
SSL server certificate problem occurred Sophos Mobile Control

Hello, our SSL certificate expired last week. We have renewed the certificate under system settings SSL and deleted the old one. The new certificate is entered correctly and has an expiration date in 2020. Nevertheless, we receive the following error email every day.

 

Warning: One or more devices cannot connect to the Sophos Mobile server (lf-smc.ludwig-freytag.de) because it has an untrusted certificate. Please ensure that the configured list of SSL certificates is up to date.

 

What can we do?

 

Thank you. 



  • We had the same problem after our SSL cert expired and was renewed. It turns out to be 2 devices out of the 4000 we have. If you search the server.log file for certificate error you will find the troublesome devices. What we did was simply unenrol the device and re-enrol it. Problem went away.

  • Hello, thanks for the answer. We found a device that was shown again and again in the logs. We have now removed it and are waiting to see if the error occurs again.

  • Hello JaPi,

    Were you able to solve the problem?

    I am facing exactly the same issue.

    Regards,

    Knut

  • Andrew Mullins said:

    "...turns out to be 2 devices out of the 4000 we have, if you search the server.log file for certificate error you will find the troublesome devices...."

     

    How did you identify the devices? By device ID? We have several thousand and several hundred are being impacted. Did you reach out to those users and unenroll them or did you unenroll them through the admin console?

  • Hi  

    You can check under the logs with the error and the device ID listed. Also, if you are seeing this on many devices, could you please verify that the SSL certificate of the MDM server is correctly updated? You will have to check in the console which devices have not connected to the MDM for a long time and then either remove them from the console, possibly by performing an unenroll of the same and then uninstalling the app later, or proceed with a new enrollment of the same.

    Shweta

    Community Support Engineer | Sophos Technical Support
  • Thank you for the quick response. Yes, the certificate is verified in the admin console, although we do not use the MDM features for devices (we use an in-house product for MDM instead). The certificate is correctly updated on the SSL tab in the console. We have been doing the 'Refresh Data' for the several thousand users out of our tens of thousands of devices, mostly successfully.

     

    I wish there was an easier method to manage thousands of users instead of a hundred in a view/click all/scroll,scroll/Nextpage/scrollscroll/clickall/scrollscroll/nextpage/scrollscroll/clickall/scrol...you get the idea. 

    Also, it is disheartening to use a draconian method of unenroll/re-enroll for hundreds of devices by the certificate update... not a good end-user experience in my humble opinion.

  • Hi  

    Within the Sophos Mobile super administrator account, you should make sure that the correct public certificate parts are uploaded at Setup > System setup > SSL/TLS. The Sophos Mobile server provides an "Auto-discover" functionality. This will establish the connection. In order to identify the devices, the only option is to check the server.log for the string: requested certificate hashes. You will probably see a warning with the list of the devices which have requested certificate hashes.

    Once the device is identified, the affected device can be looked up by its device ID within the Sophos Mobile web console: go to Devices > browse with the device ID > if the device is shown, try to send a message to the device via the Actions. Together with the message, the device will also receive the list of the new certificate hashes. Once received, the connection should work.

    Shweta

    Community Support Engineer | Sophos Technical Support
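
Added example (not part of the thread and not Sophos tooling): one way to turn the server.log search described in the replies above into a per-device tally when hundreds of devices are affected. The `deviceId=<id>` pattern and the sample lines are assumptions constructed for illustration, since the thread does not show the real log layout.

```python
import re
import sys
from collections import Counter

# Search strings quoted in the thread (matched case-insensitively).
MARKERS = ("requested certificate hashes", "certificate error")

# ASSUMPTION: the device ID is logged as "deviceId=<id>". The thread does not
# show the real server.log layout, so adapt this pattern to your own log.
DEVICE_ID = re.compile(r"deviceId=([\w-]+)")

def affected_devices(lines, markers=MARKERS, id_pattern=DEVICE_ID):
    """Return (Counter of device_id -> matching lines, matching lines with no ID)."""
    hits, unparsed = Counter(), 0
    for line in lines:
        lowered = line.lower()
        if not any(m in lowered for m in markers):
            continue
        ids = set(id_pattern.findall(line))  # count a device once per line
        if ids:
            hits.update(ids)
        else:
            unparsed += 1  # relevant line, but the ID pattern needs adjusting
    return hits, unparsed

# Constructed sample lines, NOT real Sophos Mobile log output.
SAMPLE_LOG = """\
2019-03-04 08:00:01 WARN deviceId=1001 requested certificate hashes
2019-03-04 08:00:05 INFO deviceId=1002 sync completed
2019-03-04 09:00:01 WARN deviceId=1001 requested certificate hashes
2019-03-04 09:10:44 WARN Certificate error during connect, deviceId=a-1003
2019-03-04 09:11:00 WARN certificate error, peer closed connection
""".splitlines()

if __name__ == "__main__":
    # With a path argument, read that log; otherwise use the sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            hits, unparsed = affected_devices(fh)
    else:
        hits, unparsed = affected_devices(SAMPLE_LOG)
    for device_id, count in hits.most_common():
        print(f"{device_id}\t{count}")
    print(f"matching lines without a device ID: {unparsed}", file=sys.stderr)
```

A non-zero count of matching lines without a device ID means the ID pattern does not fit the log and the tally is incomplete.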