Android 10 and higher devices will not enroll while older OS devices enroll successfully

  • 7025094
  • 30-Apr-2021
  • 01-Jun-2021

Environment

ZENworks Configuration Management 2020
ZENworks Configuration Management 2017 Update 4

Situation

Android devices with OS 10 or higher will not enroll.  Older Android OS 9 devices and non-Android devices work properly.

ZAPP logs gathered from the device and a stack trace show the following error:
"Caused by: java.security.cert.CertificateException: Signature uses an insecure hash function: 1.2.840.113549.1.1.5"

Resolution

Android OS 10 and higher devices will not function if the Certificate Authority certificate is signed with SHA-1 while the server certificate is signed with SHA-256. The entire chain is checked when a certificate is validated. Therefore, if any certificate in the chain uses an insecure algorithm, the certificate is not trusted. When the server certificate uses a stronger signature hash algorithm than the Certificate Authority, the certificate will not be trusted and the device will not enroll.

The only solution to this situation is to remint the Certificate Authority. This process should not be taken lightly and requires adequate planning to ensure that all devices communicate properly both during and after the remint. Contact Micro Focus Technical Support to confirm this scenario and review the process.

Once the Certificate Authority is reminted and confirmed to be SHA-256, all Android devices should register correctly.