15 Replies Latest reply: Aug 30, 2012 1:55 PM by iToaster
InfoTech2012 Level 1 (0 points)

I'm testing out Lion Server and having some issues with getting a Device Group Profile to show up in the My Devices section.

 

Here's what I've done:

 

  1. I created a Device Group called "Test Device Group" and I configured some settings for it.
  2. I created a Local Network User called "test".
  3. On a test MacBook Pro, I logged into the local administrator's account and logged into http://myserver.com/mydevices as the "test" user.
  4. I enrolled the MacBook Pro and installed the certificate.
  5. I logged into http://myserver.com/profilemanager as an admin and added the MacBook Pro to the Test Device Group.
  6. I can see that the MacBook Pro is a member of the Test Device Group.
  7. When I go to the "Profiles" tab when logged into myserver.com/mydevices as "test", I do not see the profile for the Test Device Group to download. The only profile I see is "Settings for Everyone". This is the problem.

 

I've logged out and logged back in as "test" on the mydevices page and it never shows up. I've stopped and restarted the Profile Manager service on the Server.app and still no change. I've de-enrolled and re-enrolled the MacBook Pro and that didn't help.

 

One thing I've noticed is that when logged into the profilemanager page, under the "Active Tasks" section, I can see there's 2 updates that never seem to finish. One says "1 of 1 in progress" and the other says "Sending". If this is the problem, why is it taking so long? There's not much traffic on our server or network.

 

Lastly, when I am connected to my server via Remote Desktop and I am working in the profilemanager page directly off the server, there's often a lag when I am typing or when I am saving. I find this odd since I'm working off the server itself. Anyone else have this problem?

 

By the way, I am running ML server but all the issues above also happened in Lion server. I upgraded to see if the problem would be fixed and I did a clean install of ML server. Problem persists.

 

Thanks in advance.


Mac mini, OS X Server
  • iToaster Level 3 (720 points)

    If your profile  is set to push, you won't see it in /mydevices

    It will be sent out to all the devices in the group without user interaction

     

    As far as I'm aware your users should be network not local

     

    Restarting profile manager does not stop running "tasks"

    You have to cancel them within profile manager

     

    If your profiles never finish sending, check and see if the device is on the network and turned on. If the device is outside your network, pushed profiles won't complete until the device returns to your network, or you make the necessary changes to allow profile manager to work outside your network

     

    If you're inside your LAN you should not need to connect remotely to manage PM

     

    In PM do you see the device along with the user name you enrolled it with

  • InfoTech2012 Level 1 (0 points)

    iToaster wrote:

     

    If your profile  is set to push, you won't see it in /mydevices

    It will be sent out to all the devices in the group without user interaction

     

    As far as I'm aware your users should be network not local

     

    Restarting profile manager does not stop running "tasks"

    You have to cancel them within profile manager

     

    If your profiles never finish sending, check and see if the device is on the network and turned on. If the device is outside your network, pushed profiles won't complete until the device returns to your network, or you make the necessary changes to allow profile manager to work outside your network

     

    If you're inside your LAN you should not need to connect remotely to manage PM

     

    In PM do you see the device along with the user name you enrolled it with

    Hi, thanks for your response.

     

    The Profile Distribution Type for the Test Device Group is set to Manual Download and not Automatic Push.

     

    The network users are now called "Local Network Users" in ML Server. The "test user" is a Local Network User and not a Local account.

     

    The test device I am using is sitting next to me at my desk and it is 100% turned on and connected to the network.

     

    I see the test user in the "Users" section of Profile Manager. I do see the test device in the "Devices" section and in the "Members" section of the "Test Device Group" that's in the "Device Group" section.

     

    Hope this helps. Any new ideas?

     

    Thanks.

  • iToaster Level 3 (720 points)

    can you push any profiles to the device

    if you cancel running tasks can you update info on the device

    in PM devices click on the device, on the right-hand side the cog at the bottom

    select update info

    then look at about, details last checking time should change to the time and date you updated the info

     

    Do you have any ACL restrictions on PM

  • InfoTech2012 Level 1 (0 points)

    iToaster wrote:

     

    can you push any profiles to the device

    if you cancel running tasks can you update info on the device

    in PM devices click on the device, on the right-hand side the cog at the bottom

    select update info

    then look at about, details last checking time should change to the time and date you updated the info

     

    Do you have any ACL restrictions on PM

    I cannot push any profiles to the device. Instead of attempting to download the profile for the Test Device Group, I created a profile for the computer itself (in Devices), logged back into myserver.com/mydevices as the Test user, clicked on profiles and the exact same thing is happening. I only see "Settings for Everyone".

     

    After clicking on Update Profile nothing happened. It just says "Sending" in the Activity section for the device.

     

    The last checkin time was 9:27am, it's now 9:44am and nothing new.

     

    I'm able to download the Remote management profile settings when I first log into myserver.com/mydevices but then none of the profiles get pushed, or show up in Profiles.

     

    I don't believe I have any ACLs on the PM. I'm not sure how to check. Can you explain how?

  • InfoTech2012 Level 1 (0 points)

    Another odd behavior I'm noticing is that all the tasks I've cancelled (6 of them) are still sitting in Active Tasks section and all of them say "Cancelled" whereas before when I've cancelled a task it got moved to Completed Tasks.

     

    This is my first experience using and testing Profile Manager. I'm so used to the old way of management with MCXs so I am not familiar with the way this is supposed to work but clearly it's not working for me. lol!

  • InfoTech2012 Level 1 (0 points)

    Ok I figured out how to check the SACLs for Profile Manager.

     

    The test user account has access to Profile Manager service. The test user is a member of Workgroup. Workgroup also has access to Profile Manager but it's still not working. Initially, when I checked Workgroup, it did not have access to PM but then I enabled it, and started over again only to get the same result.

  • InfoTech2012 Level 1 (0 points)

    Ok, I am almost at my wits end. I cannot figure this out. Profile Manager is not working for me the way it's supposed to.

     

    The only way I got this to work is to log into myserver.com/profilemanager as an admin on the test device itself, click on Test Device Group, click on Profile, and then click the Download button. No other way works and this is not an ideal way to get profiles onto our machines.

     

     

  • InfoTech2012 Level 1 (0 points)

    Sorry for the blasts of updates. I hope that it may shed some light on my problem.

     

    One new bit of information I've noticed is that in all the profiles for Users, Groups, Devices, and Device Groups, "The name of the organization" field is blank and I cannot edit it. It's greyed out.

     

    Not sure if this matters or not.

     

    I can say that it is working for Groups. I just tested settings for Workgroup and now when I log in as the test user to myserver.com/mydevices I can see the "Settings for Workgroup" in the "Profiles" section in "My Devices" and I can download it.

     

    So, I don't know why this isn't working for Device Groups.

  • iToaster Level 3 (720 points)

    do you have an iTunes account set up on the server to send the push notifications out

    server,hardware, settings enable apple push notifications

     

    is sign configuration profiles enabled

     

    organization name grayed out is normal PM gets that from your setup certs etc

     

    sounds like you're making progress now that you can see the group profiles and download them

  • iToaster Level 3 (720 points)

    Sorry I just re-read your post.

    Your organisation name should not be blank in the profiles and it's normal to be greyed out

    Providing you filled in the organisation name when setting up PM

  • InfoTech2012 Level 1 (0 points)

    iToaster wrote:

     

    Sorry I just re-read your post.

    Your organisation name should not be blank in the profiles and it's normal to be greyed out

    Providing you filled in the organisation name when setting up PM

    I remember entering our company's iTunes Apple ID to allow push notifications. But if I set the profile to be manually downloaded, are the push notifications from Apple still necessary?

     

    I also remember entering the Organization Name when setting this up.

     

    When I am in PM in Server.app, under the "Default Configuration Profile", I see "Include configuration for services: No Services Enabled" - the check box is checked off and "No Services Enabled" is greyed out.

     

    Also, in one of the PM logs I have been seeing "PushSettings' (prio:0) for nil" - not sure if this is related.

  • InfoTech2012 Level 1 (0 points)

    Sign configuration profiles is enabled.

  • iToaster Level 3 (720 points)

    push from apple is necessary for the device to check in to "update info" and to push out changes, wipe, lock etc

     

    in the profiles you've downloaded is your organization name there

     

    default configuration profile = settings for everyone profile

    include configuration for services enabled, the services enabled on the server will appear in /mydevices/profiles

    "setting for everyone" for users to download

    in PM it's in the user group "everyone"  "setting for everyone"

     

    pushsettings prio for nil, not sure, might be because your profile is download not push

    I had a look in my PM logs var/log/devicemanager/profile manager

    most of mine look like (DN is not the real one)

    to iOS device

    Aug 13 15:18:45 my.server.com ProfileManager[353] <Info>: Pushed to <Device:"132"> with token Bifgei22ijw9hsh/dnsjis9922gsjd=, {"time":"1344827924.256160","my":"982NF2228-90837-8415-82753-0393HI12495279G"}

    to macbook

    Aug 16 11:56:40 my.server.com ProfileManager[354] <Info>: Pushed to <LabSession:'user name @Administrator’s MacBook Pro'> with token 9882dbsajduwns928261ob852qhs9jaa861=, {"time":"1345074998.401284","my":""}

     

    do you have a firewall blocking PM ports

    http://support.apple.com/kb/HT5302

     

    my server is behind a NAT router using same FQDN on lan and net
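
As an added example (not part of the thread and not Profile Manager's own code), the Python sketch below parses "Pushed to" lines in the format quoted in the post above and reports the latest logged push per target, plus enrolled devices with no logged push at all. The sample log lines, tokens and device IDs are constructed, and the function names are hypothetical.

```python
import json
import re

# "Pushed to" lines in the format quoted in the thread; the token is not kept.
PUSHED = re.compile(
    r"ProfileManager\[\d+\] <Info>: Pushed to "
    r"<(?P<kind>\w+):(?P<q>[\"'])(?P<target>.*?)(?P=q)> "
    r"with token \S+, (?P<payload>\{.*\})\s*$"
)

# Constructed sample input: tokens, IDs and times are made up for illustration.
SAMPLE_LOG = """\
Aug 13 15:18:45 my.server.com ProfileManager[353] <Info>: Pushed to <Device:"132"> with token CONSTRUCTEDTOKEN1=, {"time":"1344827924.256160","my":"CONSTRUCTED-ID"}
Aug 14 09:02:10 my.server.com ProfileManager[353] <Info>: Pushed to <Device:"132"> with token CONSTRUCTEDTOKEN1=, {"time":"1344891730.000000","my":"CONSTRUCTED-ID"}
Aug 16 11:56:40 my.server.com ProfileManager[354] <Info>: Pushed to <LabSession:'test @Test MacBook Pro'> with token CONSTRUCTEDTOKEN2=, {"time":"1345074998.401284","my":""}
Aug 16 11:57:00 my.server.com ProfileManager[354] <Info>: some unrelated message
""".splitlines()

def parse_pushes(lines):
    """Return one event per well-formed 'Pushed to' line; ignore the rest."""
    events = []
    for line in lines:
        m = PUSHED.search(line)
        if not m:
            continue
        try:
            sent = float(json.loads(m.group("payload"))["time"])
        except (ValueError, KeyError, TypeError):
            continue  # malformed payload: skip rather than guess
        events.append({"kind": m.group("kind"),
                       "target": m.group("target"), "sent": sent})
    return events

def last_push(events):
    """Map (kind, target) to the epoch time of its most recent logged push."""
    latest = {}
    for e in events:
        key = (e["kind"], e["target"])
        latest[key] = max(latest.get(key, 0.0), e["sent"])
    return latest

def never_pushed(enrolled_ids, events):
    """Enrolled device IDs (from the Devices list) with no logged push."""
    seen = {e["target"] for e in events if e["kind"] == "Device"}
    return [d for d in enrolled_ids if d not in seen]

if __name__ == "__main__":
    evs = parse_pushes(SAMPLE_LOG)
    for (kind, target), ts in sorted(last_push(evs).items()):
        print(f"{kind} {target}: last push logged at epoch {ts}")
    print("no push logged for:", never_pushed(["132", "133"], evs))
```

A logged push only shows that the server handed the notification off; the device's last check-in time in Profile Manager is what confirms it arrived.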

  • InfoTech2012 Level 1 (0 points)

    Thanks for the firewall tip. Those ports ended up being blocked after all, in addition to a couple of other settings on our firewall that were preventing the Push Notifications from being sent to and from Apple.

     

    I really appreciate your help.

     

    Things seem to be "working" for the most part although now I am having trouble with Profiles with Mobile Home Account settings not being applied until the 2nd time they log into the Mac. But I'll save that for another post.

     

    Thanks again.
