main features

• Edit
• Reply
• Reply All
• Forward
• Copy-Paste
• Modify recipients
• Extract
• Print
• Export
• Content Expiry Date

Other Features

• Press and hold an email message to copy and paste it into the application.
• You cannot copy data from the Boxer application and paste anywhere outside the application. However, you can copy data from outside the application and paste into the Boxer application.
• If your email message has contact number details, tap hold on the number to immediately dial it.
• If restricted by your administrator, attachments may open through the VMware Content Locker and other AirWatch approved apps. Hyperlinks may open only through the VMware Browser.
• If configured by your administrator, you can preview emails and their attachments within Boxer (See Boxer supported files’ types).
• On the attachment preview screen, the Share icon will be unavailable. When tapped on Share icon, you are presented with a toast message “Disabled by your admin”.
• After performing an action on an email while viewing it, you can have Boxer either advance to the next message, the previous message, or return to the conversation list. This setting can be configured from Mail settings (navigate to Settings > Mail > More mail settings > Auto Advance).

RMS Attachments

Boxer does not open RMS-restricted attachments - it transmits them to Content Locker. To use Content Locker on iOS device, the following has to be done:

1. Root certificate must be placed on device

2. In new iOS version the root Trust has to be ACTIVATED in a special menu option

3. In order for Content Locker to access RMS attachments, it must be registered on the ADFS server with this command:

Add-AdfsClient -Name "<App name>" -ClientId "<ID name>" -RedirectUri "<RedirectUri>"

Example: Client ID for VMware Content Locker for iOS is e9fcfce0-a20b-4d34-b580-909332723090

SEG on Windows Proxy

External Link

SEG Guide - VMware AirWatch SEG Guide

Prevent usage of Native EMail on enrolled devices

Problem: Users can gain access to Exchange ActiveSync from uncontrolled devices and mail clients on them. Usage of SEG solves the problem of uncontrolled devices access.

You can enforce using Boxer/Inbox by creating an email compliance policy from the AirWatch console:

Email> Compliance Polices > General Email Policies > Mail Client

SEG as MS Exchange OWA Proxy

You can restrict mobile traffic to seg.company.com by installing IP and Domain restrictions on the IIS on the Exchange server, and then enable IP filtering to deny everyone but the SEG on the ActiveSync endpoint on IIS. This will ensure all enrolled mobile devices will access email through SEG. You can also implement email policies to ensure that unmanaged devices do not access the SEG.

AirWatch cannot block access to OWA for unenrolled mobile devices since SEG does not manage OWA. The only way to do so would be checking through the AD for unenrolled users and preventing them from webmail access from there.

SEG Java Keystore

Default password for SEG Java Key store = changeit

SEG on Windows Java Memory

Resolution

• Upgrade to latest version of SEG (2.18+);
• Set the max heap size to 5Gb;
• Use Shenandoah as the garbage collection method.

Follow these steps to apply the settings:

1. Stop SEG service;
2. Go to SEG install directory and edit file SecureEmailGateway-2.18/service/conf/segServiceWrapper.conf
3. Update max heap to 5Gb, look for “Xmx” and update the property to: 

wrapper.java.additional.3=-Xmx5120m

4. Use Shenandoah GC, look for “#wrapper.java.additional.38” and in the next line add: 

wrapper.java.additional.39=-XX:+UseShenandoahGC
wrapper.java.additional.40=-Xlog:gc=debug:file=tmp/gc-%p-%t.log:time,level,tags:filecount=10,filesize=50m*

5. Save file and start the SEG service. 

• Observe the system resources once this change is placed + enable GC logs in the above settings.

If no issue is seen, then remove the GC logging setting by following these steps: 

1. Stop SEG service. 
2. Go to SEG install directory and edit file SecureEmailGateway-2.18/service/conf/segServiceWrapper.conf
3. Remove line: 

wrapper.java.additional.40=-Xlog:gc=debug:file=tmp/gc-%p-%t.log:time,level,tags:filecount=10,filesize=50m*

4. Save and start SEG service.

SEG Clustering

If multiple SEG servers are load balanced, single policy broadcast messages apply to only one SEG. This includes the messages sent from the AirWatch Console to SEG upon enrollment, compliance violation, or correction. Use Delta Sync with a refresh interval of ten minutes to facilitate newly enrolled or compliant devices. These devices experience a waiting period of maximum ten minutes before email begins to sync. Benefits of this approach include:

•  Updated policies from the same API source for all SEG servers. 
• Smaller performance impact on API server.  
• Reduced implementation or maintenance complexity compared to the SEG clustering model.   
• Fewer failure points as each SEG is responsible for its own policy sets.
•  Improved user experience. 
   

 SEG Clustering is also available to facilitate the sharing of single policy updates to all nodes of a SEG cluster.

SEG TLSv1

Please go through the following instructions in order to enable TLSv1.0 on SEG V2:

• Go to SEG installation directory -> {SEG_DIRECTORTY}/service/conf
• Edit file conf
• Look for following properties:

Property 1

wrapper.java.additional.9=-Djdk.tls.disabledAlgorithms=MD5\, RC4\, TLSv1\, SSLv2Hello\, SSLv3\, DSA\, DESede\, DES\, 3DES\, DES40_CBC\, RC4_40\, MD5withRSA\, DH\, 3DES_EDE_CBC\, DHE\, DH keySize < 1024\, EC keySize < 224

set this property as: (Removing TLSv1 from the disabled list):

wrapper.java.additional.9=-Djdk.tls.disabledAlgorithms=MD5\, RC4\, SSLv2Hello\, SSLv3\, DSA\, DESede\, DES\, 3DES\, DES40_CBC\, RC4_40\, MD5withRSA\, DH\, 3DES_EDE_CBC\, DHE\, DH keySize < 1024\, EC keySize < 224

Property 2

wrapper.java.additional.12=-Dhttps.protocols=TLSv1.1\,TLSv1.2

set this property as:

wrapper.java.additional.12=-Dhttps.protocols= TLSv1\,TLSv1.1\,TLSv1.2

• Restart SEG Service.

IBM ISAM

Notes on integration:

• Change the attribute where Distinguished Name in the AW Console is ‘distinguishedName’ to ’entryDN’ (see attached screenshot)
• This is Accessible from the AW Console from Groups & Settings > All Settings > System > Enterprise Integration > Directory Services

Microsoft Active Directory

nc -v LDAP-SERVER-IP 636
nc -v LDAP-SERVER-IP 3269

Integration

Go to Configuration > System Configuration > System > Enterprise Integration  > Directory Services

• Directory Type: Directory platform being utilized
• Server: Address of the directory services server
• Port: TCP Port for communication with directory services
• Protocol Version: Version of LDAP being used
• Bind Authentication Type: Protocol used to authenticate the LDAP session (GSS-NEGOTIATE recommended, gives auto-choice of Kerberos/NTLM)

Advanced config

• Search Subdomains: Search subdomains by LDAP chase referrals
• Connection/Request Timeout: Timeout setting per connection/request in seconds
• Search without Base DN: Enable to search without sending a base DN
• Use Recursive OID at Enrollment/Group Sync : Only supported by AD; used to obtain group membership during enrollment and not rely on the scheduler to run
• Object Identifier Data Type: Set the object ID type to string or binary. AD is binary by default while most other LDAPs are strings.
  Note

  In AirWatch 7.3+, the AD group structure itself is stored in the sync table, and if the user is shown to be a member of a nested group whose External ID is already stored in the table, the group membership will be reflected. The only flow unaccounted for is the group structure itself changes between scheduler iterations, in which at most there will be up to a 12 hour delay from when the user enrolls and is associated with the group after the group structure has changed.

Directory users mapping

• From Directory Services, navigate to User

• Specify the Base DN AirWatch uses to find users in the directory

• For User Search Filter, enter the parameters used to associate AirWatch user accounts with AD/LDAP accounts (&(objectCategory=person)(sAMAccountName={EnrollmentUser}))

• Select Show Advanced to display additional options

• Enable Auto Merge to consolidate changes made in the directory with AirWatch automatically

• Use Attributes to assign directory services information to the correct AirWatch fields

• Click Save

  Note

  All members of the Group or Organizational Unit from the directory are first synced into the dbo.UserGroupEnrollmentUserMapSync table by running the below LDAP query (for AD).

• Another query is run for all of the DN’s in the sync table to pull the actual user information from the directory: (&(objectCategory=person)(sAMAccountName=*)(|(distinguishedName={UserDN1})(distinguishedName={UserDN2})))

• When we sync User attributes, we query the directory for the users based on their ExternalID:
  (&(objectCategory=person)(sAMAccountName=*)(|(objectGUID={ExternalID1})(objectGUID={ExternalID2})))

• The User Group Membership Sync is the process by which we sync up the group membership for users from the directory. This will happen during a scheduler iteration if the Auto Sync option is enabled on the User Group and can be performed manually by clicking the Sync button on the User Group in the List View: (&(objectClass=group)(|(objectGUID={ExternalID1}) (objectGUID={ExternalID2}))

Sync interval

There are three primary scheduler jobs that sync up the group membership and user attributes:

1. LDAP Sync – the LDAP Sync job will sync the User Group membership.
2. Sync Directory Users – this job will sync up user attributes.
3. Sync Admin Users – this job will sync up admin attributes.

Auto sync

In production all LDAP based scheduler jobs are set to fire every 12 hours. It is not recommended to lower these values for On-Premise or Dedicated SaaS customers as setting the scheduler interval too low may cause performance issues in versions older than 7.1. If a customer requires a lower interval, it is recommended to run at least one sync, and pull the LastSyncTimeInMinutes column from the dbo.LDAPDefinition table to determine how long it takes to sync the Organization Group.

Manual sync

The Add Missing Users, User Group Membership Sync, and Sync User Attributes processes can all be triggered manually by clicking a button in the console.

User enrollment

The mobileManagement.EnrollmentUser table contains information on all of the enrollment users in the environment:

select ExternalID, SecurityTypeID, * from mobileManagement.EnrollmentUser EU
join dbo.LocationGroup LG
on LG.LocationGroupID = EU.LocationGroupID
where LG.Name = 'ams'

• ExternalID – the ExternalID column contains a hashed value of the attribute configured for Object Identifier. This value is used to match the AirWatch user with the customer’s directory user. If for whatever reason this value is null or incorrect, the AirWatch user will not sync.
• SecurityTypeID – this column determines the type of user. 1 denotes a directory user, 2 denotes a basic user, and 3 denotes an authentication proxy user.
• LocationGroupID – the Organization Group ID where the user is imported. Note that all directory users will always reside at the same level Directory Services is configured, even if imported or added at a child.
• LDAPDefinitionID – the ID of the LDAP Definition the user is associated with.

dbo.LDAPDefinition table contains all of the configuration information from the Directory Services for an Organization Group

select LD.UserSearchFilter, LD. * from dbo.LDAPDefinition LD
join dbo.LocationGroup LG
on LG.LocationGroupID = EU.LocationGroupID
where LG.Name = 'ams'

• LastSyncDurationInMinutes – this column contains the time it took to sync the entire Organization Group in minutes.
• LastSyncedOn – last date the Organization Group synced with the directory.
• MemberPageSize – the MemberPageSize value can be configured, but should not exceed 5000 if the customer is using EIS. This value determines the chunk size of information being sent back and forth between ACC\EIS
• IsSortControlSupported – determines if the directory type supports sorting results at the directory server before the response is sent.

