Profile manager enrolled device names

Similar Messages

• Change Server URL in Profile Manager Enrollment Process?

  It appears devices learn the IP or URL of their MDM server during the Profile Manager enrollment process. It must be part of the configuration profile sent to the device. It also appears this is based on the machine's host name. Is there anyway to change that URL - as when the host name of the server changes? If so, where are the files located on the server.
  I believe in the previous iPhone Configuration Utility there was a "server URL" and "Check in URL" that could be set. We can't seem to find any parameters in Profile Manger to control the same. Thanks for any help.

  Hi Jonathan,
  I stumbled on your responses because I was looking for an answer to my own issues.
  I am like most just a lay user, although wth 20 years Mac experience.
  The issue is as folllows:
  I set up Lion Server and I host a Wiki page and I try to run Profile Manager.
  I do not have a registered host name. The hostname is server.name.private.
  In order to reach the server from the Internet my clients use a DynDNS hostname such as "name.dyndns.org".
  My clients can access the Wiki pages with no problems and Safari shows https://name.dyndns.org in the address line.
  However, if they want to connect to Profile manager, the server re-directs https://name.dyndns.org/profilemanager https://server.name.private/auth?redirect=https://server.name.private/devicemana gement/api/authentication/callback
  which the client's browser cannot resolve because the internal hostname is unknown to public DNS servers.
  Why does Profile Manager redirect in the first place ?
  Can this issue be resolved without obtaining an "officially registered" hostname ?
  Thank you for helping.
  Regards,
  Twistan

• Can Profile Manager Enroll the Server Itself?

  Hi all,
  I can successfully enroll clients, but when I try to enroll the server itself, I receive the error message, "Profile installation failed. The profile "Remote Management (com.apple.config.myserver.com.mdm)" could not be installed due to an unexpected error."
  I created a seperate local network user account (a different user name) for this purpose and did not use the local admin's account for device enrollment.  On the server machine itself, I logged into http://myserver.com/mydevices and used the admin's local network acount to begin enrollment.  The trust profile successfully installs first, but enrollment fails.
  I would like to group server machines using Profile Manager and I would like to setup a configuration payload is for Software Update.
  Many Thanks!

  I really doubt you can enroll your server in it's own MDM.
  If all you're trying to do is set the software update server, it's a lot easier to just do this...
  sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate
  CatalogURL http://myserver.com:8088/index.sucatalog

• Profile Manager Enrollment - iOS - Server Certificate Invalid

  I have been getting an error trying to enroll iOS devices into profile manager. My MacBook and iMac enroll just fine. However my iPhone and iPad do not.
  When I enroll my MacBook Pro, I first log into https://(FQDN)/mydevices, select profiles, Install Trusted Profile. I then go back to devices, and click 'Enroll now'. When I check the Profiles section of System Preferences, I see that the 'Trusted Profile' has added two certificates refering to my server. I can only assume one matches the Self Signed I generated shortly after making my hostname public, and the other Apple Push generated for me.
  However when I do this exact same process on my iPad/iPhone, when I attempt the 'Enroll Now' step, I get the error "The server certificate for "https://(FQDN)/devicesmanagement/api/device/ota_service" is invalid.
  My searches for this issue have turned up issues close to this, but never exactly this, and the solutions don't seem to work for me. Here are some key points to note:
  1. Tried demoting to standalone, re-promote to OD Master, then deleted all certificates, and regenerated all (including the Push cert from Apple)
  2. Ran sudo changeip -checkhostname
  3. DNS routes forward and reverse correctly in my local LAN
  4. I had been getting "Remote Verification failed: (os/kern) failure" / "TEAVerifyCert() returned NULL" in my logs every 3 seconds until I did the steps listed in '1'
  Looking forward to 10.7.1

