24 Replies Latest reply: May 1, 2012 8:30 PM by Punctual Diva
bobbydmarriott Level 1 (0 points)

Each time I try to add a device to my lion server (on a mac mini) I get the error "The profile “Device Enrollment (com.apple.ota.media-server.local.bootstrap)” could not be installed due to an unexpected error."  I have tried turning the profile manager on and off, and changing from a simple local network to a private network with VPN and back to a simple local network.  No matter what I get this error on my macs, and I get an SCEP error at the end of the profile installation on an iOS device.   Anybody have any ideas how I get this reset?


Mac mini, Mac OS X (10.7)
  • 1. Re: Can't install devices through "my devices" web interface?
    Pelorus1 Level 1 (35 points)

    No help, but I have this exact problem also.

  • 2. Re: Can't install devices through "my devices" web interface?
    bobbydmarriott Level 1 (0 points)

    I can't believe we are the only two.  I have also had problems with the web interface to start with, but have figured out how to reset that with some instructions from this forum.  It seems like Lion Server really wasn't ready for prime time.  It's very easy to get into an unusable state.

  • 3. Re: Can't install devices through "my devices" web interface?
    superstantial Level 1 (5 points)

    I'm having this problem also--can't enroll my laptop now.  The log messages on the laptop make me think it doesn't like the self-signed intermediate certificate.  If you run "tail -F /var/log/system.log" inside a Terminal.app window on the machine you're enrolling, you should see a bunch of lines scroll by when it fails.  Buried in there is an obscure reference to "OSStatus error -67688".  If you google that, you find out it means "An invalid signature was encountered."

     

    The funny thing is, this same signature worked for me before on this same laptop.  I simply made the mistake of removing it from the list of devices.  What happened was I locked myself out of the laptop by unchecking my admin privileges in Server.app (something System Preferences would never let you do!) so I had to reinstall it.  So now this is a complete fresh clean install of Lion on the laptop that's refusing to enroll...

     

    So yeah, anyway, "me too."

  • 4. Re: Can't install devices through "my devices" web interface?
    NeoNet Tim Level 1 (0 points)

    I can confirm that it IS the certificate causing this.  The easiest and probably best way around it is purchasing a cheapo SSL certificate through somebody like Comodo (I used their reseller Namecheap for a lower price).  Apply that certificate to your webserver.  Also, be 100% sure that the domain you're registering with is exactly the one that you will be using for device enrollment.  I purchased a wildcard certificate to get around that limitation, though it's significantly more expensive.

     

    The free way to do this is by setting your phone to trust the certificate before you attempt to enroll.  I've not done that manually on iOS but I know for Mac it's trivial.

  • 5. Re: Can't install devices through "my devices" web interface?
    bobbydmarriott Level 1 (0 points)

    I have an SSL certificate on order with Comodo.  I am waiting for it to be verified.  It will be worth a try once I have it.  Is this really necessary for a local network?  Or did this get screwed up because I originally set it up as a private network, and then tried to go back to a local network, and something in the settings or configuration got stuck... (I know, a very technical term).

  • 6. Re: Can't install devices through "my devices" web interface?
    superstantial Level 1 (5 points)

    The free way to do this is by setting your phone to trust the certificate before you attempt to enroll.  I've not done that manually on iOS but I know for Mac it's trivial.

     

    I tried that, and this is on my laptop, not my iPhone (I've given up on the iPhone working without a paid cert).  I even went into Keychain Access.app and changed the trust settings for the cert to always trust, but enrollment is still failing.

     

    I thought maybe DNS had something to do with it, but I've got that working now and still nothing...

  • 7. Re: Can't install devices through "my devices" web interface?
    Thezez Level 1 (30 points)

    Sorry if this has been covered already, but are you installing the Trust Profile from the 'Profiles' tab on the 'My Devices' page before you try to enroll?

     

    I had to install this profile first before I could successfully enroll a device.

  • 8. Re: Can't install devices through "my devices" web interface?
    bobbydmarriott Level 1 (0 points)

    I did.  Didn't work.

     

    Another symptom I saw last night.  The server host name is screwed up.  If I go to Preferences - File Sharing, the host name matches on the File Sharing tab, but on the Remote Management tab it is stuck on the first private server name I gave the server.  Changing the host name through Preferences or the Server app won't correct this.  I am close to doing a clean install.  Very, very frustrating.

  • 9. Re: Can't install devices through "my devices" web interface?
    superstantial Level 1 (5 points)

    Yep, I have both the Trust Profile and the Settings For Everyone installed successfully.  Still won't enroll.  Pretty sure the hostname is correct.  "changeip -checkhostname" is happy.

  • 10. Re: Can't install devices through "my devices" web interface?
    The Teknologist Level 1 (15 points)

    In my case I can install profiles on devices from Profile Manager page but I cannot enroll devices.

     

    The certificate I download to enroll is rejected by my MacBook Pro Lion: says Invalid blablabla at the end.

     

    Now I have done log research and I know exactly and understand why it doesn't work:

     

    the scep_helper daemon is supposed to listen on port 1640 TCP (which you should forward to your server by the way, if you want to be able to enroll devices) and provide the requesting client the root CA that signed the certificate. In my case, it can't find the root CA to provide the client with so it can finalize the cert validation process.

     

    In my case, that's what I see in the log:

     

    Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/main.m:727 'status = SCEPGetCACert(session, NULL, 0)' = -25300
    Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/main.m:513 'SCEPGetCACert(session, NULL, 0)' = -25300
    Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/main.m:819 'challenge = GetChallengeFromSCEP(password, guid, hostURL)' is NULL
    Jul 29 02:12:44 teknologism ProfileManager[516]: Could not retrieve root certificate from open directory server.

     

     

    Now, as for the bad news: I have no idea how to fix it. Have dug into scep_helper, googled etc. Not a single clue on how to check its configuration or even why it can't find the root CA. By the way everything else (I really mean everything: iCal, CardDAV, web, wiki etc.) works great. And Profile Manager too, it's just the enroll thingy that doesn't work.

  • 11. Re: Can't install devices through "my devices" web interface?
    bobbydmarriott Level 1 (0 points)

    Ok... Got a little farther (or fixed something else I broke along the way......)

     

    I used sudo changeip -checkhostname to realize that my hostname and DNS hostname were out of sync.  Not sure when this happened, but it will stop you from being able to even get to the web application pages for My Devices and Profile Manager.  Getting the two host names matched again got me back to being able to use the pages.... but alas, still can't register devices.

  • 12. Re: Can't install devices through "my devices" web interface?
    bobbydmarriott Level 1 (0 points)

    And now a little farther.  Downloaded System Admin tools for Lion 10.7.  Under the DNS subtab under my server tab on the right hand column, I found that I had two irrelevant zones created from earlier configurations.  Cleared those out, and it seems the server admin and server app are more responsive....

     

    Unfortunately, still can't register a device.... 

  • 13. Re: Can't install devices through "my devices" web interface?
    superstantial Level 1 (5 points)

    Hmm, my DNS settings in Server Admin tools look good.  And changeip -checkhostname is happy:

     

    nyx$ sudo changeip -checkhostname
    Password:

    Primary address     = 192.168.0.6

    Current HostName    = nyx.vpn.desert.net
    DNS HostName        = nyx.vpn.desert.net

    The names match. There is nothing to change.
    dirserv:success = "success"
    nyx$

     

     

    Here's what system.log has to say when I try to install the Device Management Identity Certificate:

     

    Jul 28 19:21:35 nyx com.apple.DeviceManagement.SCEPHelper[1834]: 1834:error:2107106C:PKCS7 routines:PKCS7_signatureVerify:unable to find message digest:/SourceCache/OpenSSL098/OpenSSL098-41/src/crypto/pkcs7/pk7_doit.c:930:
    Jul 28 19:21:35 nyx scep_helper[1834]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/main.m:518 'SCEPRequestChallengePassword(session, username, password, requestDict, &challenge)' = -67688
    Jul 28 19:21:35 nyx scep_helper[1834]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/main.m:819 'challenge = GetChallengeFromSCEP(password, guid, hostURL)' is NULL
    Jul 28 19:21:41 nyx com.apple.mdmclient.agent[43290]: 43290:error:2107106C:PKCS7 routines:PKCS7_signatureVerify:unable to find message digest:/SourceCache/OpenSSL098/OpenSSL098-41/src/crypto/pkcs7/pk7_doit.c:930:
    Jul 28 19:21:41 nyx mdmclient[43290]: *** ERROR *** [Agent:501] <: [MDM_SCEP] Calling SCEPRequestCertSignature -->  <NSOSStatusErrorDomain:-67688>
    Jul 28 19:21:41 nyx mdmclient[43290]: *** ERROR *** [Agent:501] ExtractOTAIdentity ( <NSOSStatusErrorDomain:-67688>)
    Jul 28 19:21:41 nyx mdmclient[43290]: *** ERROR *** [Agent:501] ProcessOTABootstrapPayload ( <NSOSStatusErrorDomain:-67688>)
    Jul 28 19:21:41 nyx System Preferences[43275]: *** ERROR *** [CPInstallerUI:501] Profile installation (Device Enrollment (com.apple.ota.nyx.vpn.desert.net.bootstrap)) (<NSOSStatusErrorDomain:-67688> The operation couldn’t be completed. (OSStatus error -67688.)
              UserInfo: {
                  CallStackSymbols =     (
                      "0   mdmclient                           0x000000010fa1cb19 mdmclient + 15129",
                      "1   mdmclient                           0x000000010fa3b78b mdmclient + 141195",
                      "2   mdmclient                           0x000000010fa26ce9 mdmclient + 56553",
                      "3   mdmclient                           0x000000010fa32e1b mdmclient + 106011",
                      "4   mdmclient                           0x000000010fa29ef9 mdmclient + 69369",
                      "5   mdmclient                           0x000000010fa3315a mdmclient + 106842",
                      "6   mdmclient                           0x000000010fa31119 mdmclient + 98585",
                      "7   libxpc.dylib                        0x00007fff8cd7694a _xpc_connection_recv_message + 688",
                      "8   libxpc.dylib                        0x00007fff8cd76ab7 _xpc_connection_recv_message + 1053",
                      "9   libxpc.dylib                        0x00007fff8cd77387 _xpc_connection_wakeup_recv + 179",
                      "10  libxpc.dylib                        0x00007fff8cd77257 _xpc_connection_wakeup2 + 1580",
                      "11  libxpc.dylib                        0x00007fff8cd7746b _xpc_connection_wakeup + 116",
                      "12  libdispatch.dylib                   0x00007fff983582f1 _dispatch_source_invoke + 614",
                      "13  libdispatch.dylib                   0x00007fff98354fc7 _dispatch_queue_invoke + 71",
                      "14  libdispatch.dylib                   0x00007fff98355124 _dispatch_queue_drain + 210",
                      "15  libdispatch.dylib                   0x00007fff98354fb6 _dispatch_queue_invoke + 54",
                      "16  libdispatch.dylib                   0x00007fff983547b0 _dispatch_worker_thread2 + 198",
                      "17  libsystem_c.dylib                   0x00007fff96da63da _pthread_wqthread + 316",
                      "18  libsystem_c.dylib                   0x00007fff96da7b85 start_wqthread + 13"
                  );
                  IsInternalError = 1;
              })
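A small log triage script, added here as an example and not code from this thread or from Apple, that runs over system.log lines modelled on the ones in posts 10 and 13 and tells the two failure modes apart: the server-side case where scep_helper cannot fetch the CA certificate (OSStatus -25300, errSecItemNotFound) and the client-side case where the PKCS#7 signature on the SCEP reply does not verify (OSStatus -67688, errSecInvalidSignature, the "invalid signature" value mentioned in post 3). The sample log lines, the host names and the hint strings are constructed; the OSStatus names are the Security framework's.

```python
import re
from collections import defaultdict

# OSStatus values that appear in the thread, with their Security framework names.
OSSTATUS = {
    -67688: "errSecInvalidSignature (an invalid signature was encountered)",
    -25300: "errSecItemNotFound (the requested item, here the CA certificate, was not found)",
}

# One syslog line: "Mon DD HH:MM:SS host process[pid]: message". Continuation lines
# (UserInfo, stack frames) do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The three ways an OSStatus shows up in these logs.
STATUS_RE = re.compile(r"= (-\d+)\b|NSOSStatusErrorDomain:(-\d+)|OSStatus error (-\d+)")
# OpenSSL error string: error:<code>:PKCS7 routines:<function>:<reason>:
OPENSSL_RE = re.compile(r"error:[0-9A-F]{8}:PKCS7 routines:([^:]+):([^:]+):")


def describe(code):
    return OSSTATUS.get(code, "unknown OSStatus %d" % code)


def parse_line(line):
    """Return a dict for a syslog line, or None for continuation lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["proc"] = rec["proc"].strip()
    rec["codes"] = {int(c) for grp in STATUS_RE.findall(rec["msg"]) for c in grp if c}
    om = OPENSSL_RE.search(rec["msg"])
    rec["openssl"] = "%s: %s" % (om.group(1), om.group(2)) if om else None
    return rec


def triage(lines):
    """Group parsed lines per host and name the stage at which enrollment failed."""
    by_host = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec:
            by_host[rec["host"]].append(rec)
    findings = []
    for host, group in sorted(by_host.items()):
        codes = set().union(*(r["codes"] for r in group))
        text = " ".join(r["msg"] for r in group)
        openssl = [r["openssl"] for r in group if r["openssl"]]
        if -25300 in codes and ("SCEPGetCACert" in text or "retrieve root certificate" in text):
            stage = "ca-cert-retrieval"
            hint = ("scep_helper could not obtain the CA certificate; check the server's Open "
                    "Directory CA and that clients can reach TCP 1640 (constructed hint)")
        elif -67688 in codes or openssl:
            stage = "signature-verification"
            hint = ("the client could not verify the PKCS#7 signature on the SCEP reply; check "
                    "which certificate signs the enrollment profile and whether the client trusts "
                    "its issuing CA (constructed hint)")
        elif codes:
            stage, hint = "other", "unrecognised OSStatus; look the code up"
        else:
            continue  # nothing failed on this host
        findings.append({
            "host": host, "stage": stage,
            "procs": sorted({r["proc"] for r in group}),
            "codes": {c: describe(c) for c in sorted(codes)},
            "openssl": openssl, "hint": hint,
        })
    return findings


# Constructed sample, modelled on the log excerpts in posts 10 and 13 (paths shortened).
SAMPLE_LOG = [
    "Jul 29 02:12:44 srv-a scep_helper[1638]: SCEP_HELPER: main.m:727 'status = SCEPGetCACert(session, NULL, 0)' = -25300",
    "Jul 29 02:12:44 srv-a scep_helper[1638]: SCEP_HELPER: main.m:819 'challenge = GetChallengeFromSCEP(password, guid, hostURL)' is NULL",
    "Jul 29 02:12:44 srv-a ProfileManager[516]: Could not retrieve root certificate from open directory server.",
    "Jul 28 19:21:35 srv-b com.apple.DeviceManagement.SCEPHelper[1834]: 1834:error:2107106C:PKCS7 routines:PKCS7_signatureVerify:unable to find message digest:pk7_doit.c:930:",
    "Jul 28 19:21:35 srv-b scep_helper[1834]: SCEP_HELPER: main.m:518 'SCEPRequestChallengePassword(session, username, password, requestDict, &challenge)' = -67688",
    "Jul 28 19:21:41 srv-b mdmclient[43290]: *** ERROR *** [Agent:501] ExtractOTAIdentity ( <NSOSStatusErrorDomain:-67688>)",
    "Jul 28 19:21:41 srv-b System Preferences[43275]: *** ERROR *** [CPInstallerUI:501] Profile installation failed (<NSOSStatusErrorDomain:-67688> The operation couldn't be completed. (OSStatus error -67688.)",
    "              UserInfo: {",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%s: %s via %s" % (f["host"], f["stage"], ", ".join(f["procs"])))
        for code, meaning in f["codes"].items():
            print("    %d %s" % (code, meaning))
        print("    " + f["hint"])
```

To use it on a real machine, feed it the output of `tail -F /var/log/system.log` (or the saved log) instead of SAMPLE_LOG; grouping by host rather than by pid matters because, as post 13 shows, one failed enrollment is spread across scep_helper, mdmclient and System Preferences.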

  • 14. Re: Can't install devices through "my devices" web interface?
    bobbydmarriott Level 1 (0 points)

    Seems like this is something simple related to a configuration issue of some sort.  I was able to get it to add devices initially right after install, but everything went south when I started tinkering with my computer name and hostname.  That resulted in DNS zone problems (fixed), and I suspect something else having to do with authentication that we haven't gotten around yet.  There is no reason why I should need an SSL certificate for an in-house media server controlling 3 home computers, 2 iPhones, and 2 iPads that isn't serving outside of the home network.
