logo
Welcome to Zip
/
FAQs & Troubleshooting
/
Troubleshooting the Zip Console

Understanding Provider Failing Health Checks

In your Zip console, under the ‘Organization Settings’ you will see a tab named ‘Providers’ which gives a view of all the of the third-party providers that are connected to your Zip console. This will likely cover the IdP, MDM and EDR tools that your organization are using.
Image without caption
Along with the list of each provider, we have provided some information to help you understand that everything is working correctly, or to flag where something needs to be addressed. The two columns to assess:
  1. Health Check - indicates if there is an error that needs to be addressed
  1. Licenses in Use - counts the number of licensed assigned to users (in the case of Windows licensing).

Addressing License Counts

It is important to confirm that you have enough available licenses for all the users in your organization. You will also be notified via the Notification center if you are running low on Microsoft licenses. If this is the case, refer to the following documentation on purchasing additional licenses here.
As a reminder! If Zip is your license reseller, you do not need to take any active steps in purchasing new licenses, we will do this on your behalf.

Troubleshooting Provider Health Checks

Jamf

  1. Unmanaged Devices
    1. Devices can occasionally be marked as “unmanaged,” meaning they appear in Jamf but can’t be managed.
    2. If this fails, check our our documentation here.
  1. Jamf API Credentials Username
    1. Confirming that we have the ‘zip-service-account’ set up to access customer jamf account.
    2. If this fails, please reach out to info@zipsecinc.cc for us to investigate.
  1. Jamf API Permissions
    1. Confirming ‘zip-service-account’ has admin access
    2. If this fails, please reach out to info@zipsecinc.cc for us to investigate.
  1. Jamf API Ajax Interface is Available
    1. The Jamf API Ajax interface is needed to take certain actions on devices.
    2. If this fails, please reach out to info@zipsecinc.cc for us to investigate.
  1. Jamf Cloud Distribution Service Available
    1. The Jamf Cloud Distribution Service is needed to upload packages to Jamf Pro.
    2. If this fails, please reach out to info@zipsecinc.cc for us to investigate.
  1. SSO Configuration
    1. Confirming that SSO configuration has been set up
    2. If this fails, please reach out to info@zipsecinc.cc for us to investigate.
  1. User-Initiated Enrollment
    1. Allow users to enroll their computers themselves
    2. If this fails, please reach out to info@zipsecinc.cc for us to investigate.
  1. SSO IdP Certificate Not Expiring Soon
    1. Follow the steps in the corresponding documentation to update the identity provider’s certificate (Note: ensure that the previous certificate is deleted after updating):
      1. Google Workspace: https://support.google.com/a/answer/7394709?hl=en#
      2. Microsoft Entra: https://support.jamf.com/en/articles/11963086-renew-saml-sso-certificate-in-jamf-pro-with-entra-id
      3. Okta: https://help.okta.com/en-us/content/topics/apps/manage-signing-certificates.htm
    2. If you have access to the Jamf portal, upload the updated metadata:
      1. In the Jamf console, navigate to Jamf > Settings > Single-sign on > Edit
      2. Delete the existing metadata file
      3. Upload the updated metadata
    3. If you do not have access to the Jamf portal, send an email to info@zipsecinc.cc requesting to update the Jamf SAML metadata, with the updated metadata included, and we’ll make the update.
    4. Further Jamf SSO documentation can be found here
  1. SSO Certificate Not Expiring Soon
    1. This health check pertains to the signing certificate used to sign SAML messages from Jamf Pro to your identity provider. Zip does not add this certificate, so you should only encounter this health check failing if you configured SSO yourself.
    2. In Jamf, go to Settings > Single sign-on. Under SAML IdP Options > security, you should see Signing Certificate Information. Click Delete Certificate.
    3. You can now click to generate a certificate with Jamf or upload your own certificate. Download the certificate and click Save.
      1. If you use Entra:
      2. Log into the Microsoft Entra admin center. Go to Enterprise apps and click into the app you created to configure Jamf SSO.
      3. Click into the Single sign-on section.
      4. In the second part of step 3, Verification certificates (optional), click Edit.
      5. Check the box next to Require verification certificates.
      6. Click Upload certificate and select the certificate you downloaded from Jamf.
      7. Click Save.
    4. If you use Okta:
      1. Log into the Okta admin console
      2. Go to Applications > Applications > click into the app configured for Jamf Pro
      3. On the General tab, go to SAML Settings and click Edit
      4. Click Next to go to the Configure SAML step
      5. In part A, click Show Advanced Settings
      6. For the field Signature Certificate, click Browse Files and select the certificate you downloaded from Jamf.
      7. Click Next and then Finish.
  1. ABM Terms and Conditions
    1. ABM Terms and Conditions must be signed to enable Automated Device Enrollment.
    2. Please log into Apple Business Manager using an admin account. The terms and conditions will appear as a pop-up when you log in.
  1. Automated Device Enrollment Not Expiring Soon
    1. One or more Automated Device Enrollment instances in Jamf have expired or will expire soon. Please follow these instructions to renew it and continue syncing devices from ABM to Jamf: https://learn.jamf.com/en-US/bundle/jamf-now-documentation/page/Renewing_An_Expiring_Apple_Deployment_Program_Certificate.html.
    2. If you do not have a Jamf account, please contact Zip for assistance at info@zipsecinc.cc.
  1. APNS Connection Healthy
    1. Navigate to Jamf > Settings > Push Certificates to check if your Apple Push Notification Service (APNS) certificate is revoked or expired.
    2. If it is, please follow these steps to create a new certificate: https://learn.jamf.com/en-US/bundle/jamf-pro-getting-started/page/Creating_a_Push_Certificate.html.
    3. If you do not have a Jamf account, please contact Zip for assistance at info@zipsecinc.cc.

