Android device enrolment issue - Third party MDM app is not being installed during the sign-in process

mdas86
Level 1.6: Donut

Hello Android Enterprise Team,

 

We are experiencing a new issue with our Android device enrolments where the third-party MDM app(CyberArk MDM App) is not being installed during the sign-in process. App is configured in Android Management between our CyberArk tenant and Google domain, and user accounts are configured to do set-up for device owner enrolment.

 

Previous device enrolments are still working as expected, and we first noticed this issue on 13-11-2023. No changes have been made to either the CyberArk configuration/device policy or to Google Admin. 

 

This issue is affecting all new Android device enrolments, even across Android versions (Android 10-14 affected). 

 

Could you please help to fix this issue?

Thanks in advance

 

Error Log:

11-24 14:35:49.411 3842 4105 I Auth : (REDACTED) [BroadcastManager] [BroadcastManager] Broadcasting bad device management=%s
11-24 14:35:49.414 3842 4105 I Auth : [AccountStatusChecker] Error when fetching package info [CONTEXT service_id=343 ]
11-24 14:35:49.414 3842 4105 I Auth : sdq: Invalid package signature for app=com.google.android.apps.work.clouddpc
11-24 14:35:49.414 3842 4105 I Auth : at sdr.c(:com.google.android.gms@234414022@23.44.14 (100400-580326705):190)
11-24 14:35:49.414 3842 4105 I Auth : at sdr.a(:com.google.android.gms@234414022@23.44.14 (100400-580326705):39)
11-24 14:35:49.414 3842 4105 I Auth : at sbq.a(:com.google.android.gms@234414022@23.44.14 (100400-580326705):221)
11-24 14:35:49.414 3842 4105 I Auth : at sbp.p(:com.google.android.gms@234414022@23.44.14 (100400-580326705):34)
11-24 14:35:49.414 3842 4105 I Auth : at sbp.q(:com.google.android.gms@234414022@23.44.14 (100400-580326705):8)
11-24 14:35:49.414 3842 4105 I Auth : at sbp.m(:com.google.android.gms@234414022@23.44.14 (100400-580326705):11)
11-24 14:35:49.414 3842 4105 I Auth : at sss.a(:com.google.android.gms@234414022@23.44.14 (100400-580326705):610)
11-24 14:35:49.414 3842 4105 I Auth : at ssy.b(:com.google.android.gms@234414022@23.44.14 (100400-580326705):94)
11-24 14:35:49.414 3842 4105 I Auth : at ssv.a(:com.google.android.gms@234414022@23.44.14 (100400-580326705):642)
11-24 14:35:49.414 3842 4105 I Auth : at slx.h(:com.google.android.gms@234414022@23.44.14 (100400-580326705):3)
11-24 14:35:49.414 3842 4105 I Auth : at ncu.n(:com.google.android.gms@234414022@23.44.14 (100400-580326705):284)
11-24 14:35:49.414 3842 4105 I Auth : at ncu.c(:com.google.android.gms@234414022@23.44.14 (100400-580326705):1087)
11-24 14:35:49.414 3842 4105 I Auth : at ncu.h(:com.google.android.gms@234414022@23.44.14 (100400-580326705):2)
11-24 14:35:49.414 3842 4105 I Auth : at ncu.fe(:com.google.android.gms@234414022@23.44.14 (100400-580326705):147)
11-24 14:35:49.414 3842 4105 I Auth : at mzt.onTransact(:com.google.android.gms@234414022@23.44.14 (100400-580326705):117)
11-24 14:35:49.414 3842 4105 I Auth : at android.os.Binder.transact(Binder.java:949)
11-24 14:35:49.414 3842 4105 I Auth : at bdrr.onTransact(:com.google.android.gms@234414022@23.44.14 (100400-580326705):10)
11-24 14:35:49.414 3842 4105 I Auth : at android.os.Binder.transact(Binder.java:949)
11-24 14:35:49.414 3842 4105 I Auth : at awwb.onTransact(:com.google.android.gms@234414022@23.44.14 (100400-580326705):147)
11-24 14:35:49.414 3842 4105 I Auth : at android.os.Binder.execTransactInternal(Binder.java:1056)
11-24 14:35:49.414 3842 4105 I Auth : at android.os.Binder.execTransact(Binder.java:1029)
11-24 14:35:49.414 3842 4105 I Auth : Caused by: android.content.pm.PackageManager$NameNotFoundException: com.google.android.apps.work.clouddpc
11-24 14:35:49.414 3842 4105 I Auth : at android.app.ApplicationPackageManager.getPackageInfoAsUser(ApplicationPackageManager.java:275)
11-24 14:35:49.414 3842 4105 I Auth : at android.app.ApplicationPackageManager.getPackageInfo(ApplicationPackageManager.java:244)
11-24 14:35:49.414 3842 4105 I Auth : at akut.e(:com.google.android.gms@234414022@23.44.14 (100400-580326705):7)
11-24 14:35:49.414 3842 4105 I Auth : at sdr.c(:com.google.android.gms@234414022@23.44.14 (100400-580326705):16)
11-24 14:35:49.414 3842 4105 I Auth : ... 20 more
11-24 14:35:49.414 3842 4105 I Auth : [AccountStatusChecker] Canceling DM notification because of DM suppression [CONTEXT service_id=343 ]
11-24 14:35:49.416 3842 4105 W Auth : [GetToken] GetToken failed with status code: ThirdPartyDeviceManagementRequired

15 REPLIES 15

Moombas
Level 3.0: Honeycomb

Hi mdas, 

i recommend to investigate this with your 3rd party MDM (CyberArk).

mdas86
Level 1.6: Donut

Hi @Moombas ,

Thanks for the update!

3rd party MDM is already available in https://androidenterprisepartners.withgoogle.com/emm

This is working fine for existing user who already enrolled to their devices. All of a sudden, this stops working for new users who tries to enroll in device owner mode. Not able to download the third-party MDM app during sgin-in process.

 

These are the steps, we are using to download MDM app during device owner mode set-up

Company-owned device

If you have a new or factory-reset device, add your managed Google account during device setup:

  1. Turn on your device.
  2. Follow the on-screen steps until you're prompted to enter a Google Account.
  3. Enter your managed Google account and password.
  4. Follow the on-screen steps until setup is complete.

https://support.google.com/work/android/answer/9412115?sjid=2368083653953635435-AP#zippy=%2Cset-up-a...

 

https://support.google.com/work/android/answer/9566881?hl=en#zippy=setup-devices-using-a-google-work...

  

https://androidenterprisepartners.withgoogle.com/emm/

 

mdas86
Level 1.6: Donut

These are the steps, we are using to download MDM app during device owner mode set-up

Company-owned device

If you have a new or factory-reset device, add your managed Google account during device setup:

  1. Turn on your device.
  2. Follow the on-screen steps until you're prompted to enter a Google Account.
  3. Enter your managed Google account and password.
  4. Follow the on-screen steps until setup is complete.

https://support.google.com/work/android/answer/9412115?sjid=2368083653953635435-AP#zippy=%2Cset-up-a...

 

https://support.google.com/work/android/answer/9566881?hl=en#zippy=setup-devices-using-a-google-work...

  

https://androidenterprisepartners.withgoogle.com/emm/

Moombas
Level 3.0: Honeycomb

Hi mdas,

i personally don't know about an management enrollment using a managed Google Account.

Also on the website of Cyber ark these are the enrollment methods to be used:

MethodDescription

SMS

Enter your phone number (including the country code and area code), and then click Send. CyberArk Identity sends an SMS message to your device with links to the CyberArk Identity mobile app.

Email

Enter an email address that is accessible from your mobile device, and then click Send. CyberArk Identity sends an email with links to the CyberArk Identity mobile app.

QR code

Scan the QR code

Direct link

Click the link to the appropriate app store for your device. If you are signed in to your Google or Apple account in your browser as well as on your device, you can install the CyberArk Identity mobile app from your desktop browser.