The dbo.UserGroupEnrollmentUserMapSync table will contain only the ExternalIDs of both the users and the groups that are members of the AirWatch group that was added

select MAP. * from dbo.UserGroupEnrollment(Core)UserMapSync MAP
join dbo.UserGroup UG
on UG.UserGroupSyncID = MAP.UserGroupSyncID
where UG.FriendlyName = 'ams'

The dbo.UserGroup table contains information about the configured User Groups in AirWatch.

select UG. * from dbo.UserGroup UG
join dbo.LocationGroup LG
on UG.RootLocationGroupID = LG.LocationGroupID
where LG.Name = 'ams'

The dbo.UserGroupSync table contains syncing information for directory User and Admin groups. It provides a few more columns of information that contain the settings you have configured per group in the console.

select UGS. * from dbo.UserGroupSync UGS
join dbo.LocationGroup LG
on UGS.RootLocationGroupID = LG.LocationGroupID
where LG.Name = 'ams'

Query Troubleshooting

With some issues, AirWatch is not able to find certain users and/or groups. This is often due to an incorrect filter or lack of permissions in the directory. If we are unable to find the user and group objects with the LDAP Admin tool using the same settings from the console, we will be unable to find them using AirWatch. It will be necessary to test queries during troubleshooting. To run a custom query, click the magnifying glass icon in the toolbar, select the Custom tab in the window that appears, type the Base DN in the Path field, and type the query in the Filter field.

Connection Troubleshooting

Test connection failures are usually due to one of two error codes, either 49 or 81. An 81 error code indicates the console cannot find the directory server, which can happen if the hostname was entered incorrectly, ACC\EIS is not functioning properly, the directory server is firewalled, or there is no route to the directory server from the console server.

When an administrator encounters a 49 error it is important to note that this error is generated by the directory server, not AirWatch. In 99% of cases this is because the bind authentication type is not supported, or the account and passwords are incorrect. To verify that the console is not sending a bad username or password, SSL must be turned off and the authentication type must be set to basic so the bind request can be sniffed off the network in plaintext. Use Wireshark!

Optimization

Common LDAP Queries

Search Group: (&(objectClass=group)(|(CN={inputName})(distinguishedName={inputName})))

Sync Group: (&(objectClass=group)(|(objectGUID={ExternalID1})(objectGUID={ExternalID2})))

Search User: (&(objectCategory=person)(sAMAccountName={InputUserName}))

Sync User: (&(objectCategory=person)(sAMAccountName=*)(|(objectGUID={ExternalID1})(objectGUID={ExternalID2})))

Add Missing Users: (&(objectCategory=person)(sAMAccountName=*)(|(distinguishedName={UserDN1})(distinguishedName={UserDN2})))

Novell eDirectory

Server Settings

User Settings

Advanced User Settings

Group Settings

Advanced Group Settings

Apps Deployment

AirWatch has 2,5 mechanisms to deploy apps:

1. Apps & Books → Internal. You can only deploy 3 versions of an application called “Alpha”, “Beta”, “Production”;
2. Devices → Staging & Provisioning →****Product List View → Add Product. Add Manifest → Install Application. Difference between this method and the one below is not clear, except slightly easier config;
3. Devices → Staging & Provisioning → Components → Files/Actions. Add Files/Actions → Add Manifest → Install Unmanaged Application.

I recommend the 3rd method as the most descriptive and stable if several versions of an application are needed in one Organization Group.

Things to check in application deployment

Application ID

Check if there is a modification of the Application ID while uploading the application in the Console via Staging & Provisioning → Components → Applications or check while uploading the Application, is it fetching the Application ID and populating the same name in the Application ID field.

Application Metadata

Once the app gets uploaded, AirWatch SQL writes down its’ metadata to SQL. Parsing the data:

SELECT a.name, a.versionhash, * FROM INTERROGATOR.APPLICATIONLIST AL
JOIN interrogator.Application A ON AL.ApplicationID=A.ApplicationID
WHERE DEVICEID in (1473) and isinstalled=1

See more on SQL querying apps

Application Deployment Logs

• Device receives command to install application
• Device is directed to app destination for download via Manifest.plist file - so search for “manifest” in the logs:

• Device is redirected to Manifest.plist URL
• Device locates Blobhandler.pblob URL:

• Device is redirected Blobhandler.pblob URL
• Application download begins

macOS Apps Deployment

External link:

• Troubleshooting macOS - https://github.com/micromdm/micromdm/wiki/Troubleshooting-MDM

You are able to deploy apps on Mac OSX devices either from Apps & Books or from Product & Provisioning method. If you have a pkg or dmg file, then you could simply use Apps & Books. However, if you have multiple files to be executed or scripts to run then you could use Product & Provisioning. In AirWatch 9.3+, all macOS application file types (.dmg, .pkg, .mpkg, .app) can be managed through the Internal Applications section. This new framework leverages the popular Mac Admin community tool, Munki.

Provisioning with Munki

Enabling Software Management

• Navigate to Settings > Devices & Users > Apple > Apple macOS > Software Management
• Enable Software Management , there is a check in place to verify if File Storage is enabled at this page. If there is no File Storage, the admin will be requested to enable File Storage.
• On-Prem deployments will need to enable CDN.

Before uploading macOS File to AirWatch

All primary macOS software file types will now be uploaded through Internal Applications (.pkg, .dmg, .mpkg). A .pkg file can be a Bootstrap Package or can be managed through full lifecycle management (this feature). In order to configure Advanced Management options for macOS software and for effective desired state management, which is achieved through the integrated Open-Source Munki library in the AirWatch Agent, a metadata file must be generated for the file separately before uploading it to the AirWatch Console. Munki’s deployment logic is built on the concept of pkginfo files, which are xml/plist files that contain metadata, configuration information, and more for a given application file. AirWatch requires this pkginfo file along with the application file to manage the deployment in the Console.

The pkginfo file is genetrated with VMware AirWatch Admin Assistant (see tools page for download). This is a GUI wrapper for a Munki command-line utility and is used to generate the pkginfo metadata file for a given application file.

Generating a pkginfo metadata file using VMware AirWatch Admin Assistant

1. Download and install the Admin Assistant tool to a macOS device or VM.

2. Open the Assistant. The Assistant dialog will ask for the application installer files to parse.

3. Upload an application installer file by dragging & dropping a .pkg, .dmg, .mpkg, .app file into the labeled field, or browse the local files on the machine in order to find an installer file.

   Note

   If the file is .app, it will be converted into a .dmg for deployment

4. Once the file is selected and uploaded, the Assistant will automatically start parsing process the process. Additional files can be added during this time if needed.

5. Once the parsing is complete, the tool will prompt to reveal the parsed metadata files in Finder. Store the metadata files in a local folder where they can be easily retrieved during the Software Distribution procedure.

Generating a pkginfo metadata file using Autopkg

There are multiple ways to obtain the metadata/pkginfo file aside from using the Admin Assistant. One of them is to use Autopkg and its’ GUI tool Autopkgr.

Uploading a macOS Application to the AW Console:

1. Navigate to Apps & Books > Applications > Native > Internal
2. Click Add Application
3. Upload app/software file (.pkg, .mpkg, .dmg)
4. Continue to the next screen and Upload the pkginfo .plist file
5. Continue to customize the app deployment. The proceeding screens will display any available configurations present in the pkginfo file (for example, a pkginfo from AutoPkg may contain an install_check script). Additional deployment configurations can be defined, and will be merged with the existing configurations
   • If the pkginfo file has one or more key and configuration that are not exposed in the UI, they will not be affected. This feature is important as it allows administrators to upload pkginfo files with keys that would be supported by the Munki client but would not be configurable in the UI. Any changes in the UI will be merged with the existing keys.

Pre/Post Install Scripts

A common reason to repackage software is to perform additional configuration tasks or to install additional items. A technique to avoid repackaging is to add pre-install scripts and/or post-install scripts to the configuration of an item. These scripts can take care of some of the tasks which previously may have required repackaging to implement.

An Exit Code of 0 will define the script as successfully executed in order to allow Munki to continue.

Uninstall Methods

There are multiple options available for uninstallation of software. The appropriate option will be selected by default by the VMware Admin Assistant tool based on the software’s file type. If needed options to override the default values are available in the AirWatch Console.

Remove Copied Items
Used primarily for software installed from a .dmg

• Pulls from items_to_copy array[dicts] in the pkginfo file
  • All file paths in this array will be deleted
• Future Console release will show the paths in the items_to_copy array in the UI

Remove App

• Pulls from installs array[dicts] in the pkginfo file
  • All file paths in this array will be deleted
• Future Console release will show the paths in the installs array in the UI

Remove Packages 
Used primarily for software installed from a .pkg

• Uses receipts and analyzes the packages to remove
  • Tries to determine what files were installed via the Bom file
  • Deletes receipt
• Will only remove if package is not associated with any other files or programs
• Future Console releases will show the receipts that Munki check for in the UI

Uninstall Script 
Can be used for any installer type

• Written in shell script
• Used to perform custom uninstall operations if needed
  • If the Admin has a customized deployment of an app, they will need to also write a corresponding uninstall script to remove their custom configurations

Install or Uninstall Verification

With some software, the Admin needs to configure what exactly defines a Successful Install or Uninstall. Munki allows this through setting an Install or Uninstall Check Script

Install Check Script - If present, this script is executed to determine if an item needs to be installed. A return code of 0 means install is needed; any other return code causes install to be skipped.

Uninstall Check Script - If present, this script is executed to determine if an item needs to be uninstalled. A return code of 0 means uninstall is needed; any other return code causes uninstall to be skipped.

Conditions

Conditions can defined on a per-application level so that they are evaluated prior to the download and installation of a software.

Built-in Conditions Currently available built-in attributes for conditional comparison:

Example:

machine_type == “laptop” AND os_vers BEGINSWITH “10.7”

date > CAST(“2016-03-02T00:00:00Z”, “NSDate”)

Dates in conditions:

The date string must be written in UTC format, this format is interpreted as a local date/time. The condition date > CAST("2013-01-02T00:00:00Z", "NSDate") is True if the local time is after midnight local time on 02 Jan 2013.

Literal types in comparisons

• Strings are delimited by either single or double-quotes: os_vers BEGINSWITH "10.7"

• Integers have no quotes: os_vers_major == 10

• Booleans are indicated as TRUE or FALSE (and have no quotes, or they’d be strings!): some_custom_condition == TRUE

• Dates are possible, but they must be cast from ISO 8601 strings: date > CAST("2013-01-02T00:00:00Z", "NSDate")

Updates

Updates can be managed similarly to the other platforms in the AirWatch Console. If a new version of the file needs to be added, perform the following:

1. Navigate to Apps & Books > Native
2. Click on the App that requires an update. Clicking the app will navigate to the Details View page.
3. In the top right side, click “Add Version”
4. Upload the new installer for the new app version
5. Upload the new pkginfo file for the new version
6. Make any additional changes and then save the configuration

Troubleshooting

The AirWatch Console will show report macOS app installation data from a device in several  locations:

• Apps & Books > Applications > Native > Internal. Click onto the Application to drill into Application Details > Devices Tab. The grid in this tab will display installation statuses for each device.
• Devices & Users > Devices > List View. Click on a device to drill into Device Details > Troubleshooting Tab. The grid on this tab will show activity on the device and provides filtering options to show information relating to Software Distribution.

