Payload Variables in Profile Manager (iOS)

Similar Messages

• Profile Manager - iOS device limit?

  Has anyone found any information from Apple (or elsewhere) on approximately how many iOS devices Profile Manager can support?

  I would try demoting your Open Directory server from Master to Standalone in the Server Admin app - there's an assistant in Server Admin > Open Directory > Settings > General > click the change button.
  Once it's demoted to a standalone, restart.
  From there, don't create an OD Master again - go to Profile Manager in Server.app and run through the wizard again.  In the process, it will create an OD Master for you.
  Hope that helps,
  Chris

• Profile manager wildcard options

  Is it possible to use wildcards for such things as usernames in the profile manager for VPN? I'd like to preconfigure VPN for all Macbooks without having to setup a profile for each user. The username field is a required field so leaving it blank isn't an option.

  I haven't tried this for a VPN profile but have done variables with an Exchange email profile. The user logs into the My Devices web portal with credentials that are then used for the installation of the profile substituting their real information for the variable. See these articles:
  http://krypted.com/iphone/using-payload-variables-in-profile-manager/
  http://help.apple.com/profilemanager/mac/10.7/#apd073333AA-30C6-4FD2-B2E0-E0C956 58A2C4

• Payload variables not working & Profiles stuck on 'Sending'

  Hi all,
  I've been trying to use Profile Manager to specify user e-mail accounts on Mac devices (eg, MacBooks) but I've been encountering a couple of problems. I've tried searching around and didn't find any answers.
  First of all I'm running the latest Mountain Lion Sever. All clients have up-to-date Mountain Lion too.
  Problem 1: Payload variables not working
  I'd like to automatically setup Gmails on the MacBooks. Now the users' email addresses are already set to their gmail accounts. So all I have to be able to do is use the %email% payload variable as the username when I go set up the (IMAP) mail accounts in the Profile Manager. However, when I download the profile to the device, it does not convert the payload variable; ie, it tries to log into gmail with the username '%email%'. Other payload variables do not work either.
  Oddly enough, the payload variables work as they should with iOS devices...
  Problem 2: Profiles stuck on 'Sending'
  After enrolling the devices, it seems a hit and miss whether the MacBook downloads the correct profiles from the server... Is there a way to force on the MacBook to update/refresh its profiles? Also, when I update profiles within Profile Manager, the changes are pushed to iOS devices fine but not to MacBooks. Those tasks are all stuck on Sending... Logging in, restarting etc. sometimes helps but not always... Is there a reason why?
  Thanks in advance.

  Same problem here. Some profiles are being sent, some are stuck on the server. I have no idea why this difference.
  Any luck solving the issue?

• PKCS12 certificate payloads in OS X Server 10.9 Profile Manager

  Hi all,
  I'm unable to successfully push .p12 packaged certificate identities to devices managed by OS X Server 10.9 Profile Manager. The problem is that while the file is pushed to the device, it doesn't get unpacked and hence is unable to be used.
  I've identified the problem as Profile Manager setting the payload type incorrectly to "com.apple.security.pkcs1" in the profile rather than "com.apple.security.pkcs12". If I strip the profile signing data and edit it, the profile works perfectly when manually installed.
  So the questions I have:
  1) What's the best way of getting Apple's attention for someone to fix this bug, or is this possibly a browser JavaScript issue incorrectly identifying the payload type (using latest Safari though)?
  2) Does anyone know of a workaround to allow this to still be automatically pushed out without having to manually edit and install on each device?
  (SCEP is out at the moment due to another issue base64 decoding the SCEP request from Mac OS X devices that I'm taking up with the SCEP server vendor - but iOS works fine)
  Thanks!
  Al

  I'm new to OS X Server and Radius, and have just spent way too many hours trying to figure out what I was doing wrong. I could connect to our enterprise wifi perfectly fine when selecting the certificate from the keychain, but I just couldn't get it to work when I uploaded the .p12 file and used it as the WiFi identity. I tried so many combinations of passphrase, no passphrase, pem format, pkcs12 format, resetting Radius server, resetting whole PKI... But I'd always see Certificate: ?Error_-25257? in the Settings window while I was trying to install the profile, and I couldn't see anything useful in the Radius logs when I tried to connect.
  But it turns out, all I needed to do was:
     sed -i '' -e '1s/pkcs1/pkcs12/;t' -e '1,/pkcs1/s//pkcs12/' wifi_profile.mobileconfig
  (changes the first instance of pkcs1 to pkcs12 - don't change both! I was wondering why it was asking me for a password for our public certificate.)
  Will try to update and see if that fixes the problem.