Google Workspace current health checks:

  1. Google API Permissions
    1. Confirm that the correct permissions have been granted in Google Workspace to enable Zip to report correct.
    2. Why it could fail:
      1. If you haven’t enabled all the controls, you’ll get an error message. Check these instructions to ensure they are all enabled.
      2. Note! Some health checks are ‘optional’, and will flag as ‘failing’ if they are not enabled, (even though they may not be required). Again, check the instructions above to confirm.
  1. Google API Access
    1. Why this could fail:
      1. The permissions required to access your Google Workspace may have changed. please reach out to info@zipsecinc.cc for us to help troubleshoot.
  1. Google Chrome Browser Management Enabled
    1. If you have not purchased Chrome Browser Cloud Management, then you can dismiss this notification. If you have purchased it, please reach out to info@zipsecinc.cc for us to help troubleshoot.

Intune current health checks:

  1. Microsoft Graph API Permissions:
    1. Confirm that the API permissions are healthy — which means the integration between Zip <> Intune is healthy.
    2. To resolve:
      1. The easiest way is to re-consent to the permissions through the Zip console following the steps here. Instead of creating a new provider, you’ll be selecting the existing Intune provider and clicking ‘Edit’.
      2. If you set up Intune with the legacy app registration connection, the easiest option is still to follow the step above. If you’d prefer to continue with the legacy connection, you can instead ensure that permissions are correctly granted via the runbook in steps 5 and 6.
      3. As a note, if there have not been any E3 security licenses purchased yet, any permissions that relate to device management are going to show as failing. If this is the case, follow the steps above to resolve license purchasing.
  1. Microsoft Graph API Credential Not Expiring Soon:
    1. This will turn unhealthy if the API creds are expiring soon. Please refresh the Zip Service Account credential in Entra.

Entra/Azure current health checks:

  1. Microsoft Graph API Permissions:
    1. Confirm that the API perms are healthy — which means the integration between Zip <> Entra is healthy.
    2. To resolve:
      1. The easiest way is to re-consent to the permissions through the Zip console following the steps here. Instead of creating a new provider, you’ll be selecting the existing AzureAD provider and clicking ‘Edit’.
      2. If you set up AzureAD with the legacy app registration connection, the easiest option is still to follow the step above. If you’d prefer to continue with the legacy connection, you can instead ensure that permissions are correctly granted via the runbook.

CrowdStrike current health checks:

  1. CrowdStrike Portal Users
    1. Confirming that a team member has been added to access the CrowdStrike portal
    2. What to do: reach out to info@zipsecinc.cc for a user to be added.

Email Alerts current health checks:

  1. Invalid Email
    1. This health check confirms that the emails entered to receive alerts are valid emails.
    2. If it fails, please confirm the emails are correct by re-entering them in the provider configuration. If this doesn't resolve the issue, contact info@zipsecinc.cc.
  1. SendGrid Down
    1. Checks if SendGrid, which email alerts are sent through, is experiencing a service outage.
    2. If this is failing, you can check SendGrid for more information on the outage.

Slack Webhook current health checks:

  1. Slack Webhook Valid Format
    1. Checks that the Slack webhook matches the expected format, https://hooks.slack.com/services/T_____/B_____/___________.
    2. If this is failing, please try entering in your webhook again.
  1. Slack Webhook Accessible
    1. Checks if your webhook can currently be reached
    2. If this is failing, please try entering in your webhook again.
👋
Questions? Here’s how to reach us:
  • Email: info@zipsecinc.cc
Gmail: Emails Not Sending from Zip
Troubleshooting CrowdStrike
Powered by Notaku
Share
Content
Understanding Provider Failing Health Checks
Addressing License Counts
Troubleshooting Provider Health Checks
Jamf
Google Workspace current health checks:
Intune current health checks:
Entra/Azure current health checks:
CrowdStrike current health checks:
Email Alerts current health checks:
Slack Webhook current health checks: