
Profile Manager Enrollment - iOS - Server Certificate Invalid

I have been getting an error trying to enroll iOS devices into profile manager. My MacBook and iMac enroll just fine. However my iPhone and iPad do not.


When I enroll my MacBook Pro, I first log into https://(FQDN)/mydevices, select Profiles, Install Trusted Profile. I then go back to Devices and click 'Enroll now'. When I check the Profiles section of System Preferences, I see that the 'Trusted Profile' has added two certificates referring to my server. I can only assume one matches the self-signed certificate I generated shortly after making my hostname public, and the other is the one Apple Push generated for me.


However, when I do this exact same process on my iPad/iPhone, when I attempt the 'Enroll Now' step, I get the error "The server certificate for 'https://(FQDN)/devicesmanagement/api/device/ota_service' is invalid."


My searches for this issue have turned up issues close to this, but never exactly this, and the solutions don't seem to work for me. Here are some key points to note:


1. Tried demoting to standalone, re-promote to OD Master, then deleted all certificates, and regenerated all (including the Push cert from Apple)

2. Ran sudo changeip -checkhostname

3. DNS routes forward and reverse correctly in my local LAN

4. I had been getting "Remote Verification failed: (os/kern) failure" / "TEAVerifyCert() returned NULL" in my logs every 3 seconds until I did the steps listed in '1'


Looking forward to 10.7.1

Mac mini, Mac OS X (10.7), Server

Posted on Aug 10, 2011 12:38 PM

128 replies

Nov 14, 2012 7:31 AM in response to rogerodermatt

You're welcome!


In a nutshell, yes, that's how it would work, but in the end it's all about DNS. If you have the myname.com DNS zone in your production DNS server and the DNS record myname.com points to the internal IP of the OS X server, then it will only go inside. If you change that DNS record to the public IP and the NAT rule you're using is not using the same public IP (only in cases where port forwarding is used and you have one public IP), then it will work as well.


Otherwise, if you want to test the public connection, you could go on 3G and test that way. If port 443 is open and you're on 3G you will be able to hit the URL. If port 443 is closed and you're on 3G it won't work. Port 1640 is used for SCEP, which is basically the process of the certificates getting pushed down so your device is a trusted device.


Everything with Profile Manager and mobile devices is related to FQDNs and certificates.

Nov 18, 2012 9:50 PM in response to burton11234

Hi burton11234,


I followed the steps you have given in page3 (https://discussions.apple.com/thread/3253751?start=30&tstart=0). Except step3.


I ran it on the intranet and I used a self-signed certificate. I set the DNS name as "server.local". I don't have any firewall.


When i tried to enroll my Mac i got the below error.


Profile installation failed.

The profile "Remote Management (come.apple.config.server.local.mdm)" could not be installed due to an unexpected error.


Error log:


System Preferences: *** ERROR *** [CPInstallerUI:501] Profile installation (Entfernte Verwaltung (com.apple.config.server.local.mdm)) (Checkin 'Authenticate' failed: 0 <InternalError:1>)


I regenerated the push certificate; it is pointed to "server.local". Please help.

Mar 27, 2013 2:07 AM in response to burton11234

Hi Mr burton11234


I'm following this thread and I think you can help me with my problem.


As you've said in your earlier post, once the trust profile is accepted by the iOS device, the device enrollment will follow. I've been trying to figure out a cure for this for days but to no avail. As I've said in the link below, all of the profile configurations are running smoothly and the trust profile also pushes through without any problem. It's just the device enrollment.


Here's the link ----> https://discussions.apple.com/thread/4919305


Thanks in advance.

Nov 4, 2013 4:12 PM in response to John B Portland

I, too, have been experiencing this issue and had never got Profile Manager working properly until yesterday. I'm on a home network with Mavericks Server running on a Mac mini, although I had the same issue with Lion, and I passed on Mountain Lion.


After several clean installs, and failed enrollments on iPhones, iPod touches and MacBook Airs, I noticed an error message saying something about the hostnames for the certs not matching.


I then remembered that the first thing I did after a clean install was create the OD and later changed the hostname to server.local.


When the OS is installed, both the computer name and host name are "server" only, so I did ANOTHER clean install, and the first thing I did was make the hostname server.local and THEN create the OD, which in turn creates the self-signed certs, but this time with the matching hostname.


It worked like a champ and every device in the house enrolled in profile manager first try 😮


I hope you get the same mileage, good luck !!


p.s. I found out you can do a clean install from a time machine backup in about 10 minutes, rather than 50 minutes or so if you have the mavericks installer on a thumb drive. That took a lot of the pain away too 🙂

Apr 23, 2014 7:27 PM in response to John B Portland

I was running into similar issues following Apple's sample SCEP server implementation in Ruby found here: https://developer.apple.com/library/ios/documentation/networkinginternet/conceptual/iphoneotaconfiguration/CompanionFiles.zip


I was able to make it get past the cert issue using local FQDN, e.g., mymachine.local


Their sample code was generating the web server's SSL cert with two issues:

  1. CN was set to the IP address of the machine. I changed that to mymachine.local
  2. Subject Alternative Name extension was being added with the IP address of the machine. I removed that.


Hope this proves helpful for others.
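Added example, not code from this thread, from Apple's sample SCEP server or from Profile Manager: it reproduces in terminal commands the two fixes described in the post above (CN and subjectAltName carrying the machine's IP address rather than its name) and the "hostnames for the certs not matching" failure from the Nov 4, 2013 post. It mints two self-signed certificates with openssl, one shaped like the sample server's (CN and SAN set to an IP) and one whose CN and SAN carry the FQDN, then runs against each the same hostname check a TLS client performs on the server certificate. The hostname server.local is the one used by posters in this thread; the address 192.0.2.10 (a documentation-only TEST-NET address) and the temporary directory are assumptions. It needs OpenSSL 1.1.0 or later for the -verify_hostname option.

```shell
#!/bin/sh
# Added example (not from the thread): why a cert whose CN/SAN hold an IP address
# fails hostname verification for the server's FQDN, and how to mint one that passes.
set -eu

FQDN="server.local"     # hostname used by posters in the thread
IP="192.0.2.10"         # assumed LAN address (TEST-NET-2, documentation only)
WORK="$(mktemp -d)"     # scratch directory for keys, certs and config

# Write a self-signed certificate and key into $WORK.
#   $1 = output basename   $2 = CN value   $3 = subjectAltName value
# A private openssl config is used so the result does not depend on the
# system openssl.cnf; x509_extensions makes `req -x509` emit the [ext] section.
make_cert() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = $2
[ext]
subjectAltName = $3
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Exit 0 if the self-signed cert $1 (trusted as its own CA) is valid for
# hostname $2. This is the check that produced "server certificate ... is
# invalid" on the device: the chain is fine, the name on the cert is not.
hostname_ok() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Print the subject and SAN entries so the difference is visible in the terminal.
show_names() {
    openssl x509 -in "$1" -noout -text | grep -E 'Subject:|DNS:|IP Address:'
}

# "Before": what the sample SCEP server generated, CN and SAN both an IP.
make_cert bad "$IP" "IP:$IP"
# "After": CN is the FQDN and the SAN carries the same name as a DNS entry.
make_cert good "$FQDN" "DNS:$FQDN"

check_bad()  { hostname_ok "$WORK/bad.pem"  "$FQDN"; }   # fails: no name matches
check_good() { hostname_ok "$WORK/good.pem" "$FQDN"; }   # passes

show_names "$WORK/bad.pem"
show_names "$WORK/good.pem"
if check_bad;  then echo "bad.pem  : valid for $FQDN";  else echo "bad.pem  : NOT valid for $FQDN"; fi
if check_good; then echo "good.pem : valid for $FQDN";  else echo "good.pem : NOT valid for $FQDN"; fi
```

The post above removed the SAN entirely and relied on the CN; this example keeps a SAN but puts the DNS name in it, because current Apple platforms (iOS 13 and macOS 10.15 onward) ignore the CN and require the SAN to match, so a CN-only certificate that enrolled a 2014 device will not enroll a current one. To run the same check against a live Profile Manager host rather than a local file, `openssl s_client -connect FQDN:443 -servername FQDN -verify_hostname FQDN` reports the verification result for the certificate the server actually serves; from outside the LAN it only succeeds when DNS and port 443 are set up as the Nov 14, 2012 reply describes.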

Apr 28, 2014 4:00 AM in response to baygins

Hello,


Could you please elaborate on this?


"CN was set to the IP address of the machine. I changed that to mymachine.local"


How and where do I change this? Terminal commands, etc.?


The full DNS name of my server is servername.schoolname.local. What is happening is that the enrolment cert and the trust cert are installing fine on OS X. I am getting the original post's error when I try to apply the enrolment profile on iOS.


From original post.


"However, when I do this exact same process on my iPad/iPhone, when I attempt the 'Enroll Now' step, I get the error "The server certificate for 'https://(FQDN)/devicesmanagement/api/device/ota_service' is invalid.""


Thanks
