Unable to push profile manager to Macbooks

Similar Messages

• Firefox will not launch, unable to open profile manager.

  When I try to open Firefox, my (taskbar?) shows that firefox is trying to open, but then it disappears, does not open, and no error message is visible. I am unable to access the profile manager via terminal as directed on the troubleshooting guides.

  I don't think you did anything wrong.   You have the same symptoms that a number of us have seen.  Looks like a bug.  I am guessing that the beta testers for Lion Server were mostly power users that didn't make many changes through the new server.app.  Those of us that are rookies that are trying to setup home servers for iTunes, software updates, etc. are running into problems with the set-up.  No solutions that I am aware of have been found yet.

• Unable to push user profiles to AD groups with Profile Manager since upgrade to Server v3

  Since upgrading our OS X Mac server from 10.8.5 to 10.9.1, and OS X Server app to v3 (now 3.0.2) I have been unable to push or modify user profiles to AD groups (or AD users) using Profile Manager. This was working fine on OS X 10.8.5. Pushing device profiles is still working OK after the upgrade.
  From what I can see from the logs on the client side and server side, it seems related to a problem with the mdm authtoken.
  In the client console I can see this entry:
  27/01/14 14:30:15.844 mdmclient[38557]: *** ERROR *** [Agent:636102071] Unable to proceed with connection to: https://ourserver.ourdomain/devicemanagement/api/device/mdm_connect (com.apple.mdmconfig.mdm) because don't have valid MDM AuthToken
  On the server, in the php.log I can see the corresponding attempt to authenticate:
  1::Jan 27 14:29:50.930 [158] <192.168.28.171> {require_once (mdm_checkin.php:11)} vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv - PUT mdm_checkin
  0::Jan 27 14:29:50.931 [158] <192.168.28.171> checkin: 'UserAuthenticate'
  1::Jan 27 14:29:50.936 [158] <192.168.28.171> {Target_for_incoming_request (target.php:209)} Found target NETWORK LS: <User[156]@ourclientmachine>
  0::Jan 27 14:29:50.937 [158] <192.168.28.171> {LabSession_validate_auth_token (mdm_checkin.php:22)} Failed auth for target NETWORK LS: <User[156]@Device[1697]>, incoming_request={
  0::Jan 27 14:29:50.937 [158] <192.168.28.171>   'MessageType'=>'UserAuthenticate',
  0::Jan 27 14:29:50.937 [158] <192.168.28.171>   'UDID'=>'17aff5c5a40f51acbbd78023d0028c80',
  0::Jan 27 14:29:50.937 [158] <192.168.28.171>   'UserID'=>'A5EA25B7-7CCD-4EF4-B240-F23DED275EEC'
  0::Jan 27 14:29:50.937 [158] <192.168.28.171> }
  1::Jan 27 14:29:50.965 [158] <192.168.28.171> {SendFinalOutput (mdm_checkin.php:145)} Sent Final Output (407 bytes)
  1::Jan 27 14:29:50.965 [158] <192.168.28.171> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - /devicemanagement/mdm/mdm_checkin
  0::Jan 27 14:29:50.965 [158] <192.168.28.171> {SendFinalOutput (mdm_checkin.php:145)} Completed in 34ms | 200 OK [https://ourserver.ourdomain/devicemanagement/api/device/mdm_checkin]
  So I can see there is a failure to authenticate, but don't really know how to troubleshoot this further. Or maybe this is just a bug in the new server app?
  I have tried to remove and re-enroll clients in Profile Manager but no joy there.
  In the client's Keychain I can see an MDM user AuthToken linked to the correct user account.
  Thanks in advance for any help or suggestions

  I just wanted to update my post, as this issue for me is resolved.
  I uninstalled and reinstalled the Server.app on our Mac server, since then I've been able to push profiles to AD Users and Groups. I guess that in my case the Server app got into a bit of a mess when it was upgraded to v3.
  Now the next headache I have is that my AD Groups which are displayed in Profile Manager are not syncing any recent changes. I think I'm probably seeing the same issue as described in this post
  https://discussions.apple.com/message/25420919#25420919