 

Nothing about a managed Google account. What kind of enrollment you try to do? BYOD, COBO or COPE?

mdas86
Level 1.6: Donut

Hi @Moombas ,

Thanks for update!

Company owned devices which was enrolling with following steps as per Google documentation

If you have a new or factory-reset device, add your managed Google account during device setup:

  1. Turn on your device.
  2. Follow the on-screen steps until you're prompted to enter a Google Account.
  3. Enter your managed Google account and password.
  4. Follow the on-screen steps until setup is complete.

With the above steps, it is expected to download the third-party MDM app and complete the enrolment which is not happening.

mdas86
Level 1.6: Donut

Which management sets can you deploy with this setup method? - Full device management

 

what is the EMM provider? - Use a third-party Android EMM provider (CyberArk, previously registered as Centrify)

https://support.google.com/work/android/answer/9415508?sjid=3084105063576651002-AP

 

Which set-up method is used for enrolment? - Set up an Android device with a managed Google account

https://support.google.com/work/android/answer/9412115?sjid=3084105063576651002-AP#zippy=%2Cset-up-a...

 

Moombas
Level 3.0: Honeycomb

Again: You should reach out to CyberArk support because i still think you are trying to enroll it  the wrong way.

jeremy
Level 2.3: Gingerbread

As @Moombas previously said, you will get better support directly from CyberArk as this is an issue related to their product.

While we're glad to help, without proper inside knowledge of CyberArk product this will be hard to debug unless you're escalating this to CyberArk support team.

 

mdas86
Level 1.6: Donut

Hi @jeremy ,

I am from CyberArk need Android Enterprise Team help to troubleshoot this issue.

The authentication is failed in android package itself and not able to sync the account in PlayStore app, please see the following error log:

 

11-24 14:35:49.414 3842 4105 I Auth : sdq: Invalid package signature for app=com.google.android.apps.work.clouddpc

11-24 14:35:49.414 3842 4105 I Auth : [AccountStatusChecker] Canceling DM notification because of DM suppression [CONTEXT service_id=343 ]
11-24 14:35:49.416 3842 4105 W Auth : [GetToken] GetToken failed with status code: ThirdPartyDeviceManagementRequired

 

The MDM app stops working suddenly without any changes to configuration whereas the existing enrolled devices are working as expected.

 

Would like to understand if any changes to Android Enterprise policies? or why it is not able to sync the Google managed account from PlayStore?

 

Thank your patience!

 

Moombas
Level 3.0: Honeycomb

@mdas86 : I think in that case you should have another coumminty to look into (partner portal?).

I think the best information in that regard can come from @Lizzie or @ReeceK .

jeremy
Level 2.3: Gingerbread

So if you're from CyberArk you should post your question and open a support ticket in the dedicated EMM Support Community where you have access to Android Engineers.

mdas86
Level 1.6: Donut

Hi @jeremy ,

I was not aware of this. Could you please help me to provide the link where I could proceed to raise the support ticket?

Thank you!

Moombas
Level 3.0: Honeycomb

Hi mdas,

I'm a bit scared that you seem to have bought a product and want to do administration to it but just can't find the relevant support information which requires maximum 1 minute to find via Google search and their website:

https://www.cyberark.com/de/services-support/technical-support/?utm_medium=paid_search&utm_source=go...

mdas86
Level 1.6: Donut

Hi @Moombas ,

I was looking for the process to directly riase the support ticket to dedicated EMM Support Community where I should have access to Google Android Engineers. 

 

I am well aware about the process to raise CyberArk support ticket, might be something misunderstood on my query.

 

As I saw the issue in Android package auth failure, I need to verify and troubleshoot in collaboration with Teams help. 

 

Thanks for your time!

 

ReeceK
Google Staff

Hey @mdas86 ,

 

Hope you're doing well!

 

Just going through the replies to catch up on the thread. Sorry to hear you're having trouble setting up your Android device. As mentioned before, reaching out to your EMM support and opening a ticket could be a good move.

 

If that doesn't do the trick, feel free to drop an update here so we can help out more. If you find a solution, it'd be awesome to hear about it!

 

Thanks, Reece.