WPA2 problems with profile management

Similar Messages

• Problem with profile manager  lion server

  Good evening opening profile manager lion servers seem to me these 2 errors:
  1 SC.Error: sc4011: lengths of pendingStoreQueryPairsguidsFromRemoteand did not match!
  2 SC.Error: sc4012: lengths of pendingStoreQueryPairsguidsFromRemoteand did not match!
  How do I delete these 2 errors that I deny the use of profilemanager?

  Heres a follow up.
  As you can see.
  the enrolment profile should push through since the trust profile is already verified.
  Here are the screenshots of my device enrolment;
  then,
  I honestly dont know why...;-(

• Push profile with profile manager to two users on one mac

  I have been testing profile manager today. Very interesting setup.
  Unfortunately I ran into one problem:
  I have a profile for a group setup as a push profile.
  Two users of the group use the same mac.
  So I logged in as the first user, browsed to .../mydevices and installed the trust profile. Then I clicked enroll to enroll the Mac.
  Then I did the same with the second user on the same Mac.
  So far so good.
  When I log in again as the first user, the Mac isn't enrolled anymore. Strange but I went on.
  I made a change to the profile with Profile Manager on the server. I saved the settings and checked Active Tasks to see wether it pushed the settings.
  Displayed: Push Settings 1 of 2 in progress; 1 succeeded. first user sending, second user succeeded.
  Then I enrolled the mac with the first user again. Then the task completes completely. But when I make a change to the profile again and push the new profile, the same problem occurs: the user last enrolled the mac gets the updated profile. The other user will not get the update.
  Hopefully this wil be fixed in a next update.
  Anyone got this working the right way / workaround?

  Do not use a network or local user to "enroll" a device. Create a Enrolment profile in profile manager I have found that the way you are doing this will work fine. However I am having the problem that now that I have a OD with 350+ users with 100+ devices profile manager cannot keep up and cannot push the settings fast enough or just hangs on user profiles but not device profiles......

• Setting apn with Profile Manager

  apn profiles in Profile Manager seemes malformed.
  This is a snippet of how it looks when downloaded from Profile Manager:
  <dict>
            <key>DefaultsData</key>
            <dict>
                      <key>apns</key>
                      <array>
                                <dict>
                                          <key>apn</key>
                                          <string>mytestapn</string>
                                          <key>proxy</key>
                                          <string></string>
                                          <key>proxyPort</key>
                                          <string></string>
                                </dict>
                      </array>
            </dict>
  </dict>
  <dict>
            <key>DefaultsDomainName</key>
            <string>com.apple.managedCarrier</string>
  </dict>
  when I create a .mobileconfig file with IPCU, the xml looks like this:
  <dict>
            <key>DefaultsData</key>
            <dict>
                      <key>apns</key>
                      <array>
                                <dict>
                                          <key>apn</key>
                                          <string>mytestapn</string>
                                          <key>proxy</key>
                                          <string></string>
                                          <key>proxyPort</key>
                                          <integer></integer>
                                </dict>
                      </array>
            </dict>
            <key>DefaultsDomainName</key>
            <string>com.apple.managedCarrier</string>
  </dict>
  that is, in profile Manager, DefaultsDomainName key is contained within its own dict tag, and in IPCU it is located together with the DefaultsData key.
  when I try to deploy the profile to a device using profile manager, the job failed with MCPayloadErrorDomain
  Has anyone had any luck on setting apn settings with Profile Manager?

  Just updated OSX - problem solved

• Blocking Applications with Profile Manager

  At my workplace we recently upgraded to mountain lion and are attepting to use profile manager. After configuring a simple profile and pushing to a test device running 10.7 i decided to further test, i attepted blocking application with parental controls with profile manager through a device group, after pushing the profile and resarting (I know this isn't necessary) the computer the Administrator account is blocked from using every single application, how can i fix this? I even tried just allowing Safari butit still won't work, what should i do?

  Just updated OSX - problem solved

• How can I disable backup for managed app with profile manager?

  I use Server App 3.1.2 to manage iOS devices with profile manager.
  Is it possible to exclude managed app's backup from users iCloud or iTunes backup?
  thanks
  Paolo

  Hi,
  Please use the following link (under "Manage Print Apps" to cancel/remove it:
    http://h10025.www1.hp.com/ewfrf/wc/document?docname=c02940901&cc=us&dlc=en&lc=en&product=5058336&tmp...
  Regards.
  BH
  **Click the KUDOS thumb up on the left to say 'Thanks'**
  Make it easier for other people to find solutions by marking a Reply 'Accept as Solution' if it solves your problem.

• Logon problem with oracle management server

  I have problem with Oracle Management Server when I connect to the OMS message comes
  The exception (java.lang.NullPointerException) occurred.
  if any body have any idea pls tell us

  Hi,
  Oracle has changed the Enterprise Manager from version 1.5 to 2.0 .
  With the new Oracle8i dataase server another service has been added.
  If you want to user the OEM you have to install The Managment Server.
  The Managment server has its own user and privileges and is recommended when using OEM.

• Problem with discovering Managed Servers

  Hi,
  I got problem with discovering managed servers, when I restart only administration
  server while managed servers are running. During restart of admin server everything
  seems to be ok (the directive: Starting discovery of managed server... appears
  on the screen).
  However when I start admin console through http, I cannot monitor performance,
  browse logs etc. I can only shutdown managed server and I can see in a server
  tag that particular managed servers are running.
  I'm looking forward for any clues
  Michal

  Sorry,
  i cannot stop those managed server - in Control tab I have active only option
  to start those server but they are running. In logging tab when I want to browse
  the log the message that probably this server is not running appear. However in
  the tab when all servers are listened there is a message that they are running
  "Michal" <[email protected]> wrote:
  >
  Hi,
  I got problem with discovering managed servers, when I restart only administration
  server while managed servers are running. During restart of admin server
  everything
  seems to be ok (the directive: Starting discovery of managed server...
  appears
  on the screen).
  However when I start admin console through http, I cannot monitor performance,
  browse logs etc. I can only shutdown managed server and I can see in
  a server
  tag that particular managed servers are running.
  I'm looking forward for any clues
  Michal

• I have a problem with session manager session files because of the invalid json storage data submited by firefox

  Hi, i have problem with session manager's session files. The problem is: the submitted storage data from firefox which is put between "storage":{ and its matching closing brace } But in some of my session files there is non equal { and } under storage's braces. I need to get storage data but in my case it is very hard to do. My question is there any char put before or after { and } like /{ or \{ to avoid confusion? If there is not such thing, i think there could be different solution but i am not sure: i look couple of my session files; after "storage":{...} there is ,_"formDataSaved" so i can get storage data in this example ... by looking between "storage":{ and ,"_formDataSaved" easily. Is there every time ,"_formDataSaved" after "storage":{ ?  Thank you.

  Well, it seems waiting is not my strong suit..! I renamed a javascript file called recovery to sessionstore. This file was in the folder sessionstore-backups I had copied from mozilla 3 days ago, when my tabs were still in place. I replaced the sessionstore in mozilla's default folder with the renamed file and then started mozilla. And the tabs reappeared as they were 3 days ago!
  So there goes the tab problem. But again when I started mozilla the window saying "a script has stopped responding" appeared, this time the script being: chrome//browser/contenttabbrowser.xml2542
  If someone knows how to fix this and make firefox launch normally, please reply! Thank you

• Having issues with profile manager on 10.9 loosing users/device assignments.

  I'm having issues with profile manager on 10.9 loosing users/device assignments. Luckly I only have arround 70 devices added so far. The first time it happened I thought it was just a freak thing, but it has just happened again. What I find weird is nothing on the server was changed, no devices added. So when this happens my users phones lose access to email, because I'm using variables, which rely on the user being assigned to the device. Anyone know how to fix this, and if not. Does anyone know how to backup and restore just profile manager in 10.9. Thanks.

