OS X Server 4.0.3 Profile Manager Settings for Mobile Users problems

Similar Messages

• Profile Manager Settings for Group does not display for individual members of the group

  Hi there,
  Can anyone confirm whether I am going mad or not, I and new to Mac Server and have set up Profile Manager on OSX Mavericks from scratch and have been using it successfully to deploy enterprise iPads. I have just gone to edit the profile as we wish to increase the timeout time to locking and have been greeted with something strange.
  We have all users in a Group which has settings applied for timeout, pass code change etc. however if I go to an individual account who is part of that group then it isn't showing any settings for that user and it would appear I need to set them again. Similarly if I go to a device belonging to a member of the group then its not showing any settings for that device.
  I would have assumed that if you set restrictions for a group then when you view the restrictions for a member of the group then it would be the same however it appears that you can have a separate payload for a group. Is this the case?
  I am grateful for any advice people can give me.
  Thanks again.
  Rob

  I would have assumed that if you set restrictions for a group then when you view the restrictions for a member of the group then it would be the same
  That was never the way it worked in older versions of 10.3, 10.4, 10.5, 10.6 Server.
  The restrictions for a Group were shown for a Group. The restrictions for a User (alone) were shown for that User.
  And the advantage is that if you see something wrong for a single user, you might be tempted to fix it there, in that user, and when you had changed six of them, you might remember that you meant that to be a group setting after all.
  And the software to implement them separately is simpler, but YOU have to test it to find out the end results of compositing Group and User settings.

• Mac Mini Server won't load Profile Manager

  My Mac Mini Server has stopped loading Profile Manager in a web browser, and gives me the following message:
  Caught exception "Connection to DB failed" [CSDatabaseError] executing route /auth/?redirect=https://stormforce.no-ip.biz/devicemanagement/api/authentication/callback:
  0 CoreFoundation 0x00007fff8f42d25c __exceptionPreprocess + 172
  1 libobjc.A.dylib 0x00007fff8f5b5e75 objc_exception_throw + 43
  2 CSService 0x0000000101f549bd -[CSConnectionPool openConnection] + 3309
  3 CSService 0x0000000101f5538a -[CSConnectionPool currentConnection] + 98
  4 CSService 0x0000000101fe313c -[CSAuthService _sessionForField:value:] + 96
  5 CSService 0x0000000101fd4bff +[CSHTTPRouteHelper setCurrentSessionForRequest:] + 150
  6 CSService 0x0000000101fdec09 __21-[CSAuthService init]_block_invoke + 367
  7 CSService 0x0000000101fd081a __53-[CSRoutingHTTPConnection httpResponseForMethod:URI:]_block_invoke + 95
  8 CSService 0x0000000101fd3d6c -[CSHTTPBackgroundResponse bounce:] + 286
  9 Foundation 0x00007fff8fa0e76b __NSThread__main__ + 1318
  10 libsystem_pthread.dylib 0x00007fff8d749899 _pthread_body + 138
  11 libsystem_pthread.dylib 0x00007fff8d74972a _pthread_struct_init + 0
  12 libsystem_pthread.dylib 0x00007fff8d74dfc9 thread_start + 13
  Anyone got any ideas how I fix this? My current plan is to try and re-install server.app, but I thought I'd post this to see if anyone had any ideas.

  I'm still trying to trace this fault - if anyone has any ideas they'd be much appreciated.

