Profile Manager - unable to install the Remote Access profile in multi-Active Directory domain & network environment
Hello All,
I'm an IT administrator for a college and I'm attempting to fix what appears to be the final hurdle in getting Profile Manager to work correctly.
I've been working for a while now trying to get Profile Manager able to push device and group profiles to Macs within our network environment. I have been able to get it to work intermittently, but not often. The majority of the time I'm unable to install the Remote Management profile.
When attempting to install the Remote Management profile I am given one of two errors:
The first error is:
Profile Installation Failed.
The profile "Remote Management (com.apple.config.server.fqdn.mdm:GUID)" could not be installed due to an unexpected error <MDMResponseStatus:500>
(Obviously server.fqdn and GUID are placeholders for their actual values)
The second error is:
Profile Installation Failed.
Unable to contact the SCEP server at "http://server.fqdn:1640/scep/".
The Mac Server is running OS X 10.11.4
OS X Server is version 5.1
Client Macs are mostly running 10.10.4
Here's a quick run down on the environment and the steps I've already taken to troubleshoot the issue.
- The network is a multi-domain Active Directory environment with multiple networks. I'm working primarily with two different networks, each associated with one of the two domains.
- The Mac Server that hosts Profile Manager is a Mac Pro. Both NICs are in use, each on one of the two networks. The Mac Server is bound to the primary domain in the forest.
- I have opened all the necessary ports and IP ranges for the Apple Push Notification service for both networks on our Firewall and tested from both networks to make sure that APN is reachable.
- I have created a static DNS entry for the server in the DNS zone for the primary domain. I've also created a separate DNS zone just for the DNS A record for the interface on the secondary network. I have also confirmed that Macs see the correct IP address for the Mac Server for their network.
- I've tested changing the network access settings for Profile Manager. The first error seems to occur when Profile Manager's access is restricted to the network that the client Mac is not connected to. This same error also occurs if I open up Profile Manager's access to "All Networks".
- I've experimented with different certificate types. Generally, I'm using the self-signed certs that are generated automatically. In this scenario, I'm installing the Trust Profile first (which works seamlessly regardless of network or domain). I've also tried using a Code Signing certificate signed with our own CA to sign the Remote Management profile. The same errors occur regardless of which certificates are used.
- The second error occurs when Profile Manager's access is restricted to the same network that the client Mac is connected to.
- I have run Wireshark captures on multiple client computers as well as on the Mac Server interfaces and didn't see any blocked or rejected traffic that appeared related to Profile Manager.
- I have deleted and rebuilt my OD master.
- I've also scoured the Profile Manager logs for any clues and haven't found much.
- Additionally, I've also researched the problem/error codes/etc. extensively and haven't found much useful information.
- I'm sure there have been other troubleshooting steps I've taken as well, but I've been fighting this issue for a while and I don't remember every one.
Now here's an odd thing: I had it working for Macs on the primary network and domain. However, I discovered that Macs on the secondary network and domain were unable to download the Remote Management profile. That's when I began experimenting with changing the Profile Manager network access settings, which ended up introducing the problem on the Macs connected to the primary network/domain. Changing the access settings back in Profile Manager did not restore functionality for the Macs that were working.
The other odd thing in this whole testing scenario: the Macs on the secondary network/domain would not install the Remote Management profile unless I temporarily moved them to the primary network (I did not unbind/rebind to the primary domain on these Macs). Then I could get the Remote Management profile to install, and pushing profiles worked fine. Even stranger is that the Macs that I had to temporarily move from the secondary network to the primary network to allow the Remote Management profile to install still work as long as Profile Manager's access is restricted to the secondary network and "This Mac" only. However, Macs in the same room, on the same network, in the same domain, using the exact same image get the errors outlined above.
The only thing I haven't done yet is delete/rebuild Profile Manager. I'd really like to avoid that if possible. Also, solutions that involve something like Casper or some other AD integration software for Macs are a non-starter.
I'm happy to provide additional details if necessary. I appreciate the assistance.
Mac Pro, OS X El Capitan (10.11.4), OS X Server machine