  @hombre7777
  Thanks for the info. That makes sence what you are telling me. Their instuctions are kind of bland and dont make sence as much as they should.
  The only thing that scares me on this one is now we need to put a device in the dmz....
  So now upgrading our xserv to 10.7 when it becomes stable would now be using the magic triangle, and trying to only have 1 to manage osx machines / and now ios devices. Edit our wiki's thats already in place, and have important databases on filemaker is now going to reside in the dmz....
  So someone wasn't thinking on this one!!! haha
  It looks like we will have to seperate things now, so ios devices are managed on their own machine in the dmz with now a hole leaked in the firewall for AD to authenticate so we can pull users down to associate profiles with them.
  Our osx machine will then contain a seperate spot to manage osx devices bound to user accounts, as well as manage filemaker and wiki's that are in use already.
  It would be nice if they had figured out a way to do this a little different so we wern't opening holes in the firewall.
  The funny thing is I was able to get the ipad to bind and enroll the very first time when i was on a vpn tunnel from my house trying things out.
  So I know you can do it, without having to go public, although the push service wasn't working properly and I was not able to bind osx and enroll. So i stared over.
  Ill play around to see what I can figure out later. Thanks for the help. If you find out the port numbers please let me know as well! Im not able to move the box to an outside firewall right now. I have to much to do. I can probably do that next week.

• How to deploy settings in Profile Manager through Device Groups

  When I go to the Profile Manager web page and create a device group and configure the payload settings it doesn't seem to send the profile settings to the Mac devices that are in the group. How do I go about getting this to work so when I get a new device that is enrolled all I have to do is throw it in the group so it will automatically push out the correct payload settings that I configured?

  What you're asking should work.  You should be able to create a Device Group and adjust the setting for that group.  Then when you add a device to that group, the settings will be pushed to the device automatically.  So, it leaves me with a few questions for you:
  Why don't you think it sends the payload?  When you look under "Activity" do you see tasks in the "Active" area or in the "Completed" area... or something else?
  What are you trying to change?  Setting up email accounts on iPhones will appear right away, but there are other changes (especially on computers) that don't take affect until it restarts (or the user at least logs out and back in).
  Are you sure you have devices in your device group?  Sorry, probably a really silly question, but under your device group, do you see the devices under the "Members" section?
  Are your devices "trusting" your server?  Did you add the trust profile to the device when you enrolled it? 
  Sorry I can't be more help... but I can tell you that you can do what you are asking.  We have it set up in our office, and it works really well.  We just add the new device to the device group and it does the rest.

• Profile Manager - iOS device limit?

  Has anyone found any information from Apple (or elsewhere) on approximately how many iOS devices Profile Manager can support?

  I would try demoting your Open Directory server from Master to Standalone in the Server Admin app - there's an assistant in Server Admin > Open Directory > Settings > General > click the change button.
  Once it's demoted to a standalone, restart.
  From there, don't create an OD Master again - go to Profile Manager in Server.app and run through the wizard again.  In the process, it will create an OD Master for you.
  Hope that helps,
  Chris

• Yosemite profile manager shortening computer names and serials

  If I prepare a placeholder in Yosemite profile manager, it shortens computer names and serials.
  I've added and removed the placeholder and the names and serials are getting smaller, to a point they are only one letter long now.
  Somehow, it suspect may be linked to the form fill feature but even if I try to type all, the placeholder names and serials shorten every time.
  Ever seen or solved that?
  François.

  I cleared Safari Form Filling in Safari > Preferences > Auto Fill > Other Forms, selected example.com, clear button and closed preferences.
  I went back to profile Manager, create the place holder again and all is good now.
  François

• Profile manager settings device management disabled error when enabling

  Hello,
  I have installed OS-X Lion on a mac mini. Everything is working fine, including open ldap as a master where other imac can connect and use this ldap server for login.
  However in profile management i try in the settings section to enable management of devices. When the wizard starts it asks me to enter the password for diradmin as this server needs a master ldap (is already there).
  The wizard then mentions that this computer already has a master ldap server and i cannot continue installing device management in profile manager.
  Probably because of this I cannot see devices in the profile manager portal.
  Does anyone have a solution to solve this issue.
  Thanks
  Paul Bot

  I would try demoting your Open Directory server from Master to Standalone in the Server Admin app - there's an assistant in Server Admin > Open Directory > Settings > General > click the change button.
  Once it's demoted to a standalone, restart.
  From there, don't create an OD Master again - go to Profile Manager in Server.app and run through the wizard again.  In the process, it will create an OD Master for you.
  Hope that helps,
  Chris

• Profile Manager on Devices on a Different Network

  Hello,
  I currently have profile manager setup and working on 266 iPads. After I set them all up, 66 of those iPads moved to a temporary location accross the street. They are using a different network then my server. (different line, gateway, firewall ect).
  My question is, is there any way I can push out apps / update profiles to those 66 iPads? I do not want to change any settingso on the iPads if possible. Please let me know any suggestions you guys have.
  I have a mac mini server 10.8.5
  iPads are running 7.0.2
  Profile mangager works completely fine on the devices in the network.

  I to am having this issue. My Mac mini server is hosted in a datacenter off-network from my other devices. Currently, the only way to grab updates is to VPN into the server to have them pull down to the client machines. I run a mix of MacBook Pros, iPhones and desktop Macs.
  A solution on this would be extremely helpful, as I do not want the end users to have to VPN in to pull an update from the Profile Manager all the time.

• Profile Manager - Why create Enrollment Profiles?

  So a similar question was asked previously:
  Why use an enrollment profile?
  I've read through it and I don't think the answers provided tell the whole story, so I'd like to ask again adding some of my own thought and clarifications on the previous thread.  This may be considered a "primer" by some - though I am certainly not the expert on Profile Manager.  I'm laying it out there to explain my understanding and off of that, ask a question.  If you are an expert, and understand how all this works, please just skip to my question below!
  First, my experience and understanding.  (I urge others to correct/clarify where they see fit):
  The previous thread attempted to make a distinction between the 3 different types of profiles:  Trust, Enrollment.and Remote Management Profiles.
  I believe the proper 3 distinctions should be: Trust, Remote Management/Enrollment, and Configuration Profiles.
  - The Trust Profile is basically a Profile (.mobileconfig file) that contains the Server Certificate that needs to be present to validate other signed Profiles.  It's a fancy way of packaging up the Root certificates.
  - The Remote Management/Enrollment Profile is a Profile (.mobileconfig file) that delivers the Remote Management "connection".  It registers the device with the Profile Manager server and facilitates the ability to use PM/APNS to push various Configuration Profiles as well as commands (wipe/lock/etc).  It is *only* called an Enrollment Profile when you explicitly create one (more on that below).  Because an Enrollment Profile does not need to exist to enroll (or rather it will use the implicit "unseen" enrollment), this is the most confusing of the 3 Profile types.  It is further confusing because the term "Profile" is used almost elusively on the device and not within Profile Manager.  In fact the "Enrollment Profile" is the only one explicitly called a "Profile" within the management interface!
  IOW: While it is not shown anywhere in Profile Manager, I believe that "Remote Management" (called a Profile on the device) is basically the *default* Enrollment Profile that is only inferred and seen when you use the Enroll function on MyDevices.  This means you don't need to create any Enrollment Profile to enroll your devices interactively via the MyDevices page.
  - The Configuration Profile is a Profile (.mobileconfig file) that delivers specific settings.  These Profiles are applied to either Users, Groups, Devices, or Device Groups.  They can be automatically pushed to an enrolled device, or they can be manually downloaded from the MyDevices page (seems to apply to User configuration only) for devices even if they are not enrolled (this would allow the end user the 'choice' to pull down settings).
  Having outlined that, the simplest steps to enrollment...:
  When you setup Profile Manager, you can go right to the MyDevices page on your device, login, and choose "Enroll." (sample device is let's say an iPad)
  Doing so will prompt you to install the "Remote Management" profile.
  Note that when enrolling in this way it does not appear necessary to install the "Trust Profile" for your server, even when using a Self-signed Cert.  It would appear that this "Remote Management" profile contains not only the SCEP Enrollment Request and the Device Management payload, but also the Certificates that would be installed with the "Trust profile"
  So we have seen here that one can enroll a device without explicitly creating any "Enrollment Profile."
  So why use an Enrollment Profile?
  Well according to https://help.apple.com/profilemanager/mac/3.1/#apd6DD5E89E-2466-4D3C-987E-A4FF05 676EB7, the answer is pretty straightforward:
  "The user does not need to authenticate or log in to Profile Manager’s user portal"
  This is a great feature.  For one, you can create an Enrollment Profile and send it via e-mail and the user doesn't need to visit a web page and login to enroll a device.  In fact, based on my experience Enrollment Profiles can't even be accessed via the MyDevices page unless you are a Server Admin.
  However, when distributing an Enrollment Profile you seemingly *must* install the Trust Profile prior to this, or you will get an error about communicating with the server.  Several docs/tutorials you can google explain how to set up your deployment systems (specifically OSX machines) to deploy systems with both the Trust and Enrollment profiles to facilitate automatic enrollment when a new system is deployed so it can instantly be managed.
  However, since a device that is already deployed will/may not have the Trust Profile installed, one would have to visit the MyDevices page to install that prior to being able to import a delivered Enrollment Profile.  Because of that it seems that from a distribution approach (as opposed to a deployment scenario) there is not much advantage of using an explicit Enrollment Profile anyway since we already need to visit the MyDevices page to get the Trust Profile, we might as well just use the standard MyDevices implicit Enrollment.
  All devices that have enrolled themselves via a defined/explicit Enrollment Profile will be listed under that Profile in Profile Manager.  Devices that have enrolled via MyDevices will not be listed under any Profile, but rather just under Devices (where *all* devices will be shown regardless of how they enrolled).
  So, now the questions:
  So, the idea of an Enrollment Profile makes perfect sense - it is basically the only way to create an exportable profile that can be distributed and configured to automatically enroll a device without interactive enrollment via the MyDevices page.
  What I don't get is WHY is there the ability to create multiple Enrollment Profiles rather than simply providing a default exportable profile?
  The reason it makes no sense to me is there is absolutely no correlation (that I can deduce) between an Enrollment Profile and the devices that used it to enroll.  While I can see a (non-exportable) list of each device enrolled via each Enrollment Profile, it ends there.  I can't, for instance, create Configuration Settings that I link to an Enrollment Profile.  Or dynamically populate a Device Group with all devices enrolled from a specific Enrollment Profile.  If I could do these things, it might make sense to me and I have spent much time looking at the interface and scouring documentation to see where the connection is.  I have simply determined that there isn't one.
  I can go ahead and create several Enrollment Profiles such as:
  iPads
  Lab Systems
  Main Office Systems
  High Security Systems
  And I can deploy these Profiles (either via mail/file or via initial deployment) to the respective devices.  I can then see under each Profile which devices enrolled.  But, since I can't actually do anything to correlate those systems to a configuration, why would I want to do this segregation?  Sure it gives me a listing of iPads apart from OSX machines, but I can't do anything with this listing!
  Now, of course, I can still pre-stage devices and add them into particular device groups so that as soon as they are enrolled (via any Enrollment Profile) they will get the Configuration Profile(s) attached to them.  This makes the inclusion of multiple Enrollment Profiles even more suspect.
  Am I missing something?  Can someone enlighten me as to what the purpose of creating more than one Enrollment Profile would be?
  We can easily say "Well it's not hurting having them there" but, in terms of complexity and confusion I believe it is.  Had they simply provided a single Enrollment Profile ("Remote Management") that was downloadable/exportable it would have been sufficient.
  Thoughts?

