Dns problems setting up profile manager

Similar Messages

• Problems setting up Profile Manager

  Hi everyone,
  I've got 35 iPads in one room and I'd like to be able to configure them to use Profile Manager. I am running OSX 10.7.3 and all the tools are up to date.
  I cannot get Profile Manager to run on the iPads. Here's what I've done so far:
  - Enabled Profile Manager on the server
  - Created a Self-Signed Certificate using Server.app
  - Able to login to Profile Manager via the browser
  I am stuck on the next part which is enroling the devices to Profile Manager. When I login to profile manager on the iPad, I get the option the "Enrol" the iPad, when I click "Enrol" I get the following error message:
  "Unverified Profile" - "The authticity of "Device Enrollment" cannot be vertified. Installing this profile will change settings on your iPad.". I select 'Install Now', enter my passcode and I get this error: "The server certificate for "https://servername.domain/devicemanagment/api/device/ota_service" is invalid. When I press OK, I go back to the "Install Profile" window.
  Has anyone had this issue before or know what's causing it? I suspect it's to do with certificates but I have created a Self-Signed one - do I need to do something else?
  Thanks is advance,
  Morgan

  I had a similar issue before.  I had changed the cert so many times that my keychain started having issues; ended up reformating the drive and reinstalling server.
  I set my server up with a public domain and bought a UCC certificate from go daddy.  Spending the money on a cert does bypass installing the whole trust profile as TeenTitan said.
  Here's how I did it:
  Setting up w/ Signed CA:
  Establish your host name (ex. server.domain.com)
  Don't turn on Profile Manager before setting up certs
  Open Server.app, click on your server under "Hardware"
  Go to "Settings"
  Click on "Edit" next to SSL Certificate
  In the drop down screen click the gear wheel in the left corner, select "Manage Certificates"
  Click the "+" in the window, Click "Create a Certificate Indentity"
  In the Name field type in your servers host name (ex. server.example.com)
  Click the check for "Let me override defaults"
  Fill out the next two windows with your organization's info
  Click through the next few windows leaving all the defaults until you get to the window labeled "Subject Alternate Name Extension"
  In the "dNSName" field add the the following records: yourdomain.com; server.yourdomain.com; www.yourdomain.com; autodiscovery.yourdomain.com (you could add more if you plan on hosting mail, address book, etc..)
  IMPORTANT- make sure you add those "dNSName"  addresses as Alternate name extensions when you are creating your SSL cert from an Authorized CA issuer like GoDaddy for example.
  Click continue and finish creating your self generated cert
  When you are finished you will return back to the Manage Certificates window and see your newly self generated SSL cert. 
  Click on the gear wheel and select "Generate Certificate Signing Request (CSR)"
  Copy the following text
  Close the window
  Next, you need to go to your CA issuer and generate your cert.  Copy the text into the field for generating your own SSL cert.  (Your milage may vary in this process; I only know how to do it in GoDaddy)
  After creating your cert, download it from your CA issuer's website.  You should have two files, one being your "gd_intermediate.crt" and the other "yourdomain.com.crt"
  Go back to the Settings section in Server.app and select "Edit" in "SSL Certificate" section
  click the gear wheel icon and select "Manage Certificates"
  Highlight your self genereated ssl that you created in the last steps
  click the gear wheel icon and select "Replaced Certificate With Signed Or Renewed Certificate"
  drag the "gd_intermediate.crt" that you downloaded into the window
  Allow the keychain to add the record
  Close Server.app
  Open "Keychain Access" in your App folder
  Click the lock in the bottom left corner and authenticate
  In the top left pane select, under Keychains, "System"
  in the bottom left pan, under Category, select "Certificates"
  Drag the "yourdomain.com.crt" file that you downloaded from you CA issuer
  Close keychain
  Go back to Server.app in the settings section
  select your newly generated SSL cert as your primary cert
  Next, Enable Apple Push Notifications
  Go to Profile Manager
  Configure your directory services  (I created an Open Directory Master)
  Click Sign configuration profiles and choose your new SSL cert
  Finally, turn on Profile Manager and if all goes well, you should be able to add your devices. 
  Hopefully this is helfpful; these were the steps I took to get my server going with a public address. 
  Other Info:
  iOS devices enrolled had iOS 5.0.1 or higher (Models 3GS, 4, 4S)
  I had ports 1640 & 2195 open for Profile Manager on my router
  OS X Lion 10.7.3
  Lion clients enrolled were 10.7.2 and up

• HT201334 How does one set up profile manager on a completely closed network with no Internet access available or even possible?

