Error enrolling devices in profile manager!!

Similar Messages

• Can't enroll devices with Profile Manager - invalid key

  n my case I can install profiles on devices from Profile Manager page but I cannot enroll devices.
  The certificate I download to enroll is reject by my MacBook Pro Lion: Says Invalid blablabla at the end:
  Now I have done log research and I now exactly and understand why it doesn't work:
  the scep_helper daemon is supposed to listen to port 1640 TCP (which you should forward to your server by the way, if you want to be able to enroll devices) and provide the requsting client the root CA that signed the certificate. In my case, it can't find the root CAT to provide the client with so it can finalize the cert validation process.
  In my case, that's what I see in the log:
  Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/m ain.m:727 'status = SCEPGetCACert(session, NULL, 0)' = -25300
  Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/m ain.m:513 'SCEPGetCACert(session, NULL, 0)' = -25300
  Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/m ain.m:819 'challenge = GetChallengeFromSCEP(password, guid, hostURL)' is NULL
  Jul 29 02:12:44 teknologism ProfileManager[516]: Could not retrieve root certificate from open directory server.
  No , as for the bad news: I have no idea on how to fix. Have dug into scep_helper, googled etc. Not a single clue on how to check it's configuration or even why it can't find the root CA. By the way everyhting else (I really mean everything, ical,cardav,web,wiki etc.) work great. And profile manager too, it's just the enroll thingy that doesn't work. And the root CA cert is in /etc/certificates. My server a legit Class 1 SSL cert signed by a system trsuted CA (Startfiel to name it)
  I have tried with other certs etc... It's a no go.
  Can anyone help ??
  How can I add that missing CA Cert in opendirectory ?

  Here is some more infos...
  teknologism:root root# serveradmin settings devicemgr
  devicemgr:SSLAuthorityChain = "/etc/certificates/trinity.teknologism.org.C1D19D55699B48C94A18787E4F53B4C3230E 91FE.chain.pem"
  devicemgr:od_active = yes
  devicemgr:ssl_active = yes
  devicemgr:enableCodeSigning = yes
  devicemgr:updated_at = 2011-07-28 16:04:52 +0000
  devicemgr:email_delivery_method = ""
  devicemgr:CodeSigningPrivateKey = "/etc/certificates/teknologism.org Code Signing Certificate.ED29CE4BD9D2926D64E60EF7A117EFDB2213F0CC.key.pem"
  devicemgr:apns_active = yes
  devicemgr:CodeSigningAuthorityChain = "/etc/certificates/teknologism.org Code Signing Certificate.ED29CE4BD9D2926D64E60EF7A117EFDB2213F0CC.chain.pem"
  devicemgr:default_profile_created_at_least_once = yes
  devicemgr:knob_sets_enabled:com.apple.mail.managed = yes
  devicemgr:knob_sets_enabled:com.apple.vpn.managed = yes
  devicemgr:knob_sets_enabled:com.apple.carddav.account = yes
  devicemgr:knob_sets_enabled:com.apple.jabber.account = yes
  devicemgr:knob_sets_enabled:com.apple.caldav.account = yes
  devicemgr:email_authentication = ""
  devicemgr:email_port = 25
  devicemgr:email_username = ""
  devicemgr:id = 1
  devicemgr:last_modified_guid = ""
  devicemgr:SSLPrivateKey = "/etc/certificates/trinity.teknologism.org.C1D19D55699B48C94A18787E4F53B4C3230E 91FE.key.pem"
  devicemgr:od_master = "127.0.0.1"
  devicemgr:apns_topic = ""
  devicemgr:email_password = ""
  devicemgr:mdm_acl = 2047
  devicemgr:user_timeout = 43200
  devicemgr:server_organization = ""
  devicemgr:SSLCertificate = "/etc/certificates/trinity.teknologism.org.C1D19D55699B48C94A18787E4F53B4C3230E 91FE.cert.pem"
  devicemgr:created_at = 2011-07-24 11:47:33 +0000
  devicemgr:email_address = ""
  devicemgr:email_domain = ""
  devicemgr:CodeSigningCertificate = "/etc/certificates/teknologism.org Code Signing Certificate.ED29CE4BD9D2926D64E60EF7A117EFDB2213F0CC.cert.pem"
  devicemgr:email_server_address = ""
  devicemgr:admin_session = ""
  The 3 CodeSigning certs/keys are in /etc/certificates and their permissions are correct.
  Also, don't ask me why but my ProfileManager pane in Server.app is working again. It shows all the config...but can't modify anything....as soon as I try to modify it spins the waiting whell forever... I guess it's the same error as command line serveradmin...

• Cannot enroll iOS 7 devices in Profile Manager

  Hi All,
  I had some new employees start today who had already updated to the iOS 7 GM and we're having issues enrolling them into profile manager, which we use for all contacts, email, wifi configuration.
  I noticed there was a server update to OS Server 2.2.2 (running on Mac OS X 10.8.5), and ran that already, rebooted and restarted all the services.
  When a user on an iOS 7 device visits https://server.com/mydevices and hits the "enroll" option, the profile downloads, opens sytem settings as would be expected, prompts for the 4 digit passcode and then fails to install stating "This iphone/iPad is not activated".
  Thinking this may have been a developer device, I updated one of our units using the release that happened a few hours ago. Again when I try to enroll I get the same error. I've also tried loading the enrollment profile to the device using Configurator, but no luck.
  I've also added UDID based placeholders in profile manager, and no luck.
  Anyone have any suggestions?
  Thanks!

  I was also having the same issue. Fortunately it has only been one device so far. Here is what I did...
  1. I updated the server to 10.8.5
  2. I updated Server to the newest version (2.2.2)
  3. I restored the device using iTunes to a default state.
  4. At this point I was able to get the Enroll button and enroll the device.
  Now I am running into an issue with it not pushing the settings to the device. But I am testing some things to see what I can figure out. All of my other devices are working just fine.

• Purge a device from Profile Manager

  Is there a way to completely remove any record of a device from profile manager ?
  Problem: I have two phones which were managed/supervised by Profile Manager/Configurator but were then reset and deleted from Profile Manager. BUT for some reason their SIMs have been swapped so when I reinstate them on Profile Manager it gets confused as it seems to have "remembered" each phone but using its old number i.e. the number on the SIM swapped to the other phone. As a result we cannot push any settings to those phones (they do enrol though).
  Any ideas?

  You're not going crazy :)
  There were a few posts about this problem along with a fix being posted
  The fix consisted of manually purging the sim/iphone  records from the profile manager database via terminal
  From memory the method changed when mountain lion was released, the old method didn't work
  Sorry I can't find the post that referred to the fix
  This problem persisted from lion to mountain lion, I'm not sure if it's been fixed

• Error reading setting in profile manager

  Hi
  I don't know why but for no apparent reason I have started to get this error message all the time.
  Error reading settings for the Profile Manager Service.
  All very well but I do not use Profile Magaer, it is turned off but keeps throwing this error message!!!!
  I am a real Server Newbie.
  HELP PLEASE!

  only my mac (which is running the server OS) is not enrolling.
  Why are you trying to enroll your device management server in it's own device management?
  I've never tested anything like that, but I bet you can't do that...

• How can users add their devices to Profile Manager without a user account?

  We would like to allow company devices to be tracked, inventoried and managed in Profile Manager without creating a user account for each person so they can log into /MyDevices to download the mobile profiles. We aren't staffed to have someone manage user accounts as quickly as iPads are being purchased.
  If we can't do some kind of guest access, can one user, maybe called Enroll, have literally one thousand devices attached to them?
  The other alternative is to have the profiles on a small webpage with a password to download.

  the easiest way is to use apple configurator
  using apple configurator
  enable enrollment in PM
  un tick restrict to users in device library
  apple configurator should pick up your server certs
  and the PM auto enrollment profile
  setup a enrolment wifi lan
  configure your IOS devices with apple configurator adding the
  server cert and your enrolment wifi lan
  you'll still have to handle each device tapping yes to install each profile
  but you should end up with the ipads in PM with no users
  from there you can set which wifi you wish them to connect to
  eg  staff wifi, email setings, VPN etc.
  open the correct ports on firewalls to allow PM to work internaly and externaily
  and pr any port forwading as nessessary and you'll be able to wipe lock change settings outside on your network, providing the device is online.

• Devices in profile manager not showing

  I have profile manager set up and I have tried to enroll the device, but it does not show in the devices panel.  I want to use profile manager to manage the devices, not so much the users.  These macs are on a cart and they are bound to active directory and many students login to them on any given day.  I also set up a default user so that they all get the same look and cannot change any settings.  I am stumped.  I was trying to  find a log to look at but not sure where to start to trouble shoot.  Suggestions would be appreciated  I am running os x 10.7.4 lion server. Thanks

  You should probably move this post to The OS X Server part of Apple Discussions.
  https://discussions.apple.com/community/servers_enterprise_software/os_x_server
  I don't have the clearance to actually move the post.

• Lion Server app not responding(it says Error reading settings under profile manager tab)

  Hello,
  I have installed Lion server app 10.7.3 but due to some reason i am unable to use it since it gives me an error (Error reading settings)
  I have fully made server app functional also added devices but now i cant use the profile manager tab.
  Even when i try turning ON the tab it comes back to off state.
  Need help.
  Regards,
  Vikram Madhav Shinde
  <Phone number Edited by Host>

  I ended up booting to the recovery partition, erasing the hard drive, and starting over.
  All is working fine now.

