MDM Profile install fails outside our LAN

I'm attempting to enroll an iPad outside our organization's LAN. It's connected to the AT&T cell network and is able to see our Profile Manager just fine. It sees our certificates and shows the various warnings; I go ahead and tap 'Install'. Then I tap 'Trust'. A key is generated. The certificate is enrolled. Then at the 'install profile' step it fails with a nondescript message of "Profile installation failed".


I monitor the logs on our MDM server and can see the iPad communicating.


The server log for devicemgrd.log reports incoming requests.


But something is happening after that. And, there's no log file indicating what's going on.


Before I go down the rabbit hole and trace TCP packets on our firewall, is there something more simple to check?


For example, is there something about our self-signed certificates? Or something else?


Thanks in advance.

iPad 2, iOS 9.3.5

Posted on Sep 15, 2016 1:25 PM


Sep 16, 2016 8:20 AM in response to JDLoren

In this case the MDM provider is myself. We're using the OSX Server and Profile Manager.


Enrolling devices within our LAN works great.


Enrolling devices outside the LAN doesn't. It fails to install the profile. Though, I can install the Trust profile from outside the LAN. I cannot Enroll a device.


I've observed various log files on our OS X server. They're not very helpful. They show positive connections but no errors. I've tried observing the log files related to our server's connection to Apple's APNS servers with debugging on. There's nothing odd there, at least that I can discern.


I've watched packets on our firewall to see if something is being blocked or dropped. Nothing there seems out of place.


It's quite mysterious and I'm unsure whom to turn to at this point.

Sep 20, 2016 1:13 PM in response to childandfamilyagency

Our organization is running its own MDM (OS X Server) as well, and I had the same issue as you. I was trying to Google a solution for almost 6 months now, but still no luck.


Here's my temporary solution. It's a bit complicated, but it's 100% working. Use a VPN connection from your device; that way the network will detect that your device is connected to the network (in-house), so the enrolling process will go through. Then, after the enrollment, you can remove the VPN configuration or let it stay there; it's up to you!


I hope you find this information useful, and of course I am still hoping that we both find a better solution for this 😐

Sep 20, 2016 1:13 PM in response to a.agulto

Thank you for the suggestion regarding the VPN. I'd prefer to avoid such messiness, particularly if I need to re-enable the VPN in the future to properly manage the devices. Better to have the MDM simply work properly.


Today I brought the device to another of our WAN locations. That location has its own firewall and must pass through an additional firewall to access our Apple MDM Server. Even with those firewalls in place the device was able to successfully enroll in our MDM.


So, it would seem the enrollment problem isn't related to our firewalls blocking something.


I'm at a loss for the difference in the enrollment process via the cell network vs. our external WAN sites.


Perhaps I'll call Enterprise support and see what they can suggest.