  I need to set up Profile Manager on a completely closed network that has no Internet access at all. I can sneaker-net files into the network if I need to.
  Profile Manager (and Lion Server in general) seems to need outside access to complete setup and I've been unable to find any meaningful answers.
  Does anyone any any ideas?
  Thanks to all

  you could try it without enabling apple push notifications in server
  you wont' be able to push out profiles without enabling apple push notification
  but users could download them, or you could install manually, e-mail etc

• Error reading setting in profile manager

  Hi
  I don't know why but for no apparent reason I have started to get this error message all the time.
  Error reading settings for the Profile Manager Service.
  All very well but I do not use Profile Magaer, it is turned off but keeps throwing this error message!!!!
  I am a real Server Newbie.
  HELP PLEASE!

  only my mac (which is running the server OS) is not enrolling.
  Why are you trying to enroll your device management server in it's own device management?
  I've never tested anything like that, but I bet you can't do that...

• Problems setting up release management

  Hi I am running into problems in setting up Microsoft Release Management. I have 2 domains. My tfs (separate server), release management server and release management client (both on single physical server) are in domain1 and deployer is in domain2 in Azure
  VM. I am using a VPN tunnel to connect release management server, release management client and deployer. They connect with each other nicely. The problem comes when I add reference to tfs in release management client. TFS fails to verify. Now
  the user I am using to connect has Make requests on behalf of
  others' permissions so that is not the issue. I get TF400324 error. I even used wireshark to troubleshoot but it looks as if release management
  client is not even trying to connect. I can access tfs url via web browser with vpn connected from machine on which release management client is running. when  Now if I disconnect the vpn and try to verify tfs from release
  management client it works. Does release management client supports connecting via ipv6 tunnel?

  Hi abhijitdamle,
  I'd like to know how do you connecting via ipv6 tunnel, and when you get the error(without vpn connection?) . If your machine can be access via HTTP/HTTPS, then RM client can also be connected. For your situation, seems you got the
  issue resolved after using vpn.
  If you have other concerns about the error, you can also check the methods below to see if it works for you:
  1. Check the permission of the user account you use, make sure it has the permission of "make requests on behalf of others"
  2. Clean team foundation cache on your RM client machine
  3. Check the team project collection url to ensure it's input correctly, or use the solution on this
  page
  Best regards,

• Problem setting provisioning profile in Simulator mode in XCode 3.1

  Hi all
  We have a problem compiling our project after updating XCode to the newest Version (XCode 3.1 and SDK 2.1).
  It's now impossible to select out provisioning profile for the "Simulator | Debug" Settings. "Device | Debug" works perfectly.
  What we do: Under Project Settings - Code Signing Provisioning Profile" we select our profile. This works under "Device Settings" but not under "Simulator Settings".
  Prior to this version we had no problems.
  Anybody had a similar problem and could give us any hints?
  Thanks in advance
  Daniel

  I had similar problems: my solution is that I run in Simulator mode with the default provisioning profile (not my profile, the one that you get when you reset the Code Signing Provisioning Profile parameter). I then use my own profile for distribution (even though I only succeeded in building with Active SDK = iPhone OS 2.1).
  As regards the Debug mode, it looks like it works as simulator, with the default provisioning profile, but in the build log it seems to hook my profile in some way.
  Anyhow, there is definitely something weird in the new SDK 2.1.

• Profile Manager problems: enroll fails, organization name NULL

  At the moment I have 4 VM's running OS X Lion Server. All four are running different services.
  I have one OD Master, and 3 OD replica's. On one of the three replica's I am trying to setup Profile Manager.
  Two problems came up:
       1. Organization is set to NULL instead of my Domain.
  Jan 24 17:13:45 laelaps scep_helper[2165]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-702.13/scep_helper/m ain.m:1084 'org' is NULL
  My Trust Profile is listed as Trust Profile for. No additional name is attached.
       2. Devices fail to enroll even after installing the trust profile. If I install the trust profile they state that the SCEP Server is invalid.
  Any advice on those two problems?

  The solution turned out to be simple, but much work.
  I destroyed the OD. Reinitialized the server that was - according to my planning - be serving Profile Manager as an Open Directory Master, configured the other servers as replica's, yet the 'org' NULL did not go away.
  The enrollment was succesfull thanks to Jonathan Melville's solution.
  After that I completely reinstalled the four servers. Made the server that was supposed to be serving ProfileManager the directory master. The three other servers were configured as replica's. Set up Profile Manager and it worked out as it was supposed to.
  The morale of this story: Server Admin does not set the organisation correctly. If you create the Open Directory using Server.app it will set this correctly. So make sure you use Server.app for the Open Directory creation. Replica's can - and have to - be done by the Server Admin.
  Thanks for the help Jonathan Melville, your shot at masters and replica's was correct.

