Can't enroll iOS device to profile manager

Question

Level 1

1 points

Can't enroll iOS device to profile manager

We have setup a apple server running 10.9 and mavericks server app. The server is joined to an active directory domain, which handles all user authentication, dns, dhcp, ect. Profile manager is setup and I can enroll iMac's and MacBooks without issue via the xxxx.mydomain.com/mydevices site. When we try to enroll an iPad or iPhone while logging into the my devices website using an AD account, we can get to the site, we can install the trust and remote profiles, both show installed on the iOS device, no errors happen during the install, however on the my devices page after enrolling, the iPad and iPhone never update, they continue to show the enroll option, they never communicate their details to the server and profile manager. The task shows up in profile manager that a new device enrolled but sits at pending and in devices a new generic device shows up with the user's AD name who registered it, but no device details appear, no serial number ect. So We can get to the server, open the my devices site, login with AD, but once we enroll there is basically no communication between the server/profile manager and the iOS device.

HELP!!! We are stuck!!

iPad 2 Wi-Fi, iOS 7.1.2

Posted on Sep 4, 2014 3:03 PM

Reply

Answer 1

SSI JDE

Level 1

135 points

Sep 17, 2014 4:22 AM in response to TRNSupport

We could solve this by opening the firewall for some ports (443, 1640, 2195, 2196, 5223, ) and ip addresses (17.0.0.0/8). Have a look at

OS X Server: Ports used by Profile Manager

Start Profile Manager

Reply

Answer 2

Nov 7, 2014 4:54 AM in response to SSI JDE

We are having the exact same problem.

The only ports on the firewall to the net open are 80 and 443, we do not permit other ports to be opened.. seeing as it's an internal connection, I fail to see why ports on the firewall need to be opened??

Reply

Answer 3

SSI JDE

Level 1

135 points

Nov 10, 2014 12:21 AM in response to RendcombITDept

The server and the iOS devices uses the Apple Push Notifications (APN). They communicate over the apple servers and need a internet connection with some open ports.

Reply

Answer 4

Nov 10, 2014 9:18 AM in response to TRNSupport

We are having the same issue except we cannot enroll new Macs, they just show up as "Placeholders". However there are a select few Macs that do enroll fine. We have port 5223 being blocked and I know that everyone is to allow those ports to be opened, but if some of the Macs enroll fine and others don't and port 5223 is blocked then how can this be a port issue? Obviously if some of them enroll ok it has nothing to do with Apples APN server. Im not sure why they are showing up as placeholders though.

Reply

Answer 5

SSI JDE

Level 1

135 points

Nov 10, 2014 11:15 PM in response to cpreasbeck

You can use tools like Wireshark to analyse the traffic for the enrolled mac and the server.

In a enterprise enviroment the server is logical between two firewalls (DMZ). You must also check the firewall logs for blocked traffic.

Reply

Answer 6

Nov 12, 2014 8:22 AM in response to SSI JDE

Yes I have used Wireshark and the only port that is being blocked is 5223, however this port doesnt seem to have anything to do with the enrollment process. I have some Macs that will enroll fine even though it is being blocked, and I have others that do not. Im not sure what else we should try here.

Reply

Answer 7

SSI JDE

Level 1

135 points

Nov 13, 2014 12:47 AM in response to cpreasbeck

If the firewall blocks traffic from the internet to your server, you can not log this with Wireshark on your server. You have to check the firewall logs too. If nothing helps reconfigure your firewalls for testing.

If some devices enroll fine, search for differences at the network settings, dns, proxy etc. If you use a active directory check the Trust-Levels, access rights etc.

Reply

Answer 8

SSI JDE

Level 1

135 points

Nov 13, 2014 4:33 AM in response to cpreasbeck

Also have a look at Well known TCP and UDP ports used by Apple software products.

Reply

Answer 9

Apr 7, 2015 8:45 AM in response to SSI JDE

I have same issue but without firewall.

I have configure profile manager, I can access to the profile manager website, but when I want to enrol an iOS device I get "Profile Installation Failled" "The request timed out"

Can you help me

Reply

Answer 10

Apr 12, 2015 12:01 AM in response to TRNSupport

We had this same issue, and for us the problem was a profile installed on the device for a GoDaddy email account. We deleted the profile and voila the device completed the enrollment process perfectly. Hope this helps somebody else with the same problem.

Reply