Solution: Server 3.2.1 "Invalid Profile" w/ Supervision-based Enrollment

After installing Server 3.2.1, I had been fighting an "Invalid Profile" error on Apple Configurator-supervised devices trying to auto-enroll with Profile Manager. Manual enrollment continued to work as expected. This morning, I found this gem in Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/php/mdm_enroll.php, right at the start of the handling logic in the 'try' block:
  // Bail immediately if DEP is not enabled
  $settings = GetSettings();
  if (empty($settings['dep_service_state'])) DieUnauthorized('DEP is not enabled on this server'); // We'll allow it for any non-zero value
I'm no PHP guru, nor do I have an inordinate amount of free time to try to fully understand this script and its includes, but since this appears to abort further processing if the server isn't participating in the Device Enrollment Program, I commented it out and restarted profile manager. Low and behold, my supervised devices can auto-enroll again!
I compared this file to the same one in the previous version of Server I was running and it looks to be the only change. I'm sure it's a bug caused by unintentional misplacement or hurried consideration, but it's egregious. It sure feels like every single step Apple has taken regarding device management since the introduction of Activation Lock has been carefully designed to punish businesses for not re-purchasing all of their devices through the Device Enrollment Program.

Also another place to look for this issue is in the profile manager web interface. We have an Everyone group which every user is a part of. It seems as in a recent server update they added a tick box for allowing enrolment during the setup assistant when supervised through Apple Configurator or DEP. For us, the tick box for Apple Configurator was unticked which was giving us the exact same issue with "Invalid profile."
Worth looking at your groups and checking that tick box.

Similar Messages

  • Profile Manager: Invalid profile druing supervise and Install iOS8 Devices

    Since the Update of the Mac OS X (Mavericks) Server-App to 3.2.1 we are no longer able to install Profiles on new supervised iPads with the Apple Configurator.
    Error Message on the iPad during the setup procedure "Invalid Profile".
    Before 3.2.1 and/or iOS8 this
    Any sugestions?
    Thanks
    Martin

    i tried the solution (Solution: Server 3.2.1 "Invalid Profile" w/ Supervision-based Enrollment), but the workaround did not solve my problems. The described mdm_enroll.php file is on my system, but this filed does not contain the check "if (emptyempty($settings['dep_service_state'])) DieUnauthorized('DEP isnotenabledonthisserver');".
    I found out, that there is another file called dep_mdm_enroll.php in the same folder with the the check. So i commented out the checks in this file.
    When i do no a new setup of a blank iOS 8.0.2 Device i get one step further, than before: Now the Ssetup fails when e enter the creditantials of the profile manager. The user/password combination i enter is definatley correct...
    Has someone another idea, how to continue?
    Kind Regards
    Martin

  • Unknown SQL Exception 208 occurred. Additional error information from SQL Server is included below.Invalid object name 'Webs'.

    SP 2013 Server + Dec 2013 CU. Upgrading from SharePoint 2010.
    We have a web application that is distributed over 7-8 content databases from SharePoint 2010. All but one database are upgradable. However, one database gives:
    Invalid object name 'Webs'.
    while running Test-SPContentDatabase or Mount-SPContentDatabase.
    EventViewer has the following reporting 5586 event Id:
    Unknown SQL Exception 208 occurred. Additional error information from SQL Server is included below.Invalid object name 'Webs'.
    After searching a bit, these links do not help:
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/fd020a41-51e6-4a89-9d16-38bff9201241/invalid-object-name-webs?forum=sharepointadmin
    we are trying PowerShell only.
    http://blog.thefullcircle.com/2013/06/mount-spcontentdatabase-and-test-spcontentdatabase-fail-with-either-invalid-object-name-sites-or-webs/
    In our case, these are content databases. This is validated from Central Admin.
    http://sharepointjotter.blogspot.com/2012/08/sharepoint-2010-exception-invalid.html
    Our's is SharePoint 2013
    http://zimmergren.net/technical/findbestcontentdatabaseforsitecreation-problem-after-upgrading-to-sharepoint-2013-solution
    Does not seem like the same exact problem.
    Any additional input?
    Thanks, Soumya | MCITP, SharePoint 2010

    Hi,
    “All but one database are upgradable. However, one database gives:
    Invalid object name 'Webs'.”
    Did the sentence you mean only one database not upgrade to SharePoint 2013 and given the error?
    One or more of the following might be the cause:
    Insufficient SQL Server database permissions
    SQL Server database is full
    Incorrect MDAC version
    SQL Server database not found
    Incorrect version of SQL Server
    SQL Server collation is not supported
    Database is read-only
    To resolve the issue, you can refer to the following article which contains the causes and resolutions.
    http://technet.microsoft.com/en-us/library/ee513056(v=office.14).aspx
    Thanks,
    Jason
    Forum Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Jason Guo
    TechNet Community Support

