topic Re: Android Enrollment Question in Endpoint Security

Android Enrollment Question

mrjrtykr — Wed, 08 May 2024 14:40:16 GMT

We recently setup AD integration on an MX for the purpose of enrolling a user's BYOD Android device. We can make it work, but, the issue we run into is this: When we create Android configuration setting, we can ONLY get it to work if we use the "Owner Email" and "Owner Username" as the values for their respective keys.

The problem with that is that the AD sync process only sets the user name as username@domain.com which is replicated as the email address. Unfortunately, we use firstname.lastname@domain.com as our email address format. Further, to successfully login, the user name must be in the format of domain\username which is not what the AD sync sets as the owner username.

We tried using setting the key value type to TXT and using variables of $emailaddress$ and $username$ as the instructions indicated was possible but, either we did it wrong or it just doesn't work as designed.

At this point, we're stuck with having to manually adjust the owner information to get Androids to work. iOS devices do not have this issue as you can set the domain information in the apple mail settings profile.

Any ideas/guidance would be appreciated.

Re: Android Enrollment Question

Philip D'Ath — Wed, 08 May 2024 21:28:16 GMT

I don't understand what the MX has to do with in this process.

The MDM users whatever Enatra ID wants to use for a username. I don't understand wy you couldn't use firstname.lastname@domain.com on the Android device.

What login screen is the user trying to log into?

Re: Android Enrollment Question

Philip D'Ath — Wed, 08 May 2024 21:29:52 GMT

Hold on - I think I am starting to understand. You are actually authenticating directly against AD.

Could you authenticate against Entra ID instead? Do you have Office 365? That is probably an easier way to go.

Re: Android Enrollment Question

mrjrtykr — Wed, 08 May 2024 21:33:27 GMT

Thanks for the replies. We're an on-prem Exchange shop at the moment. And the only login option we see when the user launches the Meraki Systems Manager app is username and password.

Re: Android Enrollment Question

Arthur Dent — Mon, 13 May 2024 10:50:45 GMT

Have you tested with the Email Domain name (Systems Manager > General > End User authentication settings) to manipulate the domain (ie: getting the username from AD and then adding acme.com to the end)?

Re: Android Enrollment Question

mrjrtykr — Mon, 13 May 2024 14:31:42 GMT

@Arthur Dent

That is exactly how we have it configured. Unfortunately, it sets the email address as username@hattiesburgclinic.com and the username is set to username@hattiesburgclinic.com. Our email address is based on firstName.LastName@hattiesburgclinic.com and the for the authentication to work, the username must be formated as hbclinic\username.

Re: Android Enrollment Question

mrjrtykr — Mon, 13 May 2024 14:33:02 GMT

@Arthur Dent If this setup is actually supposed to pull in what we need, then we either have something misconfigured, or something is broken.