
Can't install devices through "my devices" web interface?

Each time I try to add a device to my lion server (on a mac mini) I get the error "The profile “Device Enrollment (com.apple.ota.media-server.local.bootstrap)” could not be installed due to an unexpected error." I have tried turning the profile manager on and off, and changing from a simple local network to a private network with VPN and back to a simple local network. No matter what I get this error on my macs, and I get an SCEP error at the end of the profile installation on an iOS device. Anybody have any ideas how I get this reset?

Mac mini, Mac OS X (10.7)

Posted on Jul 26, 2011 7:35 PM

24 replies

Jul 27, 2011 6:01 PM in response to bobbydmarriott

I'm having this problem also--can't enroll my laptop now. The log messages on the laptop make me think it doesn't like the self-signed intermediate certificate. If you run "tail -F /var/log/system.log" inside a Terminal.app window on the machine you're enrolling, you should see a bunch of lines scroll by when it fails. Buried in there is an obscure reference to "OSStatus error -67688". If you google that, you find out it means "An invalid signature was encountered."


The funny thing is, this same signature worked for me before on this same laptop. I simply made the mistake of removing it from the list of devices. What happened was I locked myself out of the laptop by unchecking my admin privileges in Server.app (something System Preferences would never let you do!) so I had to reinstall it. So now this is a complete fresh clean install of Lion on the laptop that's refusing to enroll...


So yeah, anyway, "me too."

Jul 27, 2011 6:21 PM in response to Community User

I can confirm that it IS the certificate causing this. The easiest and probably best way around it is purchasing a cheapo SSL certificate through somebody like Comodo (I used their reseller Namecheap for a lower price). Apply that certificate to your webserver. Also, be 100% sure that the domain you're registering with is exactly the one that you will be using for device enrollment. I purchased a wildcard certificate to get around that limitation, though it's significantly more expensive.


The free way to do this is by setting your phone to trust the certificate before you attempt to enroll. I've not done that manually on iOS but I know for Mac it's trivial.

Jul 27, 2011 7:06 PM in response to NeoNet Tim

I have an SSL certificate on order with Comodo. I am waiting for it to be verified. It will be worth a try once I have it. Is this really necessary for a local network? Or did this get screwed up because I originally set it up as a private network, and then tried to go back to a local network, and something in the settings or configuration got stuck... (I know, a very technical term).

Jul 27, 2011 7:28 PM in response to NeoNet Tim

The free way to do this is by setting your phone to trust the certificate before you attempt to enroll. I've not done that manually on iOS but I know for Mac it's trivial.


I tried that, and this is on my laptop, not my iPhone (I've given up on the iPhone working without a paid cert). I even went into Keychain Access.app and changed the trust settings for the cert to always trust, but enrollment is still failing.


I thought maybe DNS had something to do with it, but I've got that working now and still nothing...

Jul 28, 2011 4:52 AM in response to Thezez

I did. Didn't work.


Another symptom I saw last night. The server host name is screwed up. If I go to preferences - file sharing, the host name matches on the file sharing tab, but on the Remote Management tabs it is stuck on the first private server name I gave the server. Changing host name through preferences or the server app won't correct this. I am close to doing a clean install. Very, very frustrating.

Jul 28, 2011 10:36 AM in response to Thezez

Yep, I have both the Trust Profile and the Settings For Everyone installed successfully. Still won't enroll. Pretty sure the hostname is correct. "changeip -checkhostname" is happy.

Jul 28, 2011 5:14 PM in response to bobbydmarriott

In my case I can install profiles on devices from Profile Manager page but I cannot enroll devices.


The certificate I download to enroll is rejected by my MacBook Pro Lion: Says Invalid blablabla at the end.


Now I have done log research and I know exactly, and understand, why it doesn't work:


the scep_helper daemon is supposed to listen on port 1640 TCP (which you should forward to your server, by the way, if you want to be able to enroll devices) and provide the requesting client with the root CA that signed the certificate. In my case, it can't find the root CA to provide the client with so it can finalize the cert validation process.


In my case, that's what I see in the log:


Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/main.m:727 'status = SCEPGetCACert(session, NULL, 0)' = -25300
Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/main.m:513 'SCEPGetCACert(session, NULL, 0)' = -25300
Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/main.m:819 'challenge = GetChallengeFromSCEP(password, guid, hostURL)' is NULL
Jul 29 02:12:44 teknologism ProfileManager[516]: Could not retrieve root certificate from open directory server.



Now, as for the bad news: I have no idea how to fix it. Have dug into scep_helper, googled etc. Not a single clue on how to check its configuration or even why it can't find the root CA. By the way everything else (I really mean everything: iCal, CardDAV, web, wiki etc.) works great. And profile manager too, it's just the enroll thingy that doesn't work.

Jul 28, 2011 7:12 PM in response to bobbydmarriott

Ok... Got a little farther (or fixed something else I broke along the way...)


I used sudo changeip -checkhostname to realize that my hostname and DNS Hostname were out of sync. Not sure when this happened, but it will stop you from being able to even get to the web application pages for my devices and profile manager. Getting the two host names matched again got me back to being able to use the pages.... but alas, still can't register devices.

Jul 28, 2011 7:23 PM in response to bobbydmarriott

And now a little farther. Downloaded System Admin tools for Lion 10.7. Under the DNS subtab under my server tab on the right hand column, I found that I had two irrelevant zones created from earlier configurations. Cleared those out, and it seems the server admin and server app are more responsive....


Unfortunately, still can't register a device....

Jul 28, 2011 7:35 PM in response to bobbydmarriott

Hmm, my DNS settings in Server Admin tools look good. And changeip -checkhostname is happy:


nyx$ sudo changeip -checkhostname
Password:

Primary address = 192.168.0.6

Current HostName = nyx.vpn.desert.net
DNS HostName = nyx.vpn.desert.net

The names match. There is nothing to change.
dirserv:success = "success"
nyx$



Here's what system.log has to say when I try to install the Device Management Identity Certificate:


Jul 28 19:21:35 nyx com.apple.DeviceManagement.SCEPHelper[1834]: 1834:error:2107106C:PKCS7 routines:PKCS7_signatureVerify:unable to find message digest:/SourceCache/OpenSSL098/OpenSSL098-41/src/crypto/pkcs7/pk7_doit.c:930:
Jul 28 19:21:35 nyx scep_helper[1834]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/main.m:518 'SCEPRequestChallengePassword(session, username, password, requestDict, &challenge)' = -67688
Jul 28 19:21:35 nyx scep_helper[1834]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/main.m:819 'challenge = GetChallengeFromSCEP(password, guid, hostURL)' is NULL
Jul 28 19:21:41 nyx com.apple.mdmclient.agent[43290]: 43290:error:2107106C:PKCS7 routines:PKCS7_signatureVerify:unable to find message digest:/SourceCache/OpenSSL098/OpenSSL098-41/src/crypto/pkcs7/pk7_doit.c:930:
Jul 28 19:21:41 nyx mdmclient[43290]: *** ERROR *** [Agent:501] <: [MDM_SCEP] Calling SCEPRequestCertSignature --> <NSOSStatusErrorDomain:-67688>
Jul 28 19:21:41 nyx mdmclient[43290]: *** ERROR *** [Agent:501] ExtractOTAIdentity ( <NSOSStatusErrorDomain:-67688>)
Jul 28 19:21:41 nyx mdmclient[43290]: *** ERROR *** [Agent:501] ProcessOTABootstrapPayload ( <NSOSStatusErrorDomain:-67688>)
Jul 28 19:21:41 nyx System Preferences[43275]: *** ERROR *** [CPInstallerUI:501] Profile installation (Device Enrollment (com.apple.ota.nyx.vpn.desert.net.bootstrap)) (<NSOSStatusErrorDomain:-67688> The operation couldn’t be completed. (OSStatus error -67688.)
UserInfo: {
CallStackSymbols = (
"0 mdmclient 0x000000010fa1cb19 mdmclient + 15129",
"1 mdmclient 0x000000010fa3b78b mdmclient + 141195",
"2 mdmclient 0x000000010fa26ce9 mdmclient + 56553",
"3 mdmclient 0x000000010fa32e1b mdmclient + 106011",
"4 mdmclient 0x000000010fa29ef9 mdmclient + 69369",
"5 mdmclient 0x000000010fa3315a mdmclient + 106842",
"6 mdmclient 0x000000010fa31119 mdmclient + 98585",
"7 libxpc.dylib 0x00007fff8cd7694a _xpc_connection_recv_message + 688",
"8 libxpc.dylib 0x00007fff8cd76ab7 _xpc_connection_recv_message + 1053",
"9 libxpc.dylib 0x00007fff8cd77387 _xpc_connection_wakeup_recv + 179",
"10 libxpc.dylib 0x00007fff8cd77257 _xpc_connection_wakeup2 + 1580",
"11 libxpc.dylib 0x00007fff8cd7746b _xpc_connection_wakeup + 116",
"12 libdispatch.dylib 0x00007fff983582f1 _dispatch_source_invoke + 614",
"13 libdispatch.dylib 0x00007fff98354fc7 _dispatch_queue_invoke + 71",
"14 libdispatch.dylib 0x00007fff98355124 _dispatch_queue_drain + 210",
"15 libdispatch.dylib 0x00007fff98354fb6 _dispatch_queue_invoke + 54",
"16 libdispatch.dylib 0x00007fff983547b0 _dispatch_worker_thread2 + 198",
"17 libsystem_c.dylib 0x00007fff96da63da _pthread_wqthread + 316",
"18 libsystem_c.dylib 0x00007fff96da7b85 start_wqthread + 13"
);
IsInternalError = 1;
})
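The posts above (the tail -F system.log tip, the teknologism scep_helper log and the nyx enrollment log) all reduce to reading a handful of syslog lines and recognising two Security framework result codes. The script below is an added example written for this thread, not something any poster ran: it parses syslog-style lines, keeps only the processes involved in OTA enrollment, pulls out the OSStatus / SCEP result codes and maps them to the meanings the thread identifies (-67688, "an invalid signature was encountered", and -25300, errSecItemNotFound, which fits the "could not retrieve root certificate" message). The sample log is constructed from the lines quoted in this thread plus one unrelated kernel line to show the filtering; the process list and the diagnosis strings are my own assumptions.

```python
"""Triage Profile Manager / SCEP enrollment failures from system.log lines.

Added example for this thread (not Apple's or any poster's code). Assumes
syslog-style lines as pasted above: "Mon DD HH:MM:SS host proc[pid]: msg".
"""
import re
from collections import Counter

# Security.framework result codes seen in this thread and their meaning.
OSSTATUS_MEANINGS = {
    -67688: "errSecInvalidSignature: an invalid signature was encountered "
            "(the client rejected the signature on the SCEP/enrollment payload)",
    -25300: "errSecItemNotFound: keychain item not found "
            "(scep_helper could not find the root CA to return for GetCACert)",
}

# Processes that take part in OTA enrollment on Lion (assumption: list built
# from the process names appearing in this thread's logs).
ENROLLMENT_PROCS = ("scep_helper", "SCEPHelper", "mdmclient",
                    "ProfileManager", "System Preferences")

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Matches "= -67688", "<NSOSStatusErrorDomain:-67688>" and "OSStatus error -67688".
CODE_RE = re.compile(r"(?:= |NSOSStatusErrorDomain:|OSStatus error )(-\d+)")

# Constructed sample: lines quoted in this thread plus one unrelated line.
SAMPLE_LOG = [
    "Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: main.m:727 'status = SCEPGetCACert(session, NULL, 0)' = -25300",
    "Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: main.m:513 'SCEPGetCACert(session, NULL, 0)' = -25300",
    "Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: main.m:819 'challenge = GetChallengeFromSCEP(password, guid, hostURL)' is NULL",
    "Jul 29 02:12:44 teknologism ProfileManager[516]: Could not retrieve root certificate from open directory server.",
    "Jul 28 19:21:30 nyx kernel[0]: constructed unrelated line, must be ignored",
    "Jul 28 19:21:35 nyx com.apple.DeviceManagement.SCEPHelper[1834]: 1834:error:2107106C:PKCS7 routines:PKCS7_signatureVerify:unable to find message digest:pk7_doit.c:930:",
    "Jul 28 19:21:35 nyx scep_helper[1834]: SCEP_HELPER: main.m:518 'SCEPRequestChallengePassword(session, username, password, requestDict, &challenge)' = -67688",
    "Jul 28 19:21:35 nyx scep_helper[1834]: SCEP_HELPER: main.m:819 'challenge = GetChallengeFromSCEP(password, guid, hostURL)' is NULL",
    "Jul 28 19:21:41 nyx com.apple.mdmclient.agent[43290]: 43290:error:2107106C:PKCS7 routines:PKCS7_signatureVerify:unable to find message digest:pk7_doit.c:930:",
    "Jul 28 19:21:41 nyx mdmclient[43290]: *** ERROR *** [Agent:501] <: [MDM_SCEP] Calling SCEPRequestCertSignature --> <NSOSStatusErrorDomain:-67688>",
    "Jul 28 19:21:41 nyx System Preferences[43275]: *** ERROR *** [CPInstallerUI:501] Profile installation (Device Enrollment (com.apple.ota.nyx.vpn.desert.net.bootstrap)) (<NSOSStatusErrorDomain:-67688> The operation couldn't be completed. (OSStatus error -67688.)",
]


def parse_line(line):
    """Split one syslog line into fields; None if it is not a syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    # A line may repeat the same code twice; keep each code once.
    rec["codes"] = sorted({int(c) for c in CODE_RE.findall(rec["msg"])})
    return rec


def is_enrollment_event(rec):
    return any(p in rec["proc"] for p in ENROLLMENT_PROCS)


def classify(rec):
    """Short diagnosis for one enrollment-related record."""
    if "unable to find message digest" in rec["msg"]:
        return ("OpenSSL PKCS7_signatureVerify failed: digest for the signer "
                "not found, so the signed SCEP response cannot be verified")
    for code in rec["codes"]:
        if code in OSSTATUS_MEANINGS:
            return OSSTATUS_MEANINGS[code]
    if "Could not retrieve root certificate" in rec["msg"]:
        return "Profile Manager could not fetch the root CA from Open Directory"
    return "unclassified"


def triage(lines):
    """Return enrollment events with diagnoses, a code histogram and two flags."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_enrollment_event(rec):
            rec["diagnosis"] = classify(rec)
            events.append(rec)
    codes = Counter(c for e in events for c in e["codes"])
    return {
        "events": events,
        "codes": codes,
        # Server side: the CA needed for GetCACert is missing.
        "root_ca_missing": any(-25300 in e["codes"] or
                               "Could not retrieve root certificate" in e["msg"]
                               for e in events),
        # Client side: the enrollment payload's signature is rejected.
        "invalid_signature": any(-67688 in e["codes"] for e in events),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for e in result["events"]:
        print(f"{e['host']} {e['proc']}[{e['pid']}] {e['codes']}: {e['diagnosis']}")
    print("codes:", dict(result["codes"]))
    print("root CA missing on server:", result["root_ca_missing"])
    print("invalid signature on client:", result["invalid_signature"])
```

Run it against a real capture with `triage(open("/var/log/system.log").read().splitlines())`; the two flags separate the two failure modes the thread describes, a server that cannot produce its root CA (teknologism) and a client that will not accept the signature it is given (nyx), which is the distinction that decides whether to look at the Open Directory CA or at the trust settings on the enrolling Mac.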

Jul 29, 2011 3:51 PM in response to Community User

Seems like this is something simple related to a configuration issue of some sort. I was able to get it to add devices initially right after install, but everything went south when I started tinkering with my computer name and hostname. That resulted in DNS Zone problems (fixed), and I suspect something else having to do with authentication that we haven't gotten around yet. There is no reason why I should need an SSL Certificate for an in-house media server controlling 3 home computers, 2 iPhones, and 2 iPads that isn't serving outside of the home network.

Jul 30, 2011 8:02 AM in response to bobbydmarriott

Another small update (probably more of a bump).


I manually added my iMac that I want to connect to the server as a "placeholder". Since then when I try to install the iMac it gets a little farther and asks about the SCEP server and another configuration, but then fails again with the same message. Going to try to tinker with more of the manual settings in the "placeholder" profile and see if I can find something that helps. It does register that the iMac connected with the server, but it is clear that it is not complete.