  I enabled all users in my AD "Domain Users" group access to "Profile Manager". I had also initially enabled "Profile Manager" access for a few individual users. Those users did not loss the device assignments. I'm not absolutely sure why/if allowing access for a group is causing this issue. Enabling access for each person would be very time consuming.... Maybe adding access to the individual users is importing that user into OD?

• Push config files made in Server app with Profile manager

  As I understand the manual you can distribuate configuration files with Profile manager.
  A bit confused now when I want to use Profile manager to distribuate a configuration file I´ve made in Server app.
  I saved a VPN configuration file and want to distribuate it with Profile manager but how do I import or add that file into the settings pane for my devices in profile manager?

  Hi,
  I have the same issue, very frustrating. Using a Win 2003 AD and 10.8.2 server and clients. If i use WGM I can see all users and groups correctly, but Server.app and Profile Manager does not show them correct.
  Strange that we see issues like this since Profile Manager has been around for a while, really interested to hear other peoples experiences.
  PS I see a similar thing here: https://discussions.apple.com/thread/4417085?start=0&tstart=0

• Unable to push user profiles to AD groups with Profile Manager since upgrade to Server v3

  Since upgrading our OS X Mac server from 10.8.5 to 10.9.1, and OS X Server app to v3 (now 3.0.2) I have been unable to push or modify user profiles to AD groups (or AD users) using Profile Manager. This was working fine on OS X 10.8.5. Pushing device profiles is still working OK after the upgrade.
  From what I can see from the logs on the client side and server side, it seems related to a problem with the mdm authtoken.
  In the client console I can see this entry:
  27/01/14 14:30:15.844 mdmclient[38557]: *** ERROR *** [Agent:636102071] Unable to proceed with connection to: https://ourserver.ourdomain/devicemanagement/api/device/mdm_connect (com.apple.mdmconfig.mdm) because don't have valid MDM AuthToken
  On the server, in the php.log I can see the corresponding attempt to authenticate:
  1::Jan 27 14:29:50.930 [158] <192.168.28.171> {require_once (mdm_checkin.php:11)} vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv - PUT mdm_checkin
  0::Jan 27 14:29:50.931 [158] <192.168.28.171> checkin: 'UserAuthenticate'
  1::Jan 27 14:29:50.936 [158] <192.168.28.171> {Target_for_incoming_request (target.php:209)} Found target NETWORK LS: <User[156]@ourclientmachine>
  0::Jan 27 14:29:50.937 [158] <192.168.28.171> {LabSession_validate_auth_token (mdm_checkin.php:22)} Failed auth for target NETWORK LS: <User[156]@Device[1697]>, incoming_request={
  0::Jan 27 14:29:50.937 [158] <192.168.28.171>   'MessageType'=>'UserAuthenticate',
  0::Jan 27 14:29:50.937 [158] <192.168.28.171>   'UDID'=>'17aff5c5a40f51acbbd78023d0028c80',
  0::Jan 27 14:29:50.937 [158] <192.168.28.171>   'UserID'=>'A5EA25B7-7CCD-4EF4-B240-F23DED275EEC'
  0::Jan 27 14:29:50.937 [158] <192.168.28.171> }
  1::Jan 27 14:29:50.965 [158] <192.168.28.171> {SendFinalOutput (mdm_checkin.php:145)} Sent Final Output (407 bytes)
  1::Jan 27 14:29:50.965 [158] <192.168.28.171> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - /devicemanagement/mdm/mdm_checkin
  0::Jan 27 14:29:50.965 [158] <192.168.28.171> {SendFinalOutput (mdm_checkin.php:145)} Completed in 34ms | 200 OK [https://ourserver.ourdomain/devicemanagement/api/device/mdm_checkin]
  So I can see there is a failure to authenticate, but don't really know how to troubleshoot this further. Or maybe this is just a bug in the new server app?
  I have tried to remove and re-enroll clients in Profile Manager but no joy there.
  In the client's Keychain I can see an MDM user AuthToken linked to the correct user account.
  Thanks in advance for any help or suggestions

