Apr 16, 2012 7:42 PM (in response to Brian S. Campbell)
Have you assigned an SSL cert for your server to use with services? If not then there won't be a Trust Profile because there's no cert that the client needs trust.
Also if your cert has been signed by a certificate authority, the trust profile is also not needed because the cert is already trusted by clients. The only point of the trust profile is if you're using a self-signed certificate or maybe if you opt to sign profiles with default code-signing certificate.
Apr 17, 2012 8:01 AM (in response to Jonathan Melville)
Thank you for the reply! I do have a valid SSL cert for services. When I added the first iPhone I still received a cert error (don't remember the wording exactly) so I assumed the trust profile was the missing piece. I just deleted the profile and enrolled again. This time it worked, however it's showing up as unsigned. I'm assuming I'll need to buy another cert if I want to sign the profiles?
I'm trying to manage a collection of MacBooks and iOS devices for my family and my brother's business and the process of setting up Server has been a little less "Mac-like" than I'm used to...very frustrating...I hope it's not a sign Apple's not going to take Server seriously going forward. It has the potential to make my life a lot easier!
Apr 17, 2012 8:41 AM (in response to Brian S. Campbell)
Apple is attempting to make Server easy for 'everyday folks' but I don't see it happening.
You are correct about profiles showing up as 'unverified' even though you have a signed SSL cert. Your SSL certificate actually has nothing to do with the profiles. Profiles have to be signed with something called a code-signing certificate. You can opt to 1: not sign profiles, 2: sign profiles with the default code-signing cert created for you when you set up Server or 3: purchase a code-signing cert from a certificate authority.
My opinion is you should spend the money to get a valid SSL cert but don't screw with a code-signing cert. A code-signing certificate is much more expensive than an SSL certificate and unless you're deploying profiles to hundreds of users in an enterprise, it's overkill.
May 15, 2012 7:25 PM (in response to Brian S. Campbell)
I'm still confused in this regard, and all documentation / online courses use a self-signed SSL cert rather than actually purchasing one, so they do not show what the enrollment process should look like with a proper 3rd party root CA signed SSL cert installed. I have not seen consistent behaviour from the server in this regard, which is the problem.
My understanding was also that if an SSL cert signed by a "trusted" CA was installed (i.e. a CA who is in the trusted CA list on every Mac shipped), the trust profile would not be required. However, I'm getting different results in this regard on three Lion servers I have configured.
All have valid Push certs, and all 3 servers were set up with proper 3rd party trusted-CA signed SSL certificates, DNS is happy, they are all OD masters.
Problem #1: Server 1 showed the "Trust Profile" for the first 3 client enrollments, then it disappeared. I could still enroll the machines and install user profiles, but they would show as "unverified" while the 3 machines I installed the trust profile on showed as "verified". Does it matter if the profiles are verified or unverified? After turning off Profile Manager and restarting the service, the trust profile returned.
Problem #2: Server 2 and 3 also were set up in an identical manner. I have not been able to get these two to offer a trust profile. Same as with server 1, I have only installed a 3rd party signed SSL cert (they all work btw, https access does not flag an error). I am using the self-generated code-signing certificate.
- What is the ramification of using "unverified" vs "verified" profiles?
- If a Lion server has a proper trusted-CA signed SSL cert properly installed, should I still have the option to install the trust profile, and if so, should I? I am not using a 3rd-party signed Code Signing Cert.
Bottom line for me is I don't want to have to touch every machine, I want clients to be able to enroll themselves. However, I have taught them never, ever to accept a certificate if it's not accepted automatically as trusted by their Mac.
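The two points the thread keeps circling (the Apr 17 reply that the SSL cert has nothing to do with profile signing, and the May 15 question of what "verified" versus "unverified" actually means) can be checked on a downloaded profile from the command line. The script below is an added example written for this page; it is not code from any poster, from Apple, or from Profile Manager. It relies on one fact: a signed .mobileconfig is a PKCS#7/CMS SignedData blob in DER form wrapping the plist, which is what the `openssl smime`/`openssl pkcs7` commands operate on. Everything else is a constructed stand-in: the payload plist, a self-signed "Demo Code Signing Cert" playing the role of the default code-signing cert Server generates, and an "Unrelated Root" playing the role of a client trust store that never received the trust profile. The only real dependency is the `openssl` CLI.

```shell
#!/bin/sh
# Added example (not from the thread, Apple, or Profile Manager): classify a
# configuration profile the way a client's "verified"/"unverified" label does.
# Assumptions: openssl CLI available; every file and certificate below is a
# constructed stand-in created by make_demo.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build the constructed inputs: a minimal payload plist, a self-signed
# code-signing cert (stand-in for the default one Server creates), an unrelated
# self-signed cert (stand-in for a trust store without the signer), and the
# signed profile itself.
make_demo() {
    cat > "$WORK/profile.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.demo.profile</string>
</dict>
</plist>
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Code Signing Cert" \
        -keyout "$WORK/codesign.key" -out "$WORK/codesign.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated Root" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
    # A signed profile is CMS SignedData (DER) with the plist embedded (-nodetach).
    openssl smime -sign -binary -nodetach -outform der \
        -signer "$WORK/codesign.pem" -inkey "$WORK/codesign.key" \
        -in "$WORK/profile.plist" -out "$WORK/signed.mobileconfig" 2>/dev/null
}

# classify_profile FILE TRUST_BUNDLE
# Prints one of:
#   unsigned   - not a CMS wrapper at all (a bare plist; option 1 in the thread)
#   unverified - signature is intact, but the signer does not chain to anything
#                in TRUST_BUNDLE (the default self-signed code-signing cert as
#                seen by a client that never installed the trust profile)
#   verified   - signer chains to a cert in TRUST_BUNDLE
# Note that no SSL/TLS certificate is consulted anywhere in this decision.
classify_profile() {
    if ! openssl smime -verify -noverify -inform der -in "$1" -out /dev/null 2>/dev/null; then
        echo unsigned
    elif openssl smime -verify -inform der -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null; then
        echo verified
    else
        echo unverified
    fi
}

# signer_subject FILE: print the subject of the certificate embedded in the
# profile, i.e. who actually signed it.
signer_subject() {
    openssl pkcs7 -inform der -in "$1" -print_certs -noout 2>/dev/null | grep '^subject='
}

# unwrap_profile FILE OUT: extract the plist so it can be read before installing.
# -noverify skips the trust-chain check; the signature over the content is
# still checked, so a tampered payload is still rejected.
unwrap_profile() {
    openssl smime -verify -noverify -inform der -in "$1" -out "$2" 2>/dev/null
}

make_demo
echo "bare plist:                      $(classify_profile "$WORK/profile.plist" "$WORK/codesign.pem")"
echo "signed, signer in trust bundle:  $(classify_profile "$WORK/signed.mobileconfig" "$WORK/codesign.pem")"
echo "signed, signer not in bundle:    $(classify_profile "$WORK/signed.mobileconfig" "$WORK/other.pem")"
signer_subject "$WORK/signed.mobileconfig"
```

Run against a real profile, `classify_profile profile.mobileconfig /path/to/trusted-roots.pem` with the bundle the client actually trusts reproduces the label the device will show: with the default self-signed code-signing cert the answer is "unverified" on every machine that has not installed the trust profile, and a CA-signed SSL cert for services changes nothing about that, because the SSL cert never appears in the chain being checked. `unwrap_profile` is the safe way to read what a profile will configure before accepting it; `signer_subject` shows whether the signer is the server's own generated cert or something else.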