This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

No MDM sync after upgrade to 8.5.4

I upgraded to the version 8.5.4 on a customer installation about 3 weeks ago.

Since the update the devices don't sync correctly anymore, to be exactly:
- MDM sync has a date before the update on most devices, some synced for the last time 2 days after the update
- SMC sync has an actual date
- SSE sync has an actual date
- SSW has an old date (but isn't used anyway)

The failing sync was resulting in nearly all devices becoming uncompliant and closing access to the SSE container. Actual workaround was deactivating the compliance entry for the sync.

I tested to connect a new device which worked without any problem. I tried restarting the (standalone) EAS proxy and the SMC server but without any luck. In the logs I didn't find any clue what's going wrong.

Any ideas where I can have a look at?



This thread was automatically locked due to age.
Parents Reply Children
  • The solution was reverting my fault... ;-)

    I had a remote session with Sophos support and it turned out that I changed the MDM certificate (APNs certificate) instead of renewing it. I did this while upgrading the version, so it seemed to be an upgrade issue first, but it wasn’t.

    So new devices got the new APNs certificate and were able to sync but the devices with the old certificates weren‘t able to. I renewed the original APNs certificate and after that only the 2 newly registered devices had to be re-enrolled and the old devices were able to sync again. You can see the APNs certificate‘s fingerprint in the device properties, so it was easy to see, which devices used the wrong certificate.

    What was new to me is the way how SMC communicates with the devices. MDM commands are sent to apple and from there to the device. If the device doesn‘t know the APNs certificate used for that connection it ignores it completely - alone for security reasons. My understanding was before, that this sync is between the SMC server and the device directly.

    SMC sync is then directly between the SMC server and the device - for example to deliver the compliance policies.

    SSE sync is the communication within the secure mail container, for example to ‚tunnel‘ the actice sync communication.

    SSW sync is the communication with the secure workspace.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner