wwdaher

Q: MDM registration fails with 'Failed to find CRL, unknown CA'

I'm setting up a few classes' worth of iPads for a local school and have run into some issues getting the iPads registered on the Apple MDM server.

We have a Mac mini running the latest version of El Capitan, and the iPads connect to it using the domain name (theserver.mdm.theschool.edu). The domain is registered and administered by a third party, and they run the main web site (theschool.edu), but they have forwarded all requests on the mdm subnetwork (i.e. *.mdm.theschool.edu) to our local network (ASM has managed to contact our server using theserver.mdm.theschool.edu, so we know it works). nslookup and ping from inside the local network find theserver.mdm.theschool.edu without a problem.

Because we can't mess with the main DNS for this project, I'm running DNS on the Mac mini and sending all requests from our mdm subnet to this server. All iPads use this server address as their DNS server and have no trouble accessing it. Any unknown requests are forwarded to the main DNS server.

I've created a domain in Open Directory for our local subnet (mdm.theschool.edu), and the master is this Mac mini.

When I try to register an iPad via the server web site, it fails and I only see this in the log:
Jul 22 15:23:21 salome xscertd-helper[2261]: Failed to find CRL, unknown CA : F9D65C0B-42E7-4EBE-96A1-BB5F2EC0EF2C

I'm using self-generated certificates. The CA given in the message changes each time.

I can download the certificate I'm using to the iPad successfully; I just can't actually register the device. I've had a look at all the certificates I can see, and they all have what looks like the correct CA in them.

Where else can I find more diagnostic info? Why does the CA keep changing (corruption, random data due to something not specified, ...)?

Mac mini, iOS 9.3.3

Posted on Jul 30, 2016 5:24 AM
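The question turns on the words "unknown CA". In any X.509 verifier that phrase means the certificate's issuer is not in the trust store the verifier consults, independent of what the certificate itself says about its CA. The following shell script is an added example, not code from the thread, from Apple, or from the asker's server: it generates a throw-away CA and a server certificate with openssl, reads the issuer and CRL distribution point out of the leaf, and verifies the leaf once against the correct CA and once against an unrelated one. The CA names, the CRL URL and the key material are constructed test values; the thread does not establish which trust store xscertd-helper consults, so treat this as the check to run with openssl on the exported certificates rather than as a description of Profile Manager internals.

```shell
#!/bin/sh
# Added diagnostic example, not code from the thread or from Apple. It shows
# what an X.509 verifier means by "unknown CA": the certificate's issuer is not
# in the trust store the verifier consults. All key material is generated here
# on the fly; the CA names, the CRL URL and the hostname are made-up test values.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build a throw-away PKI: a private CA, a server certificate it signs (with a
# CRL distribution point, as a real deployment would have), and a second,
# unrelated CA standing in for a trust store that lacks the real issuer.
make_test_pki() {
    openssl req -x509 -batch -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test MDM CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -batch -newkey rsa:2048 -nodes \
        -subj "/CN=theserver.mdm.theschool.edu" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    printf '%s\n' \
        'subjectAltName=DNS:theserver.mdm.theschool.edu' \
        'crlDistributionPoints=URI:http://theserver.mdm.theschool.edu/ca.crl' \
        > "$WORK/leaf.ext"
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
    openssl req -x509 -batch -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Some Other CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
}

# Issuer DN of a certificate: this is the CA the verifier must already trust.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# First CRL distribution point URI in the certificate, or nothing if absent.
# The verifier fetches the CRL from here, so the name must resolve from the
# verifier's vantage point (relevant with split DNS like the asker's).
cert_crl_dp() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/CRL Distribution Points/,/URI:/p' \
        | grep -o 'URI:[^[:space:]]*' | head -n 1 | sed 's/^URI://'
}

# Verify a leaf against a given trust store and report the outcome in the
# two words that matter for the thread's error message.
chain_status() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo "trusted"
    else
        echo "unknown CA"
    fi
}

make_test_pki
echo "issuer:   $(cert_issuer "$WORK/leaf.pem")"
echo "CRL DP:   $(cert_crl_dp "$WORK/leaf.pem")"
echo "right CA: $(chain_status "$WORK/leaf.pem" "$WORK/ca.pem")"
echo "wrong CA: $(chain_status "$WORK/leaf.pem" "$WORK/other.pem")"
```

The same leaf verifies cleanly against the CA that signed it and is "unknown CA" against any other store, which is why looking at the certificate alone (as the asker did) cannot settle the question; the store the verifying process uses has to be inspected too. The CRL distribution point is the second thing to check on a split-DNS setup like the one described: the hostname in that URI must resolve and be reachable from wherever the CRL is actually fetched.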


  • by cdhw, Level 4 (2,623 points), Aug 2, 2016 6:21 PM in response to wwdaher

    I may be wrong, but AFAIK MDM won't work with self-generated certificates; you need to get a push certificate from Apple linked to an Apple ID. You don't mention doing this in your question.

    Also, according to:

         https://help.apple.com/serverapp/mac/5.1.5/#/apd05B9B761-D390-4A75-9251-E9AD29A61D0C

    "To use Profile Manager as a mobile device management (MDM) service, OS X Server should have a static Internet network address, and a fully qualified domain name, and it can’t be on an isolated network."

    C.

  • by wwdaher, Level 1 (4 points), Aug 3, 2016 12:33 PM in response to cdhw

    I had it working initially when I simply turned on Open Directory services, allowed the domain name to default to 'local', and used all the built-in certificates.

    The IP address is static, though of course not on the open internet. In theory I'd expect that if it was on an internal network, devices wouldn't be controllable outside the network, as the server would be unreachable. There are, however, documents which detail which ports to open on your firewall, so there must be installations where it works without a single static internet address for the server.

  • by wwdaher (Solved answer), Level 1 (4 points), Aug 6, 2016 5:27 AM in response to cdhw

    I've now installed the latest update to OS X Server, and now it all works. I've not changed anything else, simply did the install (version 5.1.7), and though it took a long time to reconnect to the server once installed (close to an hour), after a reboot I managed to register two iPads without a problem.

    Thanks for your suggestions.