• I can't find a way to upload applications to iOS via Profile Manager

  I have Mac OS X Lion Server 10.7.2 and multiple devices. I added them to the Profile Manager and now I can create different profiles for them. But I have not found a way of moderation of installed applications on iOS. Please tell me how to do this?

  CFax, I am experiencing the same problem.  I see your solution, but I am unsure how to "install the main language English".
  My system uses English.  Is there a particular setting?
  Thanks a bunch.

• Do I need internet access on my iOS devices to enroll with Profile Manager?

  Hi, I'm trying to configure Profile Manager on a closed network. The Mac Server does have Internet access, but the network for the iOS devices can only have communication with the server, but not to the internet because of company policies. Is there a way around to make it work or do I need internet access on the iOS devices as well?
  I've made the enrollment process in another network with internet access for every device and everything works well, but on the other network(no internet for iOS devices)  everything seems ok (from conection to the server, profile certifiacation and stuf) but the devices can't send or receive anything else, like pushed configurations and device info. Ports and everything is ok, I even read that they need to be on an open network so I know it all comes down to having internet access, but just wanted to ask if there's another way around?? Suggestions?
  Thanks!

  You can share internet connection with your XP-PC using a router(as I do with XP-old MAC's,connected via cable).You may look for more info at:
  http://homepage.mac.com/car1son/mylinksyssetup.html
  and
  http://homepage.mac.com/car1son/os9xnet_nfilesharing.html
  Did you ever use a MAC before? Have you got Airport at your PC?Which?
  Good luck

• OS X Server 3 - Profile manager - I can't enroll any iOS devices

  OS X Server 3 - Profile manager - I can't enroll any iOS devices
  I have OS X Server setup on a Mac Mini and an Airport Extreme.
  Airport is 10.0.1.1 and server is 10.0.1.3.
  Server is setup to use DNS itself by server.mydomain.com
  Airport is setup to use the server as DNS and the server then routes DNS queries onward to the internet.
  Essentially anyone on my internal network thinks server.mydomain.com is the server itself. This is what I want.
  From the outside, anyone searching for server.mydomain.com get's some page on a free hosting site with "Server is not accessible from the internet"
  I also use a self-signed certificate to secure communications. It's valid.
  Now this configuration has worked for the past two years. Out of curiosity in Server 3.1.1 I decided to give Profile manager a shot. Set it up, no worries.
  Installed the Trust Profile first and then the Enroll profile. Done.
  I can enroll and wipe, lock any mac in my firm remotely. Everything works, except iOS devices.
  Any iOS device I try it fails at "Installing profile", I tried friend's phones, my own iPad... every iPad in my firm. It fails consistently at the same step, with no error code what so ever.
  Is there  a checklist I need to go through? Do I need some kind of weird certificate setup?
  PS. Is it a problem if my devices are enrolled as development devices, thei UUID is in Apple's device list for beta software and iOS development?

  The Problem is your DNS is being pushed locally to the iOS Device from your Airport Extreme and the DNS on your Airport extreme is undoubtedly a public form of DNS that does not recognize your private server's ip address or HQDN, in Airport Utility point the DNS at your server and let your Server provide the public DNS mapping and allow your Router to provide your Server's DNS.  This should resolve your issue and allow you to enroll your iOS Devices by logging into the Profile Manager Web Portal from the iOS Device. 

• Can an IOS device be enrolled through profile manager when the server is set as .private?  If so what steps?

  I have my server set as server.xxxxxx.private, and need to know if it is possible to enroll it using profile manager.  I assume this would have to be done when the IOS device is on the same network, and subsequently the DNS server would have to be added to the WiFi configuration.  When I do this it tells me that Safari can't open the page.  I manually installed the self signed certificate.

  Same issues here.
  Buggy as ****..
  Also after some time, the Profile Manager PAne doesn't even fill in Server.app.....stays at Loading...
  Nevertheless, the service itself works with the bug you outlined, plus enroll is impossible for me (check my post here: Can't enroll devices with Profile Manager - invalid key  )
  I hope all these get fixed in 10.7.1   !!!

• Profile Manager Enrollment - iOS - Server Certificate Invalid

  I have been getting an error trying to enroll iOS devices into profile manager. My MacBook and iMac enroll just fine. However my iPhone and iPad do not.
  When I enroll my MacBook Pro, I first log into https://(FQDN)/mydevices, select profiles, Install Trusted Profile. I then go back to devices, and click 'Enroll now'. When I check the Profiles section of System Preferences, I see that the 'Trusted Profile' has added two certificates refering to my server. I can only assume one matches the Self Signed I generated shortly after making my hostname public, and the other Apple Push generated for me.
  However when I do this exact same process on my iPad/iPhone, when I attempt the 'Enroll Now' step, I get the error "The server certificate for "https://(FQDN)/devicesmanagement/api/device/ota_service" is invalid.
  My searches for this issue have turned up issues close to this, but never exactly this, and the solutions don't seem to work for me. Here are some key points to note:
  1. Tried demoting to standalone, re-promote to OD Master, then deleted all certificates, and regenerated all (including the Push cert from Apple)
  2. Ran sudo changeip -checkhostname
  3. DNS routes forward and reverse correctly in my local LAN
  4. I had been getting "Remote Verification failed: (os/kern) failure" / "TEAVerifyCert() returned NULL" in my logs every 3 seconds until I did the steps listed in '1'
  Looking forward to 10.7.1

