Profile Manager Enrollment Profile - SCEP Challenge failed

Question

Level 1

10 points

Profile Manager Enrollment Profile - SCEP Challenge failed

Greetings,

Need help. All requisites are in order for Profile Manager and can install a profile and restrictions are applied.

The problem is we are unable to install an Enrollment Profile via email or https://x.x.x/mydevices login for managing profiles. I've researched for 2 days and failed to resolve. Can anyone please help/comment/point in right direction/answer how to resolve the SCEP challenge failure?

iOS and MAC client devices:

Login to: https://x.x.x/mydevices

Select Install for Enrollment Profile

Signed Profile is downloaded, select Install Now

fails: 'Profile Installation Failed A connection to the server could not be established'

Server side OS X 10.10, Server 4.0:

apsn.log: no errors

profilemanager.log: no errors

php.log:

1::Mar 06 14:12:52.775 [1147] <x.x.x.x> {LogElapsedTime (common.php:82)} Time since script start: 62185us [https://x.x.x/devicemanagement/api/device/auto_join_ota_service]

1::Mar 06 14:12:52.800 [1147] <x.x.x.x> {require_once (auto_join_ota_service.php:11)} vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv - POST auto_join_ota_service

0::Mar 06 14:12:53.411 [1147] <x.x.x.x> {LogException (common.php:470)} EXCEPTION: 500 Internal Server Error - Could not retrieve SCEP challenge. at

0::Mar 06 14:12:53.411 [1147] <x.x.x.x> #0 /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/php/ot a_service_common.php(198): DieInternalError('Could not retri...')

0::Mar 06 14:12:53.411 [1147] <x.x.x.x> #1 /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/php/ot a_service_common.php(314): _generate_scep_profile(Array)

0::Mar 06 14:12:53.411 [1147] <x.x.x.x> #2 /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/php/au to_join_ota_service.php(15): OTAServiceCommon()

0::Mar 06 14:12:53.411 [1147] <x.x.x.x> #3 {main}

1::Mar 06 14:12:53.411 [1147] <x.x.x.x> {SendFinalOutput (common.php:477)} Sent Final Output (26 bytes)

1::Mar 06 14:12:53.411 [1147] <x.x.x.x> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - /devicemanagement/api/device/auto_join_ota_service

0::Mar 06 14:12:53.411 [1147] <x.x.x.x> {SendFinalOutput (common.php:477)} Completed in 698ms | 500 Internal Server Error [https://x.x.x/devicemanagement/api/device/auto_join_ota_service]

scep_helper.log:

0:: [1111] [2015/03/06 14:28:28.407] getSCEPURL: hostname = '127.0.0.1', urlString = 'http://127.0.0.1:1640/scep/'

1:: [1111] [2015/03/06 14:28:28.426] EXCEPTION: Error <NSString *GetChallengeFromSCEP(NSString *__strong, NSString *__strong, NSString *__strong) (/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-883.16/Compiled/sce p_helper/main.m:438): "'((SCEPGetCACert(session, ((void*)0), 0)))' error -18">

USERINFO: {

NSLocalizedDescription = "Carbon error -18";

}

0:: [1111] [2015/03/06 14:28:28.460] SCEPHELPERS_GetSCEPChallenge: Caught exception NSString *GetChallengeFromSCEP(NSString *__strong, NSString *__strong, NSString *__strong) (/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-883.16/Compiled/sce p_helper/main.m:438): "'((SCEPGetCACert(session, ((void*)0), 0)))' error -18"

Thanks

Mac mini, OS X Yosemite (10.10), clean 10.10 install then Server 4.0

Posted on Mar 6, 2015 11:47 AM

Reply

Answer 1

Mar 1, 2017 8:20 PM in response to Cerniuk

Have a similar issue, wiping Open Directory and Profile Manager is not an option unless all devices can stay intact.

Have Open Directory and PM installed on a Mac mini server (server app 5.2) with Sierra 10.12.1.

Linked to DNS on a Windows Server.

Current linked devices can get apps and settings (however currently having the 'no copies available' problem with new apps recently, but I do not think that is related.)

Any ideas?

Reply

Answer 2

Jun 29, 2017 7:09 AM in response to ICS Ed-Tech

What version of Server are you using? Profile Manager changed its SCEP implementation in Server 5.3, and it doesn't use the OpenDirectory certs any more, so if you're having issues with SCEP on Server 5.2 or earlier, you might want to consider upgrading to Server 5.3 or later.

If you're having issues with Server 5.3 or later, you want to look in /Library/Logs/ProfileManager/dmSCEPHelper.log for any errors/exceptions.

Reply

Answer 3

Mar 7, 2015 11:29 AM in response to jlittle3369

A few guesses

Are certificates in order on the server, none that has expired?

At least older versions of Mac OS (e g 10.8) do not automatically renew their enrolment identity certificate which means they will keep most kind of settings but not accept changes to profiles or new profiles. Are those certificates in order on the clients?

Have you tried restarting the services (Profile Manager and Open Directory (handels certificates))

Have you tried reboot the whole server. It feels like a thing you shouldn't have to do but it's an easy way to be sure every process is actually restarted. I have had some profile problems that I haven't been able to track down but that has been solved by restarting services or the whole server (e g after upgrade from MOS 10.9.5 + Server 3.2.2 to MOS 10.10.x + Server 4.0.3).

Reply

Answer 4

jlittle3369 Author

Level 1

10 points

Mar 10, 2015 11:03 AM in response to theFerret

Thanks theFerret, turned out all certs were in order.

My problem resulted from changing the host name after Open Directory installed. Relatively lucky in that this is a new install without many users so i was able to destroy without consequence. This solved the problem after identifying it:

Destroy Open Directory

sudo slapconfig -destroyldapserver

sudo slapconfig -setstandalone

Reboot

Stop Profile Manager

sudo serveradmin stop devicemgr

sudo killall -9 -u _devicemgr

sudo serverctl disable service=com.apple.DeviceManagement.devicemgrd

sudo serverctl disable service=com.apple.DeviceManagement.postgres

sudo mv /Library/Server/ProfileManager/Config/ServiceData/Data/PostgreSQL ~/.Trash/PostgreSQL_$RANDOM

sudo mv /Library/Server/ProfileManager/Config/ServiceData/Data/backup ~/.Trash/backup_$RANDOM

sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/deviceManagerCommon.sh

Reconfigure Device Management, enable Profile Manager

Reply

Answer 5

Cerniuk

Level 1

27 points

May 3, 2016 3:07 PM in response to jlittle3369

This did it for me. It would be terrible if I had the serve in use with all manner of account to have to do this though as it flushes all the accounts. Never the less, now have a usable Profile Manager. Thanks!

Reply

Answer 6

Jun 6, 2017 10:37 PM in response to jlittle3369

method not working

Reply

Answer 7

Jun 28, 2017 8:14 PM in response to Apple_Tech85

i have similar issues too!

Reply