This document is in early preview. If you have any questions or concerns please reach out to your Customer Success Representative.
This article will go over how to troubleshoot the Zero-Touch install when it does not work as expected. We will touch on both Windows and Mac deployments where our support team sees the most common issues.
When deployed with Zero-Touch, the user is not able to register, the app is not installed properly, or the device was registered using incorrect information.
This article uses the most current version of the script as released on November 9th, 2022.
Overview of possible solution(s)
The Zero-Touch Deployment is Failing or The Results are Incorrect
Bad MDM Config File
A failed deployment or the wrong config may result from a few different factors. The first and most common is a malformed mdm-config.json. You can find this file which is deployed by the Zero-Touch Script under C:\ProgramData\Banyan\mdm-config.json on Windows or /private/etc/banyanapp on MACOS.
The mdm-config.json needs to be a valid JSON file. If the app does not register the user and pre-configure itself after the Zero-Touch process is run on the device. This is the most common issue.
If you are not familiar with JSON formatting, you may want to look at using a third-party tool. Below is an example of a Valid mdm-config.json file:
If your user is getting registered but the app's configuration is not correct, such as in the case of the device ownership being prompted, the device not reporting as managed, or other variables not being respected. Please check the mdm-config.json on the device for typos, invalid parameters or misspellings. You can find a break down of the parameters for these options here.
The Script is Not Run in the Correct Context
When running the Banyan Zero-Touch Script, ensure you push the script to your device in a manner in which it runs as admin or system level. In order for the app to be installed correctly administrator permission is required. If the app is installed on the device or is pushed seperately, the app will not be able to self register.
You may refer to your Mobile Device Manager's documentation which includes pushing scripts to enduser devices under an elevated user context, as each MDM vendor varies on configuration instructions.
The User is Not Able to Login
This issue commonly occurs when the user information picked up by the Zero-Touch install script is not correct. This leads to the user's device getting registered to an invalid email address which does not match the address they use to log in to the IDP. You can validate if this is the issue by inspecting the device certificate in the KeyChain App. This can be found under KeyChain Access > Login > Managed-Device-<Serial Number> as a Subject Alternative name like shown here:
If you encounter this issue please verify the following parameters found on the Zero-Touch install script being pushed to the users:
This information will need to match what is deployed by your MDM. The example above is the default values for JAMF which we outline how to configure in our Documentation About Setting Up Zero-Touch with specific MDMs.
If you have followed the directions but are still having issues, please ensure the user information on the MDM is correct by checking the path in which you specified for the Zero-Touch script to validate the user info being pushed to the Device. More details about these parameters can be found in our breakdown of the Zero-Touch Script.
The User is Not Able to Login
This issue occurs commonly when the user information picked up by the Zero-Touch install script is not correct. This leads to the user's device getting registered to an invalid email address which does not match the address they use to log in to the IDP. This can be checked on Windows by going to the Managed User Certificates App > Personal > Certificates > Managed-Device-<SerialNumber> and then Details as a Subject Alternative Name as shown in the image below:
This information is pulled from the registry which is deployed at the time of the device being joined to the domain at HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo which can be found using the Registry Editor App. This should look like the image below.
If this information is not correct, ensure the Domain the machine is joined to has the correct email address attribute for the User in Active Directory. If the information cannot be found at that location you may modify line 74 of the script to point to the correct information. If you would like assistance please contact your Customer Success Representative.
Please sign in to leave a comment.