
Profile Manager Enrollment - iOS - Server Certificate Invalid

60385 Views 125 Replies Latest reply: Nov 4, 2013 4:12 PM by Phil_O
John B Portland Level 1 Level 1 (0 points)
Aug 10, 2011 12:38 PM

I have been getting an error trying to enroll iOS devices into profile manager. My MacBook and iMac enroll just fine. However my iPhone and iPad do not.

When I enroll my MacBook Pro, I first log into https://(FQDN)/mydevices, select Profiles, Install Trusted Profile. I then go back to Devices and click 'Enroll now'. When I check the Profiles section of System Preferences, I see that the 'Trusted Profile' has added two certificates referring to my server. I can only assume one matches the self-signed certificate I generated shortly after making my hostname public, and the other is the Apple Push certificate generated for me.

However, when I do this exact same process on my iPad/iPhone, when I attempt the 'Enroll Now' step, I get the error "The server certificate for "https://(FQDN)/devicesmanagement/api/device/ota_service" is invalid."

My searches for this issue have turned up issues close to this, but never exactly this, and the solutions don't seem to work for me. Here are some key points to note:


1. Tried demoting to standalone, re-promote to OD Master, then deleted all certificates, and regenerated all (including the Push cert from Apple)

2. Ran sudo changeip -checkhostname

3. DNS routes forward and reverse correctly in my local LAN

4. I had been getting "Remote Verification failed: (os/kern) failure" / "TEAVerifyCert() returned NULL" in my logs every 3 seconds until I did the steps listed in '1'

Looking forward to 10.7.1

Mac mini, Mac OS X (10.7), Server
  • macuseroftheuk Level 1 Level 1 (0 points)

    Did you find a resolution for this? I have the same error.

    I have recreated the OD, certs etc but it makes no difference.

  • macuseroftheuk Level 1 Level 1 (0 points)

    Try

    1 turn off server firewall

    2 download trust cert

    3 try to enrol

    4 turn on firewall

  • macuseroftheuk Level 1 Level 1 (0 points)

    That worked for me. I haven't tried pushing any updates to the client yet. If that doesn't work I will have to explore firewall port settings.

  • Anthony Mitchell Level 2 Level 2 (160 points)

    I was having an issue with my iOS device if I left out the end of the FQDN. The Macs would enroll if I used https://server/mydevices but not the iPads. I have my search base populated from DHCP. They would get to the webpage fine. Download and install trust certificate. Click enroll would give me the OTA cert not valid. I had to go to https://server.domain/mydevices. Then it would enroll.

  • burton11234 Level 1 Level 1 (0 points)

    I agree with you. I do not have any issues with getting my OS X machine bound to the server, trusting the profile and pushing down settings, although I am not able to get the iOS device to do the same.

    Upon first booting Lion Server up, I got the iOS device to enroll, although there were many cert issues and the server was just too buggy, so I ended up reformatting.

    Profile Manager crashed after enabling the wiki admin part and I had to run some commands to clean everything up. By then I was sick of playing games so I reformatted. After that the push service worked and I had my certs straightened out. Although now I'm not able to get any iOS devices enrolled.

    Any other ideas, anyone?

    I have even exported the certs, trusted them, and emailed them to my device hoping this would help if the cert was already trusted, but nope....

  • hombre7777 Level 1 Level 1 (0 points)

    The problem is the cert which is selected when activating device management, the cert used for signing profiles and registering via the internet.

    For me it worked this way:

    1 - setting up OD with registered FQDN internet hostname (server.company.com)

    2 - activating Device Management before starting Profile Manager and selecting the OD Intermediate cert

    3 - setting up Profile Manager and always using the OD Intermediate cert when a cert was asked for

    4 - go to your internet router and define your server as DMZ target or deactivate your firewall

    5 - call https://server.company.com/mydevices and log in with valid credentials

    6 - go to the Profiles tab, click and install Trust Certificate. It must be shown as valid after installing

    7 - go back to the Devices tab and click enroll. Follow the steps on screen. All should be done and OK

    8 - refresh your Profile Manager to see the device

    9 - remove your server from the DMZ and/or switch on the firewall

    I have not found out which ports on the firewall must be opened to do it without the DMZ setting. I have to watch the firewall logs. I'm working on it.

     

    hombre7777

  • burton11234 Level 1 Level 1 (0 points)

    @hombre7777

    Thanks for the info. That makes sense, what you are telling me. Their instructions are kind of bland and don't make sense as much as they should.

    The only thing that scares me on this one is that now we need to put a device in the DMZ....

    So now upgrading our Xserve to 10.7 when it becomes stable would mean using the magic triangle, and trying to only have 1 to manage OS X machines / and now iOS devices. Edit our wikis that are already in place, and have important databases on FileMaker now going to reside in the DMZ....

    So someone wasn't thinking on this one!!! haha

    It looks like we will have to separate things now, so iOS devices are managed on their own machine in the DMZ with now a hole leaked in the firewall for AD to authenticate so we can pull users down to associate profiles with them.

    Our OS X machine will then contain a separate spot to manage OS X devices bound to user accounts, as well as manage FileMaker and wikis that are in use already.

    It would be nice if they had figured out a way to do this a little differently so we weren't opening holes in the firewall.

    The funny thing is I was able to get the iPad to bind and enroll the very first time when I was on a VPN tunnel from my house trying things out.

    So I know you can do it without having to go public, although the push service wasn't working properly and I was not able to bind OS X and enroll. So I started over.

    I'll play around to see what I can figure out later. Thanks for the help. If you find out the port numbers please let me know as well! I'm not able to move the box to an outside firewall right now. I have too much to do. I can probably do that next week.

  • hombre7777 Level 1 Level 1 (0 points)

    Hi. I have already got it.

    Registering and enrollment of all my devices works from inside the LAN and from the internet.

    For sure it's no option to place the server in the DMZ. It was only for testing and failure exploring.

    Now I configured my environment as follows:

    - adding an A record on the internal DNS server (server.company.com:my.local.ip.address), so the server will be routed inbound on the LAN directly and not via the internet. Outbound - internet - it will be routed by FQDN to my internet IP address.

    - activating port forwarding on the router/firewall to my local server IP address

         - Port TCP 443 -> my.local.ip.address

         - Port TCP 1640 -> my.local.ip.address

         - Port TCP 5223 -> my.local.ip.address

    There was no more need to define access rules on the firewall for these ports.

    After finishing this config it was possible to register all my devices, no matter if on the local network or through the internet.

    The only restriction is to install the trust cert manually as I described in my last posting, because of the self-signed trust cert.

    Hope this solution is helpful for you.

     

    hombre7777

  • burton11234 Level 1 Level 1 (0 points)

    I'll let you know how things turn out then.

    Our DMZ is set up a little differently than normal. We still lock down all ports in the DMZ and then anyone in production can talk to the DMZ but not the other way around.

    This was done so in case something gets compromised we will not be affecting our production network.

    I will go through this first to see if we can get iOS devices enrolled just inside the network. Next week I'll have to re-IP and move to the DMZ so that way we can test out iOS devices on the outside then.

    Thanks for the tips, they were much appreciated!

  • Rob B. Campbell Level 1 Level 1 (60 points)

    Still not working for me, although I finally got my Mac Enrolled, yet just not iOS ...


    I have all four ports enabled through AirPort

  • burton11234 Level 1 Level 1 (0 points)

    You need to enroll the device by the FQDN that's associated with the cert.

    If you don't use the FQDN then you will get a cert error when trying to enroll.

    I would suggest trying to enroll with the device on the Wi-Fi before putting it out in the wild, just to rule out the firewall.

    I have OS X set up with the magic triangle and AD / OD is working and Profile Manager is working between iOS and Mac devices.

    I will be getting another Mac server to put in the DMZ since virtualization is not supported with ESX 4.0 and we would have to upgrade our infrastructure to ESXi 5.0, and we are not doing that right now.

    Once it is in I will update again and let anyone know if something doesn't work.

    If you need any support just PM me, if you're allowed to do it through this forum.

  • ajvankesteren Level 1 Level 1 (0 points)

    I've had this exact same problem: my Macs (iMac, MacBook) would enroll without a hitch, but any iOS device would give a certificate invalid message. Then, tonight, I finally figured it out: on all my OS X machines, I would connect to server.domain.lan/mydevices, which wouldn't resolve on my iPhone or iPad. I could reach the mydevices page but only through the direct IP address or the external domain name I have set up for the server - basically it's what burton11234 asserted: enrollment will only succeed if the domain name from where you're trying to enroll matches, exactly, the one on the certificate.

    What I had to do was edit the DNS list on my iOS devices, so that the server's IP address was first in line (on my iPhone, there were DNS servers, but not my Lion server; on my iPad the list was completely empty - just tap the DNS field under Settings - Network - Wi-Fi, then hit the little blue arrow next to the SSID). After that I switched to Safari, surfed to server.domain.lan/mydevices, and I could finish the enrollment.

    I should perhaps mention that the trust certificate could be installed before changing the DNS settings, dunno why this is.
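The recurring failure in this thread, the name typed into Safari not matching the name on the server certificate, is the hostname check a TLS client runs after it has decided to trust the chain; installing the trust profile fixes the chain, not the name. As an added example, not code from the thread or from OS X Server, here is that check in Python over a constructed certificate dict shaped like `ssl.SSLSocket.getpeercert()` output, using the thread's `server.company.com`; the `*.company.com` entry and the mismatching URLs are constructed inputs.

```python
# Added example (not from the thread): the hostname check a TLS client performs
# once the certificate chain is trusted, which is the step iOS enrollment fails.
# SAMPLE_CERT is constructed in the shape ssl.SSLSocket.getpeercert() returns;
# "server.company.com" is the thread's example FQDN, "*.company.com" is a
# constructed extra name used only to show wildcard handling.

SAMPLE_CERT = {
    "subject": ((("commonName", "server.company.com"),),),
    "subjectAltName": (("DNS", "server.company.com"), ("DNS", "*.company.com")),
}


def cert_dns_names(cert: dict) -> list[str]:
    """Names the cert is valid for: SAN dNSName entries, CN only when no SAN exists."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style: case-insensitive, wildcard allowed only as the whole left-most label."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # refuse '*.com'-style patterns; '*' never spans more than one label
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the name the client connected to is one the certificate was issued for."""
    return any(_name_matches(n, hostname) for n in cert_dns_names(cert))


def enrollment_url_ok(cert: dict, url: str) -> bool:
    """Apply the check to the host part of an enrollment URL such as https://server/mydevices."""
    host = url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    return hostname_matches(cert, host)


if __name__ == "__main__":
    for url in ("https://server.company.com/mydevices",   # FQDN on the cert: ok
                "https://server/mydevices",               # short name: mismatch
                "https://server.domain.lan/mydevices",    # internal name: mismatch
                "https://192.0.2.10/mydevices"):          # raw IP: mismatch
        verdict = "ok" if enrollment_url_ok(SAMPLE_CERT, url) else "certificate invalid"
        print(f"{url:45} {verdict}")
```

Short names, internal-only names and raw IP addresses all fail the same way, which is why the split-horizon A record described above (the FQDN resolving to the LAN address inside) is the fix rather than another trust profile.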