  • You cannot sign in to the Cisco Unified MeetingPlace Web Server interface using preconfigured system profiles

    Hi
    I recently upgrade tp 7.0.3  from 7.0.2.
    While upgrade i found that i am not able to login to the web server with the admin id "admin" default created in the application server.
    The same id i can login to application server  , but not in wewb server.
    I am getting the mentioned error "You cannot sign in to the Cisco Unified MeetingPlace Web Server interface using preconfigured system profiles".
    However if i create a new user in application server and tried logging with the  same in the web server it is working fine..
    is it a known behaviour wirh the upgrade or i m facing some issue.
    Hope i can find a solution here.
    Regards
    RC

    RC,
    This behavior is stemming from a change in MP 7.0 MR2 to disable the MPWeb login for system profiles.  This was an internal change made by the developers to restrict the log on to the MPWeb page by the default accounts created in MeetingPlace upon installation.  The change now displays this error when the admin account is attempted to be used for MPWeb login, as you experienced-
    Error:[22953] You cannot sign in to the Cisco Unified MeetingPlace Web Server interface using preconfigured system profiles.
    You should be able to log into MPWeb using any other user profile that you have either created manually or pulled in from LDAP/Active Directory.  You just cannot use the admin account.  This is reserved for login to the MP Application Server Administration page only.  I am going to work to get this information added to the MP 7.0 documentation with a note for changed behavior in MR2 and above.  Here is the note from MP 8.0 documentation-
    Note: You cannot use this preconfigured admin profile to access the Cisco Unified MeetingPlace Web Server interface. Instead enter the User ID and password information from one of the other user profiles that have system administrator privileges to sign in to the Web Server.
    Please let me know if you have any further questions.
    Thank You,
    Gerry

  • Report service Integration (sql 2012 and SharePoint 2013) error Report Server WMI Provider error: Invalid namespace

    Report Server WMI Provider Error: Invalid namespace
    Domain Server, Sql2012 server and SP2013 Server (3 vm servers)
    the sql server reporting services service application and applications Proxy are installed and started (SP2013 Sever)
    the sql server PowerPivot system Service and SQL server Reporting Services Service are Started (in Services on Server)
    in sql server 2012 sp1 reporting service configured (web service URL and Report Manager URL are configured and tested,  the database report server mode is native) (SQl 2012 Server)
    under general Application Settings .. trying to setup the "Reporting Service Integration" give us the above error message (Report Server WMI Provider Error: Invalid namespace)
    I was looking for all blogs and TechNet material but without success.

    Follow these steps:
    1) Uninstall SSRS from the Database Engine server (MSSQLSERVER instance).
    2) Install SSRS on the SharePoint server using the "Reporting Services - SharePoint" install option during SQL Feature selection, no other services are required (e.g. you do not need to install Database Engine services).
    3) You should then see SSRS as a Service Instance in Central Admin -> Manage Services on Server, at which point you can also create an SSRS Service Application.
    While this guide (http://msdn.microsoft.com/en-us/library/jj219068.aspx#bkmk_install_SSRS) walks you through it, this is for a single server install where the Database Engine is also installed on SharePoint, not something you want to do.
    Trevor Seward
    Follow or contact me at...
    &nbsp&nbsp
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Oracle DataBase server component is in INVALID in 10.2.0.4

    Hi
    I took full RMAN backup from production two node RAC system. Production system is in Oracle 10.2.0.3. I tried to restore the backup in another system which is single node system Oracle 10.2.0.4. I restored and recovered database successfully. When I try to do 'alter database open resetlogs' I received following error:
    RMAN-03002: failure of alter db command at 11/05/2009 08:39:10
    ORA-01092: ORACLE instance terminated. Disconnection forced
    ORA-00704: bootstrap process failure
    ORA-39700: database must be opened with UPGRADE option
    Then I started database with upgrade option.
    SQL> STARTUP UPGRADE
    SQL> @?/rdbms/admin/catupgrd.sql
    Below shows the invalid objects.
    Oracle DataBase server component is in INVALID status
    COMP_TIMESTAMP UPGRD_END 2009-11-05 11:16:45
    Oracle Database 10.2 Upgrade Status Utility 11-05-2009 11:16:45
    Component           Status      Version HH:MM:SS
    Oracle Database Server                       INVALID           10.2.0.4.0  00:11:45
    JServer JAVA Virtual Machine      VALID      10.2.0.4.0 00:02:01
    Oracle XDK           VALID      10.2.0.4.0 00:00:20
    Oracle Database Java Packages VALID      10.2.0.4.0 00:00:20
    Oracle Text           VALID      10.2.0.4.0 00:00:14
    Oracle XML Database      VALID      10.2.0.4.0 00:03:05
    Oracle Real Application Clusters             INVALID           10.2.0.4.0  00:00:01
    Oracle Workspace Manager      VALID      10.2.0.4.3 00:00:55
    Oracle Data Mining      VALID      10.2.0.4.0 00:00:34
    OLAP Analytic Workspace      VALID      10.2.0.4.0 00:00:20
    OLAP Catalog      VALID      10.2.0.4.0 00:00:55
    Oracle OLAP API      VALID      10.2.0.4.0 00:00:41
    Oracle interMedia      VALID      10.2.0.4.0 00:06:49
    Spatial           VALID      10.2.0.4.0 00:01:45
    Oracle Expression Filter      VALID      10.2.0.4.0 00:00:14
    Oracle Enterprise Manager      VALID      10.2.0.4.0 00:01:19
    Oracle Rule Manager      VALID      10.2.0.4.0 00:00:09
    How do I resolve this issue ?