• Cant see devices in My devices under Profile Manager

  When I go into the web interface for Profile Manager to see my devices all I see is the MacBook which is the server.  I have setup 10 Ipads using Apple Configurator as supervised, why cant I see them in My Devices?

  Also, when I  sign into the users portal, the only device shown is this MAC which is my server and I do not want the users to enroll and be able to wipe the server.  How can I stop the MAC server from being on the My Device list for the Users.

• How do I push VPP managed apps to devices using Profile Manager silently?

  Here is my setup.
  100 to 150 Ipads in carts used by their departments in classrooms.
  OSX Mavericks Server running Profile manager
  I use Apple Configurator to push a wifi payload to the ipads as well as an auto enrollment profile to connect to Profile Manager.
  That part works like a dream.
  Now that I have that working. I am having a problem pushing apps to the Ipads. I downloaded some free apps, GDrive for example, using the managed distribution.
  But I cannot figure out how to push the apps to the iPads without having the iPads asking for an Apple ID and password.
  I just want to push VPP apps to the iPads silently.
  Thanks for any help.

  Sorry. Added this to the wrong section.

• How to rename registered devices on Profile Manager

  When we use the Profile Manager for our iPad control, we can not select the each iPad to rename them . Is there any way we can rename the devices in Server side? Would you advise us how we can configure in Server side for allowing to rename them?
  We use OS X:10.9.5/iOS:8.1/Server:3.2.2

  You can only rename supervised devices with the profile manager.
  All other devices will not show the Rename option at the Devices section.
  The users can rename the devices and the new name will be shown after executing "Update Info" at the profile manager. I don't know any other way, with the exception of using the Apple Configurator.

• Can an IOS device be enrolled through profile manager when the server is set as .private?  If so what steps?

  I have my server set as server.xxxxxx.private, and need to know if it is possible to enroll it using profile manager.  I assume this would have to be done when the IOS device is on the same network, and subsequently the DNS server would have to be added to the WiFi configuration.  When I do this it tells me that Safari can't open the page.  I manually installed the self signed certificate.

  Same issues here.
  Buggy as ****..
  Also after some time, the Profile Manager PAne doesn't even fill in Server.app.....stays at Loading...
  Nevertheless, the service itself works with the bug you outlined, plus enroll is impossible for me (check my post here: Can't enroll devices with Profile Manager - invalid key  )
  I hope all these get fixed in 10.7.1   !!!

• Set or Change Device Name in Profile Manager

  Hello,
  Is it possible to set or change the device name of an enrolled device using profile manager?
  I notice WGMs old 'Set computer name to computer record name' is still there under Login Window options, but I couldn't find away to actually change the record name.
  Am I missing something obvious?

  The only way I have found to change the device name in Profile Manager is to change it on the device itself, then wait for the updated info to reach PM.
  The option to "set the computer name to computer record name" will set the computer name to the name of a computer record that matches in Open Directory (based on MAC). This option would allow you to change the device name in Profile Manager in a round about way... change the computer record name in OD, wait for the change to make it's way to the computer, then back up to the Profile Manager. In my experience, this doesn't take too long.

• Profile Manager Device Pending

  Hello. I am new to OS X Server and have come up against a problem with profile manager. I can enroll devices into profile manager but when I try and do anything (e.g. move them into a device group or update info) the task sits in active tasks as pending.
  I am not sure where to even start debugging this. I am running OS X Server 3.1.2 and OS X 10.9.4.
  Any help would be great.
  Richard

  We could solve this by opening the firewall for some ports (443, 1640, 2195, 2196, 5223, ) and ip addresses (17.0.0.0/8). Have a look at
  OS X Server: Ports used by Profile Manager
  Start Profile Manager

• Got Profile Manager working with Mtn Lion, but Apple's new deployment methodology has complicated things substantially - need help!

  Hello,
  We recently (a month or so ago) were able to set up OSX Server/Profile Manager/Workgroup Manager on Mtn Lion, and deploy to Mac desktops (deploy 802.1x settings and certs)
  When we upgraded the OSX Server to Mavericks, everything changed - PM is different in this version.  In order to enroll devices in PM it seems you need a Device Enrollment token, to get one you need to export a public key & add it to an MDM server on Apples website & in order to do that you need to create an account with Apple.  To create that account you need your Apple Customer # & a ‘work email address’ that is not already used.  Then you have to fill out a form & wait for Apple to approve it.
  We have plans to utilize MDM at some point in the future, but for now, Profile Manager works fine - are we forced to utilize MDM in order enroll devices using profile manager with Mavericks/OSX Server 3.1.1?
  Thanks for any and all help,
  -Drew

  Can anyone help with this?
  Do I *have* to use MDM with OSX Server 3.1.1 in order to use PM?
  Thanks,
  -Drew