Device Enrollment

Mobile devices can be managed via ERA and an ESET security product running on the mobile device. To start managing mobile devices, you need to enroll them in ERA (it is no longer necessary to enter IMEI or other identification numbers into the mobile device).

The diagram below illustrates how a Mobile Device communicates with Mobile Device Connector during the enrollment process:


This diagram explains when enrollment, re-enrollment and unenrollment can be used and explains the difference between managed and unmanaged devices.


Enrollment: Enrollment can only be used when the device is not managed by MDM. In this case, the device doesn't exist in the Computers section. Deleting a device from the webconsole doesn't make it unmanaged and the device will appear in the webconsole after a successful replication. Only the unenrollment process can remove a device from managed status. Each enrollment token is unique and one-time-only so it can be used only once. Once the token is used it can't be used again.

Re-enrollment: Re-enrollment can only be used if the device is managed. The re-enrollment token is always different from the enrollment token and it can also be used only once.
To re-enroll a device, open the Computers section and select the mobile device you want to re-enroll. Open the Actions menu and select Mobile > Re-enroll.

Unenrollment: Un-enrollment is the correct way to stop managing a device. Unenrollment is performed using a Stop managing client task. If the device is not responding it can take up to 3 days until the device is actually removed. If you want to remove the device just to enroll it again, use re-enrollment instead.


If you are performing iOS Device enrollment with the Apple Device Enrollment Program (DEP) continue here.

You can enroll mobile devices in the Computers section or under Admin > Groups. Select the Static Group that you want to add mobile devices to, click Add new > Mobile devices and then select one of the following enrollment methods:

Enrollment via email - mass enrollment of mobile devices via email. This option is best suited if you need to enroll a large number of mobile devices or if you have existing mobile devices which you do not have physical access to. Using this option requires active participation from the user/owner of the mobile device.

Individual enrollment via link or QR code  - single mobile device enrollment. You will be able to enroll one mobile device at a time and will need to repeat the same process for each device. We recommend that you use this option only when you have a smaller number of mobile devices to enroll. This option is suitable if you do not want users/mobile device owners to do anything and must perform all enrollment tasks yourself. Also, you can use this option if you have new mobile devices which will be handed over to users once the devices are all set up.


1.What should I do if I get error message: "The Enrollment token is already being used or is not valid." ?

It is likely that you are attempting to re-enroll with an old enrollment token. Create a new re-enrollment token in the webconsole and use that one instead. It is also possible that you are attempting a second re-enrollment  too  soon after the first one. Verify that the re-enrollment token  is different from the first one. If it is not, then wait a few minutes and try to generate a new re-enrollment token again.

2.What should I do if I get error message:"service certificate validation failed" ?

This error message indicates that there is a problem with your APNS or GCM service certificate. This is announced in ERA Web Console as one of the following warnings under MDM Core alerts:

GCM service certificate validation failed (0x0000000100001002)

APNS service certificate validation failed (0x0000000100001000)

APNS Feedback service certificate validation failed (0x0000000100001004)

Make sure you have the correct certificate authority available on your system:

APNS certificate authority: Entrust Certification Authority, need to validate certificate from;

APNS Feedback certificate authority: Entrust Certification Authority, need to validate certificate from;

GCM certificate authority: GeoTrust Global CA, need to validate certificate from

The desired certificate authority should be included in the certificate store on the MDM host machine. In a Windows system, you can search for "Manage Trusted Root Certificates". In a Linux system, the certificate location is dependent on the distribution you are using. Some examples of certificate store destinations include:

on Debian, Cent OS: /usr/lib/ssl/cert.pem, /usr/lib/ssl/certs;

on RedHat: /usr/share/ssl/cert.pem, _/usr/share/ssl/certs;

command openssl version -d usually returns desired path.

If the desired certification authority is not installed on the system the MDM Core is running on, install it. Following installation, restart the ERA MDC service.

validation-status-icon-error WARNING

Use caution, certificate validation is a security feature, so if the warning occurs in web console it could also indicate a security threat.