    Hi Srini
    I did the following steps and could resolve Databas server invalid to valid.
    SQL>sqlplus / as sysdba
    SQL>drop table plan_table;
    SQL>@?/rdbms/admin/utlxplan
    SQL>@?/rdbms/admin/prvtspao.plb
    SQL>@?/rdbms/admin/utlrp.sql
    Oracle Database 10.2 Upgrade Status Utility 11-05-2009 16:41:55
    Component Status Version HH:MM:SS
    Oracle Database Server                    VALID      10.2.0.4.0  00:12:05
    JServer JAVA Virtual Machine VALID 10.2.0.4.0 00:02:09
    Oracle XDK VALID 10.2.0.4.0 00:00:20
    Oracle Database Java Packages VALID 10.2.0.4.0 00:00:20
    Oracle Text VALID 10.2.0.4.0 00:00:14
    Oracle XML Database VALID 10.2.0.4.0 00:03:04
    Oracle Real Application Clusters        INVALID      10.2.0.4.0  00:00:01
    Oracle Workspace Manager VALID 10.2.0.4.3 00:00:59
    Oracle Data Mining VALID 10.2.0.4.0 00:00:33
    OLAP Analytic Workspace VALID 10.2.0.4.0 00:00:21
    OLAP Catalog VALID 10.2.0.4.0 00:00:56
    Oracle OLAP API VALID 10.2.0.4.0 00:00:41
    Oracle interMedia VALID 10.2.0.4.0 00:06:52
    Spatial VALID 10.2.0.4.0 00:01:59
    Oracle Expression Filter VALID 10.2.0.4.0 00:00:16
    Oracle Enterprise Manager VALID 10.2.0.4.0 00:01:29
    Oracle Rule Manager VALID 10.2.0.4.0 00:00:09
    Is there any way can resolve ORacle Real Application Cluster Invalid

  • Virus scan server error: "No virus scan profile is selected as the "default"

    Hi Team,
    I  try to upload Fiori Code into SAP Netweaver Gateway server .
    i can able to share Project.
    But when i try to submit code
    then at the end of Process i got error message.
    Virus scan server error: "No virus scan profile is selected as the "default"
    Please Guide me
    Regards
    Pankaj Kamble
    Tags edited by: Michael Appleby

    Hi Abraham,
                 Thank you very much. My problem resolved.
    I  have one Query Please guide me.
    whenever  we run Server URL from The  Browser,   first we must need run    "chrome.exe --args --disable-web-security"  command on   CMD.   on located directory the Chrome has installed.
    to disable  web security.
    if I did not run that command on CMD,  then Fiori Apps not worked.
    Why it's compulsory to disable web security.
    Regards,
    Pankaj Kamble

  • Apple Configurator: The configuration for your iPad could not be downloaded from organisation . Invalid Profile.

    Good afternoon,
    I am really struggling with a deployment of 10 iPad Minis.
    The iPads are brand new and I have downloaded and installed Apple Configurator onto our Apple Air laptop.
    I have configured Apple Configurator in the following way:
    Under Prepared:
    Settings
    Name is ticked with 'Number sequentially starting at 1'.
    Supervision is ticked to on, Allow devices to connect to other Macs is also ticked.
    Update iOS is set to "When update is available". Erase before installing is ticked.
    Restore is set to "Don't restore backup".
    No profiles are listed in the profiles section.
    Apps
    I have copied in some appropriate apps.
    Setup
    Skip: Restore, Passcode, Siri, Touch ID, Apple Pay, App Analytics all ticked.
    I have not configured Device Enrollment.
    In "Configure Settings..." Device Enrollment is not configured.
    After preparing my iPads, they all connect and prepare correctly. When I select any iPad and unlock it, the following happens:
    Hello, slide to setup
    Select language, UK selected
    Select Your Country or Region, UK selected
    Choose a Wi-Fi Network, correct network selected and authenticated
    Location Services: Enabled
    Configuration, "<organisation> can automatically configure your iPad". Apply Configuration or Skip Configuration. Apply selected.
    Configuration, "The configuration for your iPad could not be downloaded from <organisation>. Invalid Profile.
    Apple Configurator is showing no errors, have tried Supervise>Reset, makes no difference.
    Have skipped configuration and erased iPad before trying again, same problem.
    Any suggestions would be really appreciated.