  So a similar question was asked previously:
  Why use an enrollment profile?
  I've read through it and I don't think the answers provided tell the whole story, so I'd like to ask again adding some of my own thought and clarifications on the previous thread.  This may be considered a "primer" by some - though I am certainly not the expert on Profile Manager.  I'm laying it out there to explain my understanding and off of that, ask a question.  If you are an expert, and understand how all this works, please just skip to my question below!
  First, my experience and understanding.  (I urge others to correct/clarify where they see fit):
  The previous thread attempted to make a distinction between the 3 different types of profiles:  Trust, Enrollment.and Remote Management Profiles.
  I believe the proper 3 distinctions should be: Trust, Remote Management/Enrollment, and Configuration Profiles.
  - The Trust Profile is basically a Profile (.mobileconfig file) that contains the Server Certificate that needs to be present to validate other signed Profiles.  It's a fancy way of packaging up the Root certificates.
  - The Remote Management/Enrollment Profile is a Profile (.mobileconfig file) that delivers the Remote Management "connection".  It registers the device with the Profile Manager server and facilitates the ability to use PM/APNS to push various Configuration Profiles as well as commands (wipe/lock/etc).  It is *only* called an Enrollment Profile when you explicitly create one (more on that below).  Because an Enrollment Profile does not need to exist to enroll (or rather it will use the implicit "unseen" enrollment), this is the most confusing of the 3 Profile types.  It is further confusing because the term "Profile" is used almost elusively on the device and not within Profile Manager.  In fact the "Enrollment Profile" is the only one explicitly called a "Profile" within the management interface!
  IOW: While it is not shown anywhere in Profile Manager, I believe that "Remote Management" (called a Profile on the device) is basically the *default* Enrollment Profile that is only inferred and seen when you use the Enroll function on MyDevices.  This means you don't need to create any Enrollment Profile to enroll your devices interactively via the MyDevices page.
  - The Configuration Profile is a Profile (.mobileconfig file) that delivers specific settings.  These Profiles are applied to either Users, Groups, Devices, or Device Groups.  They can be automatically pushed to an enrolled device, or they can be manually downloaded from the MyDevices page (seems to apply to User configuration only) for devices even if they are not enrolled (this would allow the end user the 'choice' to pull down settings).
  Having outlined that, the simplest steps to enrollment...:
  When you setup Profile Manager, you can go right to the MyDevices page on your device, login, and choose "Enroll." (sample device is let's say an iPad)
  Doing so will prompt you to install the "Remote Management" profile.
  Note that when enrolling in this way it does not appear necessary to install the "Trust Profile" for your server, even when using a Self-signed Cert.  It would appear that this "Remote Management" profile contains not only the SCEP Enrollment Request and the Device Management payload, but also the Certificates that would be installed with the "Trust profile"
  So we have seen here that one can enroll a device without explicitly creating any "Enrollment Profile."
  So why use an Enrollment Profile?
  Well according to https://help.apple.com/profilemanager/mac/3.1/#apd6DD5E89E-2466-4D3C-987E-A4FF05 676EB7, the answer is pretty straightforward:
  "The user does not need to authenticate or log in to Profile Manager’s user portal"
  This is a great feature.  For one, you can create an Enrollment Profile and send it via e-mail and the user doesn't need to visit a web page and login to enroll a device.  In fact, based on my experience Enrollment Profiles can't even be accessed via the MyDevices page unless you are a Server Admin.
  However, when distributing an Enrollment Profile you seemingly *must* install the Trust Profile prior to this, or you will get an error about communicating with the server.  Several docs/tutorials you can google explain how to set up your deployment systems (specifically OSX machines) to deploy systems with both the Trust and Enrollment profiles to facilitate automatic enrollment when a new system is deployed so it can instantly be managed.
  However, since a device that is already deployed will/may not have the Trust Profile installed, one would have to visit the MyDevices page to install that prior to being able to import a delivered Enrollment Profile.  Because of that it seems that from a distribution approach (as opposed to a deployment scenario) there is not much advantage of using an explicit Enrollment Profile anyway since we already need to visit the MyDevices page to get the Trust Profile, we might as well just use the standard MyDevices implicit Enrollment.
  All devices that have enrolled themselves via a defined/explicit Enrollment Profile will be listed under that Profile in Profile Manager.  Devices that have enrolled via MyDevices will not be listed under any Profile, but rather just under Devices (where *all* devices will be shown regardless of how they enrolled).
  So, now the questions:
  So, the idea of an Enrollment Profile makes perfect sense - it is basically the only way to create an exportable profile that can be distributed and configured to automatically enroll a device without interactive enrollment via the MyDevices page.
  What I don't get is WHY is there the ability to create multiple Enrollment Profiles rather than simply providing a default exportable profile?
  The reason it makes no sense to me is there is absolutely no correlation (that I can deduce) between an Enrollment Profile and the devices that used it to enroll.  While I can see a (non-exportable) list of each device enrolled via each Enrollment Profile, it ends there.  I can't, for instance, create Configuration Settings that I link to an Enrollment Profile.  Or dynamically populate a Device Group with all devices enrolled from a specific Enrollment Profile.  If I could do these things, it might make sense to me and I have spent much time looking at the interface and scouring documentation to see where the connection is.  I have simply determined that there isn't one.
  I can go ahead and create several Enrollment Profiles such as:
  iPads
  Lab Systems
  Main Office Systems
  High Security Systems
  And I can deploy these Profiles (either via mail/file or via initial deployment) to the respective devices.  I can then see under each Profile which devices enrolled.  But, since I can't actually do anything to correlate those systems to a configuration, why would I want to do this segregation?  Sure it gives me a listing of iPads apart from OSX machines, but I can't do anything with this listing!
  Now, of course, I can still pre-stage devices and add them into particular device groups so that as soon as they are enrolled (via any Enrollment Profile) they will get the Configuration Profile(s) attached to them.  This makes the inclusion of multiple Enrollment Profiles even more suspect.
  Am I missing something?  Can someone enlighten me as to what the purpose of creating more than one Enrollment Profile would be?
  We can easily say "Well it's not hurting having them there" but, in terms of complexity and confusion I believe it is.  Had they simply provided a single Enrollment Profile ("Remote Management") that was downloadable/exportable it would have been sufficient.
  Thoughts?

