Re: "Unable to login." Failed to create device in Active Directory...

Hi Bruce, and welcome back to the Centrify Community! You are absolutely correct; we have made several changes over the last year (and more) related to device management. In early versions of Centrify, you would manage mobile devices exclusively in Active Directory. Now you have the ability to select between a few options…

  • You can use our provided Active Directory policy and cloud connector for enrollment
  • Use cloud-based policy and user directory - no Active Directory needed
  • Use an external MDM vendor and leverage Centrify for SSO only – don’t forget, we can co-exist with other vendors too!

Getting back to your question and issue…new cloud connectors were installed (I assume on new hosts) and after bringing them online, new device enrollments are failing. If I understand correctly, you have verified your enrollment policy to ensure that users are allowed to enroll and that a valid OU is present and listed.

If things were working normally before the connector reinstalls, here are a couple of things you can check to get to the root cause:

  1. As a basic sanity check, ensure that Active Directory users can authenticate to the Centrify user portal (https://cloud.centrify.com/my or your specific tenant URL) - this is a simple test of the connector service to match and authenticate users.
  2. Check the connector logs and search for object conflict or access denied errors – logs are stored at C:\Program Files\Centrify\Cloud Management Suite\Log.txt*. You can also watch a running log window via the Centrify Cloud Connector Configuration utility installed on your connector host.
  3. The cloud connector service must have access to the desired OU in order to create/update device objects. By default, the local system account of the connector host is used for running the service, but you can also use a service account (as you stated) or other privileged account as long as it has the correct permissions. As a quick test, simply change the service account to run as a Domain Admin and see if the issue persists. If it does, double-check the permissions of the service account.
  4. If the above steps fail, try changing the enrollment OU configured in the policy. You can also change to a different OU > save > and then point back to the original OU again to "reset" the policy settings. If the connector needs to make any delegated changes, you will see a popup confirmation message as an indication that current OU permissions may not be correct.

If you want to configure a new account or simply need to confirm correct permissions are set, take a look at our online help section Installation and service account privilege requirements. If everything looks good but enrollment is still failing, post back here with specific error messages and perhaps some screenshots so we can assist with diagnostics.

Thanks again and I look forward to your reply!

-Tony
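
Checks 2 and 3 from the reply above can be carried out read-only, as in this added PowerShell example (not part of the original post and not Centrify tooling). It assumes the RSAT ActiveDirectory module is installed and that the connector's service display name contains "Centrify"; the enrollment OU's distinguished name is supplied as a parameter.

```powershell
# Added example: read-only checks for steps 2 and 3. Run elevated on the connector host.
param(
    # Log location from the post; the wildcard also picks up rolled-over files.
    [string]$LogGlob = 'C:\Program Files\Centrify\Cloud Management Suite\Log.txt*',
    # ASSUMPTION: the connector's service display name contains "Centrify".
    [string]$ServiceFilter = '*Centrify*',
    # PLACEHOLDER: distinguished name of the enrollment OU set in your policy.
    [Parameter(Mandatory)][string]$EnrollmentOU
)

# Step 2: most recent access-denied / object-conflict lines.
# Select-String matches case-insensitively by default.
Select-String -Path $LogGlob -Pattern 'access\s+(is\s+)?denied', 'conflict' |
    Select-Object -Last 20 -Property Filename, LineNumber, Line |
    Format-List

# Step 3a: which account does the connector service log on as?
$svc = Get-CimInstance -ClassName Win32_Service |
    Where-Object DisplayName -like $ServiceFilter
$svc | Format-Table Name, DisplayName, StartName, State -AutoSize

# Step 3b: which ACEs on the enrollment OU name that account directly?
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl
$acl = Get-Acl -Path "AD:\$EnrollmentOU"

foreach ($s in $svc) {
    if ($s.StartName -eq 'LocalSystem') {
        # LocalSystem reaches the domain as the host's computer account (HOST$).
        $sam = '{0}$' -f $env:COMPUTERNAME
    } else {
        # DOMAIN\account form; a UPN-style logon name is used unchanged.
        $sam = ($s.StartName -split '\\')[-1]
    }

    "ACEs on $EnrollmentOU naming ${sam}:"
    # An empty result means no ACE names the account itself; rights granted
    # through group membership do not show up in this filter.
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -like "*\$sam" } |
        Format-Table ActiveDirectoryRights, AccessControlType, ObjectType, IsInherited -AutoSize
}
```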