    FYI - This is an iPad user to user forum. Apple doesn't read the forum posts.
    iPad: Basic troubleshooting
    http://support.apple.com/kb/TS3274
    iTunes: Specific update-and-restore error messages and advanced troubleshooting
    http://support.apple.com/kb/TS3694
     Cheers, Tom

  • Add mobile broadband profile using netsh gives "Invalid Profile XML" error

    We're trying to create an automated installation to upgrade to 8.1 Pro soon and since we have our own APN at our provider, we'd like to add this using a script. However when I try to add my XML profile using
    netsh mbn add profile interface="Mobile broadband" name="profile.xml"
    I receive the following error: Add Profile Failure: Invalid Profile XML.
    I've found some Windows 7 topics regarding this issue, pointing at the encoded Subscriber and ICC id's in these XML files. I have already found the unencoded values with
    netsh mbn show ready * and added them to the XML file, but still no dice :-(
    This is my XML file:
    <?xml version="1.0"?><MBNProfile xmlns="http://www.microsoft.com/networking/WWAN/profile/v1">
    <Name>My Company Name</Name>
    <IsDefault>true</IsDefault>
    <ProfileCreationType>UserProvisioned</ProfileCreationType>
    <SubscriberID>123451234512345</SubscriberID>
    <SimIccID>1234123412341234567</SimIccID>
    <HomeProviderName>vodafone NL</HomeProviderName>
    <ConnectionMode>auto-home</ConnectionMode>
    <Context>
    <AccessString>custom.provider.nl</AccessString>
    <UserLogonCred>
    <UserName>username</UserName>
    <Password>p4ssw0rd</Password>
    </UserLogonCred>
    <Compression>DISABLE</Compression>
    <AuthProtocol>NONE</AuthProtocol>
    </Context>
    <DisplayProviderName xmlns="http://www.microsoft.com/networking/WWAN/profile/v2">My Company Name</DisplayProviderName>
    </MBNProfile>
    I've removed all existing mobile broadband profiles from the system, netsh mbn show profiles
    shows an empty list so it's not a naming issue. I tried removing the XML version header from the file (a lot of examples of these XML files don't have it), leaving the Subscriber and/or ICC ID empty, removed them from the XML file but nothing seems to
    work.
    Does anyone have some other suggestions?

    Hi,
    I'm sorry for have no idea with your problem. Since those methods you tried but failed, in my opinion, it would be better to use Process Monitor to capture the trace of excuting this XML file.
    Start Process Monitor, close as much unrelated process as possible, then run command to enable this XML file.
    After error occures, stop capture.
    Process Monitor:http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
    Roger Lu
    TechNet Community Support

  • Receive: "Add Profile Failure: Invalid Profile XML" error when adding WWAN profile - Windows 7

    I'm trying to import below XML profile to Windows 7 machine and no matter what profile i use (even the one it was on that computer originally it gives me an error.
    Command:
    netsh mbn add profile interface="Mobile Broadband Connection" name="test.xml"
    test.xml is in c:\temp folder.
    <MBNProfile xmlns="http://www.microsoft.com/networking/WWAN/profile/v1">
    <Name>TestProfile</Name>
    <IsDefault>true</IsDefault>
    <ProfileCreationType>UserProvisioned</ProfileCreationType>
    <SubscriberID>01.........................00000</SubscriberID>
    <SimIccID>89480............9713302</SimIccID>
    <HomeProviderName>02</HomeProviderName>
    <AutoConnectOnInternet>true</AutoConnectOnInternet>
    <ConnectionMode>manual</ConnectionMode>
    <Context>
    <AccessString>Internet</AccessString>
    <Compression>DISABLE</Compression>
    <AuthProtocol>NONE</AuthProtocol>
    </Context>
    </MBNProfile>
    Tried these steps:
    - configured the setting using UI and test connection - it worked.
    - copied that profile from path: C:\ProgramData\Microsoft\WwanSvc\Profiles to
    c:\temp and renamed it to test.xml
    - closed the connection and run command: netsh mbn delete profile interface="Mobile Broadband Connection" name=TestProfile
    - and then tried to add the profile under changed name (no profile changes made): netsh mbn add profile interface="Mobile Broadband Connection" name="test.xml"
    - received very nice message: Add Profile Failure: Invalid Profile XML
    I'm stuck, help?

