Recently, I was prompted to sign in again with my managed Gmail app on my Android device enrolled as Android Enterprise.
The mail profile was pushed from my AirWatch UEM console, and we have Secure Email Gateway (SEG) set up to proxy the mail traffic to our Exchange on-premises environment. Knowing that my AD credential has yet to expire, I double-checked my password under Email setup before clicking Next. Afterward, I encountered the error message Can’t reach the server. I tried restarting my Android device and/or re-pushing the mail profile, but neither one makes a difference.
After consulting with VMware support, I was referred to this KB which helps with my root cause analysis. As you can see in my UEM console, there are two device records for the same device: one is Enrolled and the other one is Unenrolled.
Under EMAIL > List View, I also see duplicate records of the same device for mail sync. Thus, what seems to be happening is that the mail sync request might have come from the Unenrolled device and it was blocked as a result (with letter ‘E’ under the Reason column.)
Per this KB, duplicate records for the same device in the UEM console is expected due to changes made to generate the UDID. Either way, there’s not much we can do to avoid duplicate device record from being created (unless you restrict user from un-enrolling his/her Android device through the Intelligent Hub app.)
To address this mail sync issue, we will have to delete the Unenrolled device record under DEVICES > List View. This will also remove the duplicate record under EMAIL > List View. Afterward, you may also need to re-push the mail profile for mail to sync again.
I thought removing the Unmanaged Device under EMAIL > List View might work as well which will also preserve device history of the Unenrolled device (i.e. for audit purposes). However, VMware support advised this would not solve the issue as the problem is the EAS ID and not the device UDID. Thus, cleaning up the Unenrolled device record under DEVICES > List View is the only way to rectify this issue.
To see this option mentioned above, you would have enabled the applicable email compliance policy as shown below.
If this in fact is an unmanaged device, to delete you would first select the unenrolled device and then select Remove Unmanaged Device under ADMINISTRATION.
Enter the key code as prompted to complete the removal process.