  I just wanted to update my post, as this issue for me is resolved.
  I uninstalled and reinstalled the Server.app on our Mac server, since then I've been able to push profiles to AD Users and Groups. I guess that in my case the Server app got into a bit of a mess when it was upgraded to v3.
  Now the next headache I have is that my AD Groups which are displayed in Profile Manager are not syncing any recent changes. I think I'm probably seeing the same issue as described in this post
  https://discussions.apple.com/message/25420919#25420919

• How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

  I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
  Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
  Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Soemday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
  Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
  DVD>Disk Utility>Erase Disk  [or Recovery Partition>Disk Utility>Erase Partition]
  DVD>Install Lion
  Reboot, hopefully Lion install kicks in
  Update, update, update Lion (NOT Lion Server yet) until no more updates
  System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standbye)
  Terminal>$ sudo scutil --set HostName server.domain.com
  App Store>Install Lion Server and run through the Setup
  Download install Server Admin Tools, then update, update, update until no more updates
  Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
  System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
  A few DNS set-up steps and these most important steps:
  A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
  B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
  C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
  D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
  E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
  F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
  G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed an an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
  H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.
  I. Test from web browser server.domain.com/mydevices: Lock Device to test
  J. ??? Profit
  12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
  You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
  Firewall
  Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is most a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
  SSH
  Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
  PermitRootLogin no
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  I'm note sure if toggling the Allow remote logins will load this config file or, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
  Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
  client$ ssh-keygen -t rsa -b 2048 -C client_name
  [Securely copy ~/.ssh/id_rsa.pub from client to server.]
  server$ cat id_rsa.pub > ~/.ssh/known_hosts
  I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
  $ diff denyhosts.cfg-dist denyhosts.cfg
  12c12
  < SECURE_LOG = /var/log/secure
  > #SECURE_LOG = /var/log/secure
  22a23
  > SECURE_LOG = /var/log/secure.log
  34c35
  < HOSTS_DENY = /etc/hosts.deny
  > #HOSTS_DENY = /etc/hosts.deny
  40a42,44
  > #
  > # Mac OS X Lion Server
  > HOSTS_DENY = /private/etc/hosts.deny
  195c199
  < LOCK_FILE = /var/lock/subsys/denyhosts
  > #LOCK_FILE = /var/lock/subsys/denyhosts
  202a207,208
  > LOCK_FILE = /var/denyhosts/denyhosts.pid
  > #
  219c225
  < ADMIN_EMAIL =
  > ADMIN_EMAIL = [email protected]
  286c292
  < #SYSLOG_REPORT=YES
  > SYSLOG_REPORT=YES
  Network Accounts
  User Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
  2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
       User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
  Oh well.
  Email
  Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
  root:           myname
  admin:          myname
  sysadmin:       myname
  certadmin:      myname
  webmaster:      myname
  my_alternate:   myname
  Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
  cd /etc/postfix
  sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
  sudo echo 'smtp_sasl_security_options = noanonymous' >> ./main.cf
  sudo serveradmin stop mail
  sudo serveradmin start mail
  Finally, make sure that you're running a blacklisting srevice yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under on Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
  If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
  iCal Server
  Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
  Web
  The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
  $ diff httpd.conf.default httpd.conf
  95c95
  < #LoadModule ssl_module libexec/apache2/mod_ssl.so
  > LoadModule ssl_module libexec/apache2/mod_ssl.so
  111c111
  < #LoadModule php5_module libexec/apache2/libphp5.so
  > LoadModule php5_module libexec/apache2/libphp5.so
  139,140c139,140
  < #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  < #LoadModule encoding_module libexec/apache2/mod_encoding.so
  > LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  > LoadModule encoding_module libexec/apache2/mod_encoding.so
  146c146
  < #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  > LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  177c177
  < ServerAdmin [email protected]
  > ServerAdmin [email protected]
  186c186
  < #ServerName www.example.com:80
  > ServerName domain.com:443
  677a678,680
  > # Server-specific configuration
  > # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
  > Include /etc/apache2/mydomain/*.conf
  I did "sudo mkdir /etc/apache2/mydomain" and add specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
  Alias /eyetv /Users/uname/Sites/EyeTV
  <Directory "/Users/uname/Sites/EyeTV">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
  <Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
  Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
  One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
  Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
  User-agent: *
  Disallow: /
  Misc
  VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

  Privacy Enhancing Filtering Proxy and SSH Tunnel
  Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
  If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
  $ ./ssht 8080:[email protected]:3128
  $ ./ssht 8080:alice@:
  $ ./ssht 8080:
  $ ./ssht 8018::8123
  $ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
  $ vi ./ssht
  #!/bin/sh
  # SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
  USERNAME_DEFAULT=username
  HOSTNAME_DEFAULT=domain.com
  SSHPORT_DEFAULT=22
  # SSH port forwarding specs, e.g. 8080:localhost:3128
  LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
  REMOTEHOST_DEFAULT=localhost    # Default is localhost
  REMOTEPORT_DEFAULT=3128         # Default is Squid port
  # Parse ssh port and tunnel details if specified
  SSHPORT=$SSHPORT_DEFAULT
  TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOT EHOST_DEFAULT:$REMOTEPORT_DEFAULT
  while [ "$1" != "" ]
  do
    case $1
    in
      -p) shift;                  # -p option
          SSHPORT=$1;
          shift;;
       *) TUNNEL_DETAILS=$1;      # 1st argument option
          shift;;
    esac
  done
  # Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
  shopt -s extglob                        # needed for +(pattern) syntax; man sh
  LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
  USERNAME=$USERNAME_DEFAULT
  HOSTNAME=$HOSTNAME_DEFAULT
  REMOTEHOST=$REMOTEHOST_DEFAULT
  REMOTEPORT=$REMOTEPORT_DEFAULT
  # LOCALHOSTPORT
  CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      LOCALHOSTPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEPORT
  CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEHOST
  CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEHOST=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # USERNAME
  CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%@}                            # delete @
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      USERNAME=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # HOSTNAME
  HOSTNAME=$TUNNEL_DETAILS
  if [ "$HOSTNAME" == "" ]                # no hostname given
  then
      HOSTNAME=$HOSTNAME_DEFAULT
  fi
  ssh -p $SSHPORT -L $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT -l $USERNAME $HOSTNAME -f -C -q -N \
      && echo "SSH tunnel established via $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT\n\tto $USERNAME@$HOSTNAME:$SSHPORT." \
      || echo "SSH tunnel FAIL."

• Can't enroll devices with Profile Manager - invalid key

  n my case I can install profiles on devices from Profile Manager page but I cannot enroll devices.
  The certificate I download to enroll is reject by my MacBook Pro Lion: Says Invalid blablabla at the end:
  Now I have done log research and I now exactly and understand why it doesn't work:
  the scep_helper daemon is supposed to listen to port 1640 TCP (which you should forward to your server by the way, if you want to be able to enroll devices) and provide the requsting client the root CA that signed the certificate. In my case, it can't find the root CAT to provide the client with so it can finalize the cert validation process.
  In my case, that's what I see in the log:
  Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/m ain.m:727 'status = SCEPGetCACert(session, NULL, 0)' = -25300
  Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/m ain.m:513 'SCEPGetCACert(session, NULL, 0)' = -25300
  Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/m ain.m:819 'challenge = GetChallengeFromSCEP(password, guid, hostURL)' is NULL
  Jul 29 02:12:44 teknologism ProfileManager[516]: Could not retrieve root certificate from open directory server.
  No , as for the bad news: I have no idea on how to fix. Have dug into scep_helper, googled etc. Not a single clue on how to check it's configuration or even why it can't find the root CA. By the way everyhting else (I really mean everything, ical,cardav,web,wiki etc.) work great. And profile manager too, it's just the enroll thingy that doesn't work. And the root CA cert is in /etc/certificates. My server a legit Class 1 SSL cert signed by a system trsuted CA (Startfiel to name it)
  I have tried with other certs etc... It's a no go.
  Can anyone help ??
  How can I add that missing CA Cert in opendirectory ?

  Here is some more infos...
  teknologism:root root# serveradmin settings devicemgr
  devicemgr:SSLAuthorityChain = "/etc/certificates/trinity.teknologism.org.C1D19D55699B48C94A18787E4F53B4C3230E 91FE.chain.pem"
  devicemgr:od_active = yes
  devicemgr:ssl_active = yes
  devicemgr:enableCodeSigning = yes
  devicemgr:updated_at = 2011-07-28 16:04:52 +0000
  devicemgr:email_delivery_method = ""
  devicemgr:CodeSigningPrivateKey = "/etc/certificates/teknologism.org Code Signing Certificate.ED29CE4BD9D2926D64E60EF7A117EFDB2213F0CC.key.pem"
  devicemgr:apns_active = yes
  devicemgr:CodeSigningAuthorityChain = "/etc/certificates/teknologism.org Code Signing Certificate.ED29CE4BD9D2926D64E60EF7A117EFDB2213F0CC.chain.pem"
  devicemgr:default_profile_created_at_least_once = yes
  devicemgr:knob_sets_enabled:com.apple.mail.managed = yes
  devicemgr:knob_sets_enabled:com.apple.vpn.managed = yes
  devicemgr:knob_sets_enabled:com.apple.carddav.account = yes
  devicemgr:knob_sets_enabled:com.apple.jabber.account = yes
  devicemgr:knob_sets_enabled:com.apple.caldav.account = yes
  devicemgr:email_authentication = ""
  devicemgr:email_port = 25
  devicemgr:email_username = ""
  devicemgr:id = 1
  devicemgr:last_modified_guid = ""
  devicemgr:SSLPrivateKey = "/etc/certificates/trinity.teknologism.org.C1D19D55699B48C94A18787E4F53B4C3230E 91FE.key.pem"
  devicemgr:od_master = "127.0.0.1"
  devicemgr:apns_topic = ""
  devicemgr:email_password = ""
  devicemgr:mdm_acl = 2047
  devicemgr:user_timeout = 43200
  devicemgr:server_organization = ""
  devicemgr:SSLCertificate = "/etc/certificates/trinity.teknologism.org.C1D19D55699B48C94A18787E4F53B4C3230E 91FE.cert.pem"
  devicemgr:created_at = 2011-07-24 11:47:33 +0000
  devicemgr:email_address = ""
  devicemgr:email_domain = ""
  devicemgr:CodeSigningCertificate = "/etc/certificates/teknologism.org Code Signing Certificate.ED29CE4BD9D2926D64E60EF7A117EFDB2213F0CC.cert.pem"
  devicemgr:email_server_address = ""
  devicemgr:admin_session = ""
  The 3 CodeSigning certs/keys are in /etc/certificates and their permissions are correct.
  Also, don't ask me why but my ProfileManager pane in Server.app is working again. It shows all the config...but can't modify anything....as soon as I try to modify it spins the waiting whell forever... I guess it's the same error as command line serveradmin...

