Android device enrolment issue - MDM app is not being installed during the sign-in process

mdas86
Level 1.6: Donut

Hello,

We are experiencing a new issue with our Android device enrolments where the MDM app is not being installed during the sign-in process. App is configured in Android Management between our CyberArk tenant and Google domain, and user accounts are configured to do set-up for device owner enrolment.

 

Previous device enrolments are still working as expected, and we first noticed this issue on 13-11-2023. No changes have been made to either the CyberArk configuration/device policy or to Google Admin. 

 

This issue is affecting all new Android device enrolments, even across Android versions (Android 10-14 affected). 

 

Would you please able to assist to fix this issue? 

 

Error Log:

11-24 14:35:49.411 3842 4105 I Auth : (REDACTED) [BroadcastManager] [BroadcastManager] Broadcasting bad device management=%s
11-24 14:35:49.414 3842 4105 I Auth : [AccountStatusChecker] Error when fetching package info [CONTEXT service_id=343 ]
11-24 14:35:49.414 3842 4105 I Auth : sdq: Invalid package signature for app=com.google.android.apps.work.clouddpc
11-24 14:35:49.414 3842 4105 I Auth : at sdr.c(:com.google.android.gms@234414022@23.44.14 (100400-580326705):190)
11-24 14:35:49.414 3842 4105 I Auth : at sdr.a(:com.google.android.gms@234414022@23.44.14 (100400-580326705):39)
11-24 14:35:49.414 3842 4105 I Auth : at sbq.a(:com.google.android.gms@234414022@23.44.14 (100400-580326705):221)
11-24 14:35:49.414 3842 4105 I Auth : at sbp.p(:com.google.android.gms@234414022@23.44.14 (100400-580326705):34)
11-24 14:35:49.414 3842 4105 I Auth : at sbp.q(:com.google.android.gms@234414022@23.44.14 (100400-580326705):8)
11-24 14:35:49.414 3842 4105 I Auth : at sbp.m(:com.google.android.gms@234414022@23.44.14 (100400-580326705):11)
11-24 14:35:49.414 3842 4105 I Auth : at sss.a(:com.google.android.gms@234414022@23.44.14 (100400-580326705):610)
11-24 14:35:49.414 3842 4105 I Auth : at ssy.b(:com.google.android.gms@234414022@23.44.14 (100400-580326705):94)
11-24 14:35:49.414 3842 4105 I Auth : at ssv.a(:com.google.android.gms@234414022@23.44.14 (100400-580326705):642)
11-24 14:35:49.414 3842 4105 I Auth : at slx.h(:com.google.android.gms@234414022@23.44.14 (100400-580326705):3)
11-24 14:35:49.414 3842 4105 I Auth : at ncu.n(:com.google.android.gms@234414022@23.44.14 (100400-580326705):284)
11-24 14:35:49.414 3842 4105 I Auth : at ncu.c(:com.google.android.gms@234414022@23.44.14 (100400-580326705):1087)
11-24 14:35:49.414 3842 4105 I Auth : at ncu.h(:com.google.android.gms@234414022@23.44.14 (100400-580326705):2)
11-24 14:35:49.414 3842 4105 I Auth : at ncu.fe(:com.google.android.gms@234414022@23.44.14 (100400-580326705):147)
11-24 14:35:49.414 3842 4105 I Auth : at mzt.onTransact(:com.google.android.gms@234414022@23.44.14 (100400-580326705):117)
11-24 14:35:49.414 3842 4105 I Auth : at android.os.Binder.transact(Binder.java:949)
11-24 14:35:49.414 3842 4105 I Auth : at bdrr.onTransact(:com.google.android.gms@234414022@23.44.14 (100400-580326705):10)
11-24 14:35:49.414 3842 4105 I Auth : at android.os.Binder.transact(Binder.java:949)
11-24 14:35:49.414 3842 4105 I Auth : at awwb.onTransact(:com.google.android.gms@234414022@23.44.14 (100400-580326705):147)
11-24 14:35:49.414 3842 4105 I Auth : at android.os.Binder.execTransactInternal(Binder.java:1056)
11-24 14:35:49.414 3842 4105 I Auth : at android.os.Binder.execTransact(Binder.java:1029)
11-24 14:35:49.414 3842 4105 I Auth : Caused by: android.content.pm.PackageManager$NameNotFoundException: com.google.android.apps.work.clouddpc
11-24 14:35:49.414 3842 4105 I Auth : at android.app.ApplicationPackageManager.getPackageInfoAsUser(ApplicationPackageManager.java:275)
11-24 14:35:49.414 3842 4105 I Auth : at android.app.ApplicationPackageManager.getPackageInfo(ApplicationPackageManager.java:244)
11-24 14:35:49.414 3842 4105 I Auth : at akut.e(:com.google.android.gms@234414022@23.44.14 (100400-580326705):7)
11-24 14:35:49.414 3842 4105 I Auth : at sdr.c(:com.google.android.gms@234414022@23.44.14 (100400-580326705):16)
11-24 14:35:49.414 3842 4105 I Auth : ... 20 more
11-24 14:35:49.414 3842 4105 I Auth : [AccountStatusChecker] Canceling DM notification because of DM suppression [CONTEXT service_id=343 ]
11-24 14:35:49.416 3842 4105 W Auth : [GetToken] GetToken failed with status code: ThirdPartyDeviceManagementRequired

9 REPLIES 9

ReeceK
Google Staff

Hi @mdas86,

 

Quick update for you—I'm collaborating with other teams to find the answer to your question. I anticipate having more information in the next few days. Additionally, I've sent you a DM in case you have any further questions in the meantime.

