CIFS - Docs@Work - Android Enterprise

JohnM · 2018-03-17 15:52:49 UTC

Did any of you implement CIFS for Android Enterprise yet?
I am having struggles connecting - Docs@Work for iOS works for the same user, Docs@Work for Android drops me an metadata error from the server. I have to investigate further and just wanted to check your feedback.

What confuses me is the statement in the Release Notes for D@W 2.3: „for access to CIFS/SMB servers. CIFS/SMB traffic must be tunneled through Standalone Sentry“ BUT then along comes this statement:

• Android enterprise enabled Docs@Work does not support tunneling through Standalone Sentry.

Any help?

Thanks!

-John

andrew_dawson · 2018-03-18 20:07:15 UTC

Hi John,

Since the Docs@Work 2.3 release is not that old I would go with the most recent information, Docs@Work 2.3 Android Enterprise supported by Standalone Sentry.

Do you have more information on the error, device/sentry logs, screenshots, etc.

,Andrew

JohnM · 2018-03-19 18:31:55 UTC

Hi Andrew,

I have to re-enroll a device, then I can gather some logs.
The weird thing is, I am not able to enter any credentials - there is no prompt or no chance to modify it on a later point. So I think this is the issue.
Also tried to use the autofill credentials - still no password input anywhere.

Autofill:
{“default”: “mydomain/$USERID$”}

The default config within D@W app looks like this:

Device UUID:
$DEVICE_UUID$

User ID:
$USERID$

group sites: (Basic Auth)
[{“auth”:"",“domain”:“CIFS”,“name“:“My Share“,“ priority”:“false”,“subDomain”:“NetworkDrive”,“url”:“https://192.168.0.204:445/Files“,“webView":"false”}]

AppTunnel rule:
{“sentryHostName”:“https://tunnel.mydomain.com”,“sentryPort”:“443”,“domainPattern”:[“fileserver.mydomain.com”]}

Identity Certificate:
$CERT_ALIAS:AppTunnel-SCEP$

Thanks.

-John

JohnM · 2018-03-24 09:21:23 UTC

If took a look at the logs of the AppTunnel Sentry - Server returned status HTTP 401 - Unauthorized - which clearly tells me that this is an authentication issue. Like I said I was never prompted to enter the credentials on the device. Do you know how to enter the credentials within Docs@Work for Android Enterprise? I can’t find any options.
With Docs@Work for iOS I get prompted instantly for the username and credentials and the same user account gets access to the file share.

JohnM · 2018-03-24 09:35:01 UTC

I am also seeing some error with “no cipher suites” in common.
Does the Android Enteprise Docs@Work app need other cipher suites compared to the Docs@Work for iOS?

andrew_dawson · 2018-03-25 02:03:34 UTC

Do you get the same error when you manual add the cigs share from docs@work.

What error messages do you see in the sentry logs while this error occurs?

JohnM · 2018-03-25 13:42:08 UTC

In version 2.3.0.0.8 on Android Enterprise I can’t manually add CIFS shares (I do not block adding sites)
If I click on add site I can only add Sharepoint.
If I go into settings - configuration - add symbol (+) - there is also only Sharepoint, WebDAV, BoxEnterprise, GoogleDrive.
I am updating to Sentry 9.3.0 and verify if there is any difference.

andrew_dawson · 2018-03-26 11:23:06 UTC

Created a core running 9.6.0.2 with a fresh install of Docs@work with it’s default config, ‘NetworkDrive’ is an option from the app.

Try creating a new config with no settings on the device and check if you can manually add a share.

I am wondering if there is some kind of issue with the config created prior to the ability to add Network Drives or the meta data for appconfig for the app has not updated for some reason.

JohnM · 2018-03-26 18:29:45 UTC

Hey Andrew…
adding a new config did the trick with the manual adding of the share. thanks.
I was able to add the share manually now, but I still receive the same log entries on Sentry like I get with the deployed config. Strange…

andrew_dawson · 2018-03-28 05:27:14 UTC

Can you provide some of the debug sentry log around the time the issue occurs?

brendanmain · 2018-05-24 22:28:49 UTC

Update from MobileIron Beta engineering team

CIFS is available for Docs@Work for Android enterprise. It is supported with KCD. However, admin tool in Docs@Work does not provide an option to add CIFS site. We will update that in the next release.

In the meantime, you can use the following json pattern for ‘Group Sites’ config to add CIFS site.
[{“auth”:“NoAuthn”,“domain”:“CIFS”,“name”:“Your-CIFS-Site-name”,“priority”:“false”,“subDomain”:“NetworkDrive”,“url”:“https://your-cifs.company.com:445”,“webView”:“false”}]

You would need to provide the ‘AppTunnel Rule’ config like the following:
{“sentryHostName”:“https://sentry.company.com”,“sentryPort”:“443”,“domainPattern”:["*.company.com"]}

In addition, the following configs are also required:
Device UUID - $DEVICE_UUID$
User ID - $USERID$
Identity Certificate - $CERT_ALIAS:scepIdentityCert$

brendanmain · 2018-06-03 05:10:20 UTC

Docs@Work CIFS/Kerberos for Android Enterprise Config

See below the right config to get Docs@Work to CIFS share using kerberos authentication from Android Enterprise

“CIFS_Any” Service Name with Kerberos drop down is required in Sentry AppTunnel rule
Docs@Work for Android Enterprise config

Device UUID: $DEVICE_UUID$
User ID: $USERID$

Group Sites (Note: “/MobileIron/” on end of URL as I want to go into MobileIron sub-folder)
[{“auth”:“NoAuthn”,“domain”:“CIFS”,“name”:“MobileIron”,“priority”:“false”,“subDomain”:“NetworkDrive”,“url”:“https://fileserver.internaldomain.com:445/MobileIron/",“webView”:"false”}]

AppTunnel Rule
{“sentryHostName”:“https://sentry.domain.com”,“sentryPort”:“443”,“domainPattern”:["*.internaldomain.local"]}

Identity Certificate: $CERT_ALIAS:AppTunnel CA$

Byodmdm · 2018-06-06 12:14:14 UTC

Same issue even with Docs@Work configuration, i am planning to log a case with Mi Support team. If any resolution will update here