Problem with MDM Setup

2665 Views 12 Replies Latest reply: Oct 2, 2013 10:54 PM by amangautam
KocharTech Level 1 (10 points)
Sep 2, 2012 11:41 PM

I'm trying to set up an MDM server. Here's what I've done till now.

  1. Configured a Windows 2008 server with an SSL certificate from a CA, i.e. the server can be accessed as https://abc.com
  2. Hosted a .Net webservice that listens to PUT.
  3. Generated an MDM certificate from the iOS Developer portal.
  4. Generated a Push certificate from Apple. The topic is something like com.apple.mgmt.External.035e7xxxxx
  5. Added the server certificate to the Credentials payload of iPCU. This was done by
    • Exporting the server side SSL as a .pfx file
    • Adding this file to the Windows Certificate store
    • Selecting this certificate in the credentials payload.

 

I've hosted this profile on the server. When I download it on the device, I'm presented with Profile Installation on the device. When I install this profile, I end up with an error saying "The profile MDM could not be installed". On looking at the device logs, I found

 

<Notice>: (Error) MDM: Cannot Authenticate. Error: NSError:
    Desc   : A transaction with the server at “https://abc.com” has failed with the status “400”

I suspect something is wrong in selecting the certificate in the Credentials payload (Step 5).

Also when the Profile Installation screen is presented, I get "Not Verified" just below the profile name.

Need help with the configuration.

  • iStayWinning Level 1 (10 points)
    Sep 3, 2012 7:55 AM (in response to KocharTech)

    You need to configure your web server to accept HTTP PUT and respond with an HTTP 200 OK header.
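
A sketch of the check-in endpoint this reply describes, as an added example that is not part of the original thread or anyone's production code. It assumes the device sends a property list with `MessageType`, `Topic` and `UDID` keys (as in Apple's MDM check-in protocol); the topic and UDID values are constructed placeholders.

```python
import plistlib
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: placeholder; use the topic from your own push certificate.
EXPECTED_TOPIC = "com.apple.mgmt.External.EXAMPLE-PLACEHOLDER"
KNOWN_TYPES = ("Authenticate", "TokenUpdate", "CheckOut")

# Constructed sample of the body a device PUTs when the profile is installed.
SAMPLE_AUTHENTICATE = plistlib.dumps({
    "MessageType": "Authenticate",
    "Topic": EXPECTED_TOPIC,
    "UDID": "0000000000000000000000000000000000000000",  # constructed
})


def handle_checkin(method, body):
    """Decide the HTTP status for one check-in request; returns (status, reason)."""
    if method != "PUT":
        return 405, "check-in must use PUT"
    try:
        msg = plistlib.loads(body)
    except Exception:
        return 400, "body is not a property list"
    if not isinstance(msg, dict) or msg.get("MessageType") not in KNOWN_TYPES:
        return 400, "missing or unknown MessageType"
    if not msg.get("UDID"):
        return 400, "missing UDID"
    if msg.get("Topic") != EXPECTED_TOPIC:
        return 403, "Topic does not match the push certificate"
    return 200, "ok"


class CheckInHandler(BaseHTTPRequestHandler):
    def do_PUT(self):
        length = int(self.headers.get("Content-Length", 0))
        status, reason = handle_checkin("PUT", self.rfile.read(length))
        # Log the reason server-side; the device only reports the status code.
        self.log_message("check-in -> %d (%s)", status, reason)
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    # Plain HTTP on loopback for local testing; the device itself needs HTTPS.
    HTTPServer(("127.0.0.1", 8080), CheckInHandler).serve_forever()
```

Logging the rejection reason next to the status makes a device-side "failed with the status 400" traceable to the exact check that refused the request.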

  • iStayWinning Level 1 (10 points)
    Sep 3, 2012 11:13 AM (in response to KocharTech)

    Make sure you push the entire certificate chain to the device (root, intermediate, etc) and also push a cert signed by the chain to use for authentication.

  • iStayWinning Level 1 (10 points)
    Sep 4, 2012 9:12 AM (in response to KocharTech)

    You have the MDM certificate, which is used to communicate with APNS.

     

    The identity certificate needs to be an authentication certificate for the device itself, issued by the root chain of the webserver.

  • jafuller Level 1 (0 points)
    Oct 1, 2012 1:44 PM (in response to KocharTech)

    Use your 3rd Party SSL certificate to sign the configuration profiles.  As long as the chain can be validated by the device that is enrolling (typically over the internet so you must have a trusted SSL issued by a known party), then the profiles that are downloaded would be trusted.

     

    Self signed machine SSL doesn't work so well.  If you have an internal CA, the devices connecting to the machine will need that chain.

  • Thoths Level 1 (0 points)
    Mar 7, 2013 7:26 AM (in response to KocharTech)

    @KocharTech,

    I am trying to install an MDM server on Windows 2008 Server.  I am stuck at creating the push certification from the Apple cert site.

    We are the vendor as well as the customer. We have the enterprise license as well.  The following are the steps I tried.

    • Generate a CSR from Keychain. I have used a Mac to create this. Is it required that I will have to do this from Windows server?
    • Use this CSR to generate an MDM certificate from Provisioning portal. When I double click this certificate, I get it in the keychain. 
    • Export this certificate. Keychain>>Login>>My Certificates>>Expand the certificate>>Export the private key as vendor.p12 
    • Generate pList for Push certificate. Source: Softhinker
    • After I upload the plist_encoded file to the apple site, I get a file with the following error mentioned.

    {"ErrorCode":-80018,"ErrorMessage":"Certificate Signature Verification failed","ErrorDescription":"Certificate Signature Verification failed because the <a href=\"http://www.apple.com/business/mdm\" target=\"_blank\">signature<\/a> is invalid."}

     

    Any idea what's going on? There isn't much help for this error. I double checked my encoding and plist XML format and everything seems to be okay.

  • Thoths Level 1 (0 points)
    Mar 7, 2013 11:10 AM (in response to Thoths)

    The certificate signature issue is fixed. Using the wrong MDM certificate was the cause.

  • eyal83 Level 1 (0 points)
    Aug 20, 2013 1:56 AM (in response to Thoths)

    Hi,

    Using KocharTech certificate my push cert is now valid but it doesn't have a private key.

     

    Suggestions?

  • amangautam Level 1 (0 points)
    Oct 2, 2013 10:54 PM (in response to KocharTech)

    Hi,

    I am getting error

    Certificate Signature Verification failed because the signature is invalid.

    on https://identity.apple.com/pushcert/

     

    The following are the steps I tried.

     

    • Generate a CSR from Keychain. I have used a Mac to create this. Is it required that I will have to do this from Windows server?
    • Use this CSR to generate an MDM certificate from Provisioning portal. When I double click this certificate, I get it in the keychain.
    • Export this certificate. Keychain>>Login>>My Certificates>>Expand the certificate>>Export the private key as vendor.p12
    • Generate pList for Push certificate. Source: Softhinker

     

    If I try to upload this file on https://identity.apple.com/pushcert/ it gives me above error.

    Any help will be appreciated ....