 

Thanks, Reece

jeremy
Level 2.3: Gingerbread

@mdas86 the invalid package signature is a weird error. How do you enroll your devices? If by QR Code have you modified the QR Code somehow?

 

mdas86
Level 1.6: Donut

Hi @jeremy ,

We are using the following device set-up method as per the documentation "Setup devices using managed Google accounts"

 

Company-owned device

If you have a new or factory-reset device, add your managed Google account during device setup:

  1. Turn on your device.
  2. Follow the on-screen steps until you're prompted to enter a Google Account.
  3. Enter your managed Google account and password.
  4. Follow the on-screen steps until setup is complete.

https://support.google.com/work/android/answer/9412115?sjid=2368083653953635435-AP#zippy=%2Cset-up-a...

 

https://support.google.com/work/android/answer/9566881?hl=en#zippy=setup-devices-using-a-google-work...

 

Suddenly we saw the issue for new enrollment devices, existing enrolled devices are working fine. No changes to existing  policies/configuration.

 

Looking forward your help, thanks!

 

ReeceK
Google Staff

Hi @mdas86 

 

How are you? 

 

I have done some research into your question - 

 

Are you receiving specific prompts when the MDM app fails to install? Is the issue with MDM app installation occurring on all devices?

 

One possibility is that Cyberark has undergone a password rotation, possibly due to an auto annual rotation. It might be helpful to verify the password values assigned to the Android Management account within Cyberark to ensure they match the intended password.

 

Additionally, it's worth checking within the Google Admin directory or identity services to confirm if the account used to set up the owner enrollment is active and free from any flags or token issues.

 

To troubleshoot, you could create a local account in your MDM and utilize those credentials to temporarily enroll a device. This test would help determine if the issue persists with a different set of credentials.


I hope the above helps, if you have solved the issue please let us know 😊

Reece.

mdas86
Level 1.6: Donut

Hi @ReeceK ,

Thanks for the update!

 

Are you receiving specific prompts when the MDM app fails to install? - No,

Its completing the device set-up without downloading the MDM app and after this when I tried to open Play Store app, its not connecting (account sync is not happening). Actually it should connect to  see all managed apps (https://play.google.com/work/apps)

 

if I connect(using my test account) to https://play.google.com/work/apps in chrome browser, I could able to connect and see all managed apps without any issue.

 

Is the issue with MDM app installation occurring on all devices? - Yes

 

create a local account in your MDM  - I have created test account in Google Admin with third-party integration with Android EMM, unfortunately same issue is happening

 

FYI - These steps have been used to download MDM app

Company-owned device

If you have a new or factory-reset device, add your managed Google account during device setup:

  1. Turn on your device.
  2. Follow the on-screen steps until you're prompted to enter a Google Account.
  3. Enter your managed Google account and password.
  4. Follow the on-screen steps until setup is complete.

Hi @mdas86  

Thanks for getting back to me.

 

I am going to go back to my colleagues and get more answers for you, the problem sounds like it might lie with the MDM app installation process or perhaps with the permissions/authentication during the installation.

 

Whilst I await a response on my end,  have you reached out to your internal support channels of the MDM provider to investigate this matter further?. 

 

Additionally, have you double-checked the permissions and configurations within your Google Admin console and Android EMM settings related to app installations and device management could also be beneficial in troubleshooting this issue?.

Just want to make sure that this has been looked into internally on your end, as well as here in the community.

 

Thanks again @mdas86 

Hi @mdas86 

 

I've had a chat with my colleague, and here's the feedback regarding your question:

It's intriguing that there are no error messages when the MDM app fails to install.

 

It seems like more of a DPC issue if the problem persists even after trying with a local test account. Have you contacted your EMM about this? What have they discovered so far? Also, have they supplied the latest patch for the DPC app? If they have, it's advisable to utilize the most recent version in this case.

 

Hope this information proves useful,

Reece




mdas86
Level 1.6: Donut

Hi @ReeceK ,

Thank you for all details, Its definitely help to troubleshoot the issue.

 

I am in contact with our IT support team to check with EMM set-up with Google. Also verifying the configuration in Google Admin console using test account. We didn't find any resolution till now.

 

It seems like more of a DPC issue - need to investigate and understand how this is related with authentication failure.

 

Thank you!

Manas

Hey @mdas86  

 

Exciting to hear things are moving forward!

 

When you do hear something back, could you provide me with an update on the situation and share any feedback you've received? 

 

And of course, if you need further assistance, feel free to reach out.

 

Thanks, Reece