• Push lock function Profile Manager not working

  Hello,
  I came to a problem setting up a test server 10.8.2 (before future deploy) and in this case i follow the example described at krypted (thanks Charles)
  http://krypted.com/iphone/configuring-using-profile-manager-2-in-os-x-mountain-l ion-server/ (also checked OS X Lion Server Essentials information)
  Setup Mini server and Macbook as client (in our AD/OD environment) the correct ports are open - check changeip -checkhostname is OK
  - use a self signed certificate - push changes works - until i will lock the mac, this failed. (in profile manager and my devices)
  When I look in the log file I see this message:
  Nov 14 11:30:06 srv-mac2.server.local ruby[12665] <Info>: Pruning certificate chain to 18446744073709551615
  Nov 14 11:30:06 srv-mac2.server..local ruby[12665] <Debug>: Trying to add a bogus certificate
  Nov 14 11:30:06 srv-mac2.server..local ruby[12665] <Debug>: An error occured while inserting an untrusted certificate into the chain
  Nov 14 11:30:06 srv-mac2.server..local ProfileManager[12665] <Info>: Pushed to <Device:"mlp-auto-001"> with token Nl6Ed4FOOR4fmFKJXiEMfGgvDQnyeCBHK09ctY5qQMI=, {"mdm":"","time":"1352889006.442850"}
  Nov 14 11:30:09 srv-mac2.server..local ProfileManager[12401] <Info>: Processing MagicController#do_magic (for 10.136.73.100 at 2012-11-14 11:30:09) [POST]
  Nov 14 11:30:09 srv-mac2.server..local ProfileManager[12401] <Info>: Completed in 243ms (View: 0, DB: 37) | 200 OK [https://srv-mac2.server.local/magic/do_magic]
  Nov 14 11:31:08 srv-mac2.server..local ProfileManager[12402] <Info>: Processing MagicController#do_magic (for 10.136.73.100 at 2012-11-14 11:31:08) [POST]
  Nov 14 11:31:08 srv-mac2.server..local ruby[12402] <Info>: Pruning certificate chain to 18446744073709551615
  Nov 14 11:31:08 srv-mac2.server..local ruby[12402] <Debug>: Trying to add a bogus certificate
  Nov 14 11:31:08 srv-mac2.server..local ruby[12402] <Debug>: An error occured while inserting an untrusted certificate into the chain
  Nov 14 11:31:08 srv-mac2.server..local ProfileManager[12402] <Info>: Pushed to <Device:"mlp-auto-001"> with token Nl6Ed4FOOR4fmFKJXiEMfGgvDQnyeCBHK09ctY5qQMI=, {"time":"1352889068.171044","mdm":""}
  I guess (but I'm not sure) the problem with lock had something do with this:
  Nov 14 11:30:06 srv-mac2.server.local ruby[12665] <Info>: Pruning certificate chain to 18446744073709551615
  Nov 14 11:30:06 srv-mac2.server..local ruby[12665] <Debug>: Trying to add a bogus certificate
  Nov 14 11:30:06 srv-mac2.server..local ruby[12665] <Debug>: An error occured while inserting an untrusted certificate into the chain
  So works the "lock" only with proper certificates? or is there something else not setup properly?
  (the lock function  is not imported for me but gives this error mayby more problems (now or in the future))
  thanks
  Peter

  the device logs gets 500 error code, you van see this in iphone configuration utility or in apple configurator.
  as follows in console:
  "US Desc: A transaction with the server at “https://server.com/devicemanagement/api/device/connect” has failed with the status “500”.
  Domain : MCHTTPTransactionErrorDomain
  Code   : 23001
  Type   : MCFatalError

• How do I push VPP managed apps to devices using Profile Manager silently?

  Here is my setup.
  100 to 150 Ipads in carts used by their departments in classrooms.
  OSX Mavericks Server running Profile manager
  I use Apple Configurator to push a wifi payload to the ipads as well as an auto enrollment profile to connect to Profile Manager.
  That part works like a dream.
  Now that I have that working. I am having a problem pushing apps to the Ipads. I downloaded some free apps, GDrive for example, using the managed distribution.
  But I cannot figure out how to push the apps to the iPads without having the iPads asking for an Apple ID and password.
  I just want to push VPP apps to the iPads silently.
  Thanks for any help.

  Sorry. Added this to the wrong section.

