Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Profile Manager Enrollment - iOS - Server Certificate Invalid

I have been getting an error trying to enroll iOS devices into profile manager. My MacBook and iMac enroll just fine. However my iPhone and iPad do not.


When I enroll my MacBook Pro, I first log into https://(FQDN)/mydevices, select profiles, Install Trusted Profile. I then go back to devices, and click 'Enroll now'. When I check the Profiles section of System Preferences, I see that the 'Trusted Profile' has added two certificates refering to my server. I can only assume one matches the Self Signed I generated shortly after making my hostname public, and the other Apple Push generated for me.


However when I do this exact same process on my iPad/iPhone, when I attempt the 'Enroll Now' step, I get the error "The server certificate for "https://(FQDN)/devicesmanagement/api/device/ota_service" is invalid.


My searches for this issue have turned up issues close to this, but never exactly this, and the solutions don't seem to work for me. Here are some key points to note:


1. Tried demoting to standalone, re-promote to OD Master, then deleted all certificates, and regenerated all (including the Push cert from Apple)

2. Ran sudo changeip -checkhostname

3. DNS routes forward and reverse correctly in my local LAN

4. I had been getting "Remote Verification failed: (os/kern) failure" / "TEAVerifyCert() returned NULL" in my logs every 3 seconds until I did the steps listed in '1'


Looking forward to 10.7.1

Mac mini, Mac OS X (10.7), Server

Posted on Aug 10, 2011 12:38 PM

Reply
128 replies

Oct 26, 2017 5:52 PM in response to Apple_Tech85

I am Getting: https://macserver.school.wan/devicemanagement/api/device/auto_join_ota_service


Enrollment will happen when I go to /mydevices 'devices' and tap enroll.


Will get the error above when trying to install via 'Profiles' tab.


MacOS will enroll just fine via profile.


Sudo changeip- checkhostname gives me (success)


host macserver gives me macserver.domain.wan and IP.


hostname gives macserver.domain.wan


I am thinking it could be a WPAD thing.

Aug 16, 2011 12:13 PM in response to John B Portland

I was having an issue with my ios device if I left out the end of FQDN. The Macs would enroll if I used https://server/mydevices but not the ipads. I have my search base populated from DHCP. They would get to the webpage fine. Download and install trust certificate. Click enroll would give me the ota cert not valid. I had to goto https://server.doman/mydevices. Then it would enroll.

Aug 17, 2011 7:31 AM in response to Anthony Mitchell

I agree with you I do not have any issues with getting my OSX machine bound to the server, and to trust the profile and push down settings. Although I am not able to get the IOS device to do the same.


Upon the first time booting lion server up, i had got the ios device to enroll although there was many cert issues and the server just was to buggy, so i ended up reformating.


Profile manager crashed after enabling the wiki admin part and i had to run some commands to clean everything up. By then I was sick of playing games so i reformated. After that the push service worked and I had my certs straightened out. Although now Im not able to get any ios devices enrolled.


Any other idea's anyone?


I have even exported the certs, and trusted them, and emailed them to my device hoping this would help if the cert was already trusted, but nope....

Aug 18, 2011 4:20 AM in response to John B Portland

the Problem is the cert, witch selected when activating devicemanagement, the used cert for singing profiles and registering by internet.


at my own it worked that way:


1 - setting up OD with registered FQDN Internet hostname (server.company.com)

2 - activating Devicemanagement before starting Profilemanager and selecting OD Intermediate cert

3 - setting up profilemanager and always using the OD Intermidiate cert, when cert was asked

4 - goto your internet router and define your server as DMZ target or deactivate your firewall

5 - calling https://server.company.com/mydevices and login with valid credencials

6 - got Profiles tab, click and install Trust Certificate. It must been showen as valid, after installing

7 - got to device tab back and click enroll. follow steps on screen. all should been done and ok

8 - refresh your profilemanager to see the device

9 - deactivate your Server vom DMZ an/or schwitch on the firewall


I have not find out wich ports on the firewall must be opend to do it without DMZ setting. I have to watch the fireall logs. I'm working on it.


hombre7777

Aug 18, 2011 5:47 AM in response to hombre7777

@hombre7777


Thanks for the info. That makes sence what you are telling me. Their instuctions are kind of bland and dont make sence as much as they should.


The only thing that scares me on this one is now we need to put a device in the dmz....


