I really need you opinion about a case, can you write to me? I will explain it all, please write to godog@supercable.net.ve. It about SCMDM, just an opinion.

Thanks a lot!

The CA is an x86 Server 2003 Enterprise server and all the other MDM servers are running x64 Server 2008 Std.

The error I an getting is:

Certificate not issued (Denied) Denied by Policy Module 0×80094800, The request was for a certificate template that is not supported by the Certificate Services policy: scmdmwebserver(Instance_Name). The requested certificate template is not supported by this CA. 0×80094800 (-2146875392)
Certificate Request Processor: The requested certificate template is not supported by this CA. 0×80094800 (-2146875392)
Denied by Policy Module 0×80094800, The request was for a certificate template that is not supported by the Certificate Services policy: scmdmwebserver(Instance_Name).

I am pulling my hair out trying to figure this out. Anyone have any ideas?

Are you enforcing that VPN must be connected? VPN should work over WiFi, but maybe there’s a conflict. Does it work connecting an enrolled device to the WiFi if VPN is disabled? And if you are able to get WiFi working, would it then be possible to connect the VPN tunnel manually afterwards?

Hey, I followed your guide, and in the end of the day I have a lab with working enrollment, management and Gateway server.

My devices connect via wifi to the external interface of the gateway, and to the external interface of the enrollment server.

The enrollment process works great, the device (Samsung omnia ) asks for a reboot, and then troubles start 

For some reason, which I cannot figure out, the device cannot join our wifi network. After some wireshark research is seems that there is something wrong with the DHCP or with the WIFI settings…
I can see DHCP offers but the client doesn’t take it. If I assign ip address manually, I can connect, and the client tries to connect to the gateway. However, even in this scenario, it cannot resolve the gateway’s ip address. Looking in wireshark I can see netbios requests (the client is trying to resolve the gateway’s address), which is strange since I have manually configure the dns server’s address in the client’s settings. Moreover, I cannot surf the web using these settings (the ip address statically set ), and I cannot see any dns requests from the client.
Any help will be very appreciated.
Thanks
Roee

Now, of course your firewall could be blocking ping requests for a reason, but I still think the routing is something to look into as well.

At this point I’d check the routes on the gateway server, and probably fire up Wireshark or Network Monitor to try and trace the traffic to see what happens. It can be quite tricky, but you are probably dealing with a configuration issue in your infrastructure.

1. The event view on my GW shows that the device was assigned 192.168.20.4 (based on the network subnets for the ipsec remote address assignment

2.I was unable to ping this Ip from my gateway server (external facing is 172.16.12.11 , internal was 192.168.165,15)

3.I was also not able to ping my gateway server from my device.

Clearly the handset was unable to communicate with gateway server. Also to take note is i am using hostedit file to force the handset to know gateway.scmdm.local to be known as 172.16.12.11. Pretty confusing for me

However it seems your device is not able to communicate with the device management server. Most likely reasons are routing and/or firewall issues.

I assume that the servers themselves are ok, show no errors, and that the gateway is receiving config from the DM server.

- Check the Event Viewer on the GW to see if an IP address was assigned to the device.
- Check if you are able to ping this IP from your servers.
- Check if you can ping your server from your device (vxUtil works great for this purpose).
- If this is ok try opening https://DM-SERVER:8443/TEE/Handler.ashx from your device. (Should be prompted for a certificate.)

Your router needs to be able to recognize the subnet the device is part of, so you need to verify there is a route both to and from this subnet.

I managed to establish mobile vpn as show on the tick icon of my device.

However besides establish that, i was not able to obtain schedule wipe or push down of any policies. I tried using mdm connect now tool, other then establishing the session id, the last connection status will show unknown.

If u need any other information. I will be glad to furnish you with it

Thanks a lot dude

But I assume that schedule wipe and policies work like they should? If not there’s most likely a routing issue.

There is no “instant policy”. Since SCMDM is designed to scale up to thousands of devices there’s some issues with trying to apply policies to plenty of devices at a time. Though I agree it would be nice to have the feature nonetheless as long as one know how to use it. (Maybe for a new release of SCMDM – don’t know…)