• How to set a profile to a system profile in Profile Manager on Server Mavericks

  We're trying to create a profile to allow wifi connection to allow AD logins. We have 802.1x PEAP network and we are able to set the profile up but it does not connect until after an user signs in. I know that there used to be a setting in Profile Manager to set the type (User, System or Login Window) but I can't seem to find it now. I know I could edit the profile code but I'd rather not get mucking around in there unless absolutely necessary.

  You posted in the iPad forum instead of the OSX Server forum. To get answers to your question, next time post in the proper forum. See https://discussions.apple.com/index.jspa  I'll request that Apple relocate your post.
   Cheers, Tom

• Is there a way to reset Profile manager to the default settings (i.e.) like it was never set up without reinstalling?

  I recently set up profile manager wrong and need to reconfigure it. Any Ideas?

  Brilliant! Thank you. To get this working in my case, I need to make a few tweaks to the commands:
  sudo su -         #Since I have a different ruby install avaliable to my local user and that breaks things.
  cd /usr/share/devicemgr/backend
  serveradmin stop devicemgr
  serveradmin start postgres
  RAILS_ENV="production" rake db:drop
  RAILS_ENV="production" rake db:create
  RAILS_ENV="production" rake db:migrate
  serveradmin start devicemgr

• Argh! Profile Manager and Code-Signing of profiles

  I am setting up Profile Manager in Mavericks with Server.app 3.0.1.
  I have DNS correctly setup, I have created an OD Master for Profile Manager, Profile Manager is running and network users can login and I can setup profiles. I also have the https site working properly for clients although that needed some help.
  We have a self-signed root CA and off that we have two intermediate CAs, one for signing server SSL certificates, and one for signing codesigning certificates. On my server I have installed the rootCA, and the intermediate CAs and of course the server SSL certificate itself. As mentioned initially I had a problem with the https site on the server and what was happening was that the server was not sending the intermediate certificate along with the server certificate to clients. (The clients already have our rootCA certificate installed and trusted.)
  As a result the chain was incomplete and clients did not trust the http site. I tracked this down to the files in /etc/certificates it turned out that of the four files for the server certificate i.e. .key.pem, .chain.pem, .concat.pem and .cert.pem that the .chain.pem did not contain the intermediate CA. I replaced it with the intermediate CA pem file and restarted Apache and clients now get the full chain and can therefore trust the https site.
  My problem now is with the codesigning certificate, this also has been selfsigned this time by the intermediate codesigningCA. It is accepted by Profile Manager and it does sign the profiles. However when I download the Trust profile and try installing it, it comes back unverified. (If it was unsigned it would say unsigned instead.) This trust profile contains a copy of the server certificate and the rootCA certificate but does not contain the intermediate codesigningCA certificate.
  I tried the same trick of swapping out the codesigning .chain.pem file in /etc/certificates but this did not help. I am currently stuck, any suggestions from any one?
  Thanks.

  I would really appreciate being walked through these steps. I just upgraded to Yosemite and Server.app 4 and am dealing with all the brokenness.
  Profile Manager does not show a code signing certificate when I ask it to sign configuration profiles.
  I DO NOT have the Code Signing Certificate in my keychain created when OD was created.
  I DO have the four code signing certificate files:
  /etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.cert.pem
  /etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.chain.pem
  /etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.concat.pem
  /etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.key.pem
  Furthermore, when I search my System keychain passwords, for <UUID hash>, I see that have the password that decrypts these pem's, e.g. via the openssl command
  openssl rsa -outform der -in 'host.domain.tld.Code Signing Certificate.<UUID hash>.key.pem' -out 'host.domain.tld.Code Signing Certificate.<UUID hash>.key'
  What's the specific step-by-step to convert these four files into something that Profile Manager can use to sign configuration profiles?
  I am stuck.

• Why can't I turn profile manager on?

  I just downloaded Lion Server and I am a complete novice. There is a pretty good chance I am doing something wrong, but basically I am trying to set up profile manager so I can get VPN access from my Mac at work to my network at home. From what I understand, profile manager can make this happen with ease, but for whatever reason I cannot turn profile manager on. It says its on in Server.app, but when I click to get to the web interface, it says the service is turned off. Anyone have any advice on how I can resolve this problem?
  Thanks in adavnce.

  Have you tried connecting with HTTP instead of HTTPS?

