The following article also applies to issues after re-setting the severs' hostname. It also applies to situations where re-setting the Code Signing Certifictateas described by Apple has not resolved the issue.
I have been plagued with Profile Manager and Device Manager issues since day one.
I would like to share my experience and to suggest a way how to resolve issues such as device cannot be enrolled or Code Signing Certificate not accepted.
I shall try to be as brief as possible, just giving an overview of the steps that resolved my issues. The individual steps have been described elsewhere in this forum. For users who have purchased commercial SSL certs the following may not apply.
In my view many of these issues are caused by missing or faulty certificates. So let us first touch on the very complex matter of certificates.
Certificates come in many flavours such as CA (Certificate Authority), Code Signing Certificate, S/MIME and Server Identification.
(Mountain?) Lion Server creates a so-called Intermediate CA certificate (IntermediateCA_hostname_1") and Server Identification Certificate ("hostname") when it installs first. This is critical for the operation of many server functionalities, including Open Direcory. These certs together with the private/public keys can be found in your Keychain. Profile and Device Manager may need a Code Signing Certificate.
The most straightforward way to resolve the Profile Manaher issues is in my view to reset the server created certicates.
The bad news is that this procedure involves quite a few steps and at least 2 hours of your precious time because it means creating a fresh Direcory Master.
I hope that I have not forgotten to mention an important step. Readers' comments and addenda are welcome.
I shall outline a sensible strategy:
1. Clone your dysfunctional server to an external harddrive (SuperDuper does a reliable job)
2. Start the server fom the clone and shut down ALL services.
3. It may be sensible to set up a root user access.
4. Back-up all user data such as addess book, calendar and other data that you *may* need to set up your server.
5. Open Workgroup Manager and export all user and workgroup accounts to the drive that you using to re-build your server (it may cause problems if you back-up to an external drive).
6. Just in case you may also want to back-up the Profile Manager database and erase user profiles:
In Terminal (this applies to Lion Server - paths may be diferent in Mountain Lion !)
Backup: sudo pg_dump -U _postgres -c device_management > $HOME/device_management.sql
7. Note your Directory (diradmin) password for later if you want to re-use it.
8. Open Open Server Admin and demote OD Master to Standalone Directory.
9. In Terminal delete the old Certificate Authority
sudo rm -R /var/root/Library/Application\ Support/Certificate\ Authority/
This step is crucial because else re-building you OD Master will fail.
9. Go back to Server Admin and promote the Standalone Directory to OD Master. You may want to use the same hostname.
10. When the OD Master is ready click on Overview and check that the LDAP and Keberos Realm reflect your server's hostname.
11. Go back to Workgroup Manager and re-import users and groups.
NOTE: passwords are not being exported. I do not know how to salvage user passwords. (Maybe passwords can be recovered by re-mporting an OD archive - comments welcome! ).
12. Go to Server App and reset passwords and (not to forget) user homefolder locations, in particular if you want to login from a network account!
If the home directory has not been defined you cannot login from a network account.
13. You may now want to restore Profile Manager user profiles in Terminal. Issue the following commands:
sudo serveradmin stop devicemgr
sudo serveradmin start postgres
sudo psql -U _postgres -d device_management -f $HOME/device_management.sql
sudo serveradmin start devicemgr
14. You can now switch back on your services, including Profile Manager.
In Profile Manager you may have to configure Device Management. This creates a correct Code Signng Certicate.
15. Check the certificate settings in Server App -> Hadware -> Settings-> SSL Certificates.
16. Check that Apple Push Notifications are set.(you easily check if they are working later)
17. You may want to re-boot OS Server from the clone now.
18. After re-boot open Server App and check that your server is running well.
19. Delete all profiles in System Preferences -> Profiles.
19. Login to Profile Manager. You should have all users and profiles back. In my experience devices have to be re-enrolled before profiles can be pushed and/or devices be enrolled. You may just as well delete the displayed devices now.
20. Grab one of your (portable) Macs that you want to enrol and go to (yourhostname)/mydevices and install the server's trust profile. The profile's name should read "Trust Profile for...) and underneath in green font "Verified".
21. Re-enrol that device. At this stage keep your finger's crossed and take a deep breath.
22. If the device has been successfully enrolled you may at last want to test if pushing profiles really works. Login to Profile Manager as admin, select the newly enrolled device. Check that Automatic Push is enabled (-> Profile -> General). Create a harmless management profile such as defining the dock's position on the target machine. (Do not forget to click SAVE at the end - this is easily missed here). If all is well Profile Manager will display an active task (sending) and the dock's position on the target will have changed in a few seconds if you are on a LAN (Note: If sending seems to take forever: check on the server machine and/or on your router that the proper ports are open and that incoming data is not intercepted by Little Snitch or similar software).
Note: if you intend to enrol an Apple iPhone you may first need to install the proper Apple Configuration software.
Now enjoy Profile and Device Manager !