Munki Logs can also be directly accessed on the device: /Library/Application\ Support/AirWatch/Data/Munki/Managed\ Installs/Logs/ManagedSoftwareUpdate.log

tail -n 20 -F /Library/Application\ Support/AirWatch/Data/Munki/Managed\ Installs/Logs/ManagedSoftwareUpdate.log

Munki Known Issues

• Once software has been published and installed on a few devices, if any of the configuration options such as “install script”, “uninstall script” etc.. are changed, devices which already have the application installed successfully will not receive the updated options as these can only be updated when an “InstallApplication” command. This is the only command that can update the locally cached PKGInfo files on the device. In order to update the scripts, administrators will have to manually select all of the devices which have the software installed and repush the command. Repushing the command will update the respective cached PKGinfo file with the latest information.
  Note: Repushing the command will NOT reinstall the application unless there is a change in the software version. Munki is has mechanisms in place to not reinstall software when the application is already installed.
• If a package has a dependency on another package or software then an administrator will have to manually provide a required key in the pkginfo of the package with a dependency. Providing the key in the pkginfo is the only way for Munki to recognize if there are any dependencies, and determine the sequence of installation steps for such dependent packages. Unless otherwise specified, packages are installed in random order. Such package installation will fail if a package dependency is not met during the installation. 
  Example: Netbeans requires that Java be present and installed on the machine. Netbeans will not implicitly install Java while installing the Netbeans software package. Even if administrators attempt to install Netbeans without utilizing M****unki or using standalone Munki, the installation will fail and will prompt the administrator to first install Java before installing Netbeans.
• For packages which have the same receipts array with same version even on an upgraded package, Munki will not be able to detect that a new package is an upgraded package. The reason is that the receipt array has the same version as the previous package. The impact of duplicated receipts arrays is that the packages will not be installed on User machines as Munki cannot determine that a new version needs to be installed.
  Note: The best solution for packages with duplicate versions in the Receipts Array is to use an Autopkg Recipe, which adds an installs array in the pkginfo. This method allows Munki to detect upgraded packages; alternatively an administrator can manually add an installs array into the pkginfo.

Example: Wireshark is an example of a package which has identical receipts which contain the same version, thus Munki cannot detect the when upgraded packages are deployed.

Legacy methods (AirWatch 9.2 & older)

Apps & Books

• Go to Groups & Settings > All Settings > Devices and Users > Apple > MAC OS > Software Distribution.
• Enable Software distribution.
• Now go to Apps and Books > Native > Internal > Add Application.
• Upload the .pkg or .dmg file.
• Once uploaded, click on Continue. You will get an option to download VMware AirWatch Admin Assistance tool.
• Download the tool.
• Upload the .pkg or .dmg file there.
• You will see that it will open the package into .dmg file, .plist file and .png file.
• Go back to the Console and upload the .plist file for metadata.
• Click on upload and you will see the application description.
• You will get an option to upload the image. Upload .png file there.
• Now assign the application to the required Smart Group.
• Click on Save and Publish.

Product provisioning

It allows you to create, through AirWatch, products containing profiles, applications, and files/actions (depending on the platform you use). These products follow a set of rules, schedules, and dependencies as guidelines for ensuring your devices remain up to date with the content they need.

• Navigate to Devices > Staging & Provisioning > Components > Files/Actions
• Click on Add > General
• Navigate to Files > Add Files and enter the specific path
• Navigate to Manifest. Under Install Manifest, click Add Action. Choose the action type Install and provide the specific path. 
• Under Uninstall Manifest, click Add Action and set the action type as Install, again providing the specific path. 
• Under Uninstall Manifest, click on Add Action and choose the action type Uninstall, and provide the exact application name with the extension as ‘.app’.
• Select Save
• Navigate to Staging & Provisioning > Product List View and select Add Product.
• Under General, verify the details and assignment group are filled in.
• Navigate to the Manifest tab and click on Add. Choose the created component after selecting Install/Action.

With this configuration, the application will first be downloaded to the Downloads folder on the Mac. You can then install the application, which will be available in the Applications folder. If you want only to uninstall the application which was previously installed, you may choose the Delete Files option while creating files and actions.

Recipes

Script recipies

TextWrangler Post Install Script Implement a post-install script that copies the command-line tools from the TextWrangler bundle to their intended locations.

After uploading the appropriate files to AirWatch, pre/post install scripts can be configured for the app in the Scripts tab of the Application Details. Simply paste the script into the appropriate field and AirWatch will format it to be used by Munki.

App recipes

Manifest recipies

Quick fix for root user login bug (https://techcrunch.com/2017/11/28/astonishing-os-x-bug-lets-anyone-log-into-a-high-sierra-machine/ )

Enable root user with random password

Below are steps to fix the issue via  Product Provisioning -

A. Create a File

1. Go to Devices > Staging & Provisioning > Components > Files /Actions.
   2.  Add Files / Actions > macOS
2. Manifest > Install Manifest > Run > Command Line and Arguments to run /usr/bin/dscl . -passwd /Users/root $(/usr/bin/openssl rand -base64 20)
3. Click Save

B. Create a Product to include above File

1. Go to Devices > Staging & Provisioning > Products List View  > Add Product > macOS
   2.  Click on Manifest > Add Manifest > Actions to Perform > Install Files / Actions > Files/Actions (Enter the saved file).
2. Save & Activate the product

Unsigned application launch bypassing Security & Privacy

Use above recipe with command Manifest > Install Manifest > Run > Command Line and Arguments to run:

sudo xattr -rd com.apple.quarantine /Applications/@cursor # where '/Applications/@cursor' is the target app

Certificate Batching

Prior to the certificate batching logic, when a defined-CA profile is published to a large number of devices, it can result in significant performance issues on Airwatch Cloud Connectors in the AirWatch environment.  This is due to the extra processing required to issue each device a certificate from the CA, as well as the normal processing required to push the profile to the device.  The performance issues generally lead to CPU spikes and high memory usage on ACC or DS (if no ACC is configured) servers because:

• Certificate generation is a CPU intensive task. Too many concurrent certificate generation requests spike the CPU usage.
• Certificates are stored in memory of the process (w3wp - devicesservices) so that they can be reused for the same device.

AirWatch 7.1+ has certificate batch logic to throttle the deployment of all defined-CA profile publish jobs. These profile publish jobs will be broken into multiple batches at the environment level and a next batch will only be executed if the previous batch has been completed. 

Certificate Batching Logic

The deployment of defined-CA certificate profiles will follow the steps outlined below:

• AirWatch Administrator publishes a profile that contained a defined CA certificate
• Install profile commands are queued for all assigned devices in the Device Command Queue in the AirWatch Database.  These commands are queued in the Held status.  Commands in the Held status will not be processed by devices.
• A ProfilePublishBatchJob is created to process these commands.
• The ProfilePublishJobScheduler selects a batch and batch size, based on the settings configured in the AirWatch Console (under Settings → Installation → Performance Tuning for On-Premises environments).
• A batch detail entity is inserted into the AirWatch DB; the mobilemanagement.CommandQueueHeldBatch_Update stored procedure is called to “release” a number of the Install Profile commands that are currently in the Held status.  The number released will be equal to or less than the overall batch size.
• Periodically, more batches of the Install Profile command will be released until all commands are active (or have successfully been issued to devices).  Three scenarios are outlined below that describe this step in more detail.  This time period is defined by the Profile Publish Batch Job in the AirWatch Scheduler (Settings → Admin → Scheduler for On-Premises environments).

In SaaS and on-premise environments, the default Batch Size is set to 50, and the Profile Publish Batch Job interval is set to 3 minutes.

Scenario 1: All devices are consistently active

• Devices=24000
• Batch size=200

When a profile is published, all 24000 commands are queued in the Held status (status = 7).  The scheduler released the first 200 commands based on the batch size.  The commands are sent to devices (through APNs/Firebase), and devices consume the commands and install the profile.  At the interval defined by the Profile Publish Batch Job, the system will view how many pending install commands are still active.  As all devices are currently active and check in regularly, all of the previously queued commands will be processed, and another batch of 200 will be released.  This process repeats until all 24,000 install commands are released.

Scenario 2: Devices frequently check in (within 30 minutes)

• Devices=24,000
• Batch size=200

During any particular iteration of the Profile Publish Batch Job as outlined above, if {X} number of commands are still in Pending Install state for a period of less than 30 minutes, then only ({batchSize} -{X}) commands will be released in the current iteration.  For example, if the previous batch released 200 commands, but at the time of the next batch only 50 commands have been processed by devices (so that 150 are still active), then only 50 commands will be released at the current batch.  At the time of this iteration, it will ensure that the “active” batch size returns to 200.

Scenario 3:  Devices periodically check in (within 12 hours)

• Devices=24,000
• Batch size=200

During any particular iteration of hte Profile Publish Batch Job, if {Y} number of commands are still in Pending Install state for a period of more than 30 minutes, then {batchSize} number of commands will be queued up to maximum limit of *{batchSize}10 commands in queue. This means that at a single point in time, the maximum of *{batchSize}10 Install Profile commands can be queued in Pending Install status.

Following Scenario 2 above, if a new batch iteration is occurring, and all active Pending Install commands are over 30 minutes old, then a full batch size will be released.  If there are {X} pending commands less than 30 minutes and {Y} pending commands greater than 30 minutes, then {batchSize} - {X} commands will be released, up until a total of *{batchSize}10 overall active commands are queued.

Scenario 4:  Devices do not check in for over 12 hours

• Devices=24,000
• Batch size=200

After a pending install command has been queued for over 12 hours, it no longer counts toward the *{batchSize}10 limit specified in Scenario 3.  The logic outlined in the first 3 Scenarios will continue, not counting any of these older commands.  These “older” commands remain in the command queue and are active, but no longer affect the batching logic.

Relevant Database Tables

• dbo.BatchJob - Profile Publish places an entry with “profileVersionID” 
• dbo.BatchJobDetail - Every Batch Job iteration will place an entry with the number of commands released as “Count”
• deviceCommandQueue.DeviceQueue - Stores commands (profile install commands in this case) for every device

Large-Scale Performance

WS1 UEM Services/Applications

API Workflow
Batch Processing
Entity Change Queue Monitor
EventLog Processor Service
Integration Service
MEG Service
Messaging Service
Outbound Queue Monitor Service
Smart Group Service
Agent Builder Service
Background Processor Service
Compliance Service
Content Delivery
Device Scheduler
Directory Sync Service
GEM Inventory Service
Policy Engine
SMS Service
Google Play Service
Data Platform Service
Interrogator Queue Service
Provisioning Package Service
MSMQ

IIS Web Server Performance Counters

Boxer for Android Logs

Boxer for Android Architecture

Boxer communicates with a few different systems to provide these services.
The flow of the Android Boxer log file looks like this:

• Boxer reaches out to the console to get the profile information;
• Boxer reaches out to the console to get any S/MIME certificates and client authentication certificates available from the console;
• Boxer reaches out to the Exchange ActiveSync(EAS) email endpoint to make the options, provision, foldersync, and ping request;
• Boxer reaches out to the Email Notification S ervice (ENS) and provides the Exchange Web Services (EWS) credential information that was used for ActiveSync so it can subscrib e to email notifications.