• Os x Server 3.1 breaks Profile Manager

  Hi all,
  since i update to server 3.1, the Profile Manager wont start.
  In the ive got these Error:
  0:: [245] [2014/03/20 20:15:14.725] Waiting for postgres to startup....
  0:: [245] [2014/03/20 20:15:18.445] +[PGConnection reloadPreferences]: DBDebug = NO, DBLogNotices = NO, DBLogSQL = NO, DBMonitor = NO
  0:: [245] [2014/03/20 20:15:29.432] Profile Manager service STOPPED
  1:: [245] [2014/03/20 20:15:29.927] Incoming request: noOp
  1:: [245] [2014/03/20 20:15:29.928] Incoming request: getWebAppState
  1:: [245] [2014/03/20 20:15:29.963] Registering for network reachability notifications to "gateway.push.apple.com".
  0:: [245] [2014/03/20 20:15:29.981] Profile Manager service stopped.
  0:: [245] [2014/03/20 20:15:29.987] APNS topic = com.apple.mgmt.XServer.dcbf90a0-c0ba-4dee-bcb6-39de366d4e87
  1:: [245] [2014/03/20 20:15:30.681] >>> networkSettingsChanged: "gateway.push.apple.com" is apparently reachable (flags = 0x2)
  1:: [245] [2014/03/20 20:16:03.409] Incoming request: getWebAppState
  0:: [245] [2014/03/20 20:16:03.727] Profile Manager service stopped.
  1:: [245] [2014/03/20 20:16:07.547] Incoming request: readSettings
  1:: [245] [2014/03/20 20:16:07.798] Incoming request: readAppDistributionSettings
  1:: [245] [2014/03/20 20:16:07.856] Incoming request: readSimplifiedDeviceEnrollmentSettings
  1:: [245] [2014/03/20 20:25:39.511] Incoming request: readSettings
  1:: [245] [2014/03/20 20:25:39.578] Incoming request: readAppDistributionSettings
  1:: [245] [2014/03/20 20:25:39.637] Incoming request: readSimplifiedDeviceEnrollmentSettings
  1:: [245] [2014/03/20 20:25:40.054] Incoming request: readSettings
  1:: [245] [2014/03/20 20:25:40.116] Incoming request: readAppDistributionSettings
  1:: [245] [2014/03/20 20:25:40.170] Incoming request: readSimplifiedDeviceEnrollmentSettings
  1:: [245] [2014/03/20 20:25:41.165] Incoming request: writeSettings
  0:: [245] [2014/03/20 20:25:41.508] -[NSString(devicemgr_Additions) dateFromOpenSSLString]: 'Jan 27 19:45:36 2015 GMT'
  0:: [245] [2014/03/20 20:25:41.672] -[Settings setSigningState:]: self.signing_org = cgrx
  0:: [245] [2014/03/20 20:25:41.679] Loaded strings for locale 'de'.
  0:: [245] [2014/03/20 20:25:42.105] EXCEPTION:  Postgres <-[PGConnection executeSQL:withParams:] (/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-864.18/Compiled/Fra mework-Models/Postgres/PGConnection.m:421): "Postgres error 23503 (ERROR:  insert or update on table "internal_tasks" violates foreign key constraint "internal_tasks_internal_task_id_fkey"
      DETAIL:  Key (internal_task_id)=(4) is not present in table "internal_tasks".
      CONTEXT:  SQL statement "INSERT INTO internal_tasks (internal_task_id, profile_substitution_cache_id) VALUES(p_it_id, psc.id) RETURNING id"
      PL/pgSQL function _dm_internal_psc_generation_task(profile_substitution_caches,integer,integer) line 19 at SQL statement
      SQL statement "SELECT _dm_internal_psc_generation_task(p, NEW.signing_certificate_id)
      FROM profile_substitution_caches AS p
      WHERE p.profile_cache IS NOT NULL
      AND p.signing_certificate_id <> NEW.signing_certificate_id"
      PL/pgSQL function _dm_trigger_after_settings_update() line 30 at PERFORM
      )">
  0:: [245] [2014/03/20 20:25:42.108] Caught unhandled exception -[PGConnection executeSQL:withParams:] (/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-864.18/Compiled/Fra mework-Models/Postgres/PGConnection.m:421): "Postgres error 23503 (ERROR:  insert or update on table "internal_tasks" violates foreign key constraint "internal_tasks_internal_task_id_fkey"
      DETAIL:  Key (internal_task_id)=(4) is not present in table "internal_tasks".
      CONTEXT:  SQL statement "INSERT INTO internal_tasks (internal_task_id, profile_substitution_cache_id) VALUES(p_it_id, psc.id) RETURNING id"
      PL/pgSQL function _dm_internal_psc_generation_task(profile_substitution_caches,integer,integer) line 19 at SQL statement
      SQL statement "SELECT _dm_internal_psc_generation_task(p, NEW.signing_certificate_id)
      FROM profile_substitution_caches AS p
      WHERE p.profile_cache IS NOT NULL
      AND p.signing_certificate_id <> NEW.signing_certificate_id"
      PL/pgSQL function _dm_trigger_after_settings_update() line 30 at PERFORM
  1:: [245] [2014/03/20 20:25:53.541] Incoming request: readSettings
  1:: [245] [2014/03/20 20:25:53.605] Incoming request: readAppDistributionSettings
  1:: [245] [2014/03/20 20:25:53.664] Incoming request: readSimplifiedDeviceEnrollmentSettings

  Great, now i have a new problem:
  sudo /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/wipeDB .sh
  Password:
  ***    Failed to create/update new Profile Manager database!     ***
  *** Please check /Library/Logs/ProfileManager/migration_tool.log ***
  *** for more information. Profile Manager will be non-functional ***
  *** until a new database can be successfully created/updated.    ***
  [1034] [2014/03/23 09:56:07.266] -[SULogFileCollection setGlobalLogLevelPrefix:]: YES
  0:: [1034] [2014/03/23 09:56:07.268]
      migration_tool-864.18 (PID:1034, OS:13C64, SERVER:13S4138, ARCH:x86_64) starting
      LA: migration_tool --wipeDB
      Log verbosity level = 1
      UID = 220, EUID = 220
  1:: [1034] [2014/03/23 09:56:13.050] DropPostgresDatabase RESULT:
      ————————+—————————————————————————————————————————————————————————————————————— —————————————————————————————————————————————————————————————
      COMMAND | /Applications/Server.app/Contents/ServerRoot/usr/bin/dropdb devicemgr_v2m0 -h /Library/Server/ProfileManager/Config/var/PostgreSQL
      WD      | /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr
      ————————+—————————————————————————————————————————————————————————————————————— —————————————————————————————————————————————————————————————
      STATUS  | 1
      ————————+—————————————————————————————————————————————————————————————————————— —————————————————————————————————————————————————————————————
      STDERR  | dropdb: database removal failed: ERROR:  database "devicemgr_v2m0" is being accessed by other users
              | DETAIL:  There are 10 other sessions using the database.
      ————————+—————————————————————————————————————————————————————————————————————— —————————————————————————————————————————————————————————————
      STDOUT  |
      ————————+—————————————————————————————————————————————————————————————————————— —————————————————————————————————————————————————————————————
  0:: [1034] [2014/03/23 09:56:13.050] EXCEPTION:  !IF <void DropPostgresDatabase(NSString *__strong) (/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-864.18/Compiled/Fra mework-Base/Support/PGUtilities.m:81): "'((status != 0))'">
  0:: [1034] [2014/03/23 09:56:13.052] Terminating on unhandled exception void DropPostgresDatabase(NSString *__strong) (/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-864.18/Compiled/Fra mework-Base/Support/PGUtilities.m:81): "'((status != 0))'", ? | 140735467216501
      ? | 4437587723
      ? | 4437841481
      ? | 4437841694
      ? | 4437434900
      ? | 140735464949245
      ? | 2
  0:: [1034] [2014/03/23 09:56:13.053] ShutdownMigrator: 2014-03-23 08:56:13 +0000
  0:: [1034] [2014/03/23 09:56:13.053] BYE

• Remove previous Profile Manager settings

  Hi All!
  I have a Lion OS X Server running at home for my couple of Macs. Despite many issues i am still trying to get it going. 
  One of the issues I have right now is with Profile Manager. When I initially started using it I thought it was a good idea to setup a printer for all users. I added the printer to a profile and it showed up on all the systems eventually.
  Trouble is somehow it installed the printer in the system but no drivers so all I get is junk on the printer if somebody tries to print. To much hassle to solve so I removed the printer from the Profile Manager settings and manually installed the printer on each Mac.
  Now here comes the trouble: Even though the printer is removed from the profiles in Profile Manager it keeps on reappearing on the Macs!!!! 
  I have tried everything I can think of but I no change. I think deleting a setting on the Profile Manager does not remove this setting from the client Macs. I have the supsicion the client Macs store somewhere the intial profile and reload it.
  Anybody any ideas how to solve? Or does anybody know where the client Macs store the Profile Manager configuration profiles?

  Mac's Profiles are stored in System Preferences > Profiles AFAIK.
  I've not played too much with Profile Manager on Macs.. but have a look there?

• Color management settings for the best print output

  Color Management while Printing has been one of the challenging areas which has been discussed a lot over user forums and has been a painful area in terms of clear understanding while taking print outputs.
  Here is an easy-to-understand KB (Knowledge Base) article ‘Color management settings for the best print output’ to help you get the best from your printers using PSE and bridge that knowledge gap.
  This article explains color management in Photoshop Elements, how to get better prints, and addresses some of the following issues like horizontal/vertical streaks in print output, too dark or too light print output, ICC profile problems and Color differences between prints from PSE and other applications.
  Thanks,
  Garry

  Thanks Noel.
  Yes have shared in PSE forum as well. But I usually drop such posts on PS General forum so community moderators as well as our power users who mostly use both PS or PSE or are aware about can communicate to their students, audiences etc.
  The idea is to reach out the message to as many as folks via relevant forums. Most of my otehr posts have found mentioned only on PSE forum.
  Thanks for the feedback Nice to hear such a great feedback within 5 mts of publishing
  Regards,
  Garry

• HT4864 I am getting a triangle with an exclamation point next to my inbox...it says: There may be a problem with the mail server or network. Verify the settings for account "MobileMe" or try again.  The server returned the error: Mail was unable to log in

  I can send but cannot recieve email
  This is the messege I am gewtting:
  There may be a problem with the mail server or network. Verify the settings for account “MobileMe” or try again.
  The server returned the error: Mail was unable to log in to the IMAP server “p02-imap.mail.me.com” using “Password” authentication. Verify that your account settings are correct.
  The server returned the error: Service temporarily unavailable

  Also if I go to system preferences accounts and re-enter the password it fixes the glitch sometimes.

• Win7 and Reader X - default settings for ALL users/profiles

  I have a custom browser/app that opens PDF's within the app which can sometimes cause issues. I found that if I set Reader X to not open in the browser (Edit>Preferences>Internet - uncheck "Display PDF in Browser") that this does resolve most issues. My problem...when changed this only affects the current user/profile that's logged in. Potentially there can be dozens of users on these laptops. The other setting is when opening a PDF, I get the warning about Protected Mode not being able to be used due to the current configuration. I can select "Always open with Protected Mode disabled" and I no longer get the message; but again, current user/profile only.
  Is there a way to set these settings for ALL users/profiles? Running Win7 (32bit) with Reader X.

  I do not know why you experience this; what exactly happens when a non-admin users attempts to highlight something?
  You are talking about highlighting in the same document?

• Need color management settings for photoshop version 8.0

  I need to reset the color management settings for photoshop 8.0. Can someone let me know what are the correct defaults?

  Probably the most commonly used is "North American Prepress 2" but which you choose depends entirely on the kind of work you are currently doing.

• OSX Server 10.8.5 (Server 2.2.1) Profile Manager

  Hello all, wondering if somebody can help.  I have a Mac Mini server (2011) running OSX Server 10.8.5 (Server 2.2.1).  I have a fully signed Certificate for the Web/OD services etc.. and its using the self assigned certificate for Profile manager.  Profile manager is running and I can add place holders for iPads, users/groups and apps etc...  Problem is the iPads running iOS6 and 7 simply will not enrol.  You goto the servers web page, then profile manager my devices and it downloads the trust certificate fine.  You click enroll and you see the browser access OTA BOOTSTRAP or something (it goes off way to quick) and does nothing.  If I try and use the Enrollment Profile I get "The Profile SECENROLL com.apple.ota blah blah blah .bootstrap could not be installed due to an unexpected error.  Can anybody help?

  Hello all, wondering if somebody can help.  I have a Mac Mini server (2011) running OSX Server 10.8.5 (Server 2.2.1).  I have a fully signed Certificate for the Web/OD services etc.. and its using the self assigned certificate for Profile manager.  Profile manager is running and I can add place holders for iPads, users/groups and apps etc...  Problem is the iPads running iOS6 and 7 simply will not enrol.  You goto the servers web page, then profile manager my devices and it downloads the trust certificate fine.  You click enroll and you see the browser access OTA BOOTSTRAP or something (it goes off way to quick) and does nothing.  If I try and use the Enrollment Profile I get "The Profile SECENROLL com.apple.ota blah blah blah .bootstrap could not be installed due to an unexpected error.  Can anybody help?

• Server 3.1 Breaks Profile Manager (PM won't start)

  Hi All,
  Updated to server 3.1 this am and now Profile manager will not start. When I go to turn it on via the server app, its simple hangs on "starting" for a few minutes then reverts to "Off".
  I tried reverting to my backup of 3.0.3, but of course the service updates that are done by 3.1 prevent this.
  I'm also not seeing any devicemgr logs in the console.
  Any suggestions?

  When starting devicemgr from the terminal I get the following errors:
  2014-03-18 09:30:40.264 serveradmin[3097:4e1f] NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9843)
  2014-03-18 09:30:42.294 serveradmin[3097:4e1f] NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9843)
  2014-03-18 09:30:44.334 serveradmin[3097:4e1f] NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9843)
  2014-03-18 09:30:46.366 serveradmin[3097:4e1f] NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9843)
  2014-03-18 09:30:50.800 serveradmin[3097:4e1f] NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9843)
  2014-03-18 09:30:52.834 serveradmin[3097:4e1f] NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9843)
  2014-03-18 09:30:55.487 serveradmin[3097:4e1f] NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9843)
  2014-03-18 09:30:57.514 serveradmin[3097:4e1f] NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9843)
  2014-03-18 09:30:59.563 serveradmin[3097:4e1f] NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9843)
  2014-03-18 09:31:01.588 serveradmin[3097:4e1f] NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9843)
  2014-03-18 09:31:03.600 serveradmin[3097:4e1f] NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9843)
  2014-03-18 09:31:05.613 serveradmin[3097:4e1f] NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9843)
  2014-03-18 09:31:07.625 serveradmin[3097:4e1f] NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9843)
  2014-03-18 09:31:09.642 serveradmin[3097:4e1f] NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9843)
  2014-03-18 09:31:14.284 serveradmin[3097:4e1f] NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9843)
  Thanks

• Upgrade Server 4 - stalled at profile manager

  Am trying to upgrade to Server 4.0 from 3.2.1
  The server install process stalls at about halfway across the blue line - with the statement "updating profile manager service".
  This is odd because we don't use the profile manager service, and it was disabled in the 3.2.1 configuration (i.e. set to not start in the Server app)
  No obvious errors in the system log.
  Anyone got any suggestions about what I can do to kick it along?
  Thanks in advance for any help.