• Can I restrict OS version upgrades for client MacBook Airs through Profile Manager?

  Hello everyone,
  We have all our employees MacBook Airs (all on 10.9.3+) enrolled on Profile Manager as a group. When Mavericks first came out early adopters caused us no end of problems trying to work between 10.9 and those still on 10.8.
  We now have the Server App (3.1.2) running on our server (a Mac Mini running on OS X 10.9.4). Is it possible to restrict a group from installing the next OS X  release (I can't mention its name or Apple takes the question down as it's not released yet) through Profile Manager? We can restrict access to the App Store but this is too general for us as people still need to be able to update Apps just not OS version updates.
  Thanks,

  If your users are plain users, they can't install anything without Admin access.
  If your Users have Admin access, they can bypass anything, including whatever you THINK you gave them as restrictions with Profile Manager.

• Profile Manager, Push, Kerberos and other oddities

  Hey all,
  First time setting up a Mac Server on our network, thought we'd give Lion a try since we're seeing more and more Macs make their way into our ranks. I'm having issues with the following areas, hopefully someone could shed some light.
  Push
  I can't for the life of me get push to work behind our Firewall. I opened up TCP Port 5223 as outlined in the Apple Docs but that doesn't get me anywhere. Do I need to NAT that port to the lion server? I thought that push sent notifications down to individual machines and then they went and grabbed the new config from the server? How does a firewall with NAT know what machine to send the notification to? Any help would be appreciated.
  Also, what are you supposed to manage users with, the Work Group Manager or the Profile Manager. It seems like apple is moving away from the WGM style of management, although you can't do everything in PM, like setting up home folders etc. Very confusing to a novice.
  Email Addresses in Profile Manager configurations and Webmail.
  I might be missing something really simple here, but no matter what I do the Profile Manager spits out a default payload for email with our FQDN as the email address for the user ([email protected]). I have set the local alias and checked the checkbox to allow our example.com domain to work. Manually setting the email address to [email protected] works just find. I'm a bit bothered that everytime I push a configuration out to a device I'll have to go back in and manually change the email address. Has anyone figured out how to change that?
  In webmail it always lists the email address as [email protected] instead of [email protected]. You can go in and edit the identity and all is right with the world, but that's sort of a pain? Seems like common sense that you could set that as the default.
  Kerberos
  I was excited to get a Single Sign On solution going for our users since it would come in handy, however, straight out of the box it just doesn't work.I'm also not sure what to look for in the logs to make sure that things are working smoothly. I'm joinging the client machines to the server by going into users and clicking join. Selecting the server from the drop down and hitting submit. Do I have to set up a search order and all that jazz or is that set up automatically then.  I can see that I'm getting tickets with the Ticket Viewer but I'm still getting prompted for passwords in mail, ichat, AFP etc. Close to giving up on that front.
  Any help or general words of encouragement appreciated. 

  Push
  You've opened the secure iChat port to have push notifications working? Take a look here for the right ports:
  http://help.apple.com/advancedserveradmin/mac/10.7/#apdCA9A73CE-5F0C-4BDC-93E8-2 952C362FA3E.
  On that page are all port numbers you need to forward to your server.
  Email
  The addresses being displayed as [email protected] is a bug in Lion Server in my opinion, you can file a bug report at apple.com/feedback.
  Kerberos
  Is as poorly documented as invisible in OS X Lion Server. Single Sign-On is a great tool for making services more user-friendly, it should be top of mind at Apple. You can file an enhancement request at apple.com/feedback.
  Regards,
  Mark

• Push one new app and Profile Manager resends them all; turn this off?