• Boxer logs are in GMT. That means the entries there are 5 hours ahead of EST time. In addition, the logs are in 24 hour time so you will need to subtract 12 if you want am/pm.
• The very first line in the Boxer logs has the last date of the logs in the file. For example 2019-01-08T21:28:04.539Z - [-] - ###--HEADER--###
• Boxer logs can persist in the app for up to 3 days, so they can be pulled for review even if the issue hasnt occurred recently, but at least within the 3 day period. This is useful for intermittent types of issues, or where there is a delay in an affected user reporting the issue to their techsupport.

Boxer Communication Logs

Here is an example of what you might see in the logs followed by notes (in bold) that detail what the log entry tracks:

2019-02-05T13:51:52.636Z - [-] - ###--HEADER--### | This is the time of the last log entry in this log file for easy reference.

-------------------------------------------------------------- DEVICE INFO

--------------------------------------------------------------  
DEVICE ID = boxerc59d6cd3d34aba549 | the EAS device identifier  
MANUFACTURER = samsung  
MODEL = SM-G930F  
SDK VERSION = 26  
COMPROMISED = false | shows whether or not the device is jail broken  
APP VERSION CODE = 758  
APP VERSION NAME = 5.3.0.3  
STANDALONE = false  
ANCHOR APP = com.airwatch.androidagent | shows how the device is enrolled through the AirWatch agent, Boxer, or other method CONSOLE VERSION = 19.3.0.0  
PASSCODE ENABLED = false | shows whether or not Boxer will prompt the user for a password when opening Boxer  
AUTO-REFRESH FOLDERS = true | shows the sync frequency specified in the profile. "true" will be returned if it's set to "automatic" -- Stats --  
EnsRegister_1 => {"total_events_today":1,"average_events_per_hour":1.0}

AttachmentServiceWakeLock => {"total_events_today":4,"average_events_per_hour":4.0} Eas.SSLException => {"total_events_today":30,"average_events_per_hour":3.0}  
IrmSync => {"total_events_today":1,"average_events_per_hour":1.0} AccountProtocolCache.Cache_Used => {"total_events_today":103,"average_events_per_hour":103.0} EnsUpdateEnsConfig_-1 => {"total_events_today":1,"average_events_per_hour":1.0}

1/Socket Timeout => {"total_events_today":4,"average_events_per_hour":0.22222222} FetchManagedConfig => {"total_events_today":3,"average_events_per_hour":3.0} Eas.SyncAdapter => {"total_events_today":5,"average_events_per_hour":5.0} EnsGetSubscriptionStatus_1 => {"total_events_today":1,"average_events_per_hour":1.0} -- End Stats --

-- Power Info --  
Power saving mode enabled = false | shows whether or no the application is excluded from power saving mode which will cause application and networking issues Ignoring battery optimizations = true | shows whether or not the application is excluded from battery optimizations which will cause application and networking issues Device idle enabled = false  
-- End Power Info --

-- Permissions Info -- | shows whether or not the proper permissions are enabled for the application Calendar read: true  
Calendar write: true  
Contacts read: true

Contacts write: true Call: false  
Phone state: false Storage: true Camera: false

-- End Permissions Info --

-------------------------------------------------------------- ACCOUNT SETTINGS

-------------------------------------------------------------- DESCRIPTION = nas98.airwlab.com:8002 DISPLAY_NAME = Legend Wilcox  
EMAIL = lwilcox@labmail.airwlab.com

USERNAME = lwilcox@milkyway.local SERVER_ADDRESS = nas98.airwlab.com:8002 SSL_REQUIRED = null  
PORT = null

USER_DOMAIN = milkyway  
SIGNATURE =  
SYNC_EMAIL = true  
SYNC_CALENDAR = true  
SYNC_CONTACTS = true  
SYNC_EMAIL_LOOKBACK = 5  
MAX_SYNC_EMAIL_LOOKBACK = 5  
SYNC_CALENDAR_LOOKBACK = 7  
MAX_SYNC_CAL_LOOKBACK = 7  
LOGIN_CERTIFICATE = null  
LOGIN_CERTIFICATE_NAME = null  
TRUST_ALL_SSL_CERTS = null  
SMIME_SIGNING_CERT_ISSUER = 09e219f7-7864-437c-8c26-cd6613375e09  
SMIME_ENCRYPTION_CERT_ISSUER = 09e219f7-7864-437c-8c26-cd6613375e09  
SMIME_SIGNING_CERT_ISSUER_TOKEN = 3D9B54CEC239582BFD471D2BB1BE4E55580DF302 | this is the SMIME signing certificate thumbprint ID SMIME_ENCRYPTION_CERT_ISSUER_TOKEN = 3D9B54CEC239582BFD471D2BB1BE4E55580DF302 | this is the SMIME encryption cetificate thumbprint ID ACCOUNT_AUTHENTICATION_TYPE = 1 | 0 for basic, 1 for certificate, 2 for both (dual factor), 3 Oauth, 4 Oauth with CBA

ALLOW_MOBILE_FLOWS = false MOBILE_FLOWS_HOST_URL = null MOBILE_FLOWS_VIDM_URL = null SMIME_POLICY_TRUST_STORE = 0 SMIME_POLICY_REVOCATION_STRICTNESS = 0 SMIME_POLICY_STRICT_EKU_CHECK = false TLS_POLICY_TRUST_STORE = 0 DEFAULT_SIGNING_ALGORITHM = null DEFAULT_ENCRYPTION_ALGORITHM = null SMIME_ENCRYPTION_CONFORMING_ALGORITHMS = null SMIME_SIGNING_CONFORMING_ALGORITHMS = null STRICT_TLS_TRUST_CHECK = false

-------------------------------------------------------------- ACCOUNT POLICY

--------------------------------------------------------------  
ALLOW_CALLER_ID = true | caller ID restricted = false, caller ID unrestricted = true CALLER_ID_DEFAULT = true  
APP_MUST_USE_AIRWATCH_BROWSER = false  
APP_ALLOW_CRASH_REPORTING = true  
ATTACHMENT_VIEWER_PACKAGE_NAMES = []  
APP_PASSCODE_COMPLEXITY = 0 | passcode mode 0 for numeric, 1 for alphanumeric MIN_COMPLEX_CHARS_IN_APP_PASSCODE = 0  
MIN_APP_PASSCODE_LENGTH = 4 | how many characters required for the Boxer application password MAX_APP_PASSCODE_FAIL_ATTEMPTS = 10  
MAX_AGE_FOR_APP_PASSCODE = 90  
MAX_LOOKBACK_FOR_REPEAT_PASSCODE_CHECK = 5  
APP_PASSCODE_TIMEOUT = 2  
ALLOW_OTHER_ACCOUNTS = true  
ALLOW_COPY_PASTE = true  
ALLOW_SCREEN_CAPTURE = true  
ALLOW_ATTACHMENTS = true  
MAX_ATTACHMENT_SIZE = 2147483647  
DOCUMENT_SHARING_RESTRICTION = 0  
ALLOW_CALENDAR_WIDGET = false  
SMIME_POLICY_ALLOWED_KEY = 1  
ALLOW_EMAIL_WIDGET = false  
ALLOW_METRICS = true  
APP_FORCE_ACTIVATE_SSO = false  
ALLOW_ATTACHMENTS_FROM_DOC_PROVIDERS = true  
POLICY_ALLOW_OPEN_IN = 1  
APP_DEFAULT_BROWSER_EXCEPTIONS = null  
EMAIL_NOTIFICATION_TEXT_POLICY = -1  
SUPPORT_API_KEY having value = false  
ALLOW_ACTION_ARCHIVE = true  
ALLOW_ACTION_SPAM = true  
POLICY_APP_SWIPES_LEFT_SHORT_DEFAULT = -1  
POLICY_APP_SWIPES_LEFT_LONG_DEFAULT = -1  
POLICY_APP_SWIPES_RIGHT_SHORT_DEFAULT = -1  
POLICY_APP_SWIPES_RIGHT_LONG_DEFAULT = -1  
APP_AVATAR_ENABLED = true  
ALLOW_LOCAL_CALENDAR = true  
ALLOW_LOCAL_CONTACTS = true  
APP_DOMAINS_INTERNAL = null  
APP_DOMAINS_WARNING = false  
APP_RE_FETCH_EMPTY_LINKS_USING_MIME = false  
SHOULD_USE_PLAIN_TEXT_FOR_SYNC = false  
APP_LOG_AGGREGATION_URL = null  
APP_LOG_AGGREGATION_MODE = 0  
ALLOWED_MAIL_SERVER_CIPHERS = null

-------------------------------------------------------------- BOXER SETTINGS

-------------------------------------------------------------- DEVICE_ID = 1D62C4D972BB4A4799474C5C0E5BA437 NEW_SYNC_ENGINE = false ALLOW_ENTERPRISE_CONTENT = false VIP_NOTIFICATIONS = true

-------------------------------------------------------------- BOXER POLICY

-------------------------------------------------------------- ALLOW_LOGGING = null  
ALLOW_METRICS = null  
ALLOW_PRINT = null

ALLOW_ACTION_EVERNOTE = null IS_KEY_ESCROW_DISABLED = false

-------------------------------------------------------------- EMAIL CLASSIFICATION SETTINGS --------------------------------------------------------------

ENABLED = false DEFAULT CLASS = null X-HEADER KEY = null VERSION = null  
SORT ORDER = 1 CLASSIFICATIONS = []

-------------------------------------------------------------- THROTTLE SETTINGS

-------------------------------------------------------------- POLICY_CMD_FREQUENCY = null POLICY_SYNC_CMDS = null POLICY_RECENT_CMDS = null

-------------------------------------------------------------- ENS SETTINGS

--------------------------------------------------------------  
ENS_LINK_ADDRESS = https://europa.airwlab.com/MailNotificationService/api/ens ENS_API_TOKEN = 091d6a8a897b41528ea452088e7fc599 POLICY_ACCOUNT_NOTIFY_PUSH = true  
EWS_URL = https://nas98.airwlab.com:8002/ews/exchange.asmx  
ENS_STATE = (1 -> Subscribed) | the state of ENS when the logs were captured

PendingAccountEmail = null PendingAccountName = null UserDisabled = false

-------------------------------------------------------------- THREAD INFO

--------------------------------------------------------------  
com.boxer.common.e.a@811edcf[pool size = 2, active threads = 1, queued tasks = 0, completed tasks = 59, largest pool size = 7]

[com.boxer.unified.utils.at:a x 2, com.boxer.email.activity.MailActivityEmail:a, com.boxer.app.d:a x 2, com.boxer.email.provider.AttachmentProvider:onCreate, com.boxer.common.e.f:a x 18, com.boxer.common.e.f:b x 7, com.boxer.unified.widget.BaseWidgetProvider:b, com.boxer.emailcommon.provider.i:a, com.boxer.email.a.b:a x 2, com.boxer.settings.fragments.CombinedSettingsFragment:s, com.boxer.sdk.AirWatchAccountSetupService:e, com.boxer.unified.ui.ConversationViewFragment:a x 2, com.boxer.unified.providers.MailAppProvider:g, com.boxer.unified.ui.ConversationListFragment:U, com.boxer.email.service.ImapPopWorkerService:b, com.boxer.common.passcode.n:t, com.boxer.app.ag:f, com.boxer.common.activity.n:e x 2, com.boxer.common.app.v26support.k:o x 2, com.boxer.common.activity.n:c x 6, com.boxer.calendar.provider.CalendarProvider2:e, com.boxer.common.activity.ManagedActivity:P x 2, com.boxer.unified.ui.MailActionBarView:a, com.boxer.exchange.service.EmailSyncAdapterService:a]