  Hi
  This is the last block of entries in a log called "ServerSetup_DeviceManager.log" in /Library/Logs.  Is this what you are looking for?  It contains an error at least...
  2014-10-17 20:32:22 deviceManagerCommon.sh: A postgres cluster appers to already exist at /Library/Server/ProfileManager/Config/ServiceData/Data/PostgreSQL
  2014-10-17 20:32:22 deviceManagerCommon.sh: Pre-flight starting postgres...
  2014-10-17 20:32:22 deviceManagerCommon.sh: Started xpostgres with PID 10294
  2014-10-17 20:32:22 XPG.10297:  Process parent is PID 10294
  2014-10-17 20:32:22 XPG.10297:  Excluding data directory.
  2014-10-17 20:32:22 XPG.10297:  Turning on archive logging.
  2014-10-17 20:32:22 XPG.10297:  Cleaning up any existing postmaster.pid file
  2014-10-17 20:32:22 XPG.10297:  Starting postgres.
  2014-10-17 20:32:22 XPG.10297:  Waiting for data directory: /Library/Server/ProfileManager/Config/ServiceData/Data/PostgreSQL
  2014-10-17 20:32:22 XPG.10297:  Data directory exists.
  2014-10-17 20:32:22 XPG.10297:  Spawning postgres now.
  2014-10-17 20:32:22 XPG.10297:  Waiting for socket to appear in socket directory: /Library/Server/ProfileManager/Config/var/PostgreSQL
  2014-10-17 20:32:23 deviceManagerCommon.sh: Stopping postgres pre-flight instance...
  2014-10-17 20:32:23 XPG.10297:  Decremented reference count. Count is now: 0
  2014-10-17 20:32:23 XPG.10297:  Reference count reached zero.  Shutting down.
  2014-10-17 20:32:23 XPG.10297:  Killing idle connections...
  2014-10-17 20:32:23 XPG.10297:  Spawning... ('/Applications/Server.app/Contents/ServerRoot/usr/bin/psql', '-q', '-h', '/Library/Server/ProfileManager/Config/var/PostgreSQL', '-d', 'postgres', '-c', "SELECT pid, (SELECT pg_terminate_backend(pid)) as killed from pg_stat_activity WHERE state LIKE 'idle';")
  pid | killed
  -----+--------
  (0 rows)
  2014-10-17 20:32:23 XPG.10297:  Socket available; starting should now be complete.
  2014-10-17 20:32:24 XPG.10297:  log receiver: pg_receivexlog: could not connect to server: FATAL:  the database system is shutting down
  pg_receivexlog: disconnected; waiting 5 seconds to try again
  2014-10-17 20:32:24 XPG.10297:  Postgres exited.
  2014-10-17 20:32:24 XPG.10297:  pg_receivexlog still running; terminating.
  2014-10-17 20:32:24 XPG.10297:  log receiver: pg_receivexlog: could not connect to server: could not connect to server: No such file or directory
    Is the server running locally and accepting
    connections on Unix domain socket "/Library/Server/ProfileManager/Config/var/PostgreSQL/.s.PGSQL.5432"?
  2014-10-17 20:32:24 deviceManagerCommon.sh: Starting postgres under launchd...
  2014-10-17 20:32:24 deviceManagerCommon.sh: Migrating PM SACL in OD...
  PM SACL group has already been migrated
  2014-10-17 20:32:24 deviceManagerCommon.sh: Preparing/migrating database...
  2014-10-17 20:32:29 deviceManagerCommon.sh: Done!
  Oct 17 20:32:55.009 Applying DeviceManager<7fca7144d750> Profile Manager
  Oct 17 20:32:55.010 DeviceManager<7fca7144d750> Running '/Applications/Server.app/Contents/ServerRoot/usr/libexec/deviceManagerCommon.s h'
  2014-10-17 20:32:55 deviceManagerCommon.sh: Starting...
  2014-10-17 20:32:55 deviceManagerCommon.sh: Ensuring Profile Manager services are unloaded and terminated...

• Server 3.1 and Profile Manager woes

  I was hoping the 3.1 upgrade would resolve the Profile Manager not working with "real" Code Signing certificates, but it seems to have made things even worse. (I swear there's no Q/A on this product.)
  I readded my Digicert code signing certificate after upgrading (they have been amazing and have even issued me a special certificate to match all of the extensions and critical flags that the self-signed one Apple generates has).
  With 3.1, it lets me pick the Digicert certificate for Profile Manager, but silently doesn't actually honour the preference. The self-signed certificate continues to be used. The logs are full of errors that I believe are related:
  scep_helper.log after picking the certificate:
  0:: [738] [2014/03/18 10:39:44.942] EXCEPTION:  Error <NSData *ExportIdentityToPKCS12Data(SecIdentityRef, NSString *__strong) (/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-864.18/Compiled/Fra mework-Base/Support/CryptoUtilities.m:483): "'((SecItemExport((__bridge CFTypeRef)items, kSecFormatPKCS12, 0, &keyParams, &pkcs12Data)))' error -25308">
  0:: [738] [2014/03/18 10:39:44.943] SCEPHELPERS_GetIdentity: Caught exception NSData *ExportIdentityToPKCS12Data(SecIdentityRef, NSString *__strong) (/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-864.18/Compiled/Fra mework-Base/Support/CryptoUtilities.m:483): "'((SecItemExport((__bridge CFTypeRef)items, kSecFormatPKCS12, 0, &keyParams, &pkcs12Data)))' error -25308"
  2014-03-18 10:34:41.330 AM sandboxd[442]: ([67306]) xscertd(67306) deny file-read-metadata /Library/Preferences/com.apple.security.plist
  2014-03-18 10:34:41.352 AM sandboxd[442]: ([67306]) xscertd(67306) deny file-read-data /Library/Preferences/com.apple.security.plist
  2014-03-18 10:36:04.224 AM servermgrd[148]: servermgr_certs[148] -[CertsRequestHandler(HelperAdditions) certificateForIdentity:]:  SecIdentityCopyCertificate (err = -25304)
  And every 4 seconds:
  2014-03-18 10:30:36.155 AM devicemgrd[210]:  SecOSStatusWith error:[-25291] The operation couldn’t be completed. (com.apple.security.xpc error 3 - <connection: 0x7fd3ed309e40> { name = com.apple.securityd.xpc, listener = false, pid = 0, euid = 4294967295, egid = 4294967295, asid = 4294967295 }: Connection invalid)
  *sighs*

