Pierre Froelicher1

Q: Enroll Lion 10.7.5 client

Hi,

I have a group of minis in our company and use server 10.11 to manage them remotely.

Recently I upgraded a mini 2007 to LION 10.7.5 and would like to enroll it in our server to have mobile accounts and push some settings onto it.

When I enroll it, it gives me an error that enrollment failed due to an unexpected error.

Any hints where to look?

Yours

Pierre

Mac mini Server (Mid 2010), OS X Server

Posted on Jul 7, 2016 9:30 AM


  • by Pierre Froelicher1, Jul 7, 2016 1:10 PM in response to Pierre Froelicher1

    and the server says

    07/07/16 17:07:07,176 System Preferences: *** ERROR *** [CPInstallerUI:501] Profile installation (Remote Management (com.apple.config.access.embatek.com.br.mdm)) (Checkin 'Authenticate' failed: 0 <InternalError:1>)

  • by donovanm21 (solved answer), Jul 7, 2016 1:14 PM in response to Pierre Froelicher1

    Did you install the Trust Certificate on the 10.7 client?

  • by Pierre Froelicher1, Jul 7, 2016 3:02 PM in response to donovanm21

    Donovan,

    yes I did. That worked.

    Yours

    Pierre

  • by donovanm21, Jul 7, 2016 11:34 PM in response to Pierre Froelicher1

    Client and server on the same network? Or are you trying to enrol the client via the internet to the MDM?

  • by Pierre Froelicher1, Jul 8, 2016 7:35 AM in response to donovanm21

    Donovan,

    My trust certificate is self-signed. I have a Go Daddy certificate for my site, but it seems I cannot use it for Profile Manager for reasons beyond me. I cannot register this certificate, nor a self-signed one, in the Profile Manager.

    I checked and a Code Signing Certificate costs about 300 USD/year and therefore is totally beyond my scope.

    When I request enrollment the server says

    devicemanagement/mdm/mdm_enroll]

    1:: [17255] [2016/07/08 11:07:06.139] <10.0.117.26> >>> Processing POST mdm_enroll

    1:: [17255] [2016/07/08 11:07:06.322] <10.0.117.26> OSX version 10.7.5

    0:: [17255] [2016/07/08 11:07:06.815] <10.0.117.26> No signing certificate specified, unable to sign.

    1:: [17255] [2016/07/08 11:07:06.817] <10.0.117.26> <<< Sent Final Output (6634 bytes) - POST mdm_enroll

    0:: [17255] [2016/07/08 11:07:06.817] <10.0.117.26> Completed in 715ms | 200 OK [https://access.embatek.com.br/

    Any suggestions?

  • by donovanm21, Jul 8, 2016 7:44 AM in response to Pierre Froelicher1

    When you set up Profile Manager it sets up Open Directory as part of the process. When it sets up Open Directory it creates a Code Signing Certificate for you; it's the server's FQDN with OD Intermediate CA appended at the end. You have to use this certificate to sign the profiles if you are not using a 3rd party certificate. I use a Rapid SSL certificate for the Web server so that clients trust the server automatically and don't need to install the trust.

    Short answer: check the "Sign Configuration Profiles" box under Profile Manager and select the OD code sign certificate. Then recreate your enrolment profile on the Profile Manager web console and try to enrol the device again using the new profile.

    Hope this helps.
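
An added example, not part of the thread and not Apple's or either poster's code: a Python sketch that scans Profile Manager log lines in the format quoted above and lists the mdm_enroll requests that were answered while the server logged "No signing certificate specified". The lines for client 10.0.117.30 are constructed, the leading `N::` field is assumed to be a log level, and the function names are hypothetical.

```python
import re

# First four lines are the ones quoted in the thread; the 10.0.117.30 request is constructed.
SAMPLE_LOG = """\
1:: [17255] [2016/07/08 11:07:06.139] <10.0.117.26> >>> Processing POST mdm_enroll
1:: [17255] [2016/07/08 11:07:06.322] <10.0.117.26> OSX version 10.7.5
0:: [17255] [2016/07/08 11:07:06.815] <10.0.117.26> No signing certificate specified, unable to sign.
1:: [17255] [2016/07/08 11:07:06.817] <10.0.117.26> <<< Sent Final Output (6634 bytes) - POST mdm_enroll
1:: [17301] [2016/07/08 11:09:10.002] <10.0.117.30> >>> Processing POST mdm_enroll
1:: [17301] [2016/07/08 11:09:10.120] <10.0.117.30> OSX version 10.11.5
1:: [17301] [2016/07/08 11:09:10.480] <10.0.117.30> <<< Sent Final Output (7012 bytes) - POST mdm_enroll
"""

# level:: [pid] [timestamp] <client ip> message  (level meaning is an assumption)
LINE = re.compile(r"^\s*(\d+)::\s+\[(\d+)\]\s+\[([^\]]+)\]\s+<([^>]+)>\s+(.*)$")

def audit_enrollments(text):
    """Return one record per completed mdm_enroll request, in completion order."""
    open_reqs, done = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # truncated or unrelated line
        _level, pid, ts, client, msg = m.groups()
        key = (pid, client)  # a request is tracked per worker pid and client
        if msg.startswith(">>> Processing POST mdm_enroll"):
            open_reqs[key] = {"client": client, "start": ts, "os": None, "unsigned": False}
        elif key in open_reqs:
            req = open_reqs[key]
            if msg.startswith("OSX version "):
                req["os"] = msg[len("OSX version "):].strip()
            elif "No signing certificate specified" in msg:
                req["unsigned"] = True  # server could not sign what it sent back
            elif msg.startswith("<<< Sent Final Output"):
                done.append(open_reqs.pop(key))
    return done

def unsigned_clients(text):
    """Client addresses that received an enrollment response the server could not sign."""
    return sorted({r["client"] for r in audit_enrollments(text) if r["unsigned"]})

if __name__ == "__main__":
    for r in audit_enrollments(SAMPLE_LOG):
        state = "UNSIGNED" if r["unsigned"] else "no signing warning"
        print(f'{r["start"]} {r["client"]} OS {r["os"]}: {state}')
```
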

  • by Pierre Froelicher1, Jul 21, 2016 11:28 AM in response to donovanm21

    Donovan,

    I did a new OD Intermediate certificate. I sent the trust profile to the LION Client but still. The %&$# thing will not Enroll.

    They are both on the same intranet with Ethernet.

    When I look at the profile to be enrolled, all the "wipe remotely" features are in red. Does LION not support them and therefore cannot be enrolled? Has anyone enrolled a 10.7 client ever?