-------------------------------------------------------------- HEALTH STATS

--------------------------------------------------------------  
[sync] com.boxer.contacts/com.boxer.exchange/eM_ADDR count=0 [sync] com.boxer.contacts/com.boxer.exchange/eM_ADDR time_ms=0 [sync] com.boxer.calendar/com.boxer.exchange/eM_ADDR count=0
[sync] com.boxer.calendar/com.boxer.exchange/eM_ADDR time_ms=0  
[sync] com.boxer.email.provider/com.boxer.exchange/eM_ADDR count=0  
[sync] com.boxer.email.provider/com.boxer.exchange/eM_ADDR time_ms=0  
[jobs] com.boxer.email/com.boxer.calendar.CalendarProviderChangedJobService count=0 [jobs] com.boxer.email/com.boxer.calendar.CalendarProviderChangedJobService time_ms=0 [jobs] com.boxer.email/.AirWatchSDKIntentService count=0  
[jobs] com.boxer.email/.AirWatchSDKIntentService time_ms=0  
[jobs] com.boxer.email.provider/com.boxer.exchange/eM_ADDR:android count=0  
[jobs] com.boxer.email.provider/com.boxer.exchange/eM_ADDR:android time_ms=0  
[jobs] com.boxer.email/com.airwatch.bizlib.gcm.GCMReceiverService count=0  
[jobs] com.boxer.email/com.airwatch.bizlib.gcm.GCMReceiverService time_ms=0  
[jobs] com.boxer.email/com.boxer.ens.EnsStateManager$RequestHandlerService count=0 [jobs] com.boxer.email/com.boxer.ens.EnsStateManager$RequestHandlerService time_ms=0 [jobs] com.boxer.email/com.boxer.service.EasOptionJobSchedulerService count=0  
[jobs] com.boxer.email/com.boxer.service.EasOptionJobSchedulerService time_ms=0  
[jobs] com.android.contacts/com.boxer.exchange/eM_ADDR:android count=0  
[jobs] com.android.contacts/com.boxer.exchange/eM_ADDR:android time_ms=0  
[jobs] com.boxer.email/com.boxer.sdk.SDKConfigurationUpdateHandler count=0  
[jobs] com.boxer.email/com.boxer.sdk.SDKConfigurationUpdateHandler time_ms=0  
[jobs] com.android.calendar/com.boxer.exchange/eM_ADDR:android count=0  
[jobs] com.android.calendar/com.boxer.exchange/eM_ADDR:android time_ms=0  
[jobs] com.boxer.email/.service.AttachmentsDeleteIntentService count=0  
[jobs] com.boxer.email/.service.AttachmentsDeleteIntentService time_ms=0  
[jobs] com.boxer.email/com.boxer.contacts.services.BoxerCallerIdIntentService count=0 [jobs] com.boxer.email/com.boxer.contacts.services.BoxerCallerIdIntentService time_ms=0 [jobs] com.boxer.email/com.boxer.irm.IRMTemplatesSyncService count=0  
[jobs] com.boxer.email/com.boxer.irm.IRMTemplatesSyncService time_ms=0  
[jobs] com.boxer.email/com.airwatch.storage.SessionDataStorageService count=0  
[jobs] com.boxer.email/com.airwatch.storage.SessionDataStorageService time_ms=0  
[jobs] com.boxer.email/com.boxer.exchange.provider.GALDirectoryUpdateService count=0 [jobs] com.boxer.email/com.boxer.exchange.provider.GALDirectoryUpdateService time_ms=0 [jobs] com.boxer.contacts/com.boxer.exchange/eM_ADDR:android count=0  
[jobs] com.boxer.contacts/com.boxer.exchange/eM_ADDR:android time_ms=0  
[jobs] com.boxer.calendar/com.boxer.exchange/eM_ADDR:android count=0  
[jobs] com.boxer.calendar/com.boxer.exchange/eM_ADDR:android time_ms=0  
[foreground activity] count=0  
[foreground activity] time_ms=0  
[foreground_service] count=0  
[foreground_service] time_ms=0  
[top] count=0  
[top] time_ms=0  
[top_sleeping] count=0  
[top_sleeping] time_ms=0  
[background process state] count=0  
[background process state] time_ms=0  
[cached process state] count=0  
[cached process state] time_ms=0  
[cpu] user_cpu_time_ms=0  
[cpu] system_cpu_time_ms=0  
[user activity] button_user_activity_count=0  
[user activity] touch_user_activity_count=0  
[process] sessionTokenStorage.data anr_count=0  
[process] sessionTokenStorage.data crash_count=0  
[process] sessionTokenStorage.data foreground=0  
[process] sessionTokenStorage.data starts=10  
[process] sessionTokenStorage.data system_time=60  
[process] sessionTokenStorage.data user_time=130

[process] com.boxer.email [process] com.boxer.email [process] com.boxer.email [process] com.boxer.email [process] com.boxer.email [process] com.boxer.email  
[wifi] wifi_running_ms=0  
[wifi] wifi_full_lock_ms=0  
[wifi] wifi_rx_bytes=0  
[wifi] wifi_tx_bytes=0  
[mobile] mobile_rx_bytes=0 [mobile] mobile_tx_bytes=0 [mobile_radio_active] count=0 [mobile_radio_active] time_ms=0

anr_count=0 crash_count=0 foreground=289340 starts=10 system_time=58290 user_time=153290

-------------------------------------------------------------- ACCOUNTS INFO

--------------------------------------------------------------  
NAME: lwilcox@labmail.airwlab.com, TYPE: 5, IS_MANAGED: true, FETCHES_MIME: false

Common Ways to Search Through the Logs

On the console where you configure your Boxer profile, you will have places where you can enter profile information like Account Name, Domain, User, etc… However, in the Boxer logs, when you are looking for the corresponding data there, the wording might be slightly different. You can use the mapping information below to see what this would say in the Boxer logs. The value on the left is what you will see in the console. The value after “=” is what you will see in the Boxer logs.

Account Name = DESCRIPTION  
Exchange ActiveSync Host = SERVER_ADDRESS  
Domain = USER_DOMAIN  
User = USERNAME  
Email Address = EMAIL  
Email Signature = SIGNATURE  
Authentication Type = ACCOUNT_AUTHENTICATION_TYPE | 0 basic, 1 certificate, 2 both Copy Paste = ALLOW_COPY_PASTE  
Screenshots = ALLOW_SCREEN_CAPTURE  
Allow email widget = ALLOW_EMAIL_WIDGET  
Allow calendar widget = ALLOW_CALENDAR_WIDGET  
Hyperlinks = POLICY_ALLOW_OPEN_IN  
Sharing = DOCUMENT_SHARING_RESTRICTION  
Caller ID = ALLOW_CALLER_ID  
Personal Accounts = ALLOW_OTHER_ACCOUNTS  
Personal Contacts = ALLOW_LOCAL_CONTACTS

Boxer reaches out to the console to get the profile information

2019-02-07T15:21:55.345Z I [18459-BoxerWorker-5] - App initialization step complete: 1

2019-02-07T15:21:55.578Z E [18459-main] - FLF.setSelectedAccount(null) called! Destroying existing loader.

2019-02-07T15:21:55.589Z I [18459-BoxerWorker-3] - Waiting for app restrictions

This entry is the best example we have of when Boxer reaches out to the console. You can use Fiddler to further determine when Boxer is reaching out to the console. In the Boxer logs, you can’t directly see this. The other place you can see this is in the ADB device logs. The line here that says “waiting for app restrictions” just indicates that Boxer is waiting to read from the database. Boxer reaches out to the console to get any S/MIME certificates and client authentication certificates available from the console.

2019-02-07T15:21:56.256Z I [18459-IntentService[AirWatchAccountSetupService]] - Fetching S/MIME signing certificate

2019-02-07T15:21:58.021Z I [18459-AsyncTask #2] - Certificate being fetched for : AccountAuthenticationCertificateId
2019-02-07T15:21:59.013Z I [18459-AsyncTask #2] - Certificate fetch successful 
2019-02-07T15:21:59.755Z I [18459-Thread-7] - TrackingKeyManager: requesting a client cert alias for 66.170.96.7 
2019-02-07T15:22:05.776Z I [18459-Thread-9] - Registering socket factory for certificate alias [AW-be6fad91fe2b4291b1d392c9eabf90be] 
2019-02-07T15:22:05.846Z D [18459-Thread-9] - Found cert chain: [ [0] Version: 3
SerialNumber: 468315651040541492877707779630191635557515624
IssuerDN: DC=local,DC=milkyway,CN=milkyway-SUN-CA Start Date: Thu Feb 07 10:11:47 EST 2019  
Final Date: Sat Mar 09 10:11:47 EST 2019  
SubjectDN: CN=lwilcox
Public Key: RSA Public Key
modulus: ccbf28975eafd49dedfcfc43f9d66a309d36c4c636fbece2bf9faa87fe6544c8e025c3da260eb4bc28096f665a231202c5cf53dbb5f1d08ceac4d9af90f0605ee2951e6239576749d39d17e8d411b39c03e6a68e155083866a69de610853ab83d149c0228b6f0b0d67d4e9e1093ce8a3316a563c48d91fcc000bae01c150644113a527d611d83f7303825a58a4382c1818d8fd56b2064ef495c709e4ae4366e7793e29cd3b376e9660028269c8233ba8cd9a42e57dc2f07087d25fc6ce536d3bcbc8fabe2f6c408ddb2fefd8b80fdc029ba16237b48d26072d0f88f9e982ab37720883ff7bfb35bc409637fb314c00cbc1cb262e7406732c45c400ca45d9357b
public exponent: 10001

Boxer reaches out to the Exchange ActiveSync (EAS) email endpoint to make the options, provision, foldersync, and ping request.

