
Can't Enable Device Management

I am getting the dreaded 'An error with code -1 occurred' when trying to enable device management on 2 different XSAN deployments. This is a secondary XSAN metadata controller. The primary metadata controller starts up Device Management fine. This is in the logs of the faulty system:


1:: [17200] [2015/04/26 12:23:02.166] EXCEPTION: Error <-[SCEPHelper odRootCertificate] (/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-886.204/Compiled/Framework-Base/Support/SCEPHelper.m:61): "'((SCEPHELPER_GetODRootCertificate(self.connection, &root, &rootCnt)))' error 1">

USERINFO: {

NSLocalizedDescription = "Operation not permitted";

}


Any thoughts? Thanks!


Michael

Posted on Apr 26, 2015 12:37 PM


Apr 30, 2015 3:14 PM in response to Nickrichyrichardson

Sure. Thanks for the reply and apologies on the slow response. Again, from what I can tell,


The environment is an XSAN deployment, so servers are on Yosemite 10.10.3, running Server 4.1. DNS, OD and XSAN are running well on both. Other services on this machine include Calendar, Messages and File Sharing, but all other services were set up after the failure of Profile Manager.


Basically I cannot enable device management for Profile Manager. Didn't work initially, so I tried the steps here: OS X Server: How to reset Profile Manager to its original state - Apple Support. Didn't work again. The log output makes me think it has a problem with the server's certificates, but server2 only has an SSL cert signed by server1.


I must be missing something, so any thoughts greatly appreciated.


devicemgrd.log output:


[67233] [2015/04/30 14:49:55.925] -[SULogFileCollection setGlobalLogLevelPrefix:]: YES

0:: [67233] [2015/04/30 14:49:55.928]

###############################################################################

devicemgrd-886.204 (PID:67233, OS:14D136, SERVER:14S1092, ARCH:x86_64) starting

LA: devicemgrd

Log verbosity level = 1

UID = 220, EUID = 220

###############################################################################

1:: [67233] [2015/04/30 14:49:55.936] Incoming request: readSettings

0:: [67233] [2015/04/30 14:49:56.059] +[PGConnection reloadPreferences]: DBDebug = NO, DBLogNotices = NO, DBLogSQL = NO, DBMonitor = NO

0:: [67233] [2015/04/30 14:49:59.048] Profile Manager service STOPPED

1:: [67233] [2015/04/30 14:49:59.068] Wrote MDM URL bag to /Library/Server/ProfileManager/Config/ServiceData/Data/FileStore/MDMServiceConfig.json

1:: [67233] [2015/04/30 14:49:59.068] Wrote DEP Anchor Certs to /Library/Server/ProfileManager/Config/ServiceData/Data/FileStore/DEPAnchorCerts.json

1:: [67233] [2015/04/30 14:49:59.078] Ready to receive external socket requests.

1:: [67233] [2015/04/30 14:49:59.170] Incoming request: readAppDistributionSettings

1:: [67233] [2015/04/30 14:49:59.173] Incoming request: readSimplifiedDeviceEnrollmentSettings

[67337] [2015/04/30 14:50:35.699] -[SULogFileCollection setGlobalLogLevelPrefix:]: YES

0:: [67337] [2015/04/30 14:50:35.712]

###############################################################################

devicemgrd-886.204 (PID:67337, OS:14D136, SERVER:14S1092, ARCH:x86_64) starting

LA: devicemgrd

Log verbosity level = 1

UID = 220, EUID = 220

###############################################################################

0:: [67337] [2015/04/30 14:50:35.735] +[PGConnection reloadPreferences]: DBDebug = NO, DBLogNotices = NO, DBLogSQL = NO, DBMonitor = NO

0:: [67337] [2015/04/30 14:50:37.930] Profile Manager service STOPPED

1:: [67337] [2015/04/30 14:50:37.938] User 'nobody' not found, creating...

0:: [67337] [2015/04/30 14:50:38.431] Loaded strings from '/Applications/Server.app/Contents/ServerRoot/usr/share/servermgrd/bundles/servermgr_devicemgr.bundle/Contents/Resources/en.lproj/default.strings'.

1:: [67337] [2015/04/30 14:50:38.440] Incoming request: readSettings

0:: [67337] [2015/04/30 14:50:38.655] -[NSString(devicemgr_Additions) dateFromOpenSSLString]: 'Apr 26 20:57:28 2017 GMT'

1:: [67337] [2015/04/30 14:50:38.675] Wrote trust profile to /Library/Server/ProfileManager/Config/ServiceData/Data/FileStore/Trust_Profile_for_mdc02.mobileconfig

1:: [67337] [2015/04/30 14:50:38.686] Wrote MDM URL bag to /Library/Server/ProfileManager/Config/ServiceData/Data/FileStore/MDMServiceConfig.json

1:: [67337] [2015/04/30 14:50:38.688] Wrote DEP Anchor Certs to /Library/Server/ProfileManager/Config/ServiceData/Data/FileStore/DEPAnchorCerts.json

0:: [67337] [2015/04/30 14:50:38.718] Parsing enterprise app icons

1:: [67337] [2015/04/30 14:50:38.718] Parsing enterprise apps with missing icons...

1:: [67337] [2015/04/30 14:50:38.720] Ready to receive external socket requests.

0:: [67337] [2015/04/30 14:50:39.519] Created default profile 'Settings for Everyone'

1:: [67337] [2015/04/30 14:50:39.523] Incoming request: readAppDistributionSettings

1:: [67337] [2015/04/30 14:50:39.526] Incoming request: readSimplifiedDeviceEnrollmentSettings

1:: [67337] [2015/04/30 14:50:45.889] Incoming request: writeSettings

1:: [67337] [2015/04/30 14:50:45.911] EXCEPTION: Error <-[SCEPHelper getIdentityDataForPersistentRef:encryptedWithPassword:] (/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-886.204/Compiled/Framework-Base/Support/SCEPHelper.m:217): "'((SCEPHELPER_GetIdentityFromRef(self.connection, mCertRef, mCertRefCnt, mPassword, mPasswordCnt, &mPKCS12Data, &mPKCS12DataCnt)))' error 1">

USERINFO: {

NSLocalizedDescription = "Operation not permitted";

}

1:: [67337] [2015/04/30 14:50:54.400] Completed parsing enterprise apps with missing icons!

1:: [67337] [2015/04/30 14:51:21.438] Incoming request: activateOD

1:: [67337] [2015/04/30 14:51:21.438] EXCEPTION: Error <-[SCEPHelper odRootCertificate] (/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-886.204/Compiled/Framework-Base/Support/SCEPHelper.m:61): "'((SCEPHELPER_GetODRootCertificate(self.connection, &root, &rootCnt)))' error 1">

USERINFO: {

NSLocalizedDescription = "Operation not permitted";

}

Jul 13, 2016 11:21 AM in response to AppleGrapple

Having the EXACT same issue with a fresh install of OS X and OS X Server 5.1.5.


Yes, I wiped the partition clean. I joined OD to my master server. As soon as I try to turn on device management, I get the dreaded error message:


1:: [462] [2016/07/13 14:16:32.573] Incoming request: informWebAppState
1:: [462] [2016/07/13 14:16:32.621] Incoming request: readSettings
1:: [462] [2016/07/13 14:16:32.626] Incoming request: readAppDistributionSettings
1:: [462] [2016/07/13 14:16:32.629] Incoming request: readSimplifiedDeviceEnrollmentSettings
1:: [462] [2016/07/13 14:16:57.468] Apache SSL configuration was changed, check for updated SSL certificate....
1:: [462] [2016/07/13 14:16:57.475] EXCEPTION:  Error <-[SCEPHelper odRootCertificate] (/BuildRoot/Library/Caches/com.apple.xbs/Sources/RemoteDeviceManagement/RemoteDeviceManagement-895.19/Compiled/Framework-Base/Support/SCEPHelper.m:74): "'((SCEPHELPER_GetODRootCertificate(self.connection, &cert, &certCnt)))' error 1">
    USERINFO: {
        NSLocalizedDescription = "Operation not permitted";
    }
0:: [462] [2016/07/13 14:16:57.475] Unable to fetch OD Root CA Cert. -[SCEPHelper odRootCertificate] (/BuildRoot/Library/Caches/com.apple.xbs/Sources/RemoteDeviceManagement/RemoteDeviceManagement-895.19/Compiled/Framework-Base/Support/SCEPHelper.m:74): "'((SCEPHELPER_GetODRootCertificate(self.connection, &cert, &certCnt)))' error 1"
0:: [462] [2016/07/13 14:16:57.831] -[NSString(devicemgr_Additions) dateFromOpenSSLString]: 'Apr 11 12:00:00 2018 GMT'
1:: [462] [2016/07/13 14:16:57.958] Wrote MDM URL bag to /Library/Server/ProfileManager/Config/ServiceData/Data/FileStore/MDMServiceConfig.json
1:: [462] [2016/07/13 14:17:01.263] Incoming request: activateOD
1:: [462] [2016/07/13 14:17:01.269] EXCEPTION:  Error <-[SCEPHelper odRootCertificate] (/BuildRoot/Library/Caches/com.apple.xbs/Sources/RemoteDeviceManagement/RemoteDeviceManagement-895.19/Compiled/Framework-Base/Support/SCEPHelper.m:74): "'((SCEPHELPER_GetODRootCertificate(self.connection, &cert, &certCnt)))' error 1">
    USERINFO: {
        NSLocalizedDescription = "Operation not permitted";
    }

Jul 14, 2016 8:25 AM in response to MickTonyG

Hi MickTonyG,


I finally found the answer after wasting an entire day yesterday over this same issue.


1) PM needs to run on an OD MASTER, not on an OD replica.

If you already have it running on an OD MASTER, make sure you have your 3 identity preferences showing up in the keychain:


OPENDIRECTORY_SSL_IDENTITY

OPENDIRECTORY_ROOT_CA_IDENTITY

OPENDIRECTORY_INT_CA_IDENTITY


If you have it running on a replica, destroy that replica and let PM create a brand new dummy OD Master and then using Directory Utility, just join the server to your real OD Master so it can grab the users/groups.


That's it.
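
A triage helper for the devicemgrd.log excerpts quoted in this thread, added here as an example (it is not part of any post and is not Apple's code). It pairs each EXCEPTION record with its USERINFO description and the request that preceded it; the function names and the sample log are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the devicemgrd.log layout quoted in this thread.
SAMPLE_LOG = """\
1:: [462] [2016/07/13 14:16:40.889] Incoming request: writeSettings
1:: [462] [2016/07/13 14:16:45.911] EXCEPTION: Error <-[SCEPHelper getIdentityDataForPersistentRef:encryptedWithPassword:] (/src/SCEPHelper.m:217): "'((SCEPHELPER_GetIdentityFromRef(self.connection, mCertRef, mCertRefCnt)))' error 1">
USERINFO: {
NSLocalizedDescription = "Operation not permitted";
}
1:: [462] [2016/07/13 14:17:01.263] Incoming request: activateOD
1:: [462] [2016/07/13 14:17:01.269] EXCEPTION:  Error <-[SCEPHelper odRootCertificate] (/src/SCEPHelper.m:74): "'((SCEPHELPER_GetODRootCertificate(self.connection, &cert, &certCnt)))' error 1">
    USERINFO: {
        NSLocalizedDescription = "Operation not permitted";
    }
"""

HEADER = re.compile(r"^\d+::\s+\[(\d+)\]\s+\[([\d/]+ [\d:.]+)\]\s*(.*)$")
EXC = re.compile(r"EXCEPTION:\s+Error <-\[(\w+) ([^\]]+)\] \((.+):(\d+)\): "
                 r"\"'\(*(\w+)\(.*' error (\d+)\">")
DESC = re.compile(r'NSLocalizedDescription = "(.*)";')
REQ = re.compile(r"Incoming request: (\w+)")

def parse_exceptions(text):
    """One dict per EXCEPTION record, with description and preceding request."""
    records, current, last_request = [], None, {}
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:  # a new timestamped record ends any open USERINFO block
            pid, stamp, msg = head.groups()
            current = None
            req = REQ.search(msg)
            if req:
                last_request[pid] = req.group(1)
            exc = EXC.search(msg)
            if exc:
                cls, sel, _path, src_line, call, code = exc.groups()
                current = {"pid": pid, "time": stamp, "method": f"-[{cls} {sel}]",
                           "source_line": int(src_line), "call": call,
                           "code": int(code), "description": None,
                           "request": last_request.get(pid)}
                records.append(current)
        elif current is not None and DESC.search(line):
            current["description"] = DESC.search(line).group(1)
    return records

def summarize(records):
    # Count failures by (helper call, description, triggering request).
    return Counter((r["call"], r["description"], r["request"]) for r in records)
```

Run over the logs posted above, every exception resolves to a SCEPHelper call failing with "Operation not permitted", the symptom the last reply attributes to running Profile Manager on an OD replica.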
