
Profile Manager Enrollment - iOS - Server Certificate Invalid

I have been getting an error trying to enroll iOS devices into profile manager. My MacBook and iMac enroll just fine. However my iPhone and iPad do not.


When I enroll my MacBook Pro, I first log into https://(FQDN)/mydevices, select profiles, Install Trusted Profile. I then go back to devices, and click 'Enroll now'. When I check the Profiles section of System Preferences, I see that the 'Trusted Profile' has added two certificates referring to my server. I can only assume one matches the self-signed certificate I generated shortly after making my hostname public, and the other is the Apple Push certificate generated for me.


However, when I do this exact same process on my iPad/iPhone, when I attempt the 'Enroll Now' step, I get the error "The server certificate for "https://(FQDN)/devicesmanagement/api/device/ota_service" is invalid."


My searches for this issue have turned up issues close to this, but never exactly this, and the solutions don't seem to work for me. Here are some key points to note:


1. Tried demoting to standalone, re-promote to OD Master, then deleted all certificates, and regenerated all (including the Push cert from Apple)

2. Ran sudo changeip -checkhostname

3. DNS routes forward and reverse correctly in my local LAN

4. I had been getting "Remote Verification failed: (os/kern) failure" / "TEAVerifyCert() returned NULL" in my logs every 3 seconds until I did the steps listed in '1'


Looking forward to 10.7.1

Mac mini, Mac OS X (10.7), Server

Posted on Aug 10, 2011 12:38 PM

128 replies

Jul 24, 2012 4:21 PM in response to jgcumming

Can you please provide a screen shot of the error, or state the error message.


iOS has to use the cert in order to enroll. The cert for OD has to be the same format for FQDN as where the server resides, and that same FQDN has to be where you enroll the devices.


Ex.


DNS Zone: lab.local

Servername: osx-app01.lab.local


OD will have to generate the cert osx-app01.lab.local so profile manager can use it and you can sign your profiles with this cert. Once everything is said and done, you will enroll at https://osx-app01.lab.local/enroll. If all of these parameters are not correct you will get an error when trying to enroll about the cert saying something about an ota_service is invalid.
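The FQDN rule above as an added check (example code, not from the thread or from Apple): given the enrollment URL and the DNS names found in the server certificate, it reports whether any name covers the host users enroll against. The certificate names and URLs are constructed samples; the wildcard handling goes slightly beyond the thread's exact-name case.

```python
"""Hostname-vs-certificate check for a Profile Manager enrollment URL.

Added example: reproduces the rule that the name in the OD / Profile Manager
certificate must equal the FQDN the devices enroll against. Certificate
names below are constructed sample values, not real certificates.
"""
from urllib.parse import urlsplit


def _name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or a single leading '*' label that
    matches exactly one host label (no multi-level or partial wildcards)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers_url(enroll_url: str, cert_names: list[str]) -> dict:
    """Return which certificate name (if any) covers the enrollment URL's
    host. cert_names is the subject CN followed by any DNS SANs."""
    parts = urlsplit(enroll_url)
    host = parts.hostname or ""
    matched = [n for n in cert_names if _name_matches(n, host)]
    return {
        "host": host,
        "https": parts.scheme == "https",
        "matched": matched[0] if matched else None,
        "ok": parts.scheme == "https" and bool(matched),
    }


# Constructed sample: the layout from the answer above (cert name == FQDN).
GOOD = cert_covers_url("https://osx-app01.lab.local/enroll",
                       ["osx-app01.lab.local"])
# Constructed sample: cert issued for an internal name, enrollment via a
# public one, which is the mismatch that produces the ota_service error.
BAD = cert_covers_url("https://myname.com/mydevices",
                      ["server.domain.private"])

if __name__ == "__main__":
    for label, result in (("good", GOOD), ("bad", BAD)):
        print(label, result)
```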

Aug 15, 2012 11:40 PM in response to John B Portland

I'm having the same problem here with Mountain Lion Server.


I got my OS X devices enrolled on the profile manager, but my iOS devices don't want to work.


I log on my iOS on server.example.private/mydevices, then I log in with a user profile, not the administration one, but neither one works. Then I use the FQDN certificate, that works perfectly, but when I want to enroll my iPhone it says: "The Server certificate for "https://server.example.private/devicemanagment/api/device/ota_service" is invalid."


I forwarded all the ports which have been listed before to my server LAN IP address and nothing is working.



I really need help there!

Aug 16, 2012 5:18 AM in response to xynlovesit

The certificate that was created with profile manager and OD have to be the same FQDN. I would suggest going back earlier in the forum; I had posted a bunch of steps on how to tear down everything and rebuild it without re-installing the OS. It takes about 30 minutes.


Your other option would be to generate a RSA key and create a cert out on the internet and import the root CA for the cert and the signed cert from the 3rd party.


I have not used Mountain Lion, and probably won't be upgrading anything that is actually "important" until it is stable. But it seems to me like they pulled the Vista / Windows 7 trick with Lion / Mountain Lion. I'm guessing the same issues are happening with the certs no matter if it's 10.8 or 10.7, as everything needs certs now, and they have to be done correctly in order to get it to work.

Sep 13, 2012 4:41 AM in response to John B Portland

My question follows on this thread but is somewhat different in that all my certs show valid on my new iphone once installed but the phone itself is not passing data to the PM.


What I get is New Device and the owner plus transfer of serial, but that's it. The task starts to update settings but locks and won't continue.


On the other hand it will let me download the profiles, so it works fine, but it just won't let me set it up automatically and won't let me wipe the phone etc.


Any thoughts/ help on the matter would be appreciated

Sep 14, 2012 12:11 PM in response to Perpetually Perplexed

Do you have the firewall enabled on the OS X server, or do you have a firewall between the mobile devices you're trying to enroll and the server?


What version of OS X are you running? I know 10.7.3 was fairly stable with profile manager. I had to rebuild our production server on Tuesday as someone let FileMaker logs crash the OS drive and it screwed up authentication modules when trying to log in to the wiki / profile manager. I will be able to vouch for 10.7.4 hopefully shortly.


Have you tried going on 3G / 4G to see if you can enroll / sync with the server? I have also seen some issues with our wireless network with older iOS devices, as I have an older iPhone and sometimes when I push something out it will take a little bit to get pushed (maybe a few hours). Other devices like the iPhone 4 will get pushed much faster. I don't know if it's something to do with the Aruba Controller or if it just has issues when pushing at peak hours.

Nov 13, 2012 12:53 AM in response to John B Portland

Hello


The enrollment for my iOS devices is okay, but now I have the problem: how can I make a push to a device that is not in my local net?


Example: When I send a push "LOCK" to a device that is not in my local network, it's outside (3G), then I see the task in the Profile Manager (Active Tasks).


All tasks that I try in my local net work. Do I need to open ports on my router or change settings on my server?


I hope I find an answer here.


Thank you very much


Greeting

Roger

Nov 13, 2012 5:33 AM in response to John B Portland

@burton11234


Yes, I have opened these TCP ports: 2195, 2196 and 5223, and made a forwarding to my server.


I don't know if perhaps my hostname is a problem (server.domain.private); is this only for inside my local net and not for outside (internet)?


Must I re-install my server for an official domain like "myname.com", and so also a new Apple certificate for this domain (myname.com)? And then must I make the enrollment over the internet with the domain (myname.com)?


Greeting

Nov 13, 2012 11:30 PM in response to John B Portland

Thank you very much for the feedback. I see the best way is when I re-install my mini server and then make it with an official domain like 'myname.com' and open all the ports 2195, 2195, 5223, 1640 and 443. So I can first make the enrollment over the official domain and after that I can also send push to my devices, whether the device is inside my net or outside.


Greeting

Roger

Nov 14, 2012 6:43 AM in response to rogerodermatt

Reference page 3 if you're looking for how to re-configure everything without re-installing. It's best to verify that DNS is fully working with the server / organization before you install Open Directory / Profile Manager.


I also believe one of the TCP ports you referenced in your last message states there are 2 ports at 2195. One of those should be 2195 and one should be 2196. You can look at page 4 for all open TCP ports if needing to register / enroll from the public.


If you don't want to enroll devices publicly and only internally, you can take out 1640 / 443, as 1640 should be SCEP only.



Please reference the KB article on Apple's page if you want more info on what TCP/UDP ports they use.

http://support.apple.com/kb/ts1629

Nov 14, 2012 7:13 AM in response to John B Portland

@burton11234


Thank you very much for the help.


Now I have re-installed my server and everything works, perfect!


Is this right?


Ports 1640 and 443 are only for enrollment over the internet.


Ports 2195, 2196 and 5223 are only for push over the internet.


If I want to make the enrollment only in my local net, then I can close the ports 1640 and 443, but for push over the internet I will need the ports 2195, 2196 and 5223?


If this is right and I want to make the enrollment in my local net, then I must use (http://myname.com/mydevices) so that it works, but how can I do that with my URL (myname.com)? I think it will go outside over the internet and then it won't work because the ports (1640, 443) are closed, but I want to use the URL only in my local net. Is this possible?


When I type http://myname.com/mydevices in my local net, it will go directly to the IP of my local server and not over the internet.


Greeting

Roger
