macOS Server 5.12 fails to export public key from the Profile Manager

Question

Level 1

14 points

macOS Server 5.12 fails to export public key from the Profile Manager

The official doc says

Upload the public key certificate to the appropriate program and download the device enrollment token

https://support.apple.com/en-gb/guide/server/apd88446/mac

But It's not possible to retrieve the public key for registering MDM server on a clean installed macOS Monterey 12.1 with Server.app 5.12

Export option is just getting stuck in the disabled state

It worked fine on the Big Sur and even after updating from Big Sur to Monterey, but fails in 100% cases either after resetting Profile Manager or fresh Server install

Here are the Service Helper Logs

1:: [2796] [2021-12-24 04:04:26.318] Incoming request: readSimplifiedDeviceEnrollmentSettings
1:: [2796] [2021-12-24 04:05:38.124] Incoming request: getTokenEncryptionCertificate
1:: [2796] [2021-12-24 04:05:38.346] OpenSSLCreateSMIMEIdentity RESULT:
    ————————+———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————
    COMMAND | /usr/bin/openssl req -passin stdin -new -sha256 -key /Library/Server/ProfileManager/Config/ServiceData/Data/tmp/x_rdmtemp.rLwy1P,,,,8-pTDFYZ+tqjI.noindex.key -out /Library/Server/
            | ProfileManager/Config/ServiceData/Data/tmp/x_rdmtemp.rLwy1P,,,,8-pTDFYYToGpw.noindex.csr -config /Library/Server/ProfileManager/Config/ServiceData/Data/tmp/x_rdmtemp.rLwy1P,,,,8-pTDFYS1jOYs.
            | noindex.config -extensions v3_req
    WD      | /
    ————————+———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————
    STATUS  | 1
    ————————+———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————
    STDERR  | Error Loading extension section v3_req
    ————————+———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————
    STDOUT  | 
    ————————+———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————
1:: [2796] [2021-12-24 04:29:57.652] EXCEPTION:  !IF <NSString * _Nonnull OpenSSLCreateSMIMEIdentity(NSString * _Nullable __strong, NSString * _Nonnull __strong, NSString * _Nullable __strong, NSString * _Nonnull __strong, NSString * _Nonnull __autoreleasing * _Nonnull) (CryptoUtilities.m:1412): "'((status != 0))'">

So it seems like there's something wrong with a temporary generated openssl config. I've managed to catch the moment of its creation and there's no v3_req config here... just this

[req]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no

[req_distinguished_name]
C = US
O = Example
CN = Profile Manager S/MIME Identity
emailAddress = example@mydomain.com

Does anyone know any workarounds?

Posted on Dec 23, 2021 7:23 PM

Reply

Answer 1

Top-ranking reply

TangoJulietCharlie

Level 1

8 points

Jan 11, 2022 3:24 AM in response to Arrrthur

Thank you everyone for sharing and for exploring this issue. This issue has now resolved the issue for our organisation, at least.

Apple released a new version (v5.12.1) of the Server app in the App Store yesterday.

I've updated our macOS server with the new version of the app. I can now export the Profile Manager public key and upload it in Apple Business Manager to get the token for Profile Manager, as before.

We've applied this to our production server and, as far as we can tell, all is working fine.

Thank you again.

Reply

Answer 2

Jan 10, 2022 6:53 AM in response to atilla1984

I have now the solution. I was on the phone with Apple Support for macOS Server. It's indeed a Bug. They are working to resolve it.

They told me, I han to reset the mac with the Internet Recovery modus to an older version than macOS 12 Monterey.

You need in the end macOS 11. After that you can install the Server application and finaly setup Apple Business Manager.

When you finished you can upgrade to macOS 12 Monterey.

I did it, without the upgrade. It worked!!

Hope I could help

Reply

Answer 3

jkirkit

Level 1

12 points

Jan 4, 2022 8:33 AM in response to Arrrthur

I have this same issue as well. Looks like it's been reported as early as Dec. 15, 2021. I spoke with business support yesterday; the person I was working with had seen the issue a couple times that day and found an open engineering case on it. He was unable to provide any sort of eta though. Anyone able to find success?

Running macOS 12.0.1 with Server 5.12.

Reply

Answer 4

Jan 9, 2022 11:45 AM in response to atilla1984

I spoke with an engineer this past friday. They are aware of it but have no eta. I did however have to point the engineer to a couple of discussions on here because he couldn’t find it in their list of problem.

Reply

Answer 5

Dec 31, 2021 6:48 AM in response to Arrrthur

We have the same issue. Thank you Arrrthur for the diagnosis.

Our Apple Business Manager token has now expired. Because I can not export the Public Key from Profile Manager, I can not obtain a new token from Apple Business Manager. This means I can not use our MDM Profile Manager for new devices enrolled through ABM for new employees.

This is a big issue for us. Apple please fix quickly!

Reply