Making the Options Request

2019-02-07T15:22:05.859Z D [18459-Thread-9] - EasServerConnection about to make request OPTIONS https+clientCert+aw-be6fad91fe2b4291b1d392c9eabf90be://nas98.airwlab.com:8002/Microsoft-Server-ActiveSync HTTP/1.1 X-VMware-Boxer-RequestId:5bde2467-38bc-4a8e-9599-256217cb8c6d
2019-02-07T15:22:05.859Z V [18459-Thread-9] - query: uri=content://com.boxer.email.provider/account/1, match is 1
2019-02-07T15:22:06.080Z I [18459-Thread-9] - Requesting a client cert alias for [RSA, EC]
2019-02-07T15:22:06.081Z I [18459-Thread-9] - Requesting a client private key for alias [AW-be6fad91fe2b4291b1d392c9eabf90be]
2019-02-07T15:22:06.082Z I [18459-Thread-9] - Requesting a client certificate chain for alias [AW-be6fad91fe2b4291b1d392c9eabf90be] 
2019-02-07T15:22:06.178Z V [18459-Thread-9] - SSL socket using protocol: TLSv1.2 
2019-02-07T15:22:11.485Z V [18459-Thread-9] - Response headers:
Header [Strict-Transport-Security], value [max-age=31536000;includeSubDomains] Header [X-Frame-Options], value [sameorigin]  
Header [X-XSS-Protection], value [1;mode=block]  
Header [X-Content-Type-Options], value [nosniff]

Header [Content-Security-Policy], value [default-src 'self'; font-src 'self' data:; script-src 'unsafe-eval' 'self'; style-src 'unsafe-inline' 'self'; object-src 'none';] Header [Cache-Control], value [private]  
Header [Allow], value [OPTIONS,POST]  
Header [Content-Type], value [application/vnd.ms-sync.wbxml]

Header [Server], value [Microsoft-IIS/8.5]  
Header [request-id], value [73ab0f67-308f-45d2-a76b-04eb72fde4e8]  
Header [X-CalculatedBETarget], value [earth.milkyway.local]  
Header [MS-Server-ActiveSync], value [15.0]  
Header [MS-ASProtocolVersions], value [2.0,2.1,2.5,12.0,12.1,14.0,14.1]  
Header [MS-ASProtocolCommands], value [Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert] Header [Public], value [OPTIONS,POST]  
Header [X-MS-BackOffDuration], value [L/-470]  
Header [X-DiagInfo], value [EARTH]  
Header [X-BEServer], value [EARTH]  
Header [X-AspNet-Version], value [4.0.30319]  
Header [Persistent-Auth], value [false]  
Header [X-Powered-By], value [ASP.NET]  
Header [X-FEServer], value [MERCURY]  
Header [WWW-Authenticate], value [Negotiate YIGVBgkqhkiG9xIBAgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRr1j3vRSNgnWRAjRmh9+c4H68rnNGVHQxp2bq87jvJsxPfGt+Wi1ciWxUKztM5Rjq2HiDSiMttELVzigj9rrUB00pGrB/LemrzZeB1NU3oyWSlYfGMd1uvo96mRGykkn8vA0kW3mlXDKacEz0=]  
Header [Date], value [Thu, 07 Feb 2019 15:22:00 GMT]  
Header [X-AW-SEG-SERVER-INFO], value [***.***.***.43|2.9.0.1|JSEG-SEG368-JOB1-2|Tue 08 Jan 2019 03:32:23 PM EST -0500]  
Header [X-AW-SEG-TRANSACTION-ID], value [c42418f6-55a1-4ffc-b4fd-6e94c2d70fe3]  
Header [X-Correlation-ID], value [c42418f6-55a1-4ffc-b4fd-6e94c2d70fe3]  
Header [Content-Length], value [0]  
Header [Set-Cookie], value [ClientId="NGLCEUYUWLVTAAWHW";$Path="/";$Domain="nas98.airwlab.com:8002";HttpOnly]  
Header [Set-Cookie], value [X-BackEndCookie="S-1-5-21-174156188-4291662551-709137977-1610=u56Lnp2ejJqByprLzcrHyMzSx8aantLLz8ic0p7Kmc7Sz52bnZqZy8nIy8mZgYHNz87G0s/M0s/Gq87Kxc3Nxc/P";$Path="/Microsoft-Server-ActiveSync";Secure;$Domain="nas98.airwlab.com:8002";HttpOnly]

2019-02-07T15:22:11.535Z D [18459-Thread-9] - Server supports versions: 2.0,2.1,2.5,12.0,12.1,14.0,14.1 
2019-02-07T15:22:11.625Z V [18459-Thread-9] - <SyncKey> 
2019-02-07T15:22:11.625Z V [18459-Thread-9]-0 
2019-02-07T15:22:11.625Z V [18459-Thread-9] - </SyncKey> 
2019-02-07T15:22:11.625Z V [18459-Thread-9] - </FolderSync>

Perform a FolderSync

2019-02-07T15:22:11.634Z D [18459-Thread-9 ] - EasServerConnection about to make request POST https+clientCert+aw-be6fad91fe2b4291b1d392c9eabf90be://nas98.airwlab.com:8002/Microsoft-Server-ActiveSync?Cmd=FolderSync&User=milkyway%5Clwilcox%40milkyway.local&DeviceId=1D62C4D972BB4A4799474C5C0E5BA437&DeviceType=BoxerManagedAndroid HTTP/1.1 X-VMware-Boxer-RequestId:572f2ab2-cdf1-4960-b30a-6b078365b3aa  
2019-02-07T15:22:11.805Z V [18459-Thread-9 ] - SSL socket using protocol: TLSv1.2  
2019-02-07T15:22:15.574Z V [18459-Thread-9 ] - Response headers:
Header [Strict-Transport-Security], value [max-age=31536000;includeSubDomains] Header [X-Frame-Options], value [sameorigin]  
Header [X-XSS-Protection], value [1;mode=block]  
Header [X-Content-Type-Options], value [nosniff]

Header [Content-Security-Policy], value [default-src 'self'; font-src 'self' data:; script-src 'unsafe-eval' 'self'; style-src 'unsafe-inline' 'self'; object-src 'none';] Header [Cache-Control], value [private]  
Header [Content-Type], value [application/vnd.ms-sync.wbxml]  
Header [Vary], value [Accept-Encoding]

Header [Server], value [Microsoft-IIS/8.5]  
Header [request-id], value [3cd7bb11-e3c4-4292-be4a-87cb5d388473]  
Header [X-CalculatedBETarget], value [earth.milkyway.local]  
Header [MS-Server-ActiveSync], value [15.0]  
Header [X-MS-BackOffDuration], value [L/-469]  
Header [X-DiagInfo], value [EARTH]  
Header [X-BEServer], value [EARTH]  
Header [X-AspNet-Version], value [4.0.30319]  
Header [Persistent-Auth], value [false]  
Header [X-Powered-By], value [ASP.NET]  
Header [X-FEServer], value [MERCURY]  
Header [WWW-Authenticate], value [Negotiate YIGVBgkqhkiG9xIBAgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrSwxIlKGW3nSAU46FtN7BJ3AO5tTFRrU/dbnLqIXVdl6/ySBXRFmuQ/AsFOP95xNJf0ze6ZG5Vrk/KeCaxlmsaSqlShiRmjPAxAyuIzJ8vKnjzQFf6MPFepwruykQpNDqjdGtRs7RV1/uy8M=] Header [Date], value [Thu, 07 Feb 2019 15:22:04 GMT]  
Header [X-AW-SEG-SERVER-INFO], value [***.***.***.43|2.9.0.1|JSEG-SEG368-JOB1-2|Tue 08 Jan 2019 03:32:23 PM EST -0500]  
Header [X-AW-SEG-TRANSACTION-ID], value [51e38c4f-5114-4465-a956-6f66f86c967d]  
Header [X-Correlation-ID], value [51e38c4f-5114-4465-a956-6f66f86c967d]  
Header [Set-Cookie], value [X-BackEndCookie="S-1-5-21-174156188-4291662551-709137977-1610=u56Lnp2ejJqByprLzcrHyMzSx8aantLLz8ic0p7Kmc7Sz52bnZqZy8nIy8mZgYHNz87G0s/M0s/Gq87Kxc3Nxc/L";$Path="/Microsoft-Server-ActiveSync";Secure;$Domain="nas98.airwlab.com:8002";HttpOnly] Header [content-encoding], value [gzip]  
Header [transfer-encoding], value [chunked]
2019-02-07T15:22:15.667Z V [18459-Thread-9] - <Status>  
2019-02-07T15:22:15.668Z V [18459-Thread-9] - Status: 144 
2019-02-07T15:22:15.671Z V [18459-Thread-9] - </Status> 

Perform a provision request

2019-02-07T15:22:15.681Z I [18459-Thread-9 ] - Received needs provision response in EasOperation.performOperation  
2019-02-07T15:22:15.723Z D [18459-Thread-9 ] - EasServerConnection about to make request POST https+clientCert+aw-be6fad91fe2b4291b1d392c9eabf90be://nas98.airwlab.com:8002/Microsoft-Server-ActiveSync?Cmd=Provision&User=milkyway%5Clwilcox%40milkyway.local&DeviceId=1D62C4D972BB4A4799474C5C0E5BA437&DeviceType=BoxerManagedAndroid HTTP/1.1 X-VMware-Boxer-RequestId:08e64270-501d-4732-9675-5309dd6a3675  
2019-02-07T15:22:15.834Z V [18459-Thread-9 ] - SSL socket using protocol: TLSv1.2  
2019-02-07T15:22:19.828Z V [18459-Thread-9 ] - Response headers:
Header [Strict-Transport-Security], value [max-age=31536000;includeSubDomains] Header [X-Frame-Options], value [sameorigin]  
Header [X-XSS-Protection], value [1;mode=block]  
Header [X-Content-Type-Options], value [nosniff]

Header [Content-Security-Policy], value [default-src 'self'; font-src 'self' data:; script-src 'unsafe-eval' 'self'; style-src 'unsafe-inline' 'self'; object-src 'none';] Header [Cache-Control], value [private]  
Header [Content-Type], value [application/vnd.ms-sync.wbxml]  
Header [Vary], value [Accept-Encoding]

Header [Server], value [Microsoft-IIS/8.5]  
Header [request-id], value [dcda9893-be8c-4b17-8fe5-067f71dd57e0]  
Header [X-CalculatedBETarget], value [earth.milkyway.local]  
Header [MS-Server-ActiveSync], value [15.0]  
Header [X-MS-BackOffDuration], value [L/-469]  
Header [X-DiagInfo], value [EARTH]  
Header [X-BEServer], value [EARTH]  
Header [X-AspNet-Version], value [4.0.30319]  
Header [Persistent-Auth], value [false]  
Header [X-Powered-By], value [ASP.NET]  
Header [X-FEServer], value [MERCURY]  
Header [WWW-Authenticate], value [Negotiate YIGVBgkqhkiG9xIBAgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRr9huiSZNPIN39dB0GIaIF4gSACDj8yrV879OKH5dUeSEQzFnRcPGIShPvLFbDCrDS+ii/N9SAvk/B20xq+MXtxXRBsHyJXFJo5vIRjkWq+3Qis5c/4+gP5Vi0bsvlVSKIW4yqRyGe5ZfGoNc=] Header [Date], value [Thu, 07 Feb 2019 15:22:08 GMT]  
Header [X-AW-SEG-SERVER-INFO], value [***.***.***.43|2.9.0.1|JSEG-SEG368-JOB1-2|Tue 08 Jan 2019 03:32:23 PM EST -0500]  
Header [X-AW-SEG-TRANSACTION-ID], value [13206ae4-e2c0-4579-a992-a3d9664a5763]  
Header [X-Correlation-ID], value [13206ae4-e2c0-4579-a992-a3d9664a5763]  
Header [Set-Cookie], value [X-BackEndCookie="S-1-5-21-174156188-4291662551-709137977-1610=u56Lnp2ejJqByprLzcrHyMzSx8aantLLz8ic0p7Kmc7Sz52bnZqZy8nIy8mZgYHNz87G0s/M0s/Gq87Kxc3Nxc/H";$Path="/Microsoft-Server-ActiveSync";Secure;$Domain="nas98.airwlab.com:8002";HttpOnly] Header [content-encoding], value [gzip]  
Header [transfer-encoding], value [chunked]
2019-02-07T15:22:19.882Z D [18459-Thread-9 ] - Provision status: 1

Perform another FolderSync, this time it works. Start email sync.

