Warning: One or more devices cannot connect to the Sophos Mobile server. Cannot find affected phone.

Hello,

I did an update to SMC 9 and we recently renewed our license.

Now we get a lot of emails like this:
==============================
Warning: One or more devices cannot connect to the Sophos Mobile server (mobilecontrol.vandorp.eu) because the server certificate is classified as untrusted. Verify that the configured list of SSL certificates is up to date.
==============================

When I look in the server.log, I got some errors like this one:
==============================
2019-09-26 14:33:15,168 ERROR [com.sophos.mobilecontrol.server.worker.maintenance.MDMAppDeviceTriggerTimer] (EJB default - 10) could not trigger android smc app on Device [deviceId=20371, deviceGroupId=2, customerId=1, name=D**************l, email=n********@*********u, osId=20, lastSeenDate=2019-04-16 12:39:19.898,lastAppSyncDate=2019-04-16 12:39:19.898,deviceOwner=employee, modelName=Samsung Galaxy J3(2016), managedState=managed, managementType=FULL_MDM, compliant=true, easState=ALLOWED_BY_COMPLIANCE, nacState=ALLOWED_BY_COMPLIANCE, containerState=ALLOWED_BY_COMPLIANCE, complianceViolationSeverity=COMPLIANT, Base [tan=935, updateDate=2019-04-16 12:39:19.96, insertDate=2017-06-13 13:07:23.6, updatedby=s****m, insertedby=5**5]], trigger result is NOTIFICATION_FAILED
==============================

We have 1700 entries in SMC
Can you tell me how I can find out which telephone this is?
Or can you tell me what I can do about these errors?



  • Hi  

    From the logs, I can see that your device was last synced on 2019-04-16. Please check this article and see if the network requirements are met. Could you please confirm whether all the emails that are triggered refer to a single device?

    Shweta

    Community Support Engineer | Sophos Technical Support
  • Hi Edwin,

    Warning: One or more devices cannot connect to the Sophos Mobile server (mdm.company.com) because it has an untrusted certificate.

    Please ensure that the configured list of SSL certificate is up to date.

    Sophos Mobile Control uses a security feature called "certificate pinning" to secure the connection against man-in-the-middle attacks.

    This requires that the Sophos Mobile Control app gets the public certificate information of the SSL certificate involved in the communication.

    To achieve this, this information is included in the initial enrollment data and, in case of a change, it is sent out via the Google Cloud Messaging (GCM) or Apple Push Notification Service (APNS) protocol.

    If the Sophos Mobile server recognizes that a client app is not able to establish a connection, it will send out the certificate hash to the client app in question.

    This error message is sent when a Sophos Mobile Control client application tries to synchronize and has requested a certificate hash update several times.

    What to do

    Within the Sophos Mobile super administrator account, you should make sure that the correct public certificate parts are uploaded at Setup > System setup > SSL/TLS.

    The list of certificates should include the certificates of all involved SSL endpoints (e.g. firewall, proxies, SMC server) which could be presenting an SSL certificate.

    To achieve this, the Sophos Mobile server provides an "Auto-discover" functionality.
    Using this functionality the Sophos Mobile server will establish a connection to "localhost" and https://mdm.company.com and import the presented public part of the SSL certificates.

    The Sophos Mobile server will create a hash for these certificates.

    The Sophos Mobile Control app should automatically receive the new certificate hash using the GCM and APNS protocol.

    Identifying problematic devices and possible solution

    If the above is in place and the warning email is still sent out, the problematic devices have to be identified.
    To do this, the server.log can be searched for the following string: requested certificate hashes

    As a result, a log line similar to this should be found:

    WARN [com.sophos.mobilecontrol.server.clientapi.backend.app.v2.certhash.CertificateRequestCache] (default task-354) device with id 1234 has requested the certificate hashes 5 times

    Using the device ID the affected device can be looked up within the Sophos Mobile web console. To do this, follow the steps below.

    1. Log in to the Sophos Mobile customer which is used to manage devices
    2. Go to the Devices section and click on an Android device to show the details of the device
    3. Within the browser bar, change the ID to the one found in the log file
      1. If nothing is presented, repeat the procedure with an iOS device
    4. As soon as a device is shown, try to send a message to the device via the Actions
    5. Together with the message, the device will also receive the list of the new certificate hashes.
    6. Once received, the connection should work again

    Other possible root cause

    This issue could also occur, if the list of certificates in the SSL/TLS section was adjusted but does not cover all certificates.
    Most likely a firewall or proxy is involved which is not detected by the Sophos Mobile server's "Auto-discover" feature.

    In that case, the public part of the certificate has to be uploaded manually in the SSL/TLS section.

    Retrieving public part of an SSL certificate

    To retrieve the public part of an SSL certificate, the following steps can be used:

    Note: This procedure is based on the Google Chrome browser

    1. Open a browser and connect to the server via HTTPS which presents the SSL certificate in question
    2. Click on the lock icon next to the address bar
    3. Click on Certificate
    4. The SSL certificate of the website will be shown
    5. Click on the Details tab
    6. Click on Copy to file
    7. Click Next
    8. Within the Export File Format view, select Base-64 encoded X.509 (.CER) and click Next
    9. Press the Browse button to specify a location where to save the file.
    10. Click Next again
    11. An overview will be shown - press Finish to complete the procedure

    The file which is created is the public part of the SSL certificate used by the website which was accessed via the browser.
    This certificate file can be uploaded within the Sophos Mobile web console. 

    ==============================================

    If the issue persists, please get the logs as per the KBA https://community.sophos.com/kb/en-us/120855 and create a support case with us.

    My team will assist you further.

    Regards,

    JR
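The two lookups JR describes above, searching server.log for "requested certificate hashes" lines (and the NOTIFICATION_FAILED trigger errors from the original post) and retrieving the public part of an endpoint's certificate to compare it with what was uploaded under Setup > System setup > SSL/TLS, as one scripted example. This is added here and is not code from the thread or from Sophos. Everything in it is an assumption except the two quoted log lines and the hostnames: the log format is taken from those lines, the sample log and the "certificates" are constructed stand-ins (they are not real X.509 data), and since the page does not say which hash algorithm Sophos uses for pinning, SHA-256 over the DER bytes is used only to compare what an endpoint presents with what was uploaded, not to reproduce Sophos' pin value. The function names (`triage_server_log`, `find_unlisted_endpoints`, etc.) are mine.

```python
"""Log triage and certificate fingerprinting for the procedure in the reply above.
Added example, not Sophos code.  Assumption: the two log lines quoted in the
thread are representative of the server.log format."""
import base64
import hashlib
import re
import ssl

# WARN line quoted in the reply:
#   ... device with id 1234 has requested the certificate hashes 5 times
CERTHASH_RE = re.compile(
    r"device with id (?P<id>\d+) has requested the certificate hashes (?P<n>\d+) times"
)
# ERROR line from the original post:
#   ... could not trigger android smc app on Device [deviceId=20371, ...],
#   trigger result is NOTIFICATION_FAILED
TRIGGER_RE = re.compile(
    r"could not trigger \w+ smc app on Device \[deviceId=(?P<id>\d+),"
    r".*?trigger result is (?P<result>[A-Z_]+)"
)


def triage_server_log(lines):
    """Map deviceId -> counters for devices the log flags as unable to sync.
    hash_requests keeps the highest 'N times' value seen for the device (assumed
    to be a running total per device); trigger_failures counts NOTIFICATION_FAILED."""
    devices = {}
    for line in lines:
        m = CERTHASH_RE.search(line)
        if m:
            d = devices.setdefault(int(m["id"]), {"hash_requests": 0, "trigger_failures": 0})
            d["hash_requests"] = max(d["hash_requests"], int(m["n"]))
            continue
        m = TRIGGER_RE.search(line)
        if m and m["result"] == "NOTIFICATION_FAILED":
            d = devices.setdefault(int(m["id"]), {"hash_requests": 0, "trigger_failures": 0})
            d["trigger_failures"] += 1
    return devices


def pem_to_der(pem_text):
    """Strip the BEGIN/END armour of a Base-64 X.509 (.CER) file and decode the body."""
    body = []
    for raw_line in pem_text.splitlines():
        line = raw_line.strip()
        if line and not line.startswith("-----"):
            body.append(line)
    return base64.b64decode("".join(body))


def fingerprints(der):
    """Hex digests of the DER bytes, the values the browser's Details tab shows.
    Assumption: SHA-256 is used here for comparison only, not as Sophos' pin format."""
    return {"sha1": hashlib.sha1(der).hexdigest(), "sha256": hashlib.sha256(der).hexdigest()}


def fetch_endpoint_pem(host, port=443):
    """Scriptable equivalent of the Chrome 'Copy to file' steps: the leaf certificate
    the endpoint presents, as PEM.  With ca_certs unset the stdlib skips verification,
    which matters because this is exactly the certificate the app does not yet trust.
    Network call; not exercised offline."""
    return ssl.get_server_certificate((host, port))


def find_unlisted_endpoints(endpoint_pems, uploaded_pems):
    """Hostnames whose presented certificate is not among the uploaded ones
    (compared by SHA-256 of the DER).  A firewall or proxy in front of the SMC
    server that Auto-discover missed shows up here."""
    uploaded = {fingerprints(pem_to_der(p))["sha256"] for p in uploaded_pems}
    return sorted(h for h, p in endpoint_pems.items()
                  if fingerprints(pem_to_der(p))["sha256"] not in uploaded)


def constructed_pem(raw):
    """Wrap arbitrary bytes in PEM armour.  Stand-in for a real .CER file so the
    example runs offline; the bytes are NOT a certificate."""
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample log, modelled on the two lines quoted in the thread.
SAMPLE_LOG = [
    "2019-09-26 14:33:15,168 ERROR [com.sophos.mobilecontrol.server.worker.maintenance.MDMAppDeviceTriggerTimer] (EJB default - 10) could not trigger android smc app on Device [deviceId=20371, deviceGroupId=2, customerId=1, name=D***l], trigger result is NOTIFICATION_FAILED",
    "2019-09-26 14:35:02,001 WARN [com.sophos.mobilecontrol.server.clientapi.backend.app.v2.certhash.CertificateRequestCache] (default task-354) device with id 1234 has requested the certificate hashes 5 times",
    "2019-09-26 14:36:10,500 WARN [com.sophos.mobilecontrol.server.clientapi.backend.app.v2.certhash.CertificateRequestCache] (default task-355) device with id 1234 has requested the certificate hashes 6 times",
    "2019-09-26 14:40:00,000 INFO [com.sophos.mobilecontrol.server.clientapi] (default task-356) device with id 999 synchronised",
]

# Constructed stand-in "certificates": the SMC server itself and a reverse proxy in front of it.
SMC_PEM = constructed_pem(b"constructed: smc server leaf")
PROXY_PEM = constructed_pem(b"constructed: reverse proxy leaf")

if __name__ == "__main__":
    for dev_id, info in sorted(triage_server_log(SAMPLE_LOG).items()):
        print(f"device {dev_id}: {info}")
    # The proxy's certificate was never uploaded, so mdm.company.com is reported.
    print(find_unlisted_endpoints({"mdm.company.com": PROXY_PEM, "localhost": SMC_PEM}, [SMC_PEM]))
```

Run it against the real server.log with `triage_server_log(open("server.log"))`; the device IDs it returns are the ones to paste into the console URL in step 3 above. To check the "other possible root cause", replace the constructed PEMs with `fetch_endpoint_pem("mdm.company.com")` for each hop in front of the server and the .CER files you uploaded, and any hostname `find_unlisted_endpoints` returns still needs its certificate added in the SSL/TLS section.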