  The private key already had the "Allow all applications to access this item". I went in there and hit Save anyway, and tried again. Still the same issue. Profile Manager lets me pick the certificate, but if leave the Profile Manager section and go back in, I find that it has been reverted.
  And interestingly enough, if I set the values from the command line:
  serveradmin settings devicemgr devicemgr:devicemgr:CodeSigningPrivateKey = /etc/certificates/Coverall\ Crew\ Corporation.5504F8C4DA768FC0253A9E8264EDAFC29AC75328.key.pem
  serveradmin settings devicemgr devicemgr:CodeSigningCertificate = /etc/certificates/Coverall\ Crew\ Corporation.5504F8C4DA768FC0253A9E8264EDAFC29AC75328.cert.pem
  serveradmin settings devicemgr devicemgr:CodeSigningAuthorityChain = /etc/certificates/Coverall\ Crew\ Corporation.5504F8C4DA768FC0253A9E8264EDAFC29AC75328.chain.pem
  It's as if it completely ignores any updates.
  I guess I may have to contact Apple for support.

• Is there a way in 10.8 Profile Manager to assign certain users the sole right of adding/removing users to user groups?

  Hello,
  I want to assign certain network users the ability to login via browser to the profile manager for 10.8.x server and add/remove other users from user groups.  Think teachers managing their class rosters, if the class was a group and the users their students.  I do not want any other admin funtionality beyond that for them.
  Suggestions?

  Well thank you for being so polite.  Yes, on looking on my 10.8 server, I have the same thing.  How annoying.  I have no idea how to answer your question.  If the management abilities are no longer in Workgroup Manager then there's a change that the server doesn't pay any attention to the settings, so manually changing settings in LDAP won't have any effect either.
  At least I can verify that it's not just you who gets that result.  I wonder what happened and how we're meant to do this now.

• Profile Manager Mavericks & Active Directory Users.

  I have recently being trying to implement MDM Profile Manger to facilitate the deployment of Mavericks OSX on our domain.
  We currently run a mixed environment of Windows 7 and OSX Mountain Lion. Using Workgroup Manager with Active Directory created users. The old Workgroup manager works brilliantly the way we want it to do for Snow Leopard OSX.
  MDM however does not work in the same fashion. It might be my understanding of MDM that is misconstrued and that it doesn't do what I want or I'm not setting it up correctly.
  MDM works fine for mobile devices. The issue is with iMac's. I can send 'device' settings to my test mac and they get automatically implemented. However if I sign on as a domain user that is assigned to a group created in MDM. None of the 'profile' settings get applied.
  The test iMac I am using is first joined to AD then the OD of the MDM server.
  To enroll a device on MDM. I use the OD administrator account. I then remove the device from the OD Admin account. As each iMac needs to be logged into by various users with different levels of access. So our iMacs cannot be associated to just one user account.
  I then login to the test iMac using an AD user that is assigned to a User Group created on the MDM server. No User Group settings get applied to the test user.
  Also which is a little weird. If I assign the test iMac device to My AD user. The profile settings get applied to the local account that I accessed profile manager to enroll the device. Even though the account is not linked to the MDM in any way.
  I’m just wondering if anyone has had any success with AD users and MDM.

  Hi,
  first you should consult http://support.apple.com/kb/HT4837
  and then you have to import the specific users. You can do this in the Server.app by adding a new user an then select not new user but instead import the user from the Active Directory. I hope this helps. It is confusing
  that Lion Server does not uses the Active Directory to store the information, but instead creates a new Open Directory Master an uses augumented entries for the ADS users.
  Bye