prescottsouthern

Q: Issue with access being blocked to apple server. all ports open

Our Apple server (static IP) is being blocked by our Cisco 2500 wireless controller. All requests to this server are being blocked. We have other access points not on the controller, which allow full access, so I know the issue is with the Cisco.

I have already tried making an access control list in which I left all IPs and ports open; however, the issue still remains.

Is there something I have overlooked as to why the MDM requests are timing out, given that they are working on a different array of access points on the same network?

Below is a log from one of the iPads managed by the MDM:

Jun  6 09:54:30 ipad02 mdmd[4863] <Notice>: (Note ) MDM: mdmd starting...
Jun  6 09:54:30 ipad02 mdmd[4863] <Notice>: (Note ) MDM: Network reachability has changed.
Jun  6 09:54:30 ipad02 mdmd[4863] <Notice>: (Note ) MDM: Network reachability has changed.
Jun  6 09:54:30 ipad02 mdmd[4863] <Notice>: (Note ) MDM: Push token received.
Jun  6 09:54:30 ipad02 mdmd[4863] <Notice>: (Note ) MDM: Received push notification.
Jun  6 09:54:30 ipad02 mdmd[4863] <Notice>: (Warn ) MDM: Ignoring extra keys in push dictionary: {
   time = "486865470.150255";
}
Jun  6 09:54:30 ipad02 mdmd[4863] <Notice>: (Note ) MDM: Polling MDM server https://mac-server.local/devicemanagement/api/device/mdm_connect for next command.
Jun  6 09:55:31 ipad02 mdmd[4863] <Notice>: (Error) MC: Connection to https://mac-server.local/devicemanagement/api/device/mdm_connect failed with error: NSError:
Desc   : The request timed out.
Domain : NSURLErrorDomain
Code   : -1001
Type   : MCFatalError
Jun  6 09:55:31 ipad02 mdmd[4863] <Notice>: (Note ) MDM: Could not send response to MDM server. Error: NSError:
Desc   : The request timed out.
Domain : NSURLErrorDomain
Code   : -1001
Type   : MCFatalError
Jun  6 09:55:31 ipad02 mdmd[4863] <Notice>: (Note ) MDM: mdmd stopping.

And a log of it working on another AP:

========== 6 Jun 2016, 9:58:23 AM ==========
Jun 6 09:58:33 ipad02 mdmd[4865] <Notice>: (Note ) MDM: mdmd starting...
Jun 6 09:58:33 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Network reachability has changed.
Jun 6 09:58:33 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Network reachability has changed.
Jun 6 09:58:33 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Push token received.
Jun 6 09:58:33 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Received push notification.
Jun 6 09:58:33 ipad02 mdmd[4865] <Notice>: (Warn ) MDM: Ignoring extra keys in push dictionary: {
time = "486865713.324033";
}
Jun 6 09:58:33 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Polling MDM server https://mac-server.local/devicemanagement/api/device/mdm_connect for next command.
Jun 6 09:58:34 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Transaction completed. Status: 200
Jun 6 09:58:34 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Attempting to perform Supervised request: DeviceInformation
Jun 6 09:58:34 ipad02 mdmd[4865] <Notice>: (Note ) MC: Loaded SetupAssistant.framework
Jun 6 09:58:34 ipad02 mdmd[4865] <Notice>: (Note ) MC: Loaded FrontBoardServices.framework
Jun 6 09:58:34 ipad02 mdmd[4865] <Notice>: (Note ) MC: Loaded DataAccessExpress.framework
Jun 6 09:58:34 ipad02 findmydeviced[4866] <Warning>: findmydeviced has been launched
Jun 6 09:58:35 ipad02 mdmd[4865] <Notice>: (Note ) MC: Loaded BulletinBoard.framework
Jun 6 09:58:35 ipad02 mdmd[4865] <Notice>: (Note ) MC: Loaded Preferences.framework
Jun 6 09:58:35 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Command Status: Acknowledged
Jun 6 09:58:35 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Polling MDM server https://mac-server.local/devicemanagement/api/device/mdm_connect for next command.
Jun 6 09:58:35 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Transaction completed. Status: 200
Jun 6 09:58:35 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Attempting to perform Supervised request: Restrictions
Jun 6 09:58:35 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Handling request type: Restrictions
Jun 6 09:58:36 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Command Status: Acknowledged
Jun 6 09:58:36 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Polling MDM server https://mac-server.local/devicemanagement/api/device/mdm_connect for next command.
Jun 6 09:58:36 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Transaction completed. Status: 200
Jun 6 09:58:36 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Attempting to perform Supervised request: CertificateList
Jun 6 09:58:36 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Handling request type: CertificateList
Jun 6 09:58:36 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Command Status: Acknowledged
Jun 6 09:58:36 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Polling MDM server https://mac-server.local/devicemanagement/api/device/mdm_connect for next command.
Jun 6 09:58:36 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Transaction completed. Status: 200
Jun 6 09:58:36 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Attempting to perform Supervised request: ProvisioningProfileList
Jun 6 09:58:36 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Handling request type: ProvisioningProfileList
Jun 6 09:58:36 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Command Status: Acknowledged
Jun 6 09:58:36 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Polling MDM server https://mac-server.local/devicemanagement/api/device/mdm_connect for next command.
Jun 6 09:58:36 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Transaction completed. Status: 200

Posted on Jun 5, 2016 10:58 PM


  • by Linc Davis,

    Linc Davis, Level 10 (207,990 points), Applications
    Jun 6, 2016 8:25 AM in response to prescottsouthern

    I wouldn't know about the router, but you're using a domain name in the "local" TLD, which is reserved for multicast DNS. For Profile Manager, you need a working unicast setup.


    OS X Server: Resolving issues with Profile Manager - Apple Support

  • by prescottsouthern,

    prescottsouthern, Level 1 (4 points), Servers Enterprise
    Jun 6, 2016 3:35 PM in response to Linc Davis

    Hi, thanks for the response. Yeah, the Mac server is called mac-server.local; do you think this may be the cause of the issue? It seems strange that it would work fine over one wireless array but then not over the WLC.

    It is worth mentioning that the Apple server is not one of our main servers; it is simply there for MDM management. What would be a better naming convention for the Mac server aside from the .local? (Only option I thought it had when setting up.)

  • by Linc Davis,

    Linc Davis, Level 10 (207,990 points), Applications
    Jun 6, 2016 5:32 PM in response to prescottsouthern

    In the Server app, please select the server icon at the top of the sidebar, then select the Overview tab. Click the button labeled

              Edit Host Name...

    In the sheet that drops down, click through to the screen headed

              Choose how users will access your server

    Make sure the right option is selected.

    Unless you choose Local Network, the server needs a static IP address on the local network, and you need a working DNS setup with at least a three-level FQDN for the server; for example:

              server.yourdomain.com

    Something like this won't work:

              servername.com

    and neither will this:

              anything.local

    The .local TLD is reserved for multicast DNS (Bonjour.)
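An added example, not part of the thread: a Python script that applies the naming rules from the reply above (three-level FQDN, no .local) to the MDM server host found in mdmd log lines like those in the question, and records per mdmd process whether the poll returned 200 or failed with the NSURLErrorDomain -1001 timeout. The sample log lines are constructed in the shape of the question's log.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the mdmd entries quoted in the question:
# one poll that times out (NSURLErrorDomain -1001) and one that returns 200.
SAMPLE_LOG = """\
Jun  6 09:54:30 ipad02 mdmd[4863] <Notice>: (Note ) MDM: Polling MDM server https://mac-server.local/devicemanagement/api/device/mdm_connect for next command.
Jun  6 09:55:31 ipad02 mdmd[4863] <Notice>: (Error) MC: Connection to https://mac-server.local/devicemanagement/api/device/mdm_connect failed with error: NSError:
Code   : -1001
Jun  6 09:58:33 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Polling MDM server https://mac-server.local/devicemanagement/api/device/mdm_connect for next command.
Jun  6 09:58:34 ipad02 mdmd[4865] <Notice>: (Note ) MDM: Transaction completed. Status: 200
"""

URL_RE = re.compile(r"https?://\S+")
PID_RE = re.compile(r"mdmd\[(\d+)\]")
CODE_RE = re.compile(r"^\s*Code\s*:\s*(-?\d+)")


def check_hostname(host):
    """Naming rules from the reply: at least three labels (server.domain.tld)
    and no .local TLD, which is reserved for multicast DNS (Bonjour)."""
    labels = host.lower().rstrip(".").split(".")
    if labels[-1] == "local":
        return "bad: .local is reserved for multicast DNS"
    if len(labels) < 3:
        return "bad: needs a three-level FQDN such as server.yourdomain.com"
    return "ok"


def triage_mdmd_log(text):
    """Pair each MDM server host with its naming verdict; outcome per mdmd pid."""
    hosts, outcomes, last_pid = {}, {}, None
    for line in text.splitlines():
        m = PID_RE.search(line)
        if m:
            last_pid = m.group(1)
        u = URL_RE.search(line)
        if u:
            host = urlparse(u.group(0)).hostname
            hosts[host] = check_hostname(host)
        if "Transaction completed. Status: 200" in line:
            outcomes[last_pid] = "ok"
        elif "failed with error" in line:
            outcomes[last_pid] = "failed"
        c = CODE_RE.match(line)
        # NSError detail lines carry no pid: attribute them to the last failure.
        if c and outcomes.get(last_pid) == "failed":
            outcomes[last_pid] = f"failed (code {c.group(1)})"
    return {"hosts": hosts, "outcomes": outcomes}
```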

  • by prescottsouthern,

    prescottsouthern, Level 1 (4 points), Servers Enterprise
    Jun 6, 2016 5:58 PM in response to Linc Davis

    Currently the Apple server is set up with a static IP address on our network (mac-server.local).

    Our local network domain is a .local (e.g. ourdomain.local). (This is unfortunate, I know.)

    So the Apple server should be named something like macserver.ourdomain.local?

  • by Linc Davis,

    Linc Davis, Level 10 (207,990 points), Applications
    Jun 6, 2016 6:05 PM in response to prescottsouthern

    The .local top-level domain is reserved for multicast DNS, which Apple calls "Bonjour." The restriction wasn't enforced before OS X 10.10, but it is now. Unicast domain names with that TLD will not resolve with the system in its default configuration.

    If you have an Active Directory setup that can't be changed, and you absolutely must use unicast names in the .local TLD, please disable Bonjour on all Mac clients as described in the mDNSResponder(8) manual page:

    sudo defaults write /Library/Preferences/com.apple.mDNSResponder NoMulticastAdvertisements -bool YES

    Important networking features that users may expect will be lost.

  • by prescottsouthern,

    prescottsouthern, Level 1 (4 points), Servers Enterprise
    Jun 6, 2016 7:08 PM in response to Linc Davis

    Unfortunately there is no way that I can change our .local domain name.

    I just need the Apple server to act as an MDM for the iPads here, just managing apps and settings.

    So if I disable Bonjour on the Mac server machine and keep the .local name, it should work?

    If I changed the host name of the Apple server, would that affect devices currently enrolled? (Not ideal, but I'm willing to do it for a better solution.)

  • by Linc Davis,

    Linc Davis, Level 10 (207,990 points), Applications
    Jun 6, 2016 7:49 PM in response to prescottsouthern

    So if I disable Bonjour on the Mac server machine and keep the .local name, it should work?

    I can't be sure of that. I am sure that the setup you have now is wrong.

    If I changed the host name of the Apple server, would that affect devices currently enrolled?

    You need a three-part FQDN, such as server.domain.tld, and you will need to redo the server certificates. Good luck.