• Profile manager not working? iOS 6

  I have mac mini working as Mountain Lion Server 10.8.2, Server.app 2.1 (upgraded from 10.7.4 Server)
  (All services are using 3rd party ssl certificates)
  previously enrolled devices are getting push changes.
  I got a new iphone 4 (service upgrade) with ios6, and when i enroll it, it gets a name: New Device in profile manager
  Not the name that it has been named. And the push settings arent pushed. Other devices do get changes.
  I got the right name for the iphone to profile manager, by filling the data as a place holder device. Then it got the
  right name for the device. But push payloads are not working.

  the device logs gets 500 error code, you van see this in iphone configuration utility or in apple configurator.
  as follows in console:
  "US Desc: A transaction with the server at “https://server.com/devicemanagement/api/device/connect” has failed with the status “500”.
  Domain : MCHTTPTransactionErrorDomain
  Code   : 23001
  Type   : MCFatalError

• Lion Server Profile Manager Configuration

  Hi Guys,
  Currently have been testing Lion Server and Profile Manager Configuration.
  So Far Have setup
  Lion with Server App and Server Admin Tools
  Configured Open Directory Master and enabled SSL on LDAP
  Once Configured OD has created a CA Certificate can use for Profile Manager
  Have Enabled in Server.app Web and Profile manager
  In SSL Certificate Configuration have set CA Certificate for Web and Enabled Apple push notifications with my apple ID
  In Profile Manager Enabled Device Management and Enabled Sign configuration profiles and selected CA Open Directory Certificate Created when setting up OD Master.
  On Server Originally could install Trust Profile OK and Enroll Server OK with no issues, but on any other 10.7 Devices could install Trust Profile OK but would always say unsigned and Enroll would never work or just hang.
  Now Since Played around with settings on 10.7 Server can no longer enroll but trust OK.
  Questions have is
  For SSL and Profile Manager to work properly as well as Certificates do you require to purchase a proper SSL Certificate or can we use the OD Master Certificate that gets created. All we are testing is on the Local LAN so don't want to get a SSL certificate from the internet.
  Also why cannot 10.7 clients trust profile and enroll Devices Properly? How do I get this working properly?
  Any ideas?
  Regards,
  Shane

  taubmas wrote:
  Not sure if its that as finally got Lion Server working on a VM setup so network shouldn't be an issue...
  Had 1 OSX Lion Server VM and 1 OSX Lion Client VM and OSX Lion Server VM gets profile and enrolls device fine but again OSX client doesn't get enroll just sits again at installing..... even if set keychain to trust and make trust profile verified..
  any other ideas? I think need to somehow get the server to trust trust profile by default instead of going to keychain all the time.
  Shane
  Did you get this to work in an ESXI envrionment? If so, which version are you running?

