Profile Manager Enrollment - iOS - Server Certificate Invalid

I have been getting an error trying to enroll iOS devices into profile manager. My MacBook and iMac enroll just fine. However my iPhone and iPad do not.


When I enroll my MacBook Pro, I first log into https://(FQDN)/mydevices, select profiles, Install Trusted Profile. I then go back to devices, and click 'Enroll now'. When I check the Profiles section of System Preferences, I see that the 'Trusted Profile' has added two certificates referring to my server. I can only assume one matches the Self Signed I generated shortly after making my hostname public, and the other Apple Push generated for me.


However when I do this exact same process on my iPad/iPhone, when I attempt the 'Enroll Now' step, I get the error "The server certificate for "https://(FQDN)/devicesmanagement/api/device/ota_service" is invalid."


My searches for this issue have turned up issues close to this, but never exactly this, and the solutions don't seem to work for me. Here are some key points to note:


1. Tried demoting to standalone, re-promote to OD Master, then deleted all certificates, and regenerated all (including the Push cert from Apple)

2. Ran sudo changeip -checkhostname

3. DNS routes forward and reverse correctly in my local LAN

4. I had been getting "Remote Verification failed: (os/kern) failure" / "TEAVerifyCert() returned NULL" in my logs every 3 seconds until I did the steps listed in '1'


Looking forward to 10.7.1

Mac mini, Mac OS X (10.7), Server

Posted on Aug 10, 2011 12:38 PM

128 replies

Apr 23, 2014 7:27 PM in response to John B Portland

I was running into similar issues following Apple's sample SCEP server implementation in Ruby found here: https://developer.apple.com/library/ios/documentation/networkinginternet/conceptual/iphoneotaconfiguration/CompanionFiles.zip


I was able to make it get past the cert issue using local FQDN, e.g., mymachine.local


Their sample code was generating the web server's SSL cert with 2 issues:

  1. CN was set to the IP address of the machine. I changed that to mymachine.local
  2. Subject Alternative Name extension was being added with the IP address of the machine. I removed that.


Hope this proves helpful for others.
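The mismatch described in the original question and in the SCEP-server reply above comes down to one check: does the name the device dials appear in the server certificate? The checker below is an added example, not code from this thread or from Apple's sample server; it applies the usual client rule (SAN is authoritative when present, CN only as a fallback), and the two certificates are constructed to mirror the reply's before/after, in the dict layout Python's `ssl.SSLSocket.getpeercert()` returns.

```python
"""Does a server cert cover the host in an enrollment URL? Same RFC 6125
rules an MDM client applies. Added example; certs below are constructed in
the dict layout ssl.SSLSocket.getpeercert() returns (live certs work too)."""
import ipaddress
from urllib.parse import urlsplit


def cert_names(cert):
    """(dns_names, ip_names, common_name) from a getpeercert()-style dict."""
    dns, ips, cn = [], [], None
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(value)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value.lower()
    return dns, ips, cn

def dns_match(pattern, host):
    """Exact match, or one leftmost '*' label that covers exactly one label."""
    if pattern == host:
        return True
    if pattern.startswith("*.") and pattern.count("*") == 1:
        suffix = pattern[1:]
        prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
        return prefix != "" and "." not in prefix
    return False

def hostname_matches(cert, url):
    """SAN is authoritative when present; the CN is only a fallback for certs
    with no SAN at all. An IP-only SAN never matches a DNS host name, which is
    why the SCEP sample cert failed against mymachine.local."""
    host = urlsplit(url).hostname.lower()
    dns, ips, cn = cert_names(cert)
    try:
        wanted = ipaddress.ip_address(host)
    except ValueError:  # a DNS name, not an IP literal
        if dns or ips:
            return any(dns_match(p, host) for p in dns)
        return cn is not None and dns_match(cn, host)
    return any(ipaddress.ip_address(i) == wanted for i in ips)


# Constructed to mirror the sample SCEP server's first cert: CN and SAN = IP.
SCEP_SAMPLE_CERT = {"subject": ((("commonName", "192.168.1.10"),),),
                    "subjectAltName": (("IP Address", "192.168.1.10"),)}
# Constructed after the poster's fix: CN is the name the device dials, no SAN.
FIXED_CERT = {"subject": ((("commonName", "mymachine.local"),),)}
```

Feed it the output of `getpeercert()` from a TLS connection to the enrollment host and the URL the device is given, and a False result is the same mismatch the device reports as an invalid server certificate.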

Feb 3, 2012 1:22 PM in response to DOLAdmin

Sorry for the late reply, I actually had to do some work :-)


I'm guessing your certs are all screwed up, and that's why you're having all these issues...


I took a screen shot of our certs so you can take a look. I blacked out a few things since I didn't want domain names to be visible.


Something else I want you to try though as well, when you are enrolling a device, are you using AD usernames? Let's try using your local account on the server to see if that helps. It would be a good test to see if it's a cert related issue or AD / OD



Feb 6, 2012 5:59 AM in response to burton11234

burton11234: no problem at all - you're doing me the favor so...


I tried the local login and got the same result unfortunately. Then I compared your certificate map to ours and saw several listed that looked like duplicates (they had the same names). Where we appear to differ:


- Your intermediate appears to list perhaps the local server name and FQDN (?)

mine only lists the FQDN

- You have 2 code signings: 1 listing the server name and the FQDN and one listing server name.local

I have one code signings which only lists the FQDN

- You have one (root ?) listing both the server name and the FQDN

I have 2 separate certs - 1 listing the server name - the other listing the FQDN


* Not sure which one is your OD certificate.


Either way, after deleting the three duplicate (older) certificates, I got the same problem.


So let's go back to basics. I think you're right - it's a certificate issue. Back to the error:


"The SERVER Certificate - blah blah blah DEVICEMANAGEMENT..." So if we go to the Profile Manager/Settings/Device Management (enabled and checked) - then click the EDIT button, the certificate that appears is my FQDN Code Signing certificate. What do you have showing there?


My guess is that it's NOT a code signing certificate... (?)



Oct 26, 2017 5:52 PM in response to Apple_Tech85

I am Getting: https://macserver.school.wan/devicemanagement/api/device/auto_join_ota_service


Enrollment will happen when I go to /mydevices 'devices' and tap enroll.


Will get the error above when trying to install via 'Profiles' tab.


MacOS will enroll just fine via profile.


sudo changeip -checkhostname gives me (success)


host macserver gives me macserver.domain.wan and IP.


hostname gives macserver.domain.wan


I am thinking it could be a WPAD thing.

Feb 2, 2012 8:39 AM in response to burton11234

Burton11234: https://myserver.mydomain.com/mydevices. Should have mentioned I'm doing internal testing before facing it towards the public and using a self-signed certificate.


Not sure of any relation but I'm also becoming aware of people reporting (and here) success at solving problems with certs issued by commercially trusted vendors as opposed to self signed - even for testing - and (I'm assuming) - even though a trust profile certificate is installed and verified. Sounds similar to the problems you were having?


Not sure I understand why there might be a support issue because a machine happens to be AD integrated - a feature they've been laboring on perfecting/improving for quite some time now.

Feb 6, 2012 1:37 PM in response to burton11234

Yeah - it's on the device - verified and green. It contains two Certificates:


One is the OD certificate

The other is the FQDN certificate.



Other notes...

Here's a guy who rebooted to fix his problem...


Another interesting thread...


This thread suggests mailing a copy of the root certificate to the device first... More here about applying a "valid vs self-signed" certificate...


Note I also have "no services configured" in Profile Manager/Default Configuration Profile

Feb 6, 2012 1:53 PM in response to burton11234

These would be the steps I would take if I was going to rebuild everything.....


Verify OS is at 10.7.3 since there were major bug fixes done at each 10.7.x release....



These steps were done off the top of my head, so they should be fairly easy, although not exact step by step. I went through this process numerous times, and every time it was cert related.


The important thing here is that the FQDN Host Name matches the push certs and OD Intermediate certs.



Remove OD / Profile Manager


1) Stop all services


sudo serveradmin stop devicemgr


2) download Serveradmin tools http://support.apple.com/kb/HT5050


3) Launch Serveradmin and connect to your server.

- Go into Settings and change the server to a standalone server.


4) Kill profile manager.


sudo /usr/share/devicemgr/backend/wipeDB.sh


5) Launch Apple Push Cert Portal

- Server.app

- Hardware -> Select Server -> Settings -> Edit Enable apple push notifications -> Manage Certs

- Revoke All Certs


6) Adjust Hostnames...

- Server.app

- Hardware -> Select Hardware -> Network -> Edit Computer Name (Computer / Local should both be shortnames without .local)

- Hostname should correspond to the FQDN of your organization (ex. abc.company.com)


7) Open Keychain access and make sure the OD and code signing certs are removed, as well as any others, that involve the FQDN.


Reboot.


1) Open Server.app


2) Select Profile Manager -> Edit .... (you should be prompted to enter a diradmin password to create open directory)


This will also create your certs needed.


3) I would suggest removing kerberos, and binding it to the AD realm.


- verify AD is pulling usernames: open terminal (id jsmith) or whatever username you want to use, you will see the AD groups be pulled.


- remove the OD realm (sudo sso_util remove -k -a diradmin -p "diradmin-password" -r "OD.FQDN.REALM")

(the realm needs to be exactly "CAPS" what it says if you open up serveradmin and go to open directory -> overview, and under kerberos realm)


- join to the AD realm (sudo dsconfigad -enablesso)


Now that OSX is in the AD realm we can move to the next step. You will see that kerberos is stopped in OD overview unlike before. This is recommended if you're using the Magic Triangle.


4) Obtain the Push Certs


Launch Apple Push Cert Portal

- Server.app

- Hardware -> Select Server -> Settings -> Edit Enable apple push notifications -> Manage Certs

- Login, and acquire new certs, they should all match your FQDN when you're in the web portion


5) Sign Config Profiles

- Open Server.app

- Edit Profile Manager

- Make sure "Sign Config Profiles" is checked and make sure you're using your OD Intermediate Code Signing Cert.


6) Verify the Cert being used on the server is the correct cert. (***If you are using HTTPS***)


- Open Server.app

- Hardware (Select Server Name)

- Settings

- Edit SSL Cert

- Make sure Server.FQDN Intermediate CA is selected.


7) Restart Services if you change anything involving Certs.



Take a client, and download the trust cert first, and then enroll, it should work.

Feb 7, 2012 1:34 PM in response to DOLAdmin

Here is a link to another kb article of people having similar issues, and that some of my recommendations have helped regarding ripping out OD, revoking all certs pertaining to OD / Push, running the script to wipe the DB, and starting over.


https://discussions.apple.com/thread/3292024?answerId=17528893022#17528893022


When I first got this working, and from the support I had with apple it was a tough one, I must have reformatted over 6 times, whatever I did I had issues, and couldn't get things to work properly. In the end it was pretty simple, I just don't have much experience with certs. I came from more of a network / security background.


Let me know how you make out though!!!

Feb 9, 2012 6:32 AM in response to burton11234

ALL Hail burton11234! It Worked! :-D MANY MANY THANKS!


Burton: your steps were, as stated, "off the top of your head" but 98% accurate. I took the time to comment/note my experiences to make up the 2% clarity I needed below. Very aware that all users will likely not have the same experience through this given my personal level of experience with Lion Server rebuilds and the particulars of our server. Nonetheless, your fix does support your claim... "CERT RELATED". So I am now able to enroll my iPad.


(Note: I still have one error when loading the default "Settings for Everyone" in My Devices - Profiles Tab. Error reads: "Cannot Install Profile: Safari could not install a profile due to an unknown error." There are possible solutions here or here but I'll submit a different post for that if necessary. May also be because the server isn't public facing and can't talk to the APNS service..)


Here are my comments/notes to your steps:


Step 1: “Stop All Services:”

(I Had to Log in - in Terminal - as local admin to do this – even though I was already logged in on the machine as such)


Step 3: Launch Serveradmin and connect to your server.

(…by choosing the OD Service/General Tab/Change Button)


Step 4: Kill profile manager.

(Stops devicemgr also before running but restarts it after)

(Ran sudo serveradmin stop devicemgr again before proceeding)


Step 7: (2) “Select Profile Manager ->”

Choose configure, once you configure it, it will setup OD for you under the proper host names.


“This will also create your certs needed”. Chose the intermediate SSL certificate at the end of this wizard. You can’t go forward w/o. Got a “This certificate isn’t signed warning – mobile devices will not be able to enroll in device management until they have been configured to trust your certificate”. Clicked NEXT – saw the big green check mark. Then DONE.


Step 7: (3) "I would suggest removing Kerberos and binding it to the AD realm…" I wasn't clear on this and skipped the step.


“…join to the AD realm (sudo dsconfigad -enablesso)” Wasn’t sure about this either but (took a risk) and ran it anyway… All I got was:

>

>

>

Instinct told me to Quit Terminal before it returned to prompt and restart. (My machine was AD bound throughout)


Step 7: (4) “Login, and acquire new…”

(through Server App – not the web site)


Step 6: “- Make sure Server.FQDN Intermediate CA is selected.”

(In the pull down Menu)

Feb 9, 2012 9:15 AM in response to DOLAdmin

The ports I listed were Edge Firewall Ports, not server based firewall rules.


Those Ports will allow an iOS device to enroll remotely over 3g, and allow push services to work from the outside.


Here are a few good URLs for Apple TCP / UDP ports if interested.


http://support.apple.com/kb/ts1629

https://help.apple.com/advancedserveradmin/mac/10.7/#apdCA9A73CE-5F0C-4BDC-93E8-2952C362FA3E

Nov 14, 2012 6:43 AM in response to rogerodermatt

Reference page 3 if you're looking on how to re-configure everything without re-installing. It's best to verify that DNS is fully working with server / organization before you install open directory / profile manager.


I also believe one of the TCP ports you referenced in your last message states there are 2 ports at 2195. One of those should be 2195 and one should be 2196. You can look at page 4 for all open tcp ports if needing to register / enroll from the public.


If you don't want to enroll devices publicly and only internally, you can take out 1640 / 443 as 1640 should be SCEP only.



Please reference the KB article on Apple's page if you want more info on what tcp/udp ports they use.

http://support.apple.com/kb/ts1629

Nov 18, 2012 9:50 PM in response to burton11234

Hi burton11234,


I followed the steps you have given in page3 (https://discussions.apple.com/thread/3253751?start=30&tstart=0). Except step3.


I ran in intranet and I used a self signed certificate. I mentioned DNS as "server.local". Not having any firewall.


When I tried to enroll my Mac I got the below error.


Profile installation failed.

The profile "Remote Management (come.apple.config.server.local.mdm)" could not be installed due to an unexpected error.


Error log:


System Preferences: *** ERROR *** [CPInstallerUI:501] Profile installation (Entfernte Verwaltung (com.apple.config.server.local.mdm)) (Checkin 'Authenticate' failed: 0 <InternalError:1>)


I regenerated the push certificate it is pointed to "server.local". Please help.

Mar 27, 2013 2:07 AM in response to burton11234

Hi Mr burton11234


I'm following this thread and I think you can help me with my problem.


As you've said from your earlier post, once the trust profile is accepted by the iOS device, the device enrollment will follow. I've been figuring a cure for this in days but to no avail. As I've said in the link below, all of the profile configurations are running smoothly and also the trust profile pushes through without any problem. Just the device enrollment.




Heres the link ----> https://discussions.apple.com/thread/4919305


Thanks in advance.
