Messages posted by: Bethesdaadk
I'm getting some push-back from staff on installing any kind of MDM app or profile on their personal phones.

I tell them that I can't get to any of their data - just lock and reset the phone. However, the Playstore description:

for permissions shows the app to be very very intrusive. I really can't see any of the data collected - as far as I can tell. But someone is collecting it...or are they?

Can you provide a better explanation of the permissions for both the Android app and iOS profile so I can better reassure our staff that I am not spying on them.

Since the agent requires on authentication to install and communicate with the SysAid server, what happens if, say after 30 days, you are required to change your Active Directory password? Does the user need to take action on their mobile phone to somehow reflect the change in the corporate password? Or is the initial install of the agent a one-time deal and no action is required?

ok. I thought it would NOT work on 2.3 and under. Not 2.3 and over. It never occurred to me that support would only be for a phone that no one uses anymore.

So, effectively, the exchange policy is useless - because Android 2.3 and under is first, second at best, generation Android. Those phones are 4-5 years old or older. It's equivalent to Windows 98.

My mistake for not seeing the difference. Thanks for clearing that up.

To be clear, the Android 2.3.4 phone is not my phone. It was a test phone. The MDM policy worked for reset and wipe, but not Exchange - which conforms to what you are saying and I accept that.

What you are not answering just yet, is the fact that my phone is Android 5.0.2

It already has an exchange account on it for my corporate email.

The MDM policy did not prompt me for anything regarding Exchange.

Was it supposed to? Or not? If I remove the existing Exchange account, do I just refresh the agent on the phone to see if an account is created?

I hope this clarifies my question.



First, assume you have a supported version of Android and a supported version of iOS. Then suppose that the user has Touchdown by Nitro or some other Exchange client on their phone. These phones come with their own Exchange client natively, but some staff install a different one - like Touchdown by Nitro.

Which client does the SysAid MDM configure with the policy? The native client? Or Touchdown?

Secondly, what if the user already has an Exchange Account on their phone. Does this policy create a second one?

When I applied the policy to my phone, which already had Exchange setup on it. It did nothing. I hesitate to remove my existing exchange account to test it, but that may be my only choice.

I hope this helps explain my questions.


Thanks. I had already added the policy to my own phone, which is running Android 5.x , but I already had active-sync installed for corporate email access.

The MDM policy had no effect. Was it supposed to create a second account? Or does it leave it alone if there's an existing account already?

What if the user has two active sync capable clients on the phone - for instance, a built-in mail client as well as an after market client like Touchdown by Nitro. Which email client would SysAid configure?

This begets a larger question of the fact that all of our staff who are eligible already have Exchange accounts on their phones (we have a 2010 server). While Exchange allows for remote wiping of phones, it is very cumbersome and you have to know Powershell to get any reports out of exchange. I see SysAid as being a solution to that.

Should we even bother with the Exchange portion of the MDM since our users are already setup?

Please advise - and I'd be interested in other users who may have had to deal with this.


Adam in DC

I was able to re-enroll the older droid after the wipe and tried a new policy.

This one had a 5 character pin, wifi guest account and exchange account.

The 5 character pin worked.

This time, the Wifi worked - it actually showed the network twice - once live and once as the policy. it appears that the password was prepopulated, so that worked.

The exchange policy did not work.

Some progress.

We are a SysAid Cloud customer. I am testing MDM. I have enrolled my production phone (Sprint HTC One M7 running Lollipop) and a test phone (Verizon Droid running Android 2.3.4)

Both enroll quite easily and show up in Assets pretty quickly.

If I modify a policy and update it, the phones respond very quickly.

Since my HTC is already hooked up to my office WiFi and email, the policies seemed to make no difference.

The Droid, however, was a freshly reset phone. Downloading the MDM Policy, where I had WiFi settings and Exchange Settings - made absolutely no changes to the phone.

However, the Wipe function was immediate and effective.

This leads me to believe that there are only certain versions of Android - and perhaps certain apps - that will actually take the WiFi and Exchange Policies of SysAid MDM.

Please advise.


Adam in Washington DC

I am already a SysAid Customer (just moved to the cloud). I am comparing SysAid MDM with Sophos MDM. I own both. Easily finding discussion threads on MDM would be helpful.


Adam in Washington DC
We are an on-premise installation. Our serverConf.xml file has no "RC" section in it. Moreover, your port suggestions don't seem to jibe with others I've received. I thought RC was done over 4228.

In the case that led me to post the original question, I uninstalled the SysAid agent and reinstalled the agent via the SysAid deploy program.

SysAid now reports the workstation as being "Online."

However, most of the SysAid Deploy Program still reports that it cannot determine what version of SysAid agent is installed on the workstation - even after uninstalling it and reinstalling it - and then rescanning the network.

I may have to open up a ticket because either the deploy agent is too buggy or I'm doing something wrong.
My GPO appears to be applied, but again, I'm not sure if what's being applied is correct. Here is a Wizard result. It indicates it's an inbound rule. Does there need to be anything else?

Inbound Ruleshide
Name Description Winning GPO
SysAid Agent Version Verification UDP Port 8193 Allows SysAid Remote Discovery to report on the version of the SysAid Agent running on a workstation behind the local Windows Firewall Firewall Exceptions
This rule may contain some elements that cannot be interpreted by current version of GPMC reporting module
Enabled True
Program Any
Action Allow
Security Require authentication
Authorized computers
Authorized users
Protocol 17
Local port 8193
Remote port Any
ICMP settings Any
Local scope Any
Remote scope Any
Profile Domain
Network interface type All
Service All programs and services
Allow edge traversal False

I recently tried to perform a remote control session with an internal desktop that had the SysAid RC Client installed and was in my list of assets. But it wouldn't work. When I looked in my Deploy SysAid program, it reported back with the "see if it's running" message - even though it was running. Looking back on earlier posts, I realized the UDP 8193 needed to be open. However, I checked that I had indeed created a GPO for just that purpose.

However, I don't think that GPO works correctly. It was applied, but when I ran portqry on the machine in question, I did not find 8193 open.

C:\PortQryV2>portqry -n optiplex

Querying target system called:


Attempting to resolve name to IP address...

Name resolved to


TCP port 80 (http service): FILTERED


Can someone point to the correct GPO settings - in a Windows 7 environment - for opening up this port? I think there is more than one location in GPO to achieve this.


Adam in DC
Perfectly acceptable answer. Glad to know that you can reproduce it.
Any update on the 404 error?