Profile Manager iMacs auto-enrollment issue: Only ‘placeholders’ being added? (but manual enrollment with My devices portal works fine)

New in version 5.4 no configure Open Directory, and the method does not help.

We just started heavily using Profile Manager in the last few months, finally switching from Workgroup Manager/Server 10.6.8.

We use method #2 and figured that placeholders are by design. For us, between faculty/staff, labs in different locations across campus and so on, we want new machines to not automatically be assigned anywhere. You'd need to manually put them in a group or groups once, at least that is what we do.

I've noted, once done, that even after reimage with DeployStudio and auto (re)enrollement, they'll rememeber their group assignments and not be placeholders again (unless of course you remove them from Profile Manager.)

Does that make sense? It seems to work for us.

Whoops, I was a little off on my previous post. I'm actually at work doing some deployments, so I'm watching it.

They seem to remain placeholders until the machine that is enrolled makes contact with the server after DeployStudio enrolls it.

For us, that's the first reboot after DeployStudio when their computer is registered for network access (but that's specific to us.)

Because our network relies on that registration for the computer to be able to talk to OS X server (or anything at all) I can't tell you if it is the act of just a first reboot that makes the place holder turn into a real machine record or the first login.

They'll still need to manually be put in a group the first time after that as I described above.

Do the client devices have an active internet connection when the profiles are being installed?

So I'm sort of new to PM, but I thought I would offer my advice so far.

First, I don't *think* this could have anything to do with internet/network connection or not having a first communicade. Assuming that your device isn't present in Profile Manager at all, when you enroll it - that's something happening from the client side. The server doesn't know you are applying an Enrollment Profile until the enrolled device reaches out to the server and says "hey enroll me with this!"

Therefore, the fact that even a Placeholder is getting created seems to be evidence that communication is happening between client/server.

I am going to assume that in your 3 scenarios above that all else is equal. For instance all machines are on the same subnet/network etc and that can't be playing a factor. What I would be interested in seeing is for you to do one of two things:

1) Manually run the Trust Profile and Enrollment Profile .mobileconfig that you download from MyDevices. This isn't exactly the same as just clicking on "Enroll" in my devices.

2) Login to the MyDevices portal as an admin user and you should see all the Enrollment Profiles listed there - Enroll from there and see how it goes.

If they are working by manually running, but not via your deployment task, that might be somewhat telling.

I suppose there is a slight possibility that different ports are used when you just click "Enroll" vs use the .MobileConfig files and that somehow there is enough communication to create the Placeholder, but not to fully register it? I think that's a longshot though.

On this same topic, I'm also going to throw a related question in the mix:

When you go to delete a device from within your list is has the options "Unenroll" or "Revert to Placeholder."

If you choose Unenroll, it reaches out to the device and removes the profile and ALSO reverts it to Placeholder.

If you choose "Revert to Placeholder" it seems to leave it in a state where the server thinks its just a Placeholder, but the client still has the policies applied and from the client end all looks well. I can't see a great reason why to use this option?

Update:

So I read a couple other things that may be germane to your situation.

1) I might not be wrong with my suspicion of only some firewall ports being open...so confirm that all the required ones are.

2) I read about a similar problem and the solution was making sure the device was registered to a user. This might make sense because when you login to MyDevices you are doing it as a user account, but when you just Deploy Enroll it is "user-less." I'm not fully sure the full ramifications of this yet, but it is something to try(?)

Hi Chris,

Finally, after calling with Apple etc. I've managed to figure out what the problem was.

Obviously you need to check the basics: Network and IP Addresses. DNS and Firewall.

Also, on the mac itself, go to http://"servername"/mydevices (I.E. alpha.company.local/mydevices) and try to manually enroll.

If this doesn't work, I've founded out that my solution was due to an error with my Open Directory. It couldn't load the master server and that caused my devices to not be able to fully-enroll since there was no Open Directory that could save the devices in a proper way.

I disabled all services in my Server App and then I opened Terminal to run the following command: sudo slapconfig -destroyldapserver

Then I went back into my server app and enabled Open directory by creating a new Master Controller. This all worked and then my devices were able to be deleted and fully enrolled.

Hope this helps you!

Hello, I have re-done open directory. But the devices still appear as placeholders?

^^ I can only add devices (albeit as placeholders) when I manually go to \mydevices and hit the enrol button.

I also ge the following when I try to add devices via the profile method \mydevices 'profile' tab

Profile installation failed: The server certificate for https://mymacserver.wan/devicemanagement/api/device/auto_join_ota_service is invalid.

Any ideas?

Thanks "Office IT Support",

You saved me from lots of hair pulling. Once I turned on "open directory" service, the enrolment profiles started working. What I don't understand is where the proper documentation for this. Such a strange error compared to the solution.