  I manage the ipads for a medium sized school district. We're using Apple Configurator on Maverics to manage about 700 ipads most of which have been updated to iOS7 and supervised manually through the mini that functions as our MDM and server.
  So average day: a teacher requests a new app to be pushed out to the 30 ipads that are in one of the shared ipad carts. I have all the ipads in a device group in profile manager, so I go out to itunes, download the app, upload it to profile manager and add it to the device group, hit save, and I can see that a new active task has begun pushing that app out to all the devices in the cart.
  The active task used to just say "Push Apps to [device group] 30 of 30 in progress: [#] succeded" 30 copies of an app, one for each of 30 devices. Totally normal.
  Now since the update to iOS7/Maverics when I send one app to one cart configurator is erasing EVERY app on that cart and resending them ALL. So now the active task in the same situation looks like "Push apps to [device group] __ of 538; [#] succeded." Where the 538 is the total number of apps on all 30 ipads.
  As you can imagine this is a bit of a mess. Not only does it bring the mac server to its knees, but it makes the ipads in question useless until the apps have all redownloaded-- which can take hours, if not days, depending on other network traffic. At the very least with iOS7 one doesn't have to hit "confrim" on each app install, but still, small consolation there.
  Is there a way to turn this weird behavior off? Are other people experiencing this? Is it just a horrible bug that someone is planning to fix very soon?
  Any insight is much apreciated!

  Here are the places to report bugs:
  Get an account at
  http://developer.apple.com/  then submit a bug report to http://bugreporter.apple.com/
  Developers:
  "Submitting Bugs and Feedback
  Your feedback goes a long way towards making our products even better. With Apple Bug Reporter, you can submit bug reports or request enhancements to APIs and developer tools."
  https://developer.apple.com/bug-reporting/
  Enterprise support:
  Call enterprise support  (866) 752-7753  to create  a case ID number

• Profile manager w/o Apple Push Certification

  Hello all.
  Is it possible to use Profile manager without using Apple Push Certification?
  The Mac Pro running Lion Server has no Internet access but i want to use it to manage network accounts for the lab (all iMac and Mac Mini systems).
  Can this be done or do I need to use Workgroup Manager?
  Cheers

  No.  You can still create and distribute profiles but not through a push solution.  Look at MCX in WGM or even Apple Configurator and manually distribute.
  If this is a lab with no internet, how much change management do you need?

• Why do I keep getting "Error getting push certificate" when trying to enable Profile Manager

  I keep getting this stupid error message!  The Stupid Workgroup manager doesn't work! Won't allow me to do anything!  What is the point in that! Sorry, just having a rant as I have just purchased this server which I can't do anything with.  Can't get Profile Manager working because I keep getting error getting push certificate and cannot associate any user with a group.  I can delete groups and users from AD but just wont allow me to create anything.  The padlock is open so am authenticated.  WHAT IS GOING ON WITH APPLE!

  And do you know what is really sad, 3 hours later and I am still waiting for a confirmation email from Apple.  No wonder the UK use mostly Windows!

• Push profile with profile manager to two users on one mac

  I have been testing profile manager today. Very interesting setup.
  Unfortunately I ran into one problem:
  I have a profile for a group setup as a push profile.
  Two users of the group use the same mac.
  So I logged in as the first user, browsed to .../mydevices and installed the trust profile. Then I clicked enroll to enroll the Mac.
  Then I did the same with the second user on the same Mac.
  So far so good.
  When I log in again as the first user, the Mac isn't enrolled anymore. Strange but I went on.
  I made a change to the profile with Profile Manager on the server. I saved the settings and checked Active Tasks to see wether it pushed the settings.
  Displayed: Push Settings 1 of 2 in progress; 1 succeeded. first user sending, second user succeeded.
  Then I enrolled the mac with the first user again. Then the task completes completely. But when I make a change to the profile again and push the new profile, the same problem occurs: the user last enrolled the mac gets the updated profile. The other user will not get the update.
  Hopefully this wil be fixed in a next update.
  Anyone got this working the right way / workaround?

  Do not use a network or local user to "enroll" a device. Create a Enrolment profile in profile manager I have found that the way you are doing this will work fine. However I am having the problem that now that I have a OD with 350+ users with 100+ devices profile manager cannot keep up and cannot push the settings fast enough or just hangs on user profiles but not device profiles......

• Pushing App Updates through Profile Manager

  We are currently using Lion Server's builtin Profile Manager to manage a variety of iPads. I have been able to use it to push out new apps to the end users however I have not figured out a way to push out app updates. Is this possible?
  For example our student iPads have Evernote ver. 4.1.9 currently installed. I would like to upgrade them to ver. 4.4.0. If I delete the the current Evernote app from the iPad I am able to then push the updated version. If I try to simply overwrite it the task appears to have worked from the view of the Profile Manager but the new version of the app is not installed on the iPad.
  Any help is greatly appreciated.