So now upgrading our xserv to 10.7 when it becomes stable would now be using the magic triangle, and trying to only have 1 to manage osx machines / and now ios devices. Edit our wiki's thats already in place, and have important databases on filemaker is now going to reside in the dmz....


So someone wasn't thinking on this one!!! haha


It looks like we will have to seperate things now, so ios devices are managed on their own machine in the dmz with now a hole leaked in the firewall for AD to authenticate so we can pull users down to associate profiles with them.


Our osx machine will then contain a seperate spot to manage osx devices bound to user accounts, as well as manage filemaker and wiki's that are in use already.


It would be nice if they had figured out a way to do this a little different so we wern't opening holes in the firewall.


The funny thing is I was able to get the ipad to bind and enroll the very first time when i was on a vpn tunnel from my house trying things out.


So I know you can do it, without having to go public, although the push service wasn't working properly and I was not able to bind osx and enroll. So i stared over.


Ill play around to see what I can figure out later. Thanks for the help. If you find out the port numbers please let me know as well! Im not able to move the box to an outside firewall right now. I have to much to do. I can probably do that next week.

Aug 19, 2011 4:36 AM in response to burton11234

Hi. I have already got it.


Registering and enrollment all my devices works from inside LAN an from internet.


For sure its no option to place the server in the DMZ. It was only for testing and failure exploring.


Now I configured my enviroment as follow:


- adding a A record on internal DNS Server (server.company.com:my.local.ip.address), so the server will by routed inbound LAN direct and not by internet. outbound - Internet - it will be routed by FQDN to my Internet IP Address.


- activating port-forwarding on the router/firewall to my local server IP address

- Port TCP 443 -> my.local.ip.address

- Port TCP 1640 -> my.local.ip.address

- Port TCP 5223 -> my.local.ip.address


there was no more need to define access rules on dthe firewall for this ports.


After finishing this config it was possible to register all my devices, no care if in local network or thrue internet.


the only restriction is to install the true cert manually as I described in my last posting. Cause of self signed trust cert.


Hope this solution is helpfull for you.


hombre7777

Aug 19, 2011 5:42 AM in response to hombre7777

Ill let you know how things turn out then.


Our DMZ is set up a little different then the normal. We still lock down all ports in the DMZ and then anyone in production can talk to DMZ but not the other way around.


This was done so incase something gets comprimised we will not be affecting our production network.


I will go through this first to see if we can get iOS devices enrolled just inside the network. Next week i'll have to re-ip and move to dmz so that way we can test out iOS devices on the outside then.


Thanks for the tip's they were much appreciated!

Sep 23, 2011 2:01 PM in response to Rob B. Campbell

You need to enroll the device by its FQDN thats associated with the cert.


If you dont use the FQDN then you will will get a cert error when trying to enroll.


I would suggest trying to enroll with the device on the wifi before putting out in the wild just to rule out the firewall.


I have osx setup with the magic triangle and AD / OD is working and profile manager is working between iOS and MAC devices.


I will be getting another mac server to put in the dmz since virtualization is not supported with ESX 4.0 and we would have to upgrade our infrastructure to ESXi 5.0, and we are not doing that right now.


Once it is in I will update again and let anyone know if something doesn't work.


If you need any support just PM me if your allowed to do it through this forumn.

Sep 23, 2011 2:30 PM in response to John B Portland

I've had this exact same problem, my Macs (iMac, MacBook) would enroll without a hitch, but any iOS device would give a certificate invalid message. Then, tonight, I finally figured it out: on all my OS X machines, I would connect to server.domain.lan/mydevices, which wouldn't resolve on my iPhone or iPad. I could reach the mydevices page but only through the direct IP address or the external domain name I have setup for the server - basically it's what burton11234 asserted: enrollment will only succeed if the domainname from where you're trying to enroll matches, exactly, the one on the certfifcate


What I had to do was edit the DNS list on my iOS devices, so that the server's IP address was first in line (on my iPhone, there were DNS servers, but not my Lion server; on my iPad the list was completely empty - just tap the DNS field under Settings - Network - Wi-Fi, then hit the little blue arrow next to the SSID). After that I switched to Safari, surfed to server.domain.lan/mydevices, and I could finish the enrollment.


I should perhaps mention that the trust certificate could be installed before changing the DNS settings, dunno why this is.

Profile Manager Enrollment - iOS - Server Certificate Invalid

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.