Profile installation failed.

Unfortunally when you use the push certs from apple, they generate a cert from the FQDN and if that FQDN doesn't match the cert for Open Directory then profile manager will cause issues.

Best thing would be to export open directory so you can save everything first, blow it away by telling it its a standalone server, change the hostname and fqdn, make sure both forward and reverse lookups are working and then setup open directory, and regenerate the certs for the push, and setup profile manager.

You then can import your records from open directory.

Profile manager is really picky on the certs, and it gets upset if certs are not consistent between the push and OD.

Hope this helps for future references!!!

I have a similar problem. I have a 2011 Mac Mini Server and a 2010 MBP 15". I was just trying to set up both with profile manager and was able to successfully enroll the MBP without too much difficulty. I am using a self-signed certificate, so I downloaded the Trust Profile and then enrolled the MBP. But when I went back over to the server, installed the Trust Profile, and then tried to try to enroll it, I got the following error:

"Profile Installation Failed. The certificate for this server is invalid. You might be connecting to a server that is pretending to be “server.flyer05.private” which could put your confidential information at risk."

Based on my understanding of certificates, since I am only going to be using this server for my own home use and as a VPN to connect to my home network when traveling, it seems unnecessary to pay for a CA-signed certificate, and I'd like to avoid the added unnecessary expense if I can. Does anyone have any suggestions for how to deal with this issue?

Miggl wrote:

Profile installation failed.

The profile "Remote Management (come.apple.config.rocking-mm.private.mdm)" could not be installed due to an unexpected error.

Same here 😟

Server was a clean install, and no upgrade from Snow Leopard.

Error Logs from Console.app:

12.09.11 15:48:04,361 com.apple.UserEventAgent-System: Sep 12 15:48:04 <servername> ProfileManager[5346] <Info>: CertUpdateHandler.run: replace/etc/certificates/MDM SCEP SIGNER.2AC3B0163956D237FCB1CF208CA5B9EBE28528BF.cert.pem0x00/etc/certificates/M DM SCEP SIGNER.0E1A80185764011A7C5CDE7E4880C26ADFF02C30.cert.pem0x00

12.09.11 15:48:04,492 com.apple.UserEventAgent-System: /usr/libexec/certupdate/certupdate_devicemgr.sh: line 30: exit: result: numeric argument required

12.09.11 15:48:20,455 com.apple.UserEventAgent-System: *** Error: certificate path does not exist: /etc/certificates/MDM SCEP SIGNER.0E1A80185764011A7C5CDE7E4880C26ADFF02C30.cert.pem

and a second error message:

12.09.11 15:55:28,217 System Preferences: *** ERROR *** [CPInstallerUI:501] Profile installation (Entfernte Verwaltung (com.apple.config.serverbook.test.intern.mdm)) (Checkin 'Authenticate' failed: 0 <InternalError:1>)

No, i'm pretty sure you can register the server with itself so you can manage things remotely if need be. This guy was able to: http://www.wegotserved.com/2011/09/07/os-lion-server-home-server-part-8-profile- manager-macs/2/

Miggi

No need for a clean install, the issues you described are cert issues bassed upon your OD setup and certs from apple for the push services.

If you need to destroy profile manager you can run this command and it will blow away everything in profile manager so its like starting over.

sudo /usr/share/devicemgr/backend/wipeDB.sh

Once that command is run, you can demote your OD server.

Change the hostname to the proper hostname you have and make sure you can do forward / reverse lookups.

Once you can, renew your push certs so they have the new hostname, and go into profile manager and chose configure, once you configure it, it will setup OD for you under the proper hostnames.

Once your OD hostname / Intermediate_CA Cert matches the hostnames on the push services, you should be able to download the trust profile and enroll.

I hope this helps!

I thought the same, but didn't get it working. Now i've made a new testing partition, installed new without changeing the hostname afterwards and: It's working fine now.

With the first installation I changed the name quite ofter for testing the renaming / DNS / hostname. Next time i'll have a look on your posibillity "burton" 🙂

This is a computer. The reason I'm asking is that I can enroll iOS devices without any problem at all. Macintosh computers can't be enrolled, whatever model or OS version. The certificate Profile Manager uses is 'verified' .

When enrolling wiht a mac, are you using the shorname or the FQDN? I would recomend using the FQDN that the cert has in it, as that could cause issues.

Another peice of info... I had our production server crash due to disk space, which I used profile manager for mac's only on this specific host. After the crash, I was forced to rebuild as specific services woudln't allow AD authentication to take place. I had exported the db for profile manager and re-imported it and it was corrupted.

I have never had issues exporting the collab db (wiki) and wiki calenders even with the funky permissions as it has to be re-imported back into collab.

Due to the impact of having to either re-enrolll all devices that were lost I decided to go back to legacy mode with work group maanger. I had decided that it was best to use workgroup maanger for any MAC's. It is much easier to export open directory and re-import it then having to muck wiht databases from profile maanger. Some of the things I have tried to deploy with profile manager wern't successful including profiles for 802.1x auth for wifi.

So for what proflie manager was really used for on the MAC's it wasn't worth it to put more devices on it incase of an issue in the future.

OSX 10.7 Server has a simple internet domainname such as server.domainname.com. I connect to that webserver running Profile Manager, login with the user credentials (not the admin's) and simply click 'Enroll' .

Download of ota_profile.mobileconfig and opes up System Preferences. The information in the profile shows the full FQDN and shows the certificate is 'Verified'. (I have the Trust Profile installed)

After all of this I still get the 'Profile installation failed' error. "Could not be installed due to an unexpected error". I'll try build up another server, see how this works out. Anyone perhaps know this is a glich in 10.7 and should I go for 10.8?

What version of 10.7 are you running. I didn't seem to have any major issues once I got it working wiht earlier releases of 10.7.

Normally the issues occur with iOS devices and macs are fine. Its odd your seeing so many issues with your mac. Can you do forward / reverse lookups of server.domainname.com from the client machines? Do you have any firewall policies applied between clients and the host?

I'm running 10.7.5. which worked flawlessly until I started Profile Manager. I'll be testing with another machine the next days and will post my experiences. I'll keep a copy of this server to see what the actual issue was, if I can find it.

I have a solution... I've created a new CA and requested a new certificate.

I used this manual:

https://discussions.apple.com/thread/3806276

Hope it helps!

I got the same error. When I updated to 10.7.2, the problem disappeared.