  I found the problem.  The device group that the laptop in question was assigned to also has an option for fast user switching that was not enabled.  I enabled it there and the problem was resolved.

• Self-Published iBook Profile Manager Push?

  Is there a way to push a self-published iBook through the 10.7 Profile Manager to deliver it to iPads/iPods? If so, how?

  I've solved my own issue, but hope this helps someone else.
  On opening the following ports suddenly the queue vanished and all pending actions were pushed.
  5223
  2195
  2196
  443
  I'm imagining it was something to do with APN requiring these ports.

• Pushing Paid apps via 10.8 Profile Manager (working solution!)

  Hello,
  It seems the profile manager solution leaves a lot to be desired. I am quite disappointed there are several limitations that make the software a real deal breaker for it's price. The number one issue other than black/white listing non productive apps is of course, the PAID app Deployment. One would think they would totally OWN this process, but as they have done so many times before, left it up to a 3rd party solution. THANKS @pPl3! only no thanks.
  Well I have created a solution that I believe works and would like to share it with everyone.
  The model is simple, use Apple configurator to image and deploy the devices, and then manage them via Profile manager with 1 shared apple ID
  1. The Master iPad we used was configured with 1 apple id:[email protected]. We set up all the Free applications we liked with our settings inputted. We then deleted any unique information such as usernames, wifi networks, etc. so it's a clean image with some custom configuration. We then connected to Apple configurator and created a back up.
  2. We loaded any Free apps we wanted preinstalled into the Apple Configurator software and then when prompted used the same apple id as the ipad:[email protected]. These free apps were downloaded through itunes on the server using the same apple id. We also added one profile to be loaded, the trust profile and also have a web clip taking us to the "Enroll Device" page on
  3. We then connected a brand new ipad, choose to wipe and restore from back up along with updating to the newest IOS. After that configured Wifi and Enrolled the device to the Profile manager server. Then added the device to the proper groups to get policy information downloaded.
  4. Now the paid app Test, we purchased one application on the OSX Server's itunes. In order to be compliant with the test, we only purchased one licence, therefore we could only push it out to one device. We uploaded the App into the profile manager and deployed OTA to one of the iPads.
  5. We accepted the install and then the App loaded and was able to launch. We removed it and the pushed it to another device freshly configured by profile manager, it worked as well.
  6. For future purchases we use the VPP, buy as many apps as we want but only redeem ONE of the codes on the osx server, using the same apple ID as before. We then upload it to profile manager and deploy it to as many devices as we are licensed to.
  The only problems I can imagine:
  1. If apple doesn't like it, I am under the opinion we are not breaking any licensing compliance. We still have the apps paid for and legally have the licensing for auditing purposes.
  2. IF after 10 devices the apple id starts giving us issues. I read there is a limit but it appears the options to manage your devices has been removed from itunes which makes me think, No this will never happen.

  Wonder what went wrong...
  Also do you find another solution?
  Right I am looking at three companies that run on the OSX server.
  Absolute Manage
  nuVizz enterprise MDM
  FileWave

• Profile management push setting always sending

  Hello everyone.
  I'm newbie for mac administrator. I was configure my mac mini server and looks like works. But i've a problem with profile management. It's always sending.
  When the task is complete, the device is not included in the devices list. In the user portal for enroolment device, it's not shown wipe and lock options. Just the server can be shown in device list in profile manager.
  I'm use mac mini server with OSX mountain lion 10.8.2, and my clients running 10.8.3 and 10.7.2.
  Anyone heeelpp mee~~

  Push
  You've opened the secure iChat port to have push notifications working? Take a look here for the right ports:
  http://help.apple.com/advancedserveradmin/mac/10.7/#apdCA9A73CE-5F0C-4BDC-93E8-2 952C362FA3E.
  On that page are all port numbers you need to forward to your server.
  Email
  The addresses being displayed as [email protected] is a bug in Lion Server in my opinion, you can file a bug report at apple.com/feedback.
  Kerberos
  Is as poorly documented as invisible in OS X Lion Server. Single Sign-On is a great tool for making services more user-friendly, it should be top of mind at Apple. You can file an enhancement request at apple.com/feedback.
  Regards,
  Mark