  @hombre7777
  Thanks for the info. That makes sence what you are telling me. Their instuctions are kind of bland and dont make sence as much as they should.
  The only thing that scares me on this one is now we need to put a device in the dmz....
  So now upgrading our xserv to 10.7 when it becomes stable would now be using the magic triangle, and trying to only have 1 to manage osx machines / and now ios devices. Edit our wiki's thats already in place, and have important databases on filemaker is now going to reside in the dmz....
  So someone wasn't thinking on this one!!! haha
  It looks like we will have to seperate things now, so ios devices are managed on their own machine in the dmz with now a hole leaked in the firewall for AD to authenticate so we can pull users down to associate profiles with them.
  Our osx machine will then contain a seperate spot to manage osx devices bound to user accounts, as well as manage filemaker and wiki's that are in use already.
  It would be nice if they had figured out a way to do this a little different so we wern't opening holes in the firewall.
  The funny thing is I was able to get the ipad to bind and enroll the very first time when i was on a vpn tunnel from my house trying things out.
  So I know you can do it, without having to go public, although the push service wasn't working properly and I was not able to bind osx and enroll. So i stared over.
  Ill play around to see what I can figure out later. Thanks for the help. If you find out the port numbers please let me know as well! Im not able to move the box to an outside firewall right now. I have to much to do. I can probably do that next week.

• Can I use OS X Server 4.0 Profile Manager to distribute iOS apps with iOS Developer Enterprise Program (iDEP)?

  We are developing an iOS and complementary Mac OS X app for in house use by about 1500 users. I need to manage the devices and distribute the in-house app to these users.
  We have an iOS Developer Enterprise Program (iDEP) licence.
  Can I combine OSX Server and iDEP to distribute and manage the app? Or do I nee dot move to something like Air Watch?

  You should not have to do anything the user/group import should be automatic and you should not have to manually create any accounts and it does onging syncs automatically but I do not know how often.
  Once you are install and connect to profile manager all the accounts should show up just by clinking on users or the groups icons and they will work with that. You should not need to mess with them in the actual server application Although I would assume the other services all ink into the OD directory I don't know exactly how services like email, file sharing or VPN work as we have other more full featured better scaling services for that like MS Exchange for email/calendar and Cisco VPN.
  We are only using OD, Profile Manager and Software Update.
  Just a note I am using Server 3.2 on OS 10.9.5 if you are using Server 4.X your mileage will probably vary slightly as I am not sure what the areas of major change are.

• IOS 8.1.1 devices "pending" after enrollment in Profile Manager

  Setup:
  OS X Yosemite with server 4.0
  After installing the trust certificate and enrolling an iOS 8.1.1 client, I can see the specific device in Profile Manager. However the status of the device stays "Pending". It seems that the enrollment proces can't proceed.
  When I enroll a device with iOS 7.1.1 there are no issues. Everything works fine!
  Any suggestions?
  Thx

  The devices had been running ios 8.1 for a number of days.
  We've had two more do this since my last post.  In each occasion, the devices are running iOS 8.1, have been turned off and turned back on again to boot to the Apple logo and remain there indefinitely.
  Hard resets don't solve the issue, the only remedy is a full restore via iTunes resulting in complete data loss.
  Surely others are seeing this issue if we've had 6-7 devices in the past few days?
  iOS 8.1 + reboot = brick?

• Tasks to iOS devices stuck sending in Profile Manager

  I am managing about 30 iPads and 10 iPhones through Profile Manager.
  I installed iOS 7 on a freshly wiped iPad and enrolled it with the server and everything works as expected (including locking, updating info, pushing settings, etc)
  I then updated an already enrolled iPad from iOS 6.1.3 to iOS 7. Everything appears to still be intact (all settings, apps, profiles, etc) but it will not longer accept commands (lock, clear passcode, push settings, etc) from the Profile Manager. When I try to send a task it just shows sending and never fails or completes. The iPad has internet access (it is on the same wifi network as the above mentioned iPad that is working fine)
  Other already enrolled devices that have not yet updated to iOS 7 seem to complete tasks (Update info) just fine.
  I was running 10.8.4 with OS X Server 2.2.1 when this began, and have since updated to 10.8.5 and Server 2.2.2 with no change in behavior.
  How can I troubleshoot why this iPad is not completing commands. I'm worried that as my users update to iOS 7 other iPads will not recieve commands and I will need to have them re-enroll with the server in order to manage them. (Which I would like to avoid if possible)