    Hey,
    Got an answer. It required some debugging, but I end up finding it.
    When you add that profile, system executes a function which compares Subscription ID tag with the one it has in system already. If one is already there then overwrites the profile, if NULL adds the profile. Problem is, as soon as any of
    the profiles are configured manually to redistribute later, the Subscription ID tag is encoded. And window doesn't know how to decode it, so it fires an error. 
    The Subscription tag is an IMSI number, when you right click it on your connection and go to properties, you will see it there, 15 digits. Copy it and paste it to the XML file replacing encoded number.
    It works as a charm.
    I leave deployment methods to you... :)
    Not so happy to answer my own question, but what a heck... glad to help even one person :)

  • Afeter install ffx 4, google maps not loading: If start ffx.exe -profile , says 'missing or invalid profile '

    I installed 3.x.16 and then installed 4.0 .
    Now my google maps is not working. Main map page doesn't load.
    One suggestion was to start-run firefox.exe -profile .
    First time I did this a message came back: 'missing or invalid profile' .
    Second time no message about profile, but the google map failure persists (main map page faisl to load).
    Can you help?
    Thanks!
    [email protected]

    Thanks TreoAide....
    I Did a Reset All, Before I Got Your Post, as I Was Worried that Waiting Past the Scheduled BackUp Profile Time, Might Mess Up the BackUp Like Using BackupBuddyVFS on PalmOS.
    If You Could Clarify If There is a time Limit the Profile Needs to Be Restored By.
    Thank You For Letting Me Know Which Reset To Use, In Future, if I have Difficulties.
    All My Applications, Except One (Expess News, I think, as I accidentaly cancelled before it got to a setting window, and know says updating, or a circle turning (I Think).
    Before Reset, I Copied Photos, etc, to Laptop, After the Reset, I avoided messing about, but connected WIFI.
    At This Moment, I Have Hotsynched WIFI With Palm Desktop 6.2 Access, Contacts to Contacts, and Memos and Tasks to Echo Memos and Echo Tasks, Successfully, And I Am Currently Hotsynching nearly 8500 Appointments with Notes over a Ten Year Period, Which appears to be working and am around three quarters of the way through, and has taken a number of hours, maybe 4-6 but still a quarter left of the appointments. I Am Happy, though, because this time, Echo Appointments did not stop working after 2 or 3 k, as likely works better due to cleaned up Pre, or Improvements that were promised by Chapura for the error.
    Thanks Again, and All the Best....
    Ralph :-)
    PS Sorry for Typos.

  • Profile Manager - Why create Enrollment Profiles?

