Profile Manager Fails To Deploy

I can add my experience to this.

I have this week set up a fresh OS X 10.8.3 Server 2.2.1 setup. After having tackled a few interesting problems (e.g. how an unconfigured (but also inactive) wireless interface in the server's network profile more or less killed the server by triggering network changes on every timeout of the wireless interface, or how a domain DNS zone setup leads to weird postfix errors).

I tried Profile Manager. I have given up on it. All in all I have been able to enroll only one of my devices (iMac) only once, and all the devices were on my LAN. I tried rebooting, resetting Profile Manager, working without firewalls, more rebooting, etc. etc. but in the end Profile Manager is just as good as dead: no device can be succesfully enrolled, let alone managed.

Rant. I find it unbelievable how a company with so much capital and so many good people can't get this sorted. Some of the things I encounter are even plain naive (like the postfix stuff I ran into) and certainly not designed with 'robustness under uncertainty' in mind. Apple seems to develop this stuff by testing (which is like design-by-debugging and bad enough), and testing against a limited set of setups at that (which is even worse). You don't get the feeling all of it is actually designed and under architecture. They need better software designers in the area of systems management (the people creating this do not give the impression of being all that good at (unix) systems maintenance and technical infrastructure, they are clearly unaware of the complexities involved and create naive solutions). End rant.

I add here for the record...

Found another idiotic incompatibility problem regard config push, if I add a cert payload to the profile the installation fails and clears all the other payloads.

The cert I will add is exported as .p12 from keychain, and install flawlessly if I open from Mail as attachment.

I tried to import the profile on my Mac and all payloads shows up but next to the certificate it shows up a not encouraging "?Error_-25257?" (probably related to the code-signing utiliy)

I'm on Mavericks 10.9.1 and OSX Server 3.0.2 ... update that caused me other headaches (if you want to read you can find them here: https://discussions.apple.com/thread/5762561?answerId=24452305022#24452305022)

Hello ionepoch,

i found your post when researching issues with Server.app 5.0 while attempting to deploy a passcode policy, which failed, behaving a lot as you described back then in 2012.

It fails with:

"params"=>"[{"ErrorCode":-43,"ErrorDomain":"ConfigProfilePluginDomain","Localize dDescription":"The password policy could not be set up because either the account record could not be found, or the policy information could not be saved."}]"

and that in a two-edged-sword manner, since it not just fails to deploy, it also renders the entire group configuration inactive, leaving the group and all it's members unconfigured - evil!!!

Although i am keen to follow the advances APPLE makes (here: moving away from MCX to MDM), i also have to deliver a stable production ready deployment, which must have priority. And that makes me wanting to switch back to Workgroupmanager for the time being, until ProfileManger would be as predictable and reliable as MCX once was.

If i got your post back then rigth, you did exactly that. Fast forward to 2015, this is not an option anymore (i really don't want to switch back to OS X Server 10.9 just for running MCX) - how did you tackle this situation in the meantime?

Any ideas highly appreciated,

best

Personally, I've remained on 10.8.5 with Server (and now 10.10 clients) as this is a combination that still works (with issues that can be worked around). At some point in time I'll have to move on and I dread that moment as I fear that much of my setup (especially mobile accounts) will stop working at all.

Apple, please, fix this mess and hire a few decent software designers and engineers for this part of OS X which has seen an unbelievable level of neglect.

Hello Gerben,

i followed your stragtegy with my 10.6 deployment. This strategy failed with the arrival of i*-processors, when clients required a recent OS to be installed.

That was the time when ProfileManagement entered the scene, and i did everything to jump that train, but really havn't been able to get it running in a predictable and stable manner throughout all version until Server.app 4.0 (i need to be able to change configurations often, scientific environment).

As i now see things matured a lot in Server 5.0, but still face that issue with the passcode configuration and the locked-out syndrom around, i seriously flirt with the possibly historically last option to switch back to Workgroup-Manager - temporarily, in order to give the entire transitioning process a break, until that Server.app software is production ready.

Thus:

1) run Server on 10.9.5, Server 4.0 (i guess Server 5.0 requires at least OSX 10.10?), use ProfileManager for device management and WorkgroupManager for user-/group-management.

2) Keep the hope, Server 6.0 will be mature and not out before 10.12 (when 10.9 is likeley getting dropped from service).

Does anyone of you have experience with running ProfileManager and Workgroup-Manager side by side?

Would this infrastructure also serve 10.11 clients?

Best

Hi osxhag,

Does WGM work on higher versions than 10.8.5? I did not know that.

Are higher Server versions capable of supporting mobile accounts with portable home directories?

Hello,

yes, there is version 10.9 available, and it looks like it may even work on a yosemite OS (while not officially supported).

The catch22 for me is: still be able to use WGM 10.9 while already using Server 5.0.

Server 5.0 obviously depends on 10.10...

I monitor Profile Manager development since Server 2 came out. Every year I made a fresh install and checked if it is mature enough to be used in a productive environment. Until Server 5 I had to deny this.

With Server 5 overall stability improved and we decided to use it in production!

BUT

- There is still unpredictive behaviour

- An old, already deleted, configuration profile is always deployed to manually enrolled Macs. Deploying other configuration profiles to those machines fails without getting a detailed error message from Profile Manager!!!

- With nearly 200 devices in Profile Manager the scrolling through the devices list became slow

I think that current Profile Manager is not mature enough to be used in a professional environment unless the first two points are fixed. I created a bug report maybe that helps.