
Using email address to enroll devices

Created: 28 Mar 2013 • Updated: 05 Apr 2013 | 8 comments
This issue has been solved. See solution.


We are trying to implement the Symantec 7.2 MDM solution. Everything works (policies, payload, certificates) except for one thing. We would like to enable the option that a user can use his/her (AD) email address and password to enroll his/her device.

When I type the enrollment URL, it works perfectly. When I use an email address, the error "Login Failed, Could not determine enrollment URL. Check with your IT department and enter a valid url" pops up.

I have made the TXT record in DNS: OSIAGENTREGURL=<server url>/MobileEnrollment/Symc-IOSEnroll.ASPX

We have 2 (2008 R2) servers in our domain configured for this, and a reverse proxy in the DMZ.

Any ideas? What is left to check? Or to configure?




HighTower's picture

We have not yet been able to get this to work when our mobile devices are connected to our internal network. As a workaround we've configured our mobile devices to connect to a guest wireless network.

The email address > enrollment URL works great in our external DNS records but we can't get it to work internally.  Admittedly we haven't spent much time trying :)

_Chris_'s picture

Thank you for your reply.

Our mobile devices are not connected to our internal network, but to "public" Wifi access points and 3G networks.

I know that the enrollment URL should work, but not in our current config.

HighTower's picture

This is lifted from our external MS DNS server:



Our real server name is not exposed to the outside world.  Instead we have our Citrix Access Gateway aliasing the server name.

This basically worked for us immediately so I'd suspect your external DNS for not catching the enrollment request.

_Chris_'s picture

We are using https. And a reverse proxy in DMZ.

But the txt record should also be added to the DNS settings of our ISP?

HighTower's picture

We have an external DNS server in our DMZ that we use for zone translation but we're not authoritative.  We push our external records up to our ISP. 

So yes, these TXT records ultimately have to be published by your ISP.

_Chris_'s picture

Have sent the request for adding the txt record to our ISP.

Logically this should resolve the problem. I'll keep you posted.

_Chris_'s picture

And... Problem solved! Thank you for your help!
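
The check this thread converged on, as an added example that is not part of the original posts or of Symantec's tooling: confirm that the OSIAGENTREGURL TXT record is visible from public DNS, which is what devices on Wi-Fi or 3G query. The record location (the domain part of the email address), the resolver 1.1.1.1, and the example.com names are assumptions, and the sample dig output is constructed.

```python
import shlex
import subprocess
from urllib.parse import urlsplit

KEY = "OSIAGENTREGURL"  # TXT key quoted in the original post

def parse_dig_txt(output):
    """One string per TXT record from `dig +short TXT` output.
    dig prints a record as quoted chunks ("a" "b"); they are concatenated."""
    return ["".join(shlex.split(l)) for l in output.splitlines() if l.strip()]

def enrollment_url(records):
    """Value of the first KEY=... record, or None when none is published."""
    for rec in records:
        name, sep, value = rec.partition("=")
        if sep and name.strip().upper() == KEY:
            return value.strip()
    return None

def diagnose(email, public_records):
    """(ok, message): what a device on a public network gets for this address.
    Assumption: the record is looked up at the domain part of the address."""
    domain = email.rpartition("@")[2].lower()
    url = enrollment_url(public_records)
    if url is None:
        return False, f"{domain}: no {KEY} TXT record visible in public DNS"
    parts = urlsplit(url if "://" in url else "https://" + url)
    if parts.scheme != "https" or not parts.hostname:
        return False, f"{domain}: record present but not an https URL: {url}"
    return True, f"{domain}: devices are sent to {parts.hostname}{parts.path}"

def lookup_txt(domain, resolver="1.1.1.1"):
    """Live query via a public resolver (assumed choice; needs dig + network)."""
    cmd = ["dig", "+short", "TXT", domain, "@" + resolver]
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    return parse_dig_txt(out.stdout)

# Constructed sample of dig output for a hypothetical example.com zone.
SAMPLE = ('"v=spf1 -all"\n'
          '"OSIAGENTREGURL=https://mdm.example.com/MobileEnrollment/" '
          '"Symc-IOSEnroll.ASPX"\n')

if __name__ == "__main__":
    print(diagnose("user@example.com", parse_dig_txt(SAMPLE)))
```

Passing the output of `lookup_txt()` for your own domain to `diagnose()` runs the same check against live public DNS; a record that exists only on an internal or non-authoritative server shows up as the "no record" result.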