• OSX Server 10.8.5 (Server 2.2.1) Profile Manager

  Hello all, wondering if somebody can help.  I have a Mac Mini server (2011) running OSX Server 10.8.5 (Server 2.2.1).  I have a fully signed Certificate for the Web/OD services etc.. and its using the self assigned certificate for Profile manager.  Profile manager is running and I can add place holders for iPads, users/groups and apps etc...  Problem is the iPads running iOS6 and 7 simply will not enrol.  You goto the servers web page, then profile manager my devices and it downloads the trust certificate fine.  You click enroll and you see the browser access OTA BOOTSTRAP or something (it goes off way to quick) and does nothing.  If I try and use the Enrollment Profile I get "The Profile SECENROLL com.apple.ota blah blah blah .bootstrap could not be installed due to an unexpected error.  Can anybody help?

  Hello all, wondering if somebody can help.  I have a Mac Mini server (2011) running OSX Server 10.8.5 (Server 2.2.1).  I have a fully signed Certificate for the Web/OD services etc.. and its using the self assigned certificate for Profile manager.  Profile manager is running and I can add place holders for iPads, users/groups and apps etc...  Problem is the iPads running iOS6 and 7 simply will not enrol.  You goto the servers web page, then profile manager my devices and it downloads the trust certificate fine.  You click enroll and you see the browser access OTA BOOTSTRAP or something (it goes off way to quick) and does nothing.  If I try and use the Enrollment Profile I get "The Profile SECENROLL com.apple.ota blah blah blah .bootstrap could not be installed due to an unexpected error.  Can anybody help?

• Profile manager 3.1.2

  I am experimenting with iPads for approx 430 students so I have installed an OSX server vs 3.1.2 on Mavericks 10.9.3.
  When I try to enroll an ipad via the url https://mysite.something.etc/mydevices the ipad gets the option to enroll but after installing Remote Management successfully I go straight back to the Enroll button and in profile manager the device is only added as a place holder.
  The user has the rights to add a device in profile manager.
  The server is tied to Active Directory and the user / group accounts come from AD.
  Any ideas would be apprecaiated.
  Geoff

  Back up all data.
  Quit the Server application and drag it to the Trash, but don't empty. You'll be prompted to confirm that you want to stop all services. You won't lose any data.
  Put the app back where it was and launch it. Test.

• Profile Manager Tasks Queue up without completing

  I've got a fresh Lion server, fully-qualified, publicly-addressable DNS, brand-new SSL Cert installed and working, ready for Profile Manager.  I can enroll the iPad just fine, and it shows up in Profile Manager as a New Device.  Unfortunately, it never makes it past that point.  The initial tasks that Profile Manager performs on new devices (the "Update Info: New Device" tasks) just queue up, and never complete.  If I do anything else with the iPad (setting restrictions, attempting to lock it, etc), those tasks just get added to the end of the queue and don't go anywhere.
  I've got all the ports open for the Lion server (in fact, at the moment, I opened the firewall completely for the server).  I also opened what I believe are the relevant ports for my LAN subnets as well (though in theory, that shouldn't be necessary, since the iPads only talk to the APNS servers and shouldn't need anything special beyond that).
  Am I missing something?

  Hi Josh,
  I don't know if this fits with what you are doing!  But, instead of automatic push, try manual download of profiles.  You open profile manager/my devices in safari and log in as the user on your client machine.  From there you can enroll and download profiles.  You will have to configure the General payload for each device/group etc., to manual though on your server.
  I've found this to be the easiest option because of all the hassles with auto push etc..  This means you can reapply your firewalls and close your ports.
  LS 10.7.2 doesn't improve on any of the issues either.  Very buggy indeed!
  I hope this helps.
  Paul.