Apr 27, 2015 6:26 AM in response to MickTonyG by Nickrichyrichardson
Hey Michael,
Could you provide us a bit more information about your environment setup? Any additional information can help diagnose this.
Nick
-
Apr 30, 2015 3:14 PM in response to Nickrichyrichardson by MickTonyG
Sure. Thanks for the reply and apologies on the slow response. Again, from what I can tell,
The environment is an XSAN deployment, so servers are on Yosemite 10.10.3, running Server 4.1. DNS, OD and XSAN are running well on both. Other services on this machine include Calendar, Messages and File Sharing, but all other services were set up after the failure of Profile Manager.
Basically I cannot enable device management for Profile Manager. Didn't work initially, so I tried the steps here: OS X Server: How to reset Profile Manager to its original state - Apple Support. Didn't work again. The log output makes me think it has a problem with the server's certificates, but server2 only has an SSL cert signed by server1.
I must be missing something, so any thoughts greatly appreciated.
devicemgrd.log output:
[67233] [2015/04/30 14:49:55.925] -[SULogFileCollection setGlobalLogLevelPrefix:]: YES
0:: [67233] [2015/04/30 14:49:55.928]
###############################################################################
devicemgrd-886.204 (PID:67233, OS:14D136, SERVER:14S1092, ARCH:x86_64) starting
LA: devicemgrd
Log verbosity level = 1
UID = 220, EUID = 220
###############################################################################
1:: [67233] [2015/04/30 14:49:55.936] Incoming request: readSettings
0:: [67233] [2015/04/30 14:49:56.059] +[PGConnection reloadPreferences]: DBDebug = NO, DBLogNotices = NO, DBLogSQL = NO, DBMonitor = NO
0:: [67233] [2015/04/30 14:49:59.048] Profile Manager service STOPPED
1:: [67233] [2015/04/30 14:49:59.068] Wrote MDM URL bag to /Library/Server/ProfileManager/Config/ServiceData/Data/FileStore/MDMServiceConfig.json
1:: [67233] [2015/04/30 14:49:59.068] Wrote DEP Anchor Certs to /Library/Server/ProfileManager/Config/ServiceData/Data/FileStore/DEPAnchorCerts.json
1:: [67233] [2015/04/30 14:49:59.078] Ready to receive external socket requests.
1:: [67233] [2015/04/30 14:49:59.170] Incoming request: readAppDistributionSettings
1:: [67233] [2015/04/30 14:49:59.173] Incoming request: readSimplifiedDeviceEnrollmentSettings
[67337] [2015/04/30 14:50:35.699] -[SULogFileCollection setGlobalLogLevelPrefix:]: YES
0:: [67337] [2015/04/30 14:50:35.712]
###############################################################################
devicemgrd-886.204 (PID:67337, OS:14D136, SERVER:14S1092, ARCH:x86_64) starting
LA: devicemgrd
Log verbosity level = 1
UID = 220, EUID = 220
###############################################################################
0:: [67337] [2015/04/30 14:50:35.735] +[PGConnection reloadPreferences]: DBDebug = NO, DBLogNotices = NO, DBLogSQL = NO, DBMonitor = NO
0:: [67337] [2015/04/30 14:50:37.930] Profile Manager service STOPPED
1:: [67337] [2015/04/30 14:50:37.938] User 'nobody' not found, creating...
0:: [67337] [2015/04/30 14:50:38.431] Loaded strings from '/Applications/Server.app/Contents/ServerRoot/usr/share/servermgrd/bundles/servermgr_devicemgr.bundle/Contents/Resources/en.lproj/default.strings'.
1:: [67337] [2015/04/30 14:50:38.440] Incoming request: readSettings
0:: [67337] [2015/04/30 14:50:38.655] -[NSString(devicemgr_Additions) dateFromOpenSSLString]: 'Apr 26 20:57:28 2017 GMT'
1:: [67337] [2015/04/30 14:50:38.675] Wrote trust profile to /Library/Server/ProfileManager/Config/ServiceData/Data/FileStore/Trust_Profile_for_mdc02.mobileconfig
1:: [67337] [2015/04/30 14:50:38.686] Wrote MDM URL bag to /Library/Server/ProfileManager/Config/ServiceData/Data/FileStore/MDMServiceConfig.json
1:: [67337] [2015/04/30 14:50:38.688] Wrote DEP Anchor Certs to /Library/Server/ProfileManager/Config/ServiceData/Data/FileStore/DEPAnchorCerts.json
0:: [67337] [2015/04/30 14:50:38.718] Parsing enterprise app icons
1:: [67337] [2015/04/30 14:50:38.718] Parsing enterprise apps with missing icons...
1:: [67337] [2015/04/30 14:50:38.720] Ready to receive external socket requests.
0:: [67337] [2015/04/30 14:50:39.519] Created default profile 'Settings for Everyone'
1:: [67337] [2015/04/30 14:50:39.523] Incoming request: readAppDistributionSettings
1:: [67337] [2015/04/30 14:50:39.526] Incoming request: readSimplifiedDeviceEnrollmentSettings
1:: [67337] [2015/04/30 14:50:45.889] Incoming request: writeSettings
1:: [67337] [2015/04/30 14:50:45.911] EXCEPTION: Error <-[SCEPHelper getIdentityDataForPersistentRef:encryptedWithPassword:] (/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-886.204/Compiled/Framework-Base/Support/SCEPHelper.m:217): "'((SCEPHELPER_GetIdentityFromRef(self.connection, mCertRef, mCertRefCnt, mPassword, mPasswordCnt, &mPKCS12Data, &mPKCS12DataCnt)))' error 1">
USERINFO: {
NSLocalizedDescription = "Operation not permitted";
}
1:: [67337] [2015/04/30 14:50:54.400] Completed parsing enterprise apps with missing icons!
1:: [67337] [2015/04/30 14:51:21.438] Incoming request: activateOD
1:: [67337] [2015/04/30 14:51:21.438] EXCEPTION: Error <-[SCEPHelper odRootCertificate] (/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-886.204/Compiled/Framework-Base/Support/SCEPHelper.m:61): "'((SCEPHELPER_GetODRootCertificate(self.connection, &root, &rootCnt)))' error 1">
USERINFO: {
NSLocalizedDescription = "Operation not permitted";
}
-
Apr 30, 2015 4:34 PM in response to MickTonyG by cdhw
Did you remember to get a 'push' certificate from Apple for your server?
C.
-
Apr 30, 2015 5:03 PM in response to cdhw by MickTonyG
Yes, the server has push notifications enabled and I verified the certs are on Apple Push Certificates Portal.
Michael
-
Aug 25, 2015 6:38 AM in response to MickTonyG by AppleGrapple
Was there any resolution to this?
I am having exactly the same issue, and it's making me lose hair, sleep... both of which I am short of anyway.
The server I am having trouble with used to be an OD replica, which was then promoted to a Master, but still seems to share the same certificate - I'm sure this is a certificate issue...
Any thoughts?
-
Jul 13, 2016 11:21 AM in response to AppleGrapple by adisor19
Having the EXACT same issue with a fresh install of OS X and OS X Server 5.1.5.
Yes, I wiped the partition clean. I joined OD to my master server. As soon as I try to turn on device management, I get the dreaded error message:
1:: [462] [2016/07/13 14:16:32.573] Incoming request: informWebAppState
1:: [462] [2016/07/13 14:16:32.621] Incoming request: readSettings
1:: [462] [2016/07/13 14:16:32.626] Incoming request: readAppDistributionSettings
1:: [462] [2016/07/13 14:16:32.629] Incoming request: readSimplifiedDeviceEnrollmentSettings
1:: [462] [2016/07/13 14:16:57.468] Apache SSL configuration was changed, check for updated SSL certificate....
1:: [462] [2016/07/13 14:16:57.475] EXCEPTION: Error <-[SCEPHelper odRootCertificate] (/BuildRoot/Library/Caches/com.apple.xbs/Sources/RemoteDeviceManagement/RemoteDeviceManagement-895.19/Compiled/Framework-Base/Support/SCEPHelper.m:74): "'((SCEPHELPER_GetODRootCertificate(self.connection, &cert, &certCnt)))' error 1">
USERINFO: {
NSLocalizedDescription = "Operation not permitted";
}
0:: [462] [2016/07/13 14:16:57.475] Unable to fetch OD Root CA Cert. -[SCEPHelper odRootCertificate] (/BuildRoot/Library/Caches/com.apple.xbs/Sources/RemoteDeviceManagement/RemoteDeviceManagement-895.19/Compiled/Framework-Base/Support/SCEPHelper.m:74): "'((SCEPHELPER_GetODRootCertificate(self.connection, &cert, &certCnt)))' error 1"
0:: [462] [2016/07/13 14:16:57.831] -[NSString(devicemgr_Additions) dateFromOpenSSLString]: 'Apr 11 12:00:00 2018 GMT'
1:: [462] [2016/07/13 14:16:57.958] Wrote MDM URL bag to /Library/Server/ProfileManager/Config/ServiceData/Data/FileStore/MDMServiceConfig.json
1:: [462] [2016/07/13 14:17:01.263] Incoming request: activateOD
1:: [462] [2016/07/13 14:17:01.269] EXCEPTION: Error <-[SCEPHelper odRootCertificate] (/BuildRoot/Library/Caches/com.apple.xbs/Sources/RemoteDeviceManagement/RemoteDeviceManagement-895.19/Compiled/Framework-Base/Support/SCEPHelper.m:74): "'((SCEPHELPER_GetODRootCertificate(self.connection, &cert, &certCnt)))' error 1">
USERINFO: {
NSLocalizedDescription = "Operation not permitted";
}
-
Jul 14, 2016 8:25 AM in response to MickTonyG by adisor20
Hi MickTonyG,
I finally found the answer after wasting an entire day yesterday over this same issue.
1) PM needs to run on an OD MASTER, not on an OD replica.
If you already have it running on an OD MASTER, make sure you have your 3 Identity preferences showing up in the keychain:
OPENDIRECTORY_SSL_IDENTITY
OPENDIRECTORY_ROOT_CA_IDENTITY
OPENDIRECTORY_INT_CA_IDENTITY
If you have it running on a replica, destroy that replica and let PM create a brand new dummy OD Master and then using Directory Utility, just join the server to your real OD Master so it can grab the users/groups.
That's it.
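
Added example, not part of the thread: a small Python triage script that pulls the SCEPHelper exceptions out of a devicemgrd.log excerpt in the format quoted above and pairs each with the most recent "Incoming request" from the same PID. The sample log is constructed (source paths and call arguments shortened), the function name `scep_failures` is hypothetical, and the paired request is a hint about what was in progress, not a proven cause.

```python
import re

# Constructed sample in the devicemgrd.log layout quoted in this thread.
SAMPLE_LOG = """\
1:: [67337] [2015/04/30 14:50:45.889] Incoming request: writeSettings
1:: [67337] [2015/04/30 14:50:45.911] EXCEPTION: Error <-[SCEPHelper getIdentityDataForPersistentRef:encryptedWithPassword:] (SCEPHelper.m:217): "'((SCEPHELPER_GetIdentityFromRef(...)))' error 1">
USERINFO: {
NSLocalizedDescription = "Operation not permitted";
}
1:: [67337] [2015/04/30 14:50:54.400] Completed parsing enterprise apps with missing icons!
1:: [67337] [2015/04/30 14:51:21.438] Incoming request: activateOD
1:: [67337] [2015/04/30 14:51:21.438] EXCEPTION: Error <-[SCEPHelper odRootCertificate] (SCEPHelper.m:61): "'((SCEPHELPER_GetODRootCertificate(...)))' error 1">
USERINFO: {
NSLocalizedDescription = "Operation not permitted";
}
"""

# "<level>:: [pid] [timestamp] message"; the level prefix is optional.
ENTRY = re.compile(r"^(?:\d+:: )?\[(\d+)\] \[([\d/]+ [\d:.]+)\] ?(.*)$")
REQUEST = re.compile(r"Incoming request: (\w+)")
SCEP = re.compile(r"EXCEPTION: Error <-\[SCEPHelper ([^\]]+)\]")
DESC = re.compile(r'NSLocalizedDescription = "([^"]*)"')

def scep_failures(log_text):
    """Return one dict per SCEPHelper exception found in log_text."""
    last_request = {}  # pid -> most recent request name seen
    failures = []
    current = None     # exception still waiting for its USERINFO block
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if entry:
            pid, stamp, msg = entry.groups()
            current = None
            req = REQUEST.search(msg)
            if req:
                last_request[pid] = req.group(1)
            exc = SCEP.search(msg)
            if exc:
                current = {"pid": pid, "time": stamp, "method": exc.group(1),
                           "request": last_request.get(pid), "description": None}
                failures.append(current)
        elif current is not None:
            # Continuation lines (USERINFO block) belong to the open exception.
            desc = DESC.search(line)
            if desc:
                current["description"] = desc.group(1)
    return failures

if __name__ == "__main__":
    for f in scep_failures(SAMPLE_LOG):
        print(f["time"], f["request"], f["method"], f["description"])
```
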