    So a similar question was asked previously:
    Why use an enrollment profile?
    I've read through it and I don't think the answers provided tell the whole story, so I'd like to ask again adding some of my own thought and clarifications on the previous thread.  This may be considered a "primer" by some - though I am certainly not the expert on Profile Manager.  I'm laying it out there to explain my understanding and off of that, ask a question.  If you are an expert, and understand how all this works, please just skip to my question below!
    First, my experience and understanding.  (I urge others to correct/clarify where they see fit):
    The previous thread attempted to make a distinction between the 3 different types of profiles:  Trust, Enrollment.and Remote Management Profiles.
    I believe the proper 3 distinctions should be: Trust, Remote Management/Enrollment, and Configuration Profiles.
    - The Trust Profile is basically a Profile (.mobileconfig file) that contains the Server Certificate that needs to be present to validate other signed Profiles.  It's a fancy way of packaging up the Root certificates.
    - The Remote Management/Enrollment Profile is a Profile (.mobileconfig file) that delivers the Remote Management "connection".  It registers the device with the Profile Manager server and facilitates the ability to use PM/APNS to push various Configuration Profiles as well as commands (wipe/lock/etc).  It is *only* called an Enrollment Profile when you explicitly create one (more on that below).  Because an Enrollment Profile does not need to exist to enroll (or rather it will use the implicit "unseen" enrollment), this is the most confusing of the 3 Profile types.  It is further confusing because the term "Profile" is used almost elusively on the device and not within Profile Manager.  In fact the "Enrollment Profile" is the only one explicitly called a "Profile" within the management interface!
    IOW: While it is not shown anywhere in Profile Manager, I believe that "Remote Management" (called a Profile on the device) is basically the *default* Enrollment Profile that is only inferred and seen when you use the Enroll function on MyDevices.  This means you don't need to create any Enrollment Profile to enroll your devices interactively via the MyDevices page.
    - The Configuration Profile is a Profile (.mobileconfig file) that delivers specific settings.  These Profiles are applied to either Users, Groups, Devices, or Device Groups.  They can be automatically pushed to an enrolled device, or they can be manually downloaded from the MyDevices page (seems to apply to User configuration only) for devices even if they are not enrolled (this would allow the end user the 'choice' to pull down settings).
    Having outlined that, the simplest steps to enrollment...:
    When you setup Profile Manager, you can go right to the MyDevices page on your device, login, and choose "Enroll." (sample device is let's say an iPad)
    Doing so will prompt you to install the "Remote Management" profile.
    Note that when enrolling in this way it does not appear necessary to install the "Trust Profile" for your server, even when using a Self-signed Cert.  It would appear that this "Remote Management" profile contains not only the SCEP Enrollment Request and the Device Management payload, but also the Certificates that would be installed with the "Trust profile"
    So we have seen here that one can enroll a device without explicitly creating any "Enrollment Profile."
    So why use an Enrollment Profile?
    Well according to https://help.apple.com/profilemanager/mac/3.1/#apd6DD5E89E-2466-4D3C-987E-A4FF05 676EB7, the answer is pretty straightforward:
    "The user does not need to authenticate or log in to Profile Manager’s user portal"
    This is a great feature.  For one, you can create an Enrollment Profile and send it via e-mail and the user doesn't need to visit a web page and login to enroll a device.  In fact, based on my experience Enrollment Profiles can't even be accessed via the MyDevices page unless you are a Server Admin.
    However, when distributing an Enrollment Profile you seemingly *must* install the Trust Profile prior to this, or you will get an error about communicating with the server.  Several docs/tutorials you can google explain how to set up your deployment systems (specifically OSX machines) to deploy systems with both the Trust and Enrollment profiles to facilitate automatic enrollment when a new system is deployed so it can instantly be managed.
    However, since a device that is already deployed will/may not have the Trust Profile installed, one would have to visit the MyDevices page to install that prior to being able to import a delivered Enrollment Profile.  Because of that it seems that from a distribution approach (as opposed to a deployment scenario) there is not much advantage of using an explicit Enrollment Profile anyway since we already need to visit the MyDevices page to get the Trust Profile, we might as well just use the standard MyDevices implicit Enrollment.
    All devices that have enrolled themselves via a defined/explicit Enrollment Profile will be listed under that Profile in Profile Manager.  Devices that have enrolled via MyDevices will not be listed under any Profile, but rather just under Devices (where *all* devices will be shown regardless of how they enrolled).
    So, now the questions:
    So, the idea of an Enrollment Profile makes perfect sense - it is basically the only way to create an exportable profile that can be distributed and configured to automatically enroll a device without interactive enrollment via the MyDevices page.
    What I don't get is WHY is there the ability to create multiple Enrollment Profiles rather than simply providing a default exportable profile?
    The reason it makes no sense to me is there is absolutely no correlation (that I can deduce) between an Enrollment Profile and the devices that used it to enroll.  While I can see a (non-exportable) list of each device enrolled via each Enrollment Profile, it ends there.  I can't, for instance, create Configuration Settings that I link to an Enrollment Profile.  Or dynamically populate a Device Group with all devices enrolled from a specific Enrollment Profile.  If I could do these things, it might make sense to me and I have spent much time looking at the interface and scouring documentation to see where the connection is.  I have simply determined that there isn't one.
    I can go ahead and create several Enrollment Profiles such as:
    iPads
    Lab Systems
    Main Office Systems
    High Security Systems
    And I can deploy these Profiles (either via mail/file or via initial deployment) to the respective devices.  I can then see under each Profile which devices enrolled.  But, since I can't actually do anything to correlate those systems to a configuration, why would I want to do this segregation?  Sure it gives me a listing of iPads apart from OSX machines, but I can't do anything with this listing!
    Now, of course, I can still pre-stage devices and add them into particular device groups so that as soon as they are enrolled (via any Enrollment Profile) they will get the Configuration Profile(s) attached to them.  This makes the inclusion of multiple Enrollment Profiles even more suspect.
    Am I missing something?  Can someone enlighten me as to what the purpose of creating more than one Enrollment Profile would be?
    We can easily say "Well it's not hurting having them there" but, in terms of complexity and confusion I believe it is.  Had they simply provided a single Enrollment Profile ("Remote Management") that was downloadable/exportable it would have been sufficient.
    Thoughts?

