Profile installation failed An SSL error has occurred and a secure connection to the server cannot be made

Hi, I'm having a difficult experience getting my new MBPs to install the profiles that I have created using OSX server. Both the server and client are running Big Sur.


I have my own enterprise CA (Microsoft Active Directory Certificate Services)

The OSX server certificate is installed and trusted by both the server and the client machine.

The Intermediate CA certificate, and the root CA certificate are both installed and trusted on the server and the client machines.


I can browse in Safari, and the certificate shows as valid.


I was able to install the trust profile on both the server and client.


I was able to install the enrollment profile on the server without issue.


When I try to install the client device, I get the error: Profile installation failed An SSL error has occurred and a secure connection to the server cannot be made.


There is one promising error in the dmAuthService.log, but it might not be my problem:

[2021-04-28 11:59:47.717] <192.168.10.84> «SQ08-000001:AuthPage» WARNING: Received invalid redirect “https://myserver.mydomain.local/devicemanagement/webapi/authentication/device_callback”.


https://myserver.mydomain.local is the correct hostname, and the certificate is bound to this name (and it works without issue in Safari to load the page and download the mdm_profile.mobileconfig file). The page at devicemanagement/webapi/authentication/device_callback, however, is not found.


If anyone has advice on how to troubleshoot and resolve my issue, I would be forever grateful.


Does anyone know of a log on the client that might be helpful?


Thanks,

Kevin




Posted on Apr 28, 2021 9:26 AM


Apr 30, 2021 1:19 PM in response to Kevin_2021

You can view client messages by opening Console.app and searching for "mdmclient".


Also, just to be sure, are you trying to enroll by using the profile downloaded by clicking the "Enroll" button in the /mydevices web page, or by using an enrollment profile downloaded from either the Profile Manager web admin or the Profiles tab of /mydevices? If you are using the profile from clicking the "Enroll" button, be aware that those are one-time use only and expire after something like 10 minutes. These profiles also include the trust profile in them, so you would have to download a new one each time you change the certificate setting in Server.app.


If you are using an enrollment profile from the web admin, you would need to manually download and install a new trust profile each time you change your certificate setting.

Apr 29, 2021 5:25 PM in response to Kevin_2021

If you browse to https://myserver.mydomain.local/mydevices page from the client then click the lock icon to the left of the hostname/URL in the address bar and choose to view the certificate, is it displaying the expected certificate? If so, then I don't have anything to offer. But if not, double-check that your enterprise certificate is still selected in the Certificates pane of Server.app. Even if it looks correct, you might want to select a different certificate and then re-select the correct certificate. Finally, try rebooting your server or do `sudo killall -9 httpd` in Terminal to make sure Apache gets reloaded with the updated configuration.



Apr 30, 2021 1:00 PM in response to XFox

I should have said "When I try to enroll the client device".


I have tried signed and unsigned. I spent 3 hours reconfiguring with Apple Support, to no avail.


Does anyone know of a client log for profile installation?


Neither of my enterprise support specialists knew of one.


Unfortunately, this might be the end of the road for managed macOS machines in our org.


Thanks for your input.


Kevin

Apr 30, 2021 1:05 PM in response to mscott_mdm

Thanks mscott, I have tried several certificate options, including trying self-signed ones, and ADCS certificates. It's really easy to get them trusted by the browser, and enable trust in Keychain Access, but I still get an SSL error every time I try to enroll a device.


My assumption is that this is a problem with the Big Sur OS. Our server and clients worked just fine right up through Catalina.



Thanks for your ideas,

Kevin
