Lion Server - MDM setup - Error in device enrollment

I have a Mac server (10.7.5). I configured it with an internal static IP and did not configure DNS.
It looks like this:
Primary address     = 10.300.40.90
Current HostName    = 10.300.40.90
DNS HostName        = 10.300.40.90
I set up Profile Manager using a self-signed certificate as explained on this site: "http://krypted.com/iphone/configuring-using-profile-manager-2-in-os-x-mountain-lion-server/".
When I try to enroll a device (iPad and Mac) I get the following error:
The profile “Remote Management (com.apple.config.10.300.40.90.mdm)” could not be installed due to an unexpected error.
What should I do to resolve this error? Do I need DNS to resolve this issue?
Thanks for your help.

Finally I found the solution for the MDM: after doing some research with Apple Configurator and the iPhone Configuration Utility, I came across Profile Manager after installing Mac OS Server, and I am able to manage, configure, remotely access and send commands using push notifications.

Similar Messages

  • Is there any alternate solution for MDM setup without following Device Enrollment Program (DEP) ?

    Hi,
    Is there any alternate solution for setting up the MDM process without following the Device Enrollment Program (DEP), managing the devices through our own setup controlled from the server? Please let me know.
    Thanks for the help.

    Finally I found the solution for the MDM: after doing some research with Apple Configurator and the iPhone Configuration Utility, I came across Profile Manager after installing Mac OS Server, and I am able to manage, configure, remotely access and send commands using push notifications.

  • Lion Server Profile Management error reading settings

    After starting up Lion Server the Profile Management pane showed an error. It is also not possible to log in via the browser to Profile Manager. How can I fix this? Using the default httpd.conf file did not help.
    This is one of the many problems I have with Lion Server that does not work as expected. So if someone has a solution to remove all profile settings from my client MBP, then I can try to revert back to Lion on my server also.
    I hope this question is also read by someone at Apple, as this is not the quality I expected from Apple. It lacks decent documentation and the setup of Portable Home Users is not possible. I thought Apple products were self-explanatory and intuitive. This reminds me of the old Windows days: sitting for days to figure it out and using a lot of terminal commands.

    Did you ever find a resolution? If not, then this might help: Server: An error with code -1 occurred while setting up Device Management

  • Mountain Lion Server Profile Manager error

    I recently set up a Mountain Lion server (10.8.2) to manage multiple iPads and Macs with Profile Manager in a PC-oriented Active Directory environment.
    I setup an SSL certificate and bound to the organization's active directory (with Directory Utility) and that all works fine.
    We are now simply trying to assign the rights to individual users to use Profile Manager and running into trouble.
    Using the Server app, we click on a user (or group) and then go to assign rights (with the gear menu).
    The list of items to assign is supposed to come up.
    Instead the list never comes up.
    Can anyone shed any light on what we have to do?

    What are you trying to do?
    Assign which users can use Profile Manager's web interface,
    or restrict which users can and can't have devices registered to their name in Profile Manager?

  • Microsoft SQL Server 2014 Setup error: Wait on the Database Engine recovery handle failed

    Hi,
    Having this annoying error trying to install SQL Server 2014 (RTM). I saw it's been asked several times... but each post seems to have a different cause and no definitive answer...
    I'm not doing an upgrade, so no "sa account" issue.
    Tried different media. Even three different distributions: trial, Standard and Enterprise.
    Tried disabling Microsoft antivirus/firewall.
    Of course tried restarting, updating, installing, uninstalling, repairing, etc., etc.
    I noticed the users folders under C:\Users weren't created. (Maybe something related to permissions?) After playing around, I managed for the users to be created and the service started. Though I couldn't log in.

    Summary for last "repair" attempt:
    Overall summary:
    Final result: Failed: see details below
    Exit code (Decimal): -2068578302
    Start time: 2014-04-27 23:54:21
    End time: 2014-04-27 23:59:48
    Requested action: Repair
    Setup completed with required actions for features.
    Troubleshooting information for those features:
    Next step for SQLEngine: Use the following information to resolve the error, and then try the setup process again.
    Next step for DQ: Use the following information to resolve the error, and then try the setup process again.
    Next step for FullText: Use the following information to resolve the error, and then try the setup process again.
    Next step for LocalDB: Use the following information to resolve the error, and then try the setup process again.
    Machine Properties:
    Machine name: CHARLY13C
    Machine processor count: 4
    OS version: Windows 8
    OS service pack:
    OS region: United States
    OS language: English (United States)
    OS architecture: x64
    Process architecture: 64 Bit
    OS clustered: No
    Product features discovered:
    Product Instance Instance ID Feature Language Edition Version Clustered Configured
    SQL Server 2012 DENALI MSSQL11.DENALI Database Engine Services 1033 Enterprise Edition 11.1.3128.0 No Yes
    SQL Server 2012 LocalDB 1033 Express Edition 11.1.3128.0 No Yes
    SQL Server 2014 HEKATON MSSQL12.HEKATON Database Engine Services 1033 Enterprise Edition 12.0.2000.8 No Yes
    SQL Server 2014 HEKATON MSSQL12.HEKATON Full-Text and Semantic Extractions for Search 1033 Enterprise Edition 12.0.2000.8 No Yes
    SQL Server 2014 HEKATON MSSQL12.HEKATON Data Quality Services 1033 Enterprise Edition 12.0.2000.8 No Yes
    SQL Server 2014 Management Tools - Basic 1033 Enterprise Evaluation Edition 12.0.2000.8 No Yes
    SQL Server 2014 Management Tools - Complete 1033 Enterprise Evaluation Edition 12.0.2000.8 No Yes
    SQL Server 2014 Client Tools Connectivity 1033 Enterprise Evaluation Edition 12.0.2000.8 No Yes
    SQL Server 2014 LocalDB 1033 Express Edition 12.0.2000.8 No Yes
    Package properties:
    Description: Microsoft SQL Server 2014
    ProductName: SQL Server 2014
    Type: RTM
    Version: 12
    SPLevel: 0
    Installation location: F:\x64\setup\
    Installation edition: Enterprise
    User Input Settings:
    ACTION: Repair
    AGTDOMAINGROUP: <empty>
    AGTSVCACCOUNT: <empty>
    AGTSVCPASSWORD: <empty>
    AGTSVCSTARTUPTYPE: Manual
    ASCONFIGDIR: Config
    ASSVCACCOUNT: <empty>
    ASSVCPASSWORD: <empty>
    CLTSTARTUPTYPE: 0
    CLTSVCACCOUNT: <empty>
    CLTSVCPASSWORD: <empty>
    CONFIGURATIONFILE: C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Log\20140427_235420\ConfigurationFile.ini
    CTLRSTARTUPTYPE: 0
    CTLRSVCACCOUNT: <empty>
    CTLRSVCPASSWORD: <empty>
    ENU: true
    FAILOVERCLUSTERGROUP: <empty>
    FAILOVERCLUSTERNETWORKNAME: <empty>
    FTSVCACCOUNT: NT Service\MSSQLFDLauncher$HEKATON
    FTSVCPASSWORD: <empty>
    HELP: false
    IACCEPTSQLSERVERLICENSETERMS: false
    INDICATEPROGRESS: false
    INSTANCENAME: HEKATON
    ISSVCACCOUNT: NT AUTHORITY\Network Service
    ISSVCPASSWORD: <empty>
    ISSVCSTARTUPTYPE: Automatic
    QUIET: false
    QUIETSIMPLE: false
    SQLSVCACCOUNT: NT Service\MSSQL$HEKATON
    SQLSVCPASSWORD: <empty>
    UIMODE: Normal
    X86: false
    Configuration file: C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Log\20140427_235420\ConfigurationFile.ini
    Detailed results:
    Feature: Management Tools - Complete
    Status: Passed
    Feature: Client Tools Connectivity
    Status: Passed
    Feature: Management Tools - Basic
    Status: Passed
    Feature: Database Engine Services
    Status: Failed: see logs for details
    Reason for failure: An error occurred during the setup process of the feature.
    Next Step: Use the following information to resolve the error, and then try the setup process again.
    Component name: SQL Server Database Engine Services Instance Features
    Component error code: 0x84B40002
    Error description: The SQL Server feature 'SQL_Engine_Core_Inst' is not in a supported state for repair, as it was never successfully configured. Only features from successful installations can be repaired. To continue, remove the specified SQL Server feature.
    Error help link: http://go.microsoft.com/fwlink?LinkId=20476&ProdName=Microsoft+SQL+Server&EvtSrc=setup.rll&EvtID=50000&ProdVer=12.0.2000.8&EvtType=0x2841E06E%401204%402&EvtType=0x2841E06E%401204%402
    Feature: Data Quality Services
    Status: Failed: see logs for details
    Reason for failure: An error occurred for a dependency of the feature causing the setup process for the feature to fail.
    Next Step: Use the following information to resolve the error, and then try the setup process again.
    Component name: SQL Server Database Engine Services Instance Features
    Component error code: 0x84B40002
    Error description: The SQL Server feature 'SQL_Engine_Core_Inst' is not in a supported state for repair, as it was never successfully configured. Only features from successful installations can be repaired. To continue, remove the specified SQL Server feature.
    Error help link: http://go.microsoft.com/fwlink?LinkId=20476&ProdName=Microsoft+SQL+Server&EvtSrc=setup.rll&EvtID=50000&ProdVer=12.0.2000.8&EvtType=0x2841E06E%401204%402&EvtType=0x2841E06E%401204%402
    Feature: Full-Text and Semantic Extractions for Search
    Status: Failed: see logs for details
    Reason for failure: An error occurred for a dependency of the feature causing the setup process for the feature to fail.
    Next Step: Use the following information to resolve the error, and then try the setup process again.
    Component name: SQL Server Database Engine Services Instance Features
    Component error code: 0x84B40002
    Error description: The SQL Server feature 'SQL_Engine_Core_Inst' is not in a supported state for repair, as it was never successfully configured. Only features from successful installations can be repaired. To continue, remove the specified SQL Server feature.
    Error help link: http://go.microsoft.com/fwlink?LinkId=20476&ProdName=Microsoft+SQL+Server&EvtSrc=setup.rll&EvtID=50000&ProdVer=12.0.2000.8&EvtType=0x2841E06E%401204%402&EvtType=0x2841E06E%401204%402
    Feature: SQL Browser
    Status: Passed
    Feature: SQL Writer
    Status: Passed
    Feature: LocalDB
    Status: Failed: see logs for details
    Reason for failure: An error occurred during the setup process of the feature.
    Next Step: Use the following information to resolve the error, and then try the setup process again.
    Feature: SQL Client Connectivity
    Status: Passed
    Feature: SQL Client Connectivity SDK
    Status: Passed
    Feature: Setup Support Files
    Status: Passed
    Rules with failures:
    Global rules:
    There are no scenario-specific rules.
    Rules report file: C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Log\20140427_235420\SystemConfigurationCheck_Report.htm

  • Lion Server and TimeMachine Error 13

    Hello,
    I have a problem with a Lion Server and the TimeMachine service.  I have enabled the service and selected a volume for it.  The server creates the share and does not report any errors.  If I go to a client machine and open TM I can see the "Backups" share and select it.  The user's credentials are validated without a problem, but when the backup is started it ends with the error "Cannot create sparseimage error 13".
    I have checked that the share is visible to the client machine and the client has write permissions for the share.
    Any ideas why this is happening?
    MM

  • HP Photosmart C4795 Wireless Setup (Error Message: Device Not Connected) Help?!?

    I've had my HP Photosmart C4795 since 2009. I haven't had any major issues with the printer until recently (probably time to get a new one).
    This is my issue: the printer can't connect to my network. I'm able to print via USB from my Mac or PC, but I'd like to be able to print from any computer on my home network. In the past I've set up the printer on the network with minor issues. I've had issues ever since the Mountain Lion update (running version 10.8.3).
    I've attempted once again to connect the printer to the network and I get an error message from the HP Installer software (Device Not Connected). I've tried to troubleshoot the printer with no luck. These are the solutions I've tried:
    1) Uninstalled HP Installer Software/Setup via Mac - I added the printer using the latest instructions provided in HP's Support section. I set up the printer, but it isn't showing up on any other computer.
    2) WPS - My router (supplied by Comcast) couldn't find the printer. I used the router's login website to connect the printer, but it didn't work.
    3) I printed out the HP Network Configuration Page and manually added the printer's MAC address to my router's device list. I still can't connect wirelessly to the printer.
    I've connected this printer wirelessly in the past, before the Mountain Lion update. Can anyone help?

    First, on the printer go to Setup [Scan] > Wireless > Restore Defaults.
    Then, set the printer up using WPS (pushbutton) - start it in the printer (Wireless menu) first, then the router within 2 minutes of starting it on the printer.
    There is no HP software for 10.8, so you need to uninstall it.   Uninstall the software using the 'scrubber' option:
    Go to Applications/Hewlett Packard/ click on HP Uninstaller
    Click on Continue
    Highlight your device on the left pane
    Press and hold the Control + Alt + Cmd keys on the keyboard simultaneously while you click on Uninstall. This IS the Scrubber option; there is no button labeled "Scrubber".
    There will be a pop up that asks if you are sure you want to uninstall ALL hp software. (At this point, if you continue, any HP printers you have installed will need to be reinstalled)
    Click Continue and let it finish
    Download and install this: http://support.apple.com/kb/DL907
    Restart your Mac.
    Now reset the printing system:
    - Sys Prefs, Print & Fax
    - Right (control) click in the rectangle listing your printers and select Reset Printing System.
    WARNING - this will delete ALL of your printers!
    - Select the plus sign to re-add it. Look for the printer, select it and wait until the "Add" button becomes available. Click it.
    Say thanks by clicking "Kudos" "thumbs up" in the post that helped you.
    I am employed by HP

  • Mountain Lion server vpn setup

    I have OSX Mountain Lion with server.  I use dynamic dns with dyndns.org.  I have a Virgin Media Router in modem only mode connected to a Time Capsule that provides DHCP and NAT.  I have all the correct ports open on the Time Capsule (500, 1701, 1723 and 4500).
    I have set up the Server VPN, but every time I try to connect, either from within my LAN or externally, I get the message:
    The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator.
    I have tried everything I can think of (including trying VPN Configurator) but cannot get the VPN to work.  Any advice welcome.

    I had the same issue: 
    The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator.
    PPTP was connecting from a PC without problem, but trying to use L2TP (IPSec) from an iMac gave the above message.  I resolved this by going into Server > VPN, turning the service off for 30 seconds and turning it back on; all working.
    The wonder of OSX Server.  Lots of buggy problems.
    Steve H

  • iOS 7 Device Enrollment Program MDM APIs

    Hi,
    The MDM APIs (for the Device Enrollment Program) like disown devices, define profile etc. return responses with a dictionary of devices along with a string value like SUCCESS, NOT_ACCESSIBLE, FAILED... What would be the reason for NOT_ACCESSIBLE and FAILED? Depending on the true cause, our server would need to react differently. Can we assume that NOT_ACCESSIBLE and FAILED mean Apple no longer has any information about the device in the Device Enrollment Program?
    Appreciate a response,
    Thanks,
    -Vikram.

    I am also getting NOT_ACCESSIBLE when trying to upload a serial number for an iPad. I was able to get 280 serial numbers uploaded successfully, but I am not able to get one particular serial number into DEP.
    Any thoughts or suggestions?
    Help here would be appreciated also..

  • SQL Server 2008 R2 setup error

    Installing the above, I get an error just before the end of the setup saying "Attempted to perform an unauthorized operation.  Click retry or cancel."
    Any ideas why this is doing this?

    Hello,
    Please try the following resources:
    http://blogs.msdn.com/b/petersad/archive/2009/08/08/sql-server-2008-could-not-fix-registry-key-issue-and-how-to-resolve.aspx
    http://social.technet.microsoft.com/Forums/sqlserver/en-US/3649e3f7-e726-4bc7-854f-0b436756dad0/sql-server-2008-installation-problem
    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/61d56f64-2575-4a58-9503-84579476afaf/sql-server-2008-setup-error-attempted-to-perform-an-unauthorized-operation
    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/cfab9cdd-eb89-4e70-a255-4f4bff3def8e/sql-server-2008-r2-setup-fails-with-error-attempted-to-perform-an-unauthorized-operation
    If the above resources do not help, please share with us the Detail.txt log file. The following article may help you locate the file:
    http://technet.microsoft.com/en-us/library/ms143702(v=sql.105).aspx
    Hope this helps.
    Regards,
    Alberto Morillo
    SQLCoffee.com

  • HT200088 Error Reading Settings in Lion Server Profile Manager

    Whenever I try to use Profile Manager in Lion Server, it says "Error Reading Settings". Can anybody help?

    I did a clean install of Lion/Lion Server, but I ran into the same problem too with "Error Reading Settings" for both Profile Manager and the wiki.
    INVESTIGATION: I checked the postgres database (which I presumed was where the settings were being read from):
    # sudo serveradmin fullstatus postgres
    postgres:dataDirHasBeenInitialized = yes
    postgres:PG_VERSION = "9.0.4"
    postgres:dataDir = "/var/pgsql"
    postgres:postgresIsResponding = no     # !!! why isn't it responding???
    postgres:dataDirIsDirectory = yes
    postgres:PGserverVersion = 0
    postgres:dataDirExists = yes
    postgres:setStateVersion = 1
    postgres:state = "RUNNING"
    PROBLEM: The postgres service hadn't been started properly; I found this by doing the following:
    # sudo serveradmin stop postgres
    postgres:state = "STOPPED"
    # sudo serveradmin start postgres
    postgres:error = "CANNOT_START_SERVICE_TIMEOUT_ERR"
    FIX: The postgres service couldn't create the log file because it didn't have permission. I did this to fix it, then simply restarted it and all was well:
    # sudo chmod 777 /Library/Logs/
    # sudo serveradmin start postgres
    postgres:state = "RUNNING"
    I hope this helps someone.
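The fix in the post above makes /Library/Logs world-writable, which lets any local account create, truncate or plant files in the system log directory. Below is an added example (not from the original post) of the narrower check-and-fix a practitioner would use instead: it reports whether a directory is world-writable and grants write access to a single group only. The group name is an assumption; substitute the group the postgres service actually runs as on your server.

```shell
#!/bin/sh
# Added example (not from the original post): check a directory for
# world-writable permissions and, instead of chmod 777, grant write
# access only to the service's group.

# Returns 0 if the directory has the "other write" bit set, 1 otherwise.
# -perm -002 is octal and works with both BSD (OS X) and GNU find.
is_world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -type d -perm -002 2>/dev/null)" ]
}

# Grant write access to one group only: owner rwx, group rwx, others r-x.
# $1 = directory, $2 = group. The group is an assumption: use the group
# the postgres service runs as on your server.
grant_group_write() {
    chgrp "$2" "$1" && chmod 0775 "$1"
}

# Print the 10-character mode string (drwxrwxr-x) so the change can be
# verified; trailing "@" or "+" markers for xattrs/ACLs are stripped.
show_mode() {
    ls -ld "$1" | awk '{print substr($1, 1, 10)}'
}

# Usage (as root), with SERVICE_GROUP set to the service's group:
#   grant_group_write /Library/Logs "$SERVICE_GROUP"; show_mode /Library/Logs
```

The service still gets the write access it needed for its log file, but unrelated local users do not.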

  • How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

    I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
    Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
    Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout Server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Someday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
    Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
    DVD>Disk Utility>Erase Disk  [or Recovery Partition>Disk Utility>Erase Partition]
    DVD>Install Lion
    Reboot, hopefully Lion install kicks in
    Update, update, update Lion (NOT Lion Server yet) until no more updates
    System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standby)
    Terminal>$ sudo scutil --set HostName server.domain.com
    App Store>Install Lion Server and run through the Setup
    Download install Server Admin Tools, then update, update, update until no more updates
    Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
    System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
    A few DNS set-up steps and these most important steps:
    A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
    B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
    C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
    D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
    E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
    F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
    G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed as an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
    H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.]
    I. Test from web browser server.domain.com/mydevices: Lock Device to test
    J. ??? Profit
    12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
    You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
    Firewall
    Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your server's LAN IP. This is mostly a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from MacPorts after installing Xcode from the App Store) help show which ports are open.
    SSH
    Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
    PermitRootLogin no
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    I'm not sure if toggling Allow remote logins will load this config file; otherwise, run "sudo launchctl unload -w /System/Library/LaunchDaemons/ssh.plist ; sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist" to restart the server's ssh daemon.
    Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
    client$ ssh-keygen -t rsa -b 2048 -C client_name
    [Securely copy ~/.ssh/id_rsa.pub from client to server.]
    server$ cat id_rsa.pub >> ~/.ssh/authorized_keys
    I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. It's not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file denyhosts.cfg in /usr/share/denyhosts:
    $ diff denyhosts.cfg-dist denyhosts.cfg
    12c12
    < SECURE_LOG = /var/log/secure
    > #SECURE_LOG = /var/log/secure
    22a23
    > SECURE_LOG = /var/log/secure.log
    34c35
    < HOSTS_DENY = /etc/hosts.deny
    > #HOSTS_DENY = /etc/hosts.deny
    40a42,44
    > #
    > # Mac OS X Lion Server
    > HOSTS_DENY = /private/etc/hosts.deny
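    Review bot: the new HOSTS_DENY value names the same file as the commented-out default, since /etc on OS X is a symlink to /private/etc; the hunk is harmless but changes nothing. What the setting actually depends on is that this server's sshd consults hosts.deny at all, so confirm that before relying on DenyHosts to block anything rather than just report it.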
    195c199
    < LOCK_FILE = /var/lock/subsys/denyhosts
    > #LOCK_FILE = /var/lock/subsys/denyhosts
    202a207,208
    > LOCK_FILE = /var/denyhosts/denyhosts.pid
    > #
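    Review bot: LOCK_FILE now points into /var/denyhosts, which is not a directory Lion creates; it must be created (and be writable by the account DenyHosts runs as) before the daemon is started, or the pid file cannot be written and the daemon will not start cleanly. Worth a "sudo mkdir /var/denyhosts" line next to the diff.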
    219c225
    < ADMIN_EMAIL =
    > ADMIN_EMAIL = [email protected]
    286c292
    < #SYSLOG_REPORT=YES
    > SYSLOG_REPORT=YES
    Network Accounts
    Use Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as it should be. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
    2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
         User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
    Oh well.
    Email
    Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
    root:           myname
    admin:          myname
    sysadmin:       myname
    certadmin:      myname
    webmaster:      myname
    my_alternate:   myname
    Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
    cd /etc/postfix
    sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
    echo 'smtp_sasl_security_options = noanonymous' | sudo tee -a ./main.cf
    sudo serveradmin stop mail
    sudo serveradmin start mail
    Finally, make sure that you're running a blacklisting service yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Then set up mail to use strong Kerberos/MD5 settings under Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
    If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
    iCal Server
    Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
    Web
    The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
    $ diff httpd.conf.default httpd.conf
    95c95
    < #LoadModule ssl_module libexec/apache2/mod_ssl.so
    > LoadModule ssl_module libexec/apache2/mod_ssl.so
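    Review bot: loading mod_ssl is not enough on its own to serve TLS; no `Listen 443`, `SSLEngine on` or `SSLCertificateFile` line appears anywhere in this diff, so those directives must be coming from the site files Server.app generates. Verify after the restart with `sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -S`, which prints the parsed virtual hosts and the port each one listens on.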
    111c111
    < #LoadModule php5_module libexec/apache2/libphp5.so
    > LoadModule php5_module libexec/apache2/libphp5.so
    139,140c139,140
    < #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
    < #LoadModule encoding_module libexec/apache2/mod_encoding.so
    > LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
    > LoadModule encoding_module libexec/apache2/mod_encoding.so
    146c146
    < #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
    > LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
    177c177
    < ServerAdmin [email protected]
    > ServerAdmin [email protected]
    186c186
    < #ServerName www.example.com:80
    > ServerName domain.com:443
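    Review bot: `ServerName domain.com:443` sets a host name the automatically generated certificate does not cover (the Web section below says it only knows server.domain.com), so https://domain.com will keep producing a name-mismatch warning whatever this line says, and the name Apache uses for self-referential URLs now disagrees with the certificate. Keep ServerName at the name on the certificate (server.domain.com) and add domain.com and www.domain.com as ServerAlias entries once a certificate carries them in its Subject Alternative Name list.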
    677a678,680
    > # Server-specific configuration
    > # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
    > Include /etc/apache2/mydomain/*.conf
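    Review bot: `Include /etc/apache2/mydomain/*.conf` makes httpd, which parses its configuration as root, read every .conf dropped into that directory, so the directory and its files should be root-owned and not writable by the account whose ~/Sites is being published (`sudo chown -R root:wheel /etc/apache2/mydomain; sudo chmod -R go-w /etc/apache2/mydomain`). Run `sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -t` before the restart so a syntax error in an included file does not take the web service down.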
    I did "sudo mkdir /etc/apache2/mydomain" and added specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with tildes as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
    Alias /eyetv /Users/uname/Sites/EyeTV
    <Directory "/Users/uname/Sites/EyeTV">
        AuthType Digest
        AuthName "EyeTV"
        AuthUserFile /Users/uname/.htdigest
        AuthGroupFile /dev/null
        Require user uname
        Options Indexes MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
    <Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
        AuthType Digest
        AuthName "EyeTV"
        AuthUserFile /Users/uname/.htdigest
        AuthGroupFile /dev/null
        Require user uname
        Options Indexes MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    I think you can turn Web off/on in Server.app to relaunch Apache, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
    Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
    One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternative Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
    Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
    User-agent: *
    Disallow: /
    Misc
    VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

    Privacy Enhancing Filtering Proxy and SSH Tunnel
    Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
    If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler, flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connections) looks like:
    $ ./ssht 8080:[email protected]:3128
    $ ./ssht 8080:alice@:
    $ ./ssht 8080:
    $ ./ssht 8018::8123
    $ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connections using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
    $ vi ./ssht
    #!/bin/bash
    # SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
    # (bash rather than sh: the parsing below needs "shopt -s extglob")
    USERNAME_DEFAULT=username
    HOSTNAME_DEFAULT=domain.com
    SSHPORT_DEFAULT=22
    # SSH port forwarding specs, e.g. 8080:localhost:3128
    LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
    REMOTEHOST_DEFAULT=localhost    # Default is localhost
    REMOTEPORT_DEFAULT=3128         # Default is Squid port
    # Parse ssh port and tunnel details if specified
    SSHPORT=$SSHPORT_DEFAULT
    TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOTEHOST_DEFAULT:$REMOTEPORT_DEFAULT
    while [ "$1" != "" ]
    do
      case $1
      in
        -p) shift;                  # -p option
            SSHPORT=$1;
            shift;;
         *) TUNNEL_DETAILS=$1;      # 1st argument option
            shift;;
      esac
    done
    # Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
    shopt -s extglob                        # needed for +(pattern) syntax; man bash
    LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
    USERNAME=$USERNAME_DEFAULT
    HOSTNAME=$HOSTNAME_DEFAULT
    REMOTEHOST=$REMOTEHOST_DEFAULT
    REMOTEPORT=$REMOTEPORT_DEFAULT
    # LOCALHOSTPORT
    CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
    CAR=${TUNNEL_DETAILS%%"$CDR"}           # cut this string (quoted so it is matched literally) from TUNNEL_DETAILS
    CAR=${CAR%:}                            # delete :
    if [ "$CAR" != "" ]                     # local port specified
    then
        LOCALHOSTPORT=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # REMOTEPORT
    CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
    CAR=${TUNNEL_DETAILS##"$CDR"}           # cut this string from TUNNEL_DETAILS
    CAR=${CAR#:}                            # delete :
    if [ "$CAR" != "" ]                     # remote port specified
    then
        REMOTEPORT=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # REMOTEHOST
    CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
    CAR=${TUNNEL_DETAILS##"$CDR"}           # cut this string from TUNNEL_DETAILS
    CAR=${CAR#:}                            # delete :
    if [ "$CAR" != "" ]                     # remote host specified
    then
        REMOTEHOST=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # USERNAME
    CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading *@
    CAR=${TUNNEL_DETAILS%%"$CDR"}           # cut this string from TUNNEL_DETAILS
    CAR=${CAR%@}                            # delete @
    if [ "$CAR" != "" ]                     # user name specified
    then
        USERNAME=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # HOSTNAME
    HOSTNAME=$TUNNEL_DETAILS
    if [ "$HOSTNAME" == "" ]                # no hostname given
    then
        HOSTNAME=$HOSTNAME_DEFAULT
    fi
    # -f: background after authentication; -N: no remote command; -C: compress; -q: quiet
    ssh -p $SSHPORT -L $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT -l $USERNAME $HOSTNAME -f -C -q -N \
        && printf 'SSH tunnel established via %s:%s:%s\n\tto %s@%s:%s.\n' "$LOCALHOSTPORT" "$REMOTEHOST" "$REMOTEPORT" "$USERNAME" "$HOSTNAME" "$SSHPORT" \
        || echo "SSH tunnel FAIL."
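
    Added example, not the poster's own commands: the main.cf settings for relaying through an ISP's authenticated submission port (the job the post does through Server.app>Mail), applied by a small shell function that replaces a parameter if it is already present and appends it otherwise, so repeated runs do not leave duplicate keys the way repeated ">>" appends do. The ISP host name and port and the sasl_passwd path are assumptions; on the server itself "sudo postconf -e 'key = value'" makes the same change natively, and "sudo postmap /etc/postfix/sasl_passwd" must be run after creating the credentials map.

```shell
#!/bin/sh
# Added example: relay settings for an ISP submission server, written into a
# main.cf without duplicating keys. Host, port and map path are assumptions.
set -u

# set_main_cf FILE KEY VALUE: rewrite "KEY = VALUE" in place if KEY is already
# set (first occurrence wins, later duplicates are dropped), else append it.
# Works through a temporary file and mv so the file is never left truncated.
set_main_cf() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0 }
        $0 ~ ("^[ \t]*" k "[ \t]*=") { if (!done) { print k " = " v; done = 1 }; next }
        { print }
        END { if (!done) print k " = " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# configure_isp_relay FILE: the five parameters needed to hand outgoing mail to
# an authenticated ISP relay over TLS. smtp_sasl_security_options=noanonymous
# is the line the post had to add by hand; smtp_tls_security_level=encrypt
# refuses to send the SASL password over a cleartext session.
configure_isp_relay() {
    cf=$1
    set_main_cf "$cf" relayhost '[smtp.isp.example]:587'   # assumed ISP host
    set_main_cf "$cf" smtp_sasl_auth_enable yes
    set_main_cf "$cf" smtp_sasl_password_maps hash:/etc/postfix/sasl_passwd
    set_main_cf "$cf" smtp_sasl_security_options noanonymous
    set_main_cf "$cf" smtp_tls_security_level encrypt
}

# count_key FILE KEY: how many times KEY is set; anything but 1 is a mistake.
count_key() {
    grep -c "^[[:space:]]*$2[[:space:]]*=" "$1"
}

# Demo on a constructed main.cf copy (never the live file without a backup).
demo=$(mktemp)
printf 'myhostname = server.domain.com\nrelayhost =\nsmtp_sasl_security_options = noplaintext\n' > "$demo"
configure_isp_relay "$demo"
cat "$demo"
rm -f "$demo"
```

    Run it twice against the same file and each key still appears exactly once, which is the property the "sudo echo >> main.cf" approach lacks; a second copy of a parameter makes Postfix use the last one and log a warning.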
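
    For the caveat at the end of the Web section (the generated certificate knows only server.domain.com): an added example, not the poster's code, that produces a self-signed key and certificate whose Subject Alternative Name list also covers domain.com and www.domain.com. It drives "openssl req" from a config file rather than "-addext", because the OpenSSL 0.9.8 that ships with Lion does not have "-addext"; host names and output paths are assumptions. The result is self-signed, so clients have to trust it the same way the exported IntermediateCA file is trusted above, and getting Server.app to adopt it in place of the auto-generated certificate is the step the post reports as fragile.

```shell
#!/bin/sh
# Added example: self-signed TLS certificate whose subjectAltName covers
# server.domain.com, domain.com and www.domain.com, built from an OpenSSL
# config file so it works on old OpenSSL too. Names and paths are assumptions.
set -u

# write_san_config CONF CN NAME...: write a no-prompt request config whose
# v3_req section lists every DNS name the certificate must answer for.
write_san_config() {
    cnf=$1; cn=$2; shift 2
    sans=""
    for name in "$@"; do
        sans="${sans:+$sans,}DNS:$name"
    done
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_req

[dn]
CN = $cn

[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $sans
EOF
}

# make_san_cert CONF KEYOUT CERTOUT: new RSA key plus self-signed cert that
# carries the v3_req extensions from CONF (valid one year).
make_san_cert() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -config "$1" -extensions v3_req -keyout "$2" -out "$3" 2>/dev/null
}

# cert_dns_names CERT: the DNS names the certificate actually carries, one
# per line, taken from the Subject Alternative Name extension.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Demo run; skipped when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    workdir=$(mktemp -d)
    write_san_config "$workdir/san.cnf" server.domain.com \
        server.domain.com domain.com www.domain.com
    make_san_cert "$workdir/san.cnf" "$workdir/key.pem" "$workdir/cert.pem"
    echo "Certificate DNS names:"
    cert_dns_names "$workdir/cert.pem"
    rm -rf "$workdir"
fi
```

    The check that matters is cert_dns_names: a browser matches the requested host against the SAN list (the CN alone is not enough for modern clients), so every name people will type into the address bar has to show up there.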

  • Lion server VPN not working away from network

    Hey everyone,
    So I have a Mac mini set up with Lion Server, and set up a VPN; however, after I set up the profile and installed it on my iPhone and iPad, it worked great while I was connected to the same network, but once I connect to either 3G or to a different network (than the one the server is based on) it says,
    "The L2TP-VPN server did not respond.  Try reconnecting.  If the problem continues, verify your settings and contact your administrator." 
    I have checked the port mapping settings, as I have an AirPort Extreme and have the VPN setting checked for the Extreme from the Server app. I have also disabled MobileMe "Back to My Mac" on the computer, and also on the AirPort Extreme just to make sure that wasn't causing the issue. I'm out of ideas; I know it has to do with the incoming connection, and I have set up a DynDNS for the IP address. Any ideas would be really appreciated.

    I also had the same issues but managed to fix it.
    My airport extreme DHCP settings were conflicting with the VPN servers assigned addresses.
    For example, the DHCP on the extreme was set to the range 10.0.1.200 - 10.0.1.254
    And the VPN was set to the same range of 10.0.1.200 - 10.0.1.254
    I then changed the DHCP range on the extreme to 10.0.1.100 - 10.0.1.229
    and I set the VPN to give out IP addresses between 10.0.1.230 - 10.0.1.254
    Reset both the extreme and VPN server, then boom. It started working, internally and externally.

  • Problem with lion server - profile, wiki , postgresql

    I have problem with lion server:
    - Profile Manager Error Reading Setting
    - Wiki Error Reading Setting
    org.postgresql.postgres[3163]: postgres_real cannot access the server configuration file "/var/pgsql/postgresql.conf": No such file or directory


  • Device Enrollment - Error: The server certificate for "myserver" is invalid?

    Hello,
    I am attempting to enroll my iPhone in the Lion Server Profile Manager.  I have acquired an SSL certificate on my Lion Server but do not have a code signing certificate. From my iPhone, I can go to http://myserver.mydomain.lan/mydevices and log in using my AD credentials; when I try to install the Device Enrollment Profile I am prompted with the following message: The server certificate for "https://myserver.mydomain.lan/devicemanagment/api/device/ota_service" is invalid.
    Not sure how to get around this...
    I am using AD with an extended schema and was not sure if MDM absolutely requires OD credentials or if I could use my AD credentials when enrolling a device.  I was also unsure if I needed the code signing certificate which appears to be a bit pricey from Go-Daddy.  I am just test bedding MDM and do not wish to go through the expense of a code signing certificate at this point.
    Has anyone else encountered this problem?
    Thanks,
    Ray

    Not sure if this will help, but we encountered the same problem.  Our workaround was to click on the "Profiles" tab & install the Trust Profile first (not the Everyone Profile) and then enroll the device.  That seemed to work, but I don't know what's causing that error message.  Hopefully someone with more knowledge than me can answer that one.