  I've already asked people to hold off on updating, but without any way to prevent them from updating, I just have to hope...
  I installed the iPCU and have looked at the console but I'm not seeing anything relevant. It's like the the command isn't being recieved by the iPad at all (even though Profile Manager shows it as sending, the iPad has internet access, and another iPad on the same network has no problem recieving commands)
  Looking at the logs on an iPad that is receiving commands (the iPad with a fresh iOS 7 install, enrolled with Profile Manager after iOS 7 was installed)  I see entries related to MDM:
  Sep 19 07:18:05 iPad-iOS7 mdmd[99] <Notice>: (Note ) MDM: mdmd starting...
  Sep 19 07:18:06 iPad-iOS7 mdmd[99] <Notice>: (Note ) MDM: Looking for managed app states to clean up
  Sep 19 07:18:08 iPad-iOS7 mdmd[99] <Notice>: (Note ) MDM: Network reachability has changed.
  Sep 19 07:18:08 iPad-iOS7 mdmd[99] <Notice>: (Note ) MDM: Push token received.
  Sep 19 07:18:13 iPad-iOS7 mdmd[99] <Notice>: (Note ) MDM: mdmd stopping.

• Errors deploying Enterprise iOS app through Profile Manager

  We manage about 35 iPads through Profile Manager, including deploying a custom made app.
  We first deployed this app in July and had no problems with it. Our third party developers have released an update for iOS 7 and we are running into problems pushing it out through Profile Manager.
  When I try to upload the IPA file through the web interface I get the attached error. Looking at the logs I see the following errors:
  Sep 16 14:42:50 mdm.servername.com ProfileManager[210] <Info>: Unable to find icon file for '/var/devicemgr/ServiceData/Data/tmp/temp_extracted_folder_for_data_file_30/Pay load/Hope.app/Icon-72.png'
  Sep 16 14:42:50 mdm.servername.com ProfileManager[210] <Info>: Unable to find icon file for '/var/devicemgr/ServiceData/Data/tmp/temp_extracted_folder_for_data_file_30/Pay load/Hope.app/Icon.png'
  This is the first time we've tried to update our custom app. In trying to narrow down whether it was a problem with Profile Manager or the app I uploaded an older version of Apple's Podcast app, and pushed it out to a test iPad, then uploaded the current version through Profile Manager and pushed it out to the iPads with no problems.
  Our developers say that nothing has changed from the original version to the new version.
  Any ideas?

  We could solve this by opening the firewall for some ports (443, 1640, 2195, 2196, 5223, ) and ip addresses (17.0.0.0/8). Have a look at
  OS X Server: Ports used by Profile Manager
  Start Profile Manager

• Profile Manager cannot set ibooks as single app mode in iOS

  Right now I had updated all my iPad to iOS 8.0.2, and the server is updated to the newest version,too.
  Sadly, When I want to setup the iPad to single app mode with iBooks, I cannot find it in the list.
  Is this means ibooks is no long support on the single app mode? Then why give us the new function about push ibooks?
  I have try the assistant function on my iPhone (8.0.2) itself, it can be locked in iBooks.
  Any one can tell me what is the problem?
  Many many thanks!

  HI Hines,
  I had the same problems after the 3.0.2 update: enrolling of devices not working, unable to push configurations from Profile Manager, etc.
  The update was a simple 3.0.1 => 3.0.2 on already updated OSX Mavericks to 10.9.1 and it seemed that all was ok, not like this situation: https://discussions.apple.com/message/24450438
  Services used:
  -Web
  -Profile Manager with 20 iPads/iPhones already enrolled and with some in-house app pushed
  I followed a solution similar to what suggested from Hines, apart from point #6. I was unable to re-download Server.app from App Store, greyed-out button.
  So I was very happy to have another mac to download a fresh copy of Server.app.
  Then:
  -Deleted and thrashed the old version
  -Message "all services stopped"
  -Reboot
  -Copied fresh "Server.app" to /Applications
  -Started "Server.app" that made some initial auto configuration
  -Services restarted
  I just had to restart the postgres service and seems that I didn't lost any data/config (I hope, I'm already checking!)
  =begin RANT
  I know that Apple is essentially an hardware manufacter manly for consumer target now but that a simple minor update broke an entire software meant to be solid, like a server must be, is just plain unacceptable.
  I know that OSX Server is very cheap and we can't pretend too much....but F**K...i loosed my sleep tonight!
  =end RANT