• Problem with Connection Manager. Can't change connection string / Server name

  p.MsoNormal, li.MsoNormal, div.MsoNormal
  {margin-top:0cm;margin-right:0cm;margin-bottom:10.0pt;margin-left:0cm;line-height:115%;font-size:11.0pt;font-family:'Calibri','sans-serif';}
  .MsoChpDefault
  {font-size:10.0pt;}
  .MsoPapDefault
  {line-height:115%;}
  @page Section1
  {size:612.0pt 792.0pt;margin:72.0pt 72.0pt 72.0pt 72.0pt;}
  div.Section1
  {page:Section1;}
  Hi,
  I have copied a number of SSID packages from a live server to my test server and am trying to get them up and running but I have a problem with the connection. The only thing that is different is the server name. I decided to keep the same connection in the connection manager as it is referenced in a dtsConfig file. I changed the dtsConfig file to reference the new servername [Data Source= new test server name]. I also check my paths and they are pointing to the correct config locations etc.
  I found this post which was similar to my problem but I still get problems with the connection
  http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1319961&SiteID=1
  I updated the connection by changing the server name in the actual connection. I did this from the data flow tab in the Connection Managers sections (MS Visual Studio). Right clicked - Edit - changed the name of the server name to my test server and selected the database. Test connection was fine, and saved this.
  Once I saved this, the connection string changed to my current test server in the properties of the connection. However when I run the package I get the following error:
  Error: 0xC0202009 at ReportsImport, Connection manager "myconnectionstring": SSIS Error Code DTS_E_OLEDBERROR.  An OLE DB error has occurred. Error code: 0x80004005.
  An OLE DB record is available.  Source: "Microsoft SQL Native Client"  Hresult: 0x80004005  Description: "Login timeout expired".
  An OLE DB record is available.  Source: "Microsoft SQL Native Client"  Hresult: 0x80004005  Description: "An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections.".
  An OLE DB record is available.  Source: "Microsoft SQL Native Client"  Hresult: 0x80004005  Description: "Named Pipes Provider: Could not open a connection to SQL Server [53]. ".
  Error: 0xC020801C at Myprocess import from file, BuyAtReportsImport [79]: SSIS Error Code DTS_E_CANNOTACQUIRECONNECTIONFROMCONNECTIONMANAGER.  The AcquireConnection method call to the connection manager "myconnectionstring" failed with error code 0xC0202009.  There may be error messages posted before this with more information on why the AcquireConnection method call failed.
  Error: 0xC0047017 at Myprocess import from file, DTS.Pipeline: component "ReportsImport" (79) failed validation and returned error code 0xC020801C.
  Error: 0xC004700C at Myprocess import from file, DTS.Pipeline: One or more component failed validation.
  Error: 0xC0024107 at Myprocess import from file: There were errors during task validation.
  So even if I change the existing connection properties and save and Build my package again, my connection properties (connectionstring, servername etc) all revert back to its original data source when I re-open the package. Simply it does not seem to be saving the connection properties i put in.
  What am I doing wrong or how can I change the existing connection manager to look at the new server. The database is  the same and I have full admin privilege on the server.
  I don't want to recreate my packages as there are alot and they are not simple.
  After changing the connection properties, saving and reloading I get a connection error. But this is because it is not retaining the new connection manger setting i entered.
  Incidentally - I created a new SSID to perform a simple connection and write to the the server and it was OK so there is no problem with actually seeing the my test server.
  Thanks in advance

  Yes, the package is in visual studio and I have executed it. There are no errors but in the output i have the error message about my connection. My dtsConfig file is added to the project in the 'Package Configuration Organizer' and path and files are correct. This is the output error:
  Error: 0xC020801C at xx import from file, xxReportsImport [79]: SSIS Error Code DTS_E_CANNOTACQUIRECONNECTIONFROMCONNECTIONMANAGER.  The AcquireConnection method call to the connection manager "myconnectionname" failed with error code 0xC0202009.  There may be error messages posted before this with more information on why the AcquireConnection method call failed.
  I will try and run it using dtexec.exe. if I have two config files do i use
  dtsexec.exe /f <packagename> /conf <configfile> /conf <secondconfigfile>