MickTonyG

Q: Can't Enable Device Management

I am getting the dreaded 'An error with code -1 occurred' when trying to enable device management on 2 different XSAN deployments. This is a secondary XSAN metadata controller. The primary metadata controller starts up Device Management fine. This is in the logs of the faulty system:

 

1:: [17200] [2015/04/26 12:23:02.166] EXCEPTION:  Error <-[SCEPHelper odRootCertificate] (/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-886.204/Compiled/Framework-Base/Support/SCEPHelper.m:61): "'((SCEPHELPER_GetODRootCertificate(self.connection, &root, &rootCnt)))' error 1">

    USERINFO: {

        NSLocalizedDescription = "Operation not permitted";

    }

 

Any thoughts?  Thanks!

 

Michael

Posted on Apr 26, 2015 12:37 PM


  • by Nickrichyrichardson,

    Nickrichyrichardson Apr 27, 2015 6:26 AM in response to MickTonyG
    Level 1 (0 points)

    Hey Michael,

     

    Could you provide us a bit more information about your environment setup? Any additional information can help diagnose this.

     

    Nick

  • by MickTonyG,

    MickTonyG Apr 30, 2015 3:14 PM in response to Nickrichyrichardson
    Level 1 (4 points)

    Sure.  Thanks for the reply and apologies on the slow response.  Again, from what I can tell,

     

    The environment is an XSAN deployment, so servers are on Yosemite 10.10.3, running Server 4.1.  DNS, OD and XSAN are running well on both.  Other services on this machine include Calendar, Messages and File Sharing, but all other services were set up after the failure of Profile Manager.

     

    Basically I cannot enable device management for Profile Manager. Didn't work initially, so I tried the steps here: OS X Server: How to reset Profile Manager to its original state - Apple Support. Didn't work again. The log output makes me think it has a problem with the server's certificates, but server2 only has an SSL cert signed by server1.

     

    I must be missing something, so any thoughts greatly appreciated.

     

    devicemgrd.log output:

     

    [67233] [2015/04/30 14:49:55.925] -[SULogFileCollection setGlobalLogLevelPrefix:]: YES

    0:: [67233] [2015/04/30 14:49:55.928]

        ###############################################################################

        devicemgrd-886.204 (PID:67233, OS:14D136, SERVER:14S1092, ARCH:x86_64) starting

        LA: devicemgrd

        Log verbosity level = 1

        UID = 220, EUID = 220

        ###############################################################################

    1:: [67233] [2015/04/30 14:49:55.936] Incoming request: readSettings

    0:: [67233] [2015/04/30 14:49:56.059] +[PGConnection reloadPreferences]: DBDebug = NO, DBLogNotices = NO, DBLogSQL = NO, DBMonitor = NO

    0:: [67233] [2015/04/30 14:49:59.048] Profile Manager service STOPPED

    1:: [67233] [2015/04/30 14:49:59.068] Wrote MDM URL bag to /Library/Server/ProfileManager/Config/ServiceData/Data/FileStore/MDMServiceConfig.json

    1:: [67233] [2015/04/30 14:49:59.068] Wrote DEP Anchor Certs to /Library/Server/ProfileManager/Config/ServiceData/Data/FileStore/DEPAnchorCerts.json

    1:: [67233] [2015/04/30 14:49:59.078] Ready to receive external socket requests.

    1:: [67233] [2015/04/30 14:49:59.170] Incoming request: readAppDistributionSettings

    1:: [67233] [2015/04/30 14:49:59.173] Incoming request: readSimplifiedDeviceEnrollmentSettings

    [67337] [2015/04/30 14:50:35.699] -[SULogFileCollection setGlobalLogLevelPrefix:]: YES

    0:: [67337] [2015/04/30 14:50:35.712]

        ###############################################################################

        devicemgrd-886.204 (PID:67337, OS:14D136, SERVER:14S1092, ARCH:x86_64) starting

        LA: devicemgrd

        Log verbosity level = 1

        UID = 220, EUID = 220

        ###############################################################################

    0:: [67337] [2015/04/30 14:50:35.735] +[PGConnection reloadPreferences]: DBDebug = NO, DBLogNotices = NO, DBLogSQL = NO, DBMonitor = NO

    0:: [67337] [2015/04/30 14:50:37.930] Profile Manager service STOPPED

    1:: [67337] [2015/04/30 14:50:37.938] User 'nobody' not found, creating...

    0:: [67337] [2015/04/30 14:50:38.431] Loaded strings from '/Applications/Server.app/Contents/ServerRoot/usr/share/servermgrd/bundles/servermgr_devicemgr.bundle/Contents/Resources/en.lproj/default.strings'.

    1:: [67337] [2015/04/30 14:50:38.440] Incoming request: readSettings

    0:: [67337] [2015/04/30 14:50:38.655] -[NSString(devicemgr_Additions) dateFromOpenSSLString]: 'Apr 26 20:57:28 2017 GMT'

    1:: [67337] [2015/04/30 14:50:38.675] Wrote trust profile to /Library/Server/ProfileManager/Config/ServiceData/Data/FileStore/Trust_Profile_for_mdc02.mobileconfig

    1:: [67337] [2015/04/30 14:50:38.686] Wrote MDM URL bag to /Library/Server/ProfileManager/Config/ServiceData/Data/FileStore/MDMServiceConfig.json

    1:: [67337] [2015/04/30 14:50:38.688] Wrote DEP Anchor Certs to /Library/Server/ProfileManager/Config/ServiceData/Data/FileStore/DEPAnchorCerts.json

    0:: [67337] [2015/04/30 14:50:38.718] Parsing enterprise app icons

    1:: [67337] [2015/04/30 14:50:38.718] Parsing enterprise apps with missing icons...

    1:: [67337] [2015/04/30 14:50:38.720] Ready to receive external socket requests.

    0:: [67337] [2015/04/30 14:50:39.519] Created default profile 'Settings for Everyone'

    1:: [67337] [2015/04/30 14:50:39.523] Incoming request: readAppDistributionSettings

    1:: [67337] [2015/04/30 14:50:39.526] Incoming request: readSimplifiedDeviceEnrollmentSettings

    1:: [67337] [2015/04/30 14:50:45.889] Incoming request: writeSettings

    1:: [67337] [2015/04/30 14:50:45.911] EXCEPTION:  Error <-[SCEPHelper getIdentityDataForPersistentRef:encryptedWithPassword:] (/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-886.204/Compiled/Framework-Base/Support/SCEPHelper.m:217): "'((SCEPHELPER_GetIdentityFromRef(self.connection, mCertRef, mCertRefCnt, mPassword, mPasswordCnt, &mPKCS12Data, &mPKCS12DataCnt)))' error 1">

        USERINFO: {

            NSLocalizedDescription = "Operation not permitted";

        }

    1:: [67337] [2015/04/30 14:50:54.400] Completed parsing enterprise apps with missing icons!

    1:: [67337] [2015/04/30 14:51:21.438] Incoming request: activateOD

    1:: [67337] [2015/04/30 14:51:21.438] EXCEPTION:  Error <-[SCEPHelper odRootCertificate] (/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-886.204/Compiled/Framework-Base/Support/SCEPHelper.m:61): "'((SCEPHELPER_GetODRootCertificate(self.connection, &root, &rootCnt)))' error 1">

        USERINFO: {

            NSLocalizedDescription = "Operation not permitted";

        }

  • by cdhw,

    cdhw Apr 30, 2015 4:34 PM in response to MickTonyG
    Level 4 (2,623 points)
    Servers Enterprise

    Did you remember to get a 'push' certificate from Apple for your server?

     

    C.

  • by MickTonyG,

    MickTonyG Apr 30, 2015 5:03 PM in response to cdhw
    Level 1 (4 points)

    Yes, the server has push notifications enabled and I verified the certs are on Apple Push Certificates Portal.

     

    Michael

  • by AppleGrapple,

    AppleGrapple Aug 25, 2015 6:38 AM in response to MickTonyG
    Level 1 (0 points)

    Was there any resolution to this?

    I am having exactly the same issue, and it's making me lose hair, sleep... both of which I am short of anyway.

     

    The server I am having trouble with used to be an OD replica, which was then promoted to a Master, but still seems to share the same certificate - I'm sure this is a certificate issue...

     

    Any thoughts?

  • by adisor19,

    adisor19 Jul 13, 2016 11:21 AM in response to AppleGrapple
    Level 1 (14 points)

    Having the EXACT same issue with a fresh install of OS X and OS X Server 5.1.5.

     

    Yes, I wiped the partition clean. I joined OD to my master server. As soon as I try to turn on device management, I get the dreaded error message:

     

    1:: [462] [2016/07/13 14:16:32.573] Incoming request: informWebAppState
    1:: [462] [2016/07/13 14:16:32.621] Incoming request: readSettings
    1:: [462] [2016/07/13 14:16:32.626] Incoming request: readAppDistributionSettings
    1:: [462] [2016/07/13 14:16:32.629] Incoming request: readSimplifiedDeviceEnrollmentSettings
    1:: [462] [2016/07/13 14:16:57.468] Apache SSL configuration was changed, check for updated SSL certificate....
    1:: [462] [2016/07/13 14:16:57.475] EXCEPTION:  Error <-[SCEPHelper odRootCertificate] (/BuildRoot/Library/Caches/com.apple.xbs/Sources/RemoteDeviceManagement/RemoteDeviceManagement-895.19/Compiled/Framework-Base/Support/SCEPHelper.m:74): "'((SCEPHELPER_GetODRootCertificate(self.connection, &cert, &certCnt)))' error 1">
        USERINFO: {
            NSLocalizedDescription = "Operation not permitted";
        }
    0:: [462] [2016/07/13 14:16:57.475] Unable to fetch OD Root CA Cert. -[SCEPHelper odRootCertificate] (/BuildRoot/Library/Caches/com.apple.xbs/Sources/RemoteDeviceManagement/RemoteDeviceManagement-895.19/Compiled/Framework-Base/Support/SCEPHelper.m:74): "'((SCEPHELPER_GetODRootCertificate(self.connection, &cert, &certCnt)))' error 1"
    0:: [462] [2016/07/13 14:16:57.831] -[NSString(devicemgr_Additions) dateFromOpenSSLString]: 'Apr 11 12:00:00 2018 GMT'
    1:: [462] [2016/07/13 14:16:57.958] Wrote MDM URL bag to /Library/Server/ProfileManager/Config/ServiceData/Data/FileStore/MDMServiceConfig.json
    1:: [462] [2016/07/13 14:17:01.263] Incoming request: activateOD
    1:: [462] [2016/07/13 14:17:01.269] EXCEPTION:  Error <-[SCEPHelper odRootCertificate] (/BuildRoot/Library/Caches/com.apple.xbs/Sources/RemoteDeviceManagement/RemoteDeviceManagement-895.19/Compiled/Framework-Base/Support/SCEPHelper.m:74): "'((SCEPHELPER_GetODRootCertificate(self.connection, &cert, &certCnt)))' error 1">
        USERINFO: {
            NSLocalizedDescription = "Operation not permitted";
        }
    
  • by adisor20,

    adisor20 Jul 14, 2016 8:25 AM in response to MickTonyG
    Level 1 (4 points)

    Hi MickTonyG,

     

    I finally found the answer after wasting an entire day yesterday over this same issue.

     

    1) PM needs to run on an OD MASTER, not on an OD replica.

    If you already have it running on an OD MASTER, make sure you have your 3 identity preferences showing up in the keychain:

     

    OPENDIRECTORY_SSL_IDENTITY

    OPENDIRECTORY_ROOT_CA_IDENTITY

    OPENDIRECTORY_INT_CA_IDENTITY

     

    If you have it running on a replica, destroy that replica and let PM create a brand new dummy OD Master and then, using Directory Utility, just join the server to your real OD Master so it can grab the users/groups.

     

    That's it.
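
A way to triage the devicemgrd.log excerpts posted in this thread, as an added example that is not part of any post and not Apple's code: it pulls out each multi-line EXCEPTION entry and tags it with the request that preceded it for the same PID. The function names are hypothetical, and the sample entries are copied from the thread's excerpts with the forum's wrap spaces removed.

```python
import re
from collections import Counter

# Entry header: optional "N::" level, [pid], [timestamp], then the message.
ENTRY = re.compile(r"^\s*(?:\d+::\s*)?\[(\d+)\]\s*\[([\d/]+ [\d:.]+)\]\s*(.*)$")
REQUEST = re.compile(r"Incoming request: (\w+)")
EXCEPTION = re.compile(r"""EXCEPTION:\s+Error <-\[(\w+) ([^\]]+)\] \((.*?):(\d+)\): "'\(\((\w+)\(""")
DESCRIPTION = re.compile(r'NSLocalizedDescription\s*=\s*"([^"]*)"')

# Sample input: entries copied from the log excerpts posted in the thread.
SAMPLE_LOG = r"""1:: [67337] [2015/04/30 14:50:45.889] Incoming request: writeSettings
1:: [67337] [2015/04/30 14:50:45.911] EXCEPTION:  Error <-[SCEPHelper getIdentityDataForPersistentRef:encryptedWithPassword:] (/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-886.204/Compiled/Framework-Base/Support/SCEPHelper.m:217): "'((SCEPHELPER_GetIdentityFromRef(self.connection, mCertRef, mCertRefCnt, mPassword, mPasswordCnt, &mPKCS12Data, &mPKCS12DataCnt)))' error 1">
    USERINFO: {
        NSLocalizedDescription = "Operation not permitted";
    }
1:: [67337] [2015/04/30 14:51:21.438] Incoming request: activateOD
1:: [67337] [2015/04/30 14:51:21.438] EXCEPTION:  Error <-[SCEPHelper odRootCertificate] (/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-886.204/Compiled/Framework-Base/Support/SCEPHelper.m:61): "'((SCEPHELPER_GetODRootCertificate(self.connection, &root, &rootCnt)))' error 1">
    USERINFO: {
        NSLocalizedDescription = "Operation not permitted";
    }"""

def parse_exceptions(text):
    """Return one dict per EXCEPTION entry, tagged with that PID's last request."""
    last_request, found, current = {}, [], None
    for line in text.splitlines():
        head = ENTRY.match(line)
        if not head:  # continuation line (USERINFO block) of the current entry
            desc = DESCRIPTION.search(line)
            if current is not None and desc:
                current["description"] = desc.group(1)
            continue
        pid, stamp, message = head.groups()
        current = None
        req = REQUEST.search(message)
        if req:
            last_request[pid] = req.group(1)
        exc = EXCEPTION.search(message)
        if exc:
            current = {"pid": pid, "time": stamp, "method": exc.group(2), "call": exc.group(5),
                       "source_line": int(exc.group(4)), "request": last_request.get(pid), "description": None}
            found.append(current)
    return found

def summarize(exceptions):
    """Count failures by (triggering request, failing method, error text)."""
    return Counter((e["request"], e["method"], e["description"]) for e in exceptions)

if __name__ == "__main__":
    print(summarize(parse_exceptions(SAMPLE_LOG)))
```
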