• Color profile management across LR and ps CS4

  Problem the same file when sent from LR to cs4 for fine tuning looks totally different its color.
  Therefore I'd like some advice on how to setup my color profiles for my monitor, LR and Photoshop CS4.  I shoot with Canon and the last articles have been advising to go with the Prophoto profile for it's large spectrum.
  I can set the monitor and CS4 to that....but what is LR's profile.  I can't even FIND the default.  I'm sorry.  I've poked around and poked around.
  I don't have any problems setting the profiles for printing....that part I got.
  I only used to use photoshop and didn't have these issues...but I'd like to get the programs sync'd.
  My OS is Vista.....shortly to be WIndows 7.
  Thanks in advance.
  janet

  No, the problem is that lots of monitors install profiles that have a
  corrupt perceptual rendering intent. This is very strange but unfortunately
  true. Especially Dell and Samsung monitors have this issue. Lightroom uses
  the perceptual intent if present and Photoshop uses relative to render to
  the display profile. This is only an issue on windows machines and you can
  check whether this is what is causing your problem by going to your
  monitor's properties dialog and clicking on the color management tab. There
  you should delete any profile you see. This will make windows assume that
  your monitor is sRGB and should make Lightroom and Photoshop render
  identically. This is only a test. Both will render the image wrong since
  your monitor is unlikely to be exactly sRGB. The ONLY way to get correct
  color in any program whether it be Photoshop or Lightroom is to calibrate
  and profile your monitor using one of the hockey puck calibrators. You can
  have a reasonable one (Spyder 2 or Huey Pro) for under $100. Better ones are
  $150 to $250 and often include printer profiling too. The cheapest ones do a
  very good job already if you're not too extremely critical.
  Note that we have seen literally hundreds of issues like this on this forum
  all caused by bad monitor profiles. People only noticed that this was
  happening because they compared Lightroom to Photoshop and saw a difference.
  They were having bad color in every app before already.

• How to get Profile Manager working over the internet?

  I've set up profile manager at home and it work great on my local network. Now I wanted to make it work over the internet but I can't figure out how to do so. I've already opened the required ports. When I try accessing the User Portal trought my <external ip>/mydevices it asks me whether I trust a certificate or not, but when I choose "ok" it keeps requesting the URL forever until it times out. Am I required to have a registered domain name to access my server or I can just use my external IP ? Is there anything else I should do in order to have it working?

  First off, you say you've opened 'the required ports', but which ones are they, in your opinion?
  That may sound like a dumb question, but it isn't meant to be. You'll need port 443 to support HTTPS connections, and 1640 for the Certificate Enrollment server.
  Additionally, you WILL need a valid domain for this - at least if you don't want authentication errors. SSL certificates rely on the hostname (amongst other things) to provide validation and if you access the site via IP address that validation is doomed to failure. That shoudkn't lead to the problem you're experiencing, which is no response at all, but it's still an issue to resolve.

• Firefox won't start; no error message; profile manager also won't start. What can I do?

  Suddenly, firefox won't start. I get no error message--it just won't open. System restore to a month before the problem did not help.
  From the suggestions on this page: http://support.mozilla.com/en-US/kb/Firefox%20will%20not%20start... I did not recently install add-ons or clean the registry, so I think it may be a profile problem. But profile manager will not open--only a tiny window with a white rectangle and no text.
  I would like to not lose all my bookmarks. And I would like to continue using Firefox.
  What can I do?

  dmcritchie, thank you for your reply!
  Before I received your response, I tried something that seems to have worked. I used Chrome to go to the Firefox website and downloaded Firefox (without uninstalling it first) and went through the installation process again. For some reason, this worked, even though I already had the latest version of Firefox, and I can now open Firefox successfully.
  If it stops working again, I will try your suggestion. In the meantime, thank you much!

• Profile Manager Settings for Group does not display for individual members of the group

  Hi there,
  Can anyone confirm whether I am going mad or not, I and new to Mac Server and have set up Profile Manager on OSX Mavericks from scratch and have been using it successfully to deploy enterprise iPads. I have just gone to edit the profile as we wish to increase the timeout time to locking and have been greeted with something strange.
  We have all users in a Group which has settings applied for timeout, pass code change etc. however if I go to an individual account who is part of that group then it isn't showing any settings for that user and it would appear I need to set them again. Similarly if I go to a device belonging to a member of the group then its not showing any settings for that device.
  I would have assumed that if you set restrictions for a group then when you view the restrictions for a member of the group then it would be the same however it appears that you can have a separate payload for a group. Is this the case?
  I am grateful for any advice people can give me.
  Thanks again.
  Rob

  I would have assumed that if you set restrictions for a group then when you view the restrictions for a member of the group then it would be the same
  That was never the way it worked in older versions of 10.3, 10.4, 10.5, 10.6 Server.
  The restrictions for a Group were shown for a Group. The restrictions for a User (alone) were shown for that User.
  And the advantage is that if you see something wrong for a single user, you might be tempted to fix it there, in that user, and when you had changed six of them, you might remember that you meant that to be a group setting after all.
  And the software to implement them separately is simpler, but YOU have to test it to find out the end results of compositing Group and User settings.