2019-02-07T15:22:24.586Z I [18459-AccountsUpdateListener] - Accounts changed - requesting FolderSync for unsynced accounts  
2019-02-07T15:22:24.975Z I [18459-SyncAdapterThread-1] - Calendar sync for account lwilcox@labmail.airwlab.com, with extras Bundle[{}] 
2019-02-07T15:22:25.236Z I [18459-SyncAdapterThread-1] - Email sync for account lwilcox@labmail.airwlab.com, with extras Bundle[{}]

2019-02-07T15:22:29.810Z I [18459-Thread-10] - Initial sync requested for account: [nas98.airwlab.com:8002:lwilcox@labmail.airwlab.com:Legend Wilcox]  
2019-02-07T15:22:30.430Z I [18459-BoxerWorker-9] - requestSync EmailProvider startSync Account {name=lwilcox@labmail.airwlab.com, type=com.boxer.exchange}, Bundle[{do_not_retry=false, __userRequest__=true, callback_method=sync_status, force=true, expedited=true, callback_uri=content://com.boxer.email.provider}] 
2019-02-07T15:22:30.447Z I [18459-SyncAdapterThread-2] - Email sync for account lwilcox@labmail.airwlab.com, with extras Bundle[{ignore_settings=true, do_not_retry=false, __userRequest__=true, callback_method=sync_status, force=true, expedited=true, ignore_backoff=true, callback_uri=content://com.boxer.email.provider}] 
2019-02-07T15:22:34.950Z I [18459-pool-21-thread-4] - Starting sync command 
2019-02-07T15:22:34.993Z I [18459-pool-21-thread-2] - Syncing account 1 mailbox "Sent Items" (class Email) with syncKey 0, operation name = HtmlMailSync 
2019-02-07T15:22:39.191Z I [18459-pool-21-thread-2] - Committing new sync key (684740726) for mailbox (Sent Items) 
2019-02-07T15:22:39.216Z I [18459-pool-21-thread-2] - Sync command finished with result 1 
2019-02-07T15:23:00.737Z I [18459-SyncAdapterThread-2] - Initial sync completed

Ping example

2019-02-07T15:40:12.911Z I [18459-PingTask-lwilcox@labmail.airwlab.com] - Ping task starting for 1  
2019-02-07T15:40:12.912Z I [18459-PingTask-lwilcox@labmail.airwlab.com] - Exchange ping starting  
2019-02-07T15:43:00.125Z I [18459-PingTask-lwilcox@labmail.airwlab.com] - Changes found in: 8  
2019-02-07T15:43:00.126Z I [18459-PingTask-lwilcox@labmail.airwlab.com] - Ping found changed folders for account 1  
2019-02-07T15:43:00.137Z I [18459-PingTask-lwilcox@labmail.airwlab.com] - requestSync EasOperation requestSyncForMailboxes Account {name=lwilcox@labmail.airwlab.com, type=com.boxer.exchange}, Bundle[{__mailboxCount__=1, force=true, expedited=true, __mailboxId0__=5, PING_ERROR_COUNT=3}] 2019-02-07T15:43:00.139Z I [18459-PingTask-lwilcox@labmail.airwlab.com] - Exchange ping finished with result 2

2019-02-07T15:43:00.200Z I [18459-SyncAdapterThread-8 ] - Email sync for account lwilcox@labmail.airwlab.com, with extras Bundle[{ignore_settings=true, __mailboxCount__=1, force=true, expedited=true, ignore_backoff=true, __mailboxId0__=5, PING_ERROR_COUNT=3}] 2019-02-07T15:43:00.316Z I [18459-SyncAdapterThread-8 ] - Starting sync command

Boxer reaches out to the Email Notification Service (ENS) and provides the Exchange Web Services (EWS) credential information that was used for ActiveSync so it can subscribe to email notifications.

2019-02-07T15:23:08.315Z I [18459-AsyncTask #4 ] - Ens registration for account (id=1) is successful! 
2019-02-07T15:43:30.041Z I [18459-main ] - Sync triggered from distance

You can use Notepad++ to search the logs using the following search terms.

• “error” - This is a very general way to look for errors. You will have a lot of false/positives when using this search criteria.

• “exception “ - You can use this to search the file for exceptions that are generated when the application runs into an error.

• “Current Network” - This will show you what network connection the mobile device was connected to 4g, wi-fi, etc…

• “distance” - This shows you each time the ENS server has reached out to the mobile device to wake it up, send a notification, and trigger a sync • “transitioning” - Use this search term to tell when the application is transitioning from background to foreground and vice versa.

• “requestPing” - This will show you when the device reaches out to the OS to use the Android SyncAdaptor which it uses to request the ping. The response to this request will be “Email sync for account”.

• “Email sync for account” - This will be a response from the OS for a command “requestPing” or “requestSync “. Take note of how long between the request and the reply from the OS. If it’s a long time, it’s likely being throttled by the OS due to battery optimization or a third party product.

• “Changes found in: “ - is the response to a ping request. This tells us if the ping found any changes in the inbox. If it did, we will now do a “requestSync " to bring those emails or changes into Boxer.

• “requestSync” - This will show you when the device reaches out to the OS to use the Android SyncAdaptor which it uses to request email sync. The response to this request will be “Email sync for account”.

• “Q-AppInitialization “ - This shows you when the application is starting up. You will see this when you force close and reopen the application or when you start the application after a crash.

• “PingTask “ - shows you all activities related to pings

• “SyncAdapterThread “ - shows you all activities related to sync operations.

• “Email sync for account “ - The response from the OS after a “requestSync” or “RequestPing” operation.

• “ens” - Search the log files for ens errors and settings.

Collecting Boxer Logs When You Can’t Get Into Android Boxer

Depending on what model phone you have, you can follow one of the processes below to collect Boxer logs in the event that you can’t get into Boxer due to an error. You may have a different model device than the ones listed, but the process will be very similar.

Samsung S9+

• Go to “Settings” on the phone followed by “Apps” • Select “Boxer”
• Select “Mobile Data”
• Select “View App settings” • Select “Send logs” • Use one of the other mechanisms to send the logs (either by copying the logs out or another email client).

On Motorola X Pure

• Go to “Settings” on the phone followed by “Apps” • Select “Boxer” • Select “Data Usage”
• Select “App settings”
• Select “Send logs” • Use one of the other mechanisms to send the logs (either by copying the logs out or another email client).

Device-side logs collection

Collecting Device-Side Logs

macOS Devices

With version 2.x of the macOS agent, you can now collect logs via the agent by performing the following steps:

• Open the agent by right-clicking the agent icon from the menu bar, and then clicking Preferences
• From the Status screen, click on Diagnostics
• Click the button to Send Logs to Administrator
  • The agent will gather logs and zip them into an email for you automatically

To manually gather logs on older versions of the AirWatch agent, please perform the following:

• Enable Debug Logging in the Mac OS X Terminal:
  • $ sudo defaults write /Library/Preferences/com.apple.MCXDebug debugOutput -2
  • $ sudo defaults write /Library/Preferences/com.apple.MCXDebug collateLogs 1
  • $ sudo touch /var/db/MDM_EnableDebug
  • Open the Console application from the Launchpad. Select All Messages and then click Clear Display to clear out old logs.
  • Reproduce the issue on Mac.
  • Click File > Save a Copy As. and save a copy of the logs to be sent to AirWatch.
  • Disable the Debug logging in the Mac OS X Terminal:
    • $ sudo rm –rf /var/db/MDM_EnableDebug
    • $ sudo defaults delete /Library/Preferences/com.apple.MCXDebug debugOutput
    • $ sudo defaults delete /Library/Preferences/com.apple.MCXDebug collateLogs

iOS Devices (iPhone, iPad, Apple TV)

To gather logs from iOS devices (iOS 7.x and below), please perform the following steps:

• Install iPhone Configuration Utility (iPCU) on your workstation.
• With iPCU started, connect the iOS device to your computer via the USB cable.
• On the left-hand side of iPCU, select the iOS device where you wish to collect logs.
• Click on the Console tab at the top right-hand corner.
• Reproduce the issue with your iOS devices.
• Click the Save Console As button to save the text in the console to a file.

To gather logs from iOS devices (iOS 8.0+), please perform the following steps:

• Install xCode 6 on your OS X Device. Note: You cannot gather iOS 8 logs from a Windows-based computer. You must use a Mac OS X computer.
• With xCode started, connect the iOS device to your computer via the USB cable.
• From within xCode, click on the Window menu and click Devices.
• Select your iOS device from the left hand side, then select the up arrow at the bottom corner of the right hand side.
• Reproduce the issue with your iOS devices.
• Save the contents of the activity log to a file.

Android

To gather logs using Console, please see the following documentation.  

To gather logs using ADB, please perform the following steps (see the following page for details):

• Download and set up the Android SDK per the SDK documentation.
• Open Windows Explorer and browse to the \platform-tools folder. Ensure you see the adb.exe file.
• Open a CMD window and navigate to the platform-tools folder. Or, in Windows 7, navigate back to the SDK folder, then Shift + Right-Click on the platform-tools folder, and select Open Command Window Here.
• Ensure USB Debugging is enabled on your Android device (from the Developer Settings menu). For more information on how to enable the Developer Settings menu, browse to http://www.androidcentral.com/how-enable-developer-settings-android-42
• In your Notification Center, you may need to make sure the device is not connected in USB Media Device mode.
• In the CMD window, type adb logcat –v long > androidlog.txt
• On the Android device, recreate whatever error you are trying to log.
• When complete, from within the CMD window use CTRL + C to end the logging.
• Go back to the platform-tools folder and find the log file (androidlog.txt) that you just created.

Windows 7/8/8.1/10/11

To gather logs, please perform the following steps:

• Click on Start > Run, type eventtvwr.msc and click OK. On Windows 8/8.1, from the start menu you can simply start typing Event and select the View Event Logs item returned from universal search.
• Expand Event Viewer (Local) > Windows Logs and select the Application log.
• You can filter logs by Event ID or Source if desired.
• To export for support, click on either Save All Events As or Save Selected Events to export the log entries as an *.evtx file which can be sent to support.
• You can also find logs in the following location: \AgentUI\Logs
  • AwclClient.log - AWCM-related Issues
  • AWProcessCommands.log - Issues with sending commands to the device
  • NativeEnrollment.log - Issues with Enrollment
  • TaskScheduler.log - Issues with samples sent to console

Windows Phone 8.1 (deprecated)

To gather logs, please perform the following steps:

• Ensure you have Visual Studios 2013 Update 3 installed. If not, perform the following:
  • From your Windows Laptop of VM, browse to Windows Phone SDK Archives
  • Download the Visual Studio Express 2013 for Windows and Install it.
  • From within Visual Studios, click on Tools > Windows Phone 8.1 > Developer Unlock. Follow the prompts to unlock your Windows Phone 8.1 device.
  • From within Visual Studios, click on Tools > Windows Phone 8.1 > Developer Power tools.
  • Select Device from the Select Device dropdown, then click Connect. If prompted, click Install to install the Phone Tools Update Pack.
  • Select the Performance Recorder tab, then check the Enterprise Management option under the Extras profile category.
  • Click the Start button in the Developer Power Tools window to start a log.
  • Run your scenarios and re-create the issue you’re experiencing.
  • Click the Stop button in the Developer Power Tools window to stop logging and save the ETW to a local location.
  • You will need to download the Windows Performance Analyzer to view the logs. This can be found in the Windows Performance Toolkit included in the Windows Assessment & Deployment Toolkit (ADK) and Windows Software Development Kit (SDK).

Windows Performance Toolkit

• Open the Windows Performance Analyzer and Open the ETL file.
• In the Graph Explorer window, expand System Activity and view the Generic Events window.
• Double-click the graphic bars in the Generic Events window to display an Analysis window.
• In the Analysis window, click Open View Editor to show a Generic Events View Editor window.
• In the Generic Events View Editor window, ensure the Message box is checked and click Apply:
  • The Message field in the analysis window provides the MDM specific log message under various providers.
  • Microsoft-WindowsPhone-Enrollment-API-Provider – ETW logs for MDM Enrollment and MDM Client Cert Renew Process.
  • Microsoft-WindowsPhone-SCEP-Provider – SCEP Cert enrollment logging
  • Microsoft-WindowsPhone-CmCspVpnPlus – VPN Configuration logging

Windows Mobile Devices with Agent 5.x

All log settings are configured in the log_config.cfg file in the \Program Files\AirWatch directory on the device. The file will resemble the following:

[*]

trace_level=5

max_file_size_kb=256

files_to_keep=2

log_file_path=\Program Files\AirWatch\Logs

use_local_time=false

[aw_setup]

trace_level=5

max_file_size_kb=256

files_to_keep=2

log_file_path=\

use_local_time=false

[awregisterdevice.exe]
trace_level=3

max_file_size_kb=256

files_to_keep=2

log_file_path=\Program Files\AirWatch\Logs

use_local_time=false

[awapplyprofile.exe]

trace_level=5

max_file_size_kb=256

files_to_keep=2

log_file_path=\Program Files\AirWatch\Logs

use_local_time=false

[awremotecontrol.exe]

trace_level=1

max_file_size_kb=256

files_to_keep=2

log_file_path=\Program Files\AirWatch\Logs

use_local_time=false

In general, the following notes apply to Windows Mobile device logging:

• The logging level can be modified as a whole, or on an individual basis:
  • The asterisk configuration is the default config for all logs. Trace levels vary from 1 (basic) to 5 (verbose/debug).
  • Each individual section, which can be used to increase logging to override the default setting from the asterisk section.
  • The log files which are available can vary (based on configuration and OEM), but the following are the most common:
    • aw_setup - Provides logging information relating to the AWMasterSetup utility, which is responsible for initiating the agent install and uninstall process on a device. This is the only log file that is not located in the “\Program Files\AirWatch” directory and is instead located in the root of the file system.
    • awacmclient - Provides logging information relating to the AWCM client on the device
    • awapplicationmanager - Provides logging information relating to product provisioning
    • awprocesscommands - Provides logging information relating to the execution of MDM commands and installation of profiles
    • AWService - Provides information about the AWService.exe component, which is responsible for managing beacon and interrogator samples
    • awapplyprofile - Relates to installation of the agent settings xml file which occurs during the enrollment process
    • awregisterdevice - Provides information about the registering of the device that occurs during the enrollment process
    • awapplauncher - Provides information about the Application Launcher executable. This log will only be present if the App Launcher utility is assigned to and being used by a device.
    • fusionwlansetup - Provides information about configuring and setting up the Fusion WiFi driver on Motorola devices.

The general process for configuring log files is as follows:

• Transfer the log file to your machine. This can be done through the file manager utility in device details or through remote management if a client has that configured.
• Open the log file via a basic text editor such as notepad.
• Edit the desired trace level to the needed value.
• Save the log file.
• Transfer the log file back down to the “Program Files\AirWatch” directory on the devices. This can be accomplished via file manager, remote manager, or product provisioning. To be safe, you may elect to first delete the old log_config.cfg file.
• Restart AWService on the device once it has the updated log_config.cfg file. This can be accomplished by directly restarting the AWService through the “Restart AirWatch Agent” or the “Warm Boot” MDM commands that are available in the AirWatch Console.
• Once the AWService has been restarted, the new logging configuration will take effect. Reproduce your issue and then repeat the steps to turn the logging back down on the device.

Collecting Service/Functionality Specific Logs

Product Provisioning

Review the AirWatch Agent Logs and look for the following items to help you troubleshoot what is occurring:

• If the device is newly enrolled, you’ll see the following in the logs: A message from [AWProductHandler sendProductResponses] stating “Products: No products with results to be sent!”
• A message from [AWEnhancedProductsHandler handleCommand:] stating “Got Products New Manifest”
  • Note: In the manifest will be a line entry called ProductID". You’ll want to save this for later on.
  • Depending on the number of products being installed, you may see an entry for each product that is required.
  • Messages from [AWAppDataManager readJobProduct:] looking to see if the product is downloaded to the local cache
  • Messages from [AWOSXUtils deleteFile:] where it attempts to delete any pre-existing plist file for the products.
  • Messages from [AWJob printJob] which show the sequence number assigned to the Product which will be installed.
  • From this point forward you can search the log by the sequence number assigned to the product install job:
    • Messages about the job being queued
    • Messages about the job being started.
      • The line will look like this: airwatchd[PID] : - [AWJobQueue doJob] [Line 98] THREAD: Current Job: where PID is the AirWatch Agent Process ID and the JobID is the Sequence Number assigned to the product.
      • You can get additional information about the product actions occurring by searching from that point forward for entries from the process ID!
• Messages about any files being downloaded to the product cache
• Messages about Job Status Change. You’ll want to search for a line ending in Job Status changed ========> :AWJobStatusFailed!" From that point, search up in the log for messages relating to the JobID and/or the ProductID (as found in the manifest). All these messages should be coming from the Process ID of the Airwatch agent that initially started the install.

Screen Recording

Screen Recording

Windows 7/8/8.1/10/11

To document click-through steps on Windows machines, perform the following:

• Click on Start > Run and type psr.exe to bring up the Problem Steps Recorder (or PSR, a built-in Windows utility).
• Click on Start Record to begin capturing steps. Note: PSR captures screenshots of ALL monitors; no scoping.
• Each Mouse-Click you make captures a screenshot. At any time during the session, click on Add Comment to provide more details about the screen, error, etc.
• When finished, click Stop Record.
• Choose where to Save the PSR file – it outputs a zip file containing a pre-compiled HTML (*.mhtml) file with all your screenshots and comments.

macOS

To document click-through steps on macOS machines, perform the following:

• Launch QuickTime Player. You’ll find it in the Other folder within Launchpad.
• From the QuickTime menu bar, click File > New Screen Recording. Click the red record button.
  • Optionally you may wish to select View > Float on Top before you start recording.
  • Optionally, you can select the upside-down triangle in the record screen to include audio recording during the screen capture for annotation.
  • Click the screen (or Click-Drag to select part of the screen) for recording.
  • When complete, click the Stop button that appears in the menu bar of the screen where you’re recording.
  • Click File > Save (or simply quit QuickTime) to be prompted with a location to save the screen capture. Note: Keep it moving when you record these; they create full-blown movies and the file gets large quickly.

REST API Example on Python

Several typical functions of working with REST API:

• Searching for devices in a tenant
• Filtering devices by OS (Win/Linux)
• Getting a list of tags for the tenant
• Scanning a file with list of Notebook/Smartphone/Tablet serial keys, then checking if enrolled devices have such serials, and writing the result in a file

• Assigning devices to a chosen tag

Code is for Python version 3.7+, and is bundled into a dataclass as methods, with error-catching and logging support.

Link to code on GitHub.

'''Version 0.3
Created by Alexei Rybalko aka Aagern.
22.05.2021'''
 
import requests, json, base64, logging, sys
from dataclasses import dataclass
from pprint import pprint
 
logging.basicConfig(filename="DeviceControl.log", level=logging.DEBUG,
                    format="%(asctime)s:%(levelname)s:%(message)s")
 
@dataclass
class DeviceControl:
    API_URL: str = 'https://mdm.example.local'
    API_Key: str = 'oxGI6OORljw/Qsql1OFBycjHvzQzEXVXa/tyEcCfIPI='
    API_User: str = 'defaultDomain\\api_user:VMware1!'
    Serials_File: str = 'S.csv'
    Output_File: str = 'DeviceSerials.csv'   
     
    API_User_B64 = base64.b64encode(API_User.encode('utf-8'))  # convert to Base64
    API_User_UTF8 = API_User_B64.decode('utf-8')
    Platforms = {'Windows':12,'Linux':21}
    Header = {"Authorization": "Basic " + API_User_UTF8, "aw-tenant-code": API_Key, "Accept": "application/json"}
    Devices = {}
    Serials = []
     
    def getMDM(self,request):
        """Get data from MDM Server. Input: API request text. Output: response data in JSON."""
        try:
            dataMDM = requests.get(self.API_URL + request, headers=self.Header)
            dataMDM.raise_for_status()
            data = dict(dataMDM.json())
        except requests.exceptions.RequestException as e:
            logging.error(f'Get request failed with {e}')
            sys.exit(1)
        logging.debug(f'Data received from {self.API_URL}')
        return data
         
    def postMDM(self,request,data):
        """Post data to MDM Server. Input: API request text. Output: HTTP response status and details."""
        try:
            responseMDM = requests.post(self.API_URL + request, headers=self.Header, json=data) # Important to do json= here, rather than prepare data with json.dumps()
        except requests.exceptions.RequestException as e:
            logging.error(f'Post request failed with {e}')
            sys.exit(1)
        logging.debug(f'Data sent to {self.API_URL}')       
        return responseMDM
     
    def scanSerialsFile(self,file=Serials_File):
        """Input file with device serials. Output list of serials from file"""
        try:
            with open(file,encoding='utf-8') as f:
                for serial_line in f:
                    self.Serials.append(serial_line)
                    Serials[0] = Serials[0][1:] # Omitting special symbol at file start
                logging.debug(f'Serials file {file} processed.')
        except OSError as e:
            logging.error(f'File opening error with {e}')
            print('File not opened. Serials list empty')
            self.Serials = []
        return self.Serials
             
    def filterDevices(self,platform='Windows'):
        """
        Method filters out Devices by Platform.
        Inputs: Platform name.
        Outputs: File with serials, Dictionary of Device:[Serial,ID]
        """
        PlatformID = self.Platforms[platform]
        dataDict = self.getMDM('/api/mdm/devices/search')
        for device in dataDict['Devices']:
            if device['PlatformId']['Id']['Value'] == PlatformID:
                self.Devices[device['DeviceFriendlyName']] = [device['SerialNumber'] if device['SerialNumber'] else 'Not set',device['Id']['Value']]
        try:
            with open(self.Output_File,mode="wt",encoding='utf-8') as output_file:
                for device,serial in self.Devices.items():
                    print(f"{device},{serial},",file=output_file)
                    if serial in Serials: print("Registered\n",file=output_file)
                    else: print("NOT Registered\n",file=output_file)
                logging.debug(f'Output file {self.Output_File} written.')
        except OSError as e:
            logging.error(f'File opening error with {e}')
            print('File not written.')
            sys.exit(1)
        return self.Devices
     
    def getMDMTags(self,tenant='570'):
        """Get all tags in tenant. Input: tenant ID. Output: list of tags and their IDs."""
        tagsDict = self.getMDM(f'/api/system/groups/{tenant}/tags')
        for tag in tagsDict['Tags']:
            print(f"Name={tag['TagName']}\t\tID={tag['Id']}")
             
    def setTagDevices(self,tagID='10000',DeviceIDs=['3']):
        """Method assigns devices to tag. Input: tag id, devices ID list. Output: total  of assigned devices"""
        FuncDeviceIDs = { "BulkValues":{"Value":DeviceIDs}}
        response = self.postMDM(f'/api/mdm/tags/{tagID}/adddevices',FuncDeviceIDs)
        print(f'Status code: {response.status_code}, \n {response.text}')
 
# Examples of usage
 
Device = DeviceControl()
data = Device.filterDevices()
Device.getMDMTags()
Device.setTagDevices()