KB41027 - Role-mapping rule based on custom expressions using device attribute "lastSeen" causes device authentication to fail

Last Modified Date: 1/5/2018 1:48 AM
This article describes an issue where device authentication from an MDM provider to a PCS device fails when a role-mapping custom expression rule uses the device attribute "lastSeen".
Problem or Goal
Role-mapping rules have been configured on the PCS device with custom expression rules that use the device attribute "lastSeen", but device authentication fails. When a Policy Trace is taken to determine why the device fails to authenticate, the "lastSeen" attribute does not appear in the Policy Trace.
The "lastSeen" attribute is an AirWatch attribute that is used to check the date and time the device last made successful contact with the MDM. It is commonly used in role-mapping rules on the PCS device to ensure the device is running the most current profile.

The lastSeen attribute uses a string value in the format yyyy-mm-dd Time, where Time is introduced by a capital 'T' (e.g. 2017-09-21T20:12:34:450). If the custom expression compares it against an integer value, device authentication will fail, and the Policy Trace will not display this attribute when recording a device auth failure.

Check the usage of the custom expression rule for deviceAttr.lastSeen to verify that it is configured with a string value instead of an integer value as per the examples below.

Incorrect format using integer:
deviceAttr.lastSeen > 3600 

Correct format using string:
deviceAttr.lastSeen > "2017-08-18T11:21:33.157" 

Keep in mind that using string format requires the PCS admin to regularly update the rule with the last date and time value that they want to check against.  
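The following is an added example, not part of the original article or of any Pulse Secure tooling: a small Python helper that flags lastSeen comparisons written without a quoted timestamp and generates the updated rule text for a chosen maximum age. The function names, the operator pattern, and the timestamp layout (copied from the "Correct format" example above) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumption: a comparison is an operator followed by either a quoted string
# or a bare token; the article itself only shows the ">" operator.
LASTSEEN_CMP = re.compile(r'deviceAttr\.lastSeen\s*([<>=!]+)\s*("[^"]*"|[^\s)]+)')

# Layout copied from the article's correct example: 2017-08-18T11:21:33.157
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f"


def check_expression(expr):
    """Return a list of problems found in lastSeen comparisons in expr."""
    problems = []
    for _op, operand in LASTSEEN_CMP.findall(expr):
        if not operand.startswith('"'):
            # Integer or other bare value: the failure case the article describes.
            problems.append(f"operand {operand} is not a quoted string")
            continue
        try:
            datetime.strptime(operand.strip('"'), TS_FORMAT)
        except ValueError:
            problems.append(f"operand {operand} is not a yyyy-mm-ddThh:mm:ss.fff timestamp")
    return problems


def build_rule(now, max_age_days):
    """Build the rule text for devices seen within max_age_days of 'now'.

    'now' must be expressed in the same time zone the MDM reports lastSeen in
    (the article does not state which one that is).
    """
    cutoff = now - timedelta(days=max_age_days)
    stamp = cutoff.strftime(TS_FORMAT)[:-3]  # trim microseconds to milliseconds
    return f'deviceAttr.lastSeen > "{stamp}"'


if __name__ == "__main__":
    # Constructed sample rules: the two forms shown in the article.
    for rule in ('deviceAttr.lastSeen > 3600',
                 'deviceAttr.lastSeen > "2017-08-18T11:21:33.157"'):
        print(rule, "->", check_expression(rule) or "ok")
    print(build_rule(datetime.now(), 30))
```

Running the generator on a schedule and pasting its output into the role-mapping rule is one way to handle the regular update the article calls for.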
Created By: Deep Ravjibhai Patel