    So a similar question was asked previously:
    Why use an enrollment profile?
    I've read through it and I don't think the answers provided tell the whole story, so I'd like to ask again adding some of my own thought and clarifications on the previous thread.  This may be considered a "primer" by some - though I am certainly not the expert on Profile Manager.  I'm laying it out there to explain my understanding and off of that, ask a question.  If you are an expert, and understand how all this works, please just skip to my question below!
    First, my experience and understanding.  (I urge others to correct/clarify where they see fit):
    The previous thread attempted to make a distinction between the 3 different types of profiles:  Trust, Enrollment.and Remote Management Profiles.
    I believe the proper 3 distinctions should be: Trust, Remote Management/Enrollment, and Configuration Profiles.
    - The Trust Profile is basically a Profile (.mobileconfig file) that contains the Server Certificate that needs to be present to validate other signed Profiles.  It's a fancy way of packaging up the Root certificates.
    - The Remote Management/Enrollment Profile is a Profile (.mobileconfig file) that delivers the Remote Management "connection".  It registers the device with the Profile Manager server and facilitates the ability to use PM/APNS to push various Configuration Profiles as well as commands (wipe/lock/etc).  It is *only* called an Enrollment Profile when you explicitly create one (more on that below).  Because an Enrollment Profile does not need to exist to enroll (or rather it will use the implicit "unseen" enrollment), this is the most confusing of the 3 Profile types.  It is further confusing because the term "Profile" is used almost elusively on the device and not within Profile Manager.  In fact the "Enrollment Profile" is the only one explicitly called a "Profile" within the management interface!
    IOW: While it is not shown anywhere in Profile Manager, I believe that "Remote Management" (called a Profile on the device) is basically the *default* Enrollment Profile that is only inferred and seen when you use the Enroll function on MyDevices.  This means you don't need to create any Enrollment Profile to enroll your devices interactively via the MyDevices page.
    - The Configuration Profile is a Profile (.mobileconfig file) that delivers specific settings.  These Profiles are applied to either Users, Groups, Devices, or Device Groups.  They can be automatically pushed to an enrolled device, or they can be manually downloaded from the MyDevices page (seems to apply to User configuration only) for devices even if they are not enrolled (this would allow the end user the 'choice' to pull down settings).
    Having outlined that, the simplest steps to enrollment...:
    When you setup Profile Manager, you can go right to the MyDevices page on your device, login, and choose "Enroll." (sample device is let's say an iPad)
    Doing so will prompt you to install the "Remote Management" profile.
    Note that when enrolling in this way it does not appear necessary to install the "Trust Profile" for your server, even when using a Self-signed Cert.  It would appear that this "Remote Management" profile contains not only the SCEP Enrollment Request and the Device Management payload, but also the Certificates that would be installed with the "Trust profile"
    So we have seen here that one can enroll a device without explicitly creating any "Enrollment Profile."
    So why use an Enrollment Profile?
    Well according to https://help.apple.com/profilemanager/mac/3.1/#apd6DD5E89E-2466-4D3C-987E-A4FF05 676EB7, the answer is pretty straightforward:
    "The user does not need to authenticate or log in to Profile Manager’s user portal"
    This is a great feature.  For one, you can create an Enrollment Profile and send it via e-mail and the user doesn't need to visit a web page and login to enroll a device.  In fact, based on my experience Enrollment Profiles can't even be accessed via the MyDevices page unless you are a Server Admin.
    However, when distributing an Enrollment Profile you seemingly *must* install the Trust Profile prior to this, or you will get an error about communicating with the server.  Several docs/tutorials you can google explain how to set up your deployment systems (specifically OSX machines) to deploy systems with both the Trust and Enrollment profiles to facilitate automatic enrollment when a new system is deployed so it can instantly be managed.
    However, since a device that is already deployed will/may not have the Trust Profile installed, one would have to visit the MyDevices page to install that prior to being able to import a delivered Enrollment Profile.  Because of that it seems that from a distribution approach (as opposed to a deployment scenario) there is not much advantage of using an explicit Enrollment Profile anyway since we already need to visit the MyDevices page to get the Trust Profile, we might as well just use the standard MyDevices implicit Enrollment.
    All devices that have enrolled themselves via a defined/explicit Enrollment Profile will be listed under that Profile in Profile Manager.  Devices that have enrolled via MyDevices will not be listed under any Profile, but rather just under Devices (where *all* devices will be shown regardless of how they enrolled).
    So, now the questions:
    So, the idea of an Enrollment Profile makes perfect sense - it is basically the only way to create an exportable profile that can be distributed and configured to automatically enroll a device without interactive enrollment via the MyDevices page.
    What I don't get is WHY is there the ability to create multiple Enrollment Profiles rather than simply providing a default exportable profile?
    The reason it makes no sense to me is there is absolutely no correlation (that I can deduce) between an Enrollment Profile and the devices that used it to enroll.  While I can see a (non-exportable) list of each device enrolled via each Enrollment Profile, it ends there.  I can't, for instance, create Configuration Settings that I link to an Enrollment Profile.  Or dynamically populate a Device Group with all devices enrolled from a specific Enrollment Profile.  If I could do these things, it might make sense to me and I have spent much time looking at the interface and scouring documentation to see where the connection is.  I have simply determined that there isn't one.
    I can go ahead and create several Enrollment Profiles such as:
    iPads
    Lab Systems
    Main Office Systems
    High Security Systems
    And I can deploy these Profiles (either via mail/file or via initial deployment) to the respective devices.  I can then see under each Profile which devices enrolled.  But, since I can't actually do anything to correlate those systems to a configuration, why would I want to do this segregation?  Sure it gives me a listing of iPads apart from OSX machines, but I can't do anything with this listing!
    Now, of course, I can still pre-stage devices and add them into particular device groups so that as soon as they are enrolled (via any Enrollment Profile) they will get the Configuration Profile(s) attached to them.  This makes the inclusion of multiple Enrollment Profiles even more suspect.
    Am I missing something?  Can someone enlighten me as to what the purpose of creating more than one Enrollment Profile would be?
    We can easily say "Well it's not hurting having them there" but, in terms of complexity and confusion I believe it is.  Had they simply provided a single Enrollment Profile ("Remote Management") that was downloadable/exportable it would have been sufficient.
    Thoughts?

