CIFS - Docs@Work - Android Enterprise

JohnM · March 17, 2018, 3:52pm

Did any of you implement CIFS for Android Enterprise yet?
I am having struggles connecting - Docs@Work for iOS works for the same user, Docs@Work for Android drops me an metadata error from the server. I have to investigate further and just wanted to check your feedback.

What confuses me is the statement in the Release Notes for D@W 2.3: „for access to CIFS/SMB servers. CIFS/SMB traffic must be tunneled through Standalone Sentry“ BUT then along comes this statement:

• Android enterprise enabled Docs@Work does not support tunneling through Standalone Sentry.

Any help?

Thanks!

-John

andrew_dawson · March 18, 2018, 8:07pm

Hi John,

Since the Docs@Work 2.3 release is not that old I would go with the most recent information, Docs@Work 2.3 Android Enterprise supported by Standalone Sentry.

Do you have more information on the error, device/sentry logs, screenshots, etc.

,Andrew

JohnM · March 19, 2018, 6:31pm

Hi Andrew,

I have to re-enroll a device, then I can gather some logs.
The weird thing is, I am not able to enter any credentials - there is no prompt or no chance to modify it on a later point. So I think this is the issue.
Also tried to use the autofill credentials - still no password input anywhere.

Autofill:
{“default”: “mydomain/$USERID$”}

The default config within D@W app looks like this:

Device UUID:
$DEVICE_UUID$

User ID:
$USERID$

group sites: (Basic Auth)
[{“auth”:"",“domain”:“CIFS”,“name“:“My Share“,“ priority”:“false”,“subDomain”:“NetworkDrive”,“url”:“https://192.168.0.204:445/Files“,“webView":"false”}]

AppTunnel rule:
{“sentryHostName”:“https://tunnel.mydomain.com”,“sentryPort”:“443”,“domainPattern”:[“fileserver.mydomain.com”]}

Identity Certificate:
$CERT_ALIAS:AppTunnel-SCEP$

Thanks.

-John

JohnM · March 24, 2018, 9:21am

If took a look at the logs of the AppTunnel Sentry - Server returned status HTTP 401 - Unauthorized - which clearly tells me that this is an authentication issue. Like I said I was never prompted to enter the credentials on the device. Do you know how to enter the credentials within Docs@Work for Android Enterprise? I can’t find any options.
With Docs@Work for iOS I get prompted instantly for the username and credentials and the same user account gets access to the file share.

JohnM · March 24, 2018, 9:35am

I am also seeing some error with “no cipher suites” in common.
Does the Android Enteprise Docs@Work app need other cipher suites compared to the Docs@Work for iOS?

andrew_dawson · March 25, 2018, 2:03am

Do you get the same error when you manual add the cigs share from docs@work.

What error messages do you see in the sentry logs while this error occurs?

JohnM · March 25, 2018, 1:42pm

In version 2.3.0.0.8 on Android Enterprise I can’t manually add CIFS shares (I do not block adding sites)
If I click on add site I can only add Sharepoint.
If I go into settings - configuration - add symbol (+) - there is also only Sharepoint, WebDAV, BoxEnterprise, GoogleDrive.
I am updating to Sentry 9.3.0 and verify if there is any difference.

andrew_dawson · March 26, 2018, 11:24am

Created a core running 9.6.0.2 with a fresh install of Docs@work with it’s default config, ‘NetworkDrive’ is an option from the app.

Try creating a new config with no settings on the device and check if you can manually add a share.

I am wondering if there is some kind of issue with the config created prior to the ability to add Network Drives or the meta data for appconfig for the app has not updated for some reason.

JohnM · March 26, 2018, 6:29pm

Hey Andrew…
adding a new config did the trick with the manual adding of the share. thanks.
I was able to add the share manually now, but I still receive the same log entries on Sentry like I get with the deployed config. Strange…

andrew_dawson · March 28, 2018, 5:27am

Can you provide some of the debug sentry log around the time the issue occurs?

brendanmain · May 24, 2018, 10:28pm

Update from MobileIron Beta engineering team

CIFS is available for Docs@Work for Android enterprise. It is supported with KCD. However, admin tool in Docs@Work does not provide an option to add CIFS site. We will update that in the next release.

In the meantime, you can use the following json pattern for ‘Group Sites’ config to add CIFS site.
[{“auth”:“NoAuthn”,“domain”:“CIFS”,“name”:“Your-CIFS-Site-name”,“priority”:“false”,“subDomain”:“NetworkDrive”,“url”:“https://your-cifs.company.com:445”,“webView”:“false”}]

You would need to provide the ‘AppTunnel Rule’ config like the following:
{“sentryHostName”:“https://sentry.company.com”,“sentryPort”:“443”,“domainPattern”:["*.company.com"]}

In addition, the following configs are also required:
Device UUID - $DEVICE_UUID$
User ID - $USERID$
Identity Certificate - $CERT_ALIAS:scepIdentityCert$

brendanmain · June 3, 2018, 5:10am

Docs@Work CIFS/Kerberos for Android Enterprise Config

See below the right config to get Docs@Work to CIFS share using kerberos authentication from Android Enterprise

“CIFS_Any” Service Name with Kerberos drop down is required in Sentry AppTunnel rule
Docs@Work for Android Enterprise config

Device UUID: $DEVICE_UUID$
User ID: $USERID$

Group Sites (Note: “/MobileIron/” on end of URL as I want to go into MobileIron sub-folder)
[{“auth”:“NoAuthn”,“domain”:“CIFS”,“name”:“MobileIron”,“priority”:“false”,“subDomain”:“NetworkDrive”,“url”:“https://fileserver.internaldomain.com:445/MobileIron/",“webView”:"false”}]

AppTunnel Rule
{“sentryHostName”:“https://sentry.domain.com”,“sentryPort”:“443”,“domainPattern”:["*.internaldomain.local"]}

Identity Certificate: $CERT_ALIAS:AppTunnel CA$

Byodmdm · June 6, 2018, 12:14pm

Same issue even with Docs@Work configuration, i am planning to log a case with Mi Support team. If any resolution will update here