  • Unable to activate Client Profile within Client-Based Groupware Integration

    Experts - Please help us!
    We are trying to activate a new Client Profile wiithin Client Based Groupware Integration. We are receiving an error message that 
    "Multiple profiles not allowed for same role, country, language combination."
    We believe we are receiving this message because there was an incomplete profile already saved in this table. We can not move forward without completing that record, however it is not editable for us.
    Has anyone run into this problem before? Any ideas how we can move forward? I would appreciate any information anyone is able to provide.
    Thank you!
    Jami Shircel

    I have one idea If you want to do this for your future records then you should create a specific transaction type meant only for GWI and assign it to groupware spro settings and that transaction type should not be used from SAP CRM WebUI. In this way all the appointment/task created in Outlook have that special TType and can be differentiated from others. Will that be of any use ?
    Rgds,
    Shobhit

  • Select AVC profile on WLC based via ACS

    Hi there
    I just saw the AVC feature in WLC version 7.4.100.0 and wonder, if there is a possibility to select a AVC profile per user, based on it's RADIUS authentication via ACS.
    For example:
    - A user in group teacher can access youtube on SSID A
    - A user in group student can not access youtube on SSID A
    Thanks a lot in advance and best regards
    Dominic

    Well I don't know if this will come in the future for ACS or ISE, but in order for this to work also in other radius servers, it would have to be a new radius standard attribute others have to implement and also the WLC would have to be able to see that attribute. So if its anytime soon, well.... Maybe not:)
    Sent from Cisco Technical Support iPhone App

  • Server 2012 R2 RDS, User Profile Disks are created but local profiles are created as well. The UPDs aren't mounting correctly.

    2012 R2 RDS Deployment with RDCB HA and UPDs enabled. Everything was working fine with no issues until users started getting temporary profiles. Around the same time UPDs were being created but at the same time a user profile was created in C:\Users. 
    I actually rebuilt the entire RDS configuration except the SQL Server. It took about 5 hours and was not that big a deal but.... we still have the same issue! 
    Does anybody have the solution for this?

    Hi,
    In most cases, the issue is caused by locked UPD. And the workaround is to log off the user. Please check if it is the case.
    For example:
    RDS user profile disks - getting error temporary profile are being used as UPD are not accessible
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/0d4b66fc-b53f-435e-b036-142b6ed15d0b/rds-user-profile-disks-getting-error-temporary-profile-are-being-used-as-upd-are-not-accesible?forum=winserverTS
    Also, please check if you will get the temporary profile when logging on with a local account of the session host server.
    If issue persists, please check if there is any related error in Event Viewer and provide us for further research.
    Hope this helps.
    Jeremy Wu
    TechNet Community Support

Maybe you are looking for

  • Adobe Media Encoder CS6 trial...  AMT Subsystem Error

    I downloaded CS6 yesterday and Friday (pretty much all day both days) and now recieve a message that the program that downloaded it must be opened before CS6 will open.  I only understand that Download Assistant was involved.  Please explain as I don

  • Lost messages in Mail?

    Hello, I just realized my Mail has not sent all the message I wrote this morning between 8am and 11am! people have not received them. The messages are not in the Sent forlder, neither in the Drafts, or Spam, or Trash. They just deseappeared them! one

  • How to convert iDocs in flat format to Xml

    Hi, I'm getting iDocs in my .NET application using the SAP .NET Connector. But SAP Connector I receive the iDocs in flat format that is very difficult to read, it would be much easier if I had them in xml format. Do you know an easy way for transform

  • What's the max RAM for W500?

    Does anyone know the max RAM a W500 can take? W500 T9900 8GB + TBs imageries

  • Reports to Powerpoint

    I am trying to dump reports to powerpoint but in only dumps one word per slide using Desformat=rtf and mimetype application/ppt HELP Thank you