Server 5.3.1 Profile Manager enrollment stuck on "in progress"

Upgraded from El Cap to Sierra and Server 5.3.1, and now when I try to enrol a client (a Mac mini running El Cap, for example) I can install the Trust profile fine, but when installing the Remote Management profile I can see in Profile Manager that the profile hasn't fully finished; it shows "in progress".


Sometimes I receive a "the request timed out" or "internal error -1" when installing the Remote Management profile.


I have noticed that the trust profile now includes 2 certs, where it only included 1 previously on my El Cap server set up - is this normal for server 5.3?


To give you some info on my setup: I do not use signed configuration profiles for PM and I do not sign my OD either; this was a result of a server headache a few years back. I'm not against turning these back on, but I don't want to break things any further or have to re-enroll the entire estate.


My server is NAT'd to be visible externally and worked before the upgrade to Sierra and Server 5.3.


Any thoughts? 😟


SCEP_Helper.log doesn't seem to have updated since I upgraded to Server 5.3.

Mac mini, OS X Server

Posted on Aug 2, 2017 8:04 AM

Question marked as Top-ranking reply

Posted on Dec 17, 2017 9:23 PM

Sounds like maybe you need to open up port 80 to your server. Starting with Server 5.3, the SCEP exchange happens on port 80 instead of port 1640. (It's the only Server service that will operate on port 80, other than your own custom website, and the SCEP protocol was designed for use over a non-encrypted transport, so there are no added security concerns with this change.)


Also, as of Server 5.3, SCEP_Helper was renamed to dm_helper, and the SCEP functionality was moved into dmSCEPService, so SCEP transactions will be logged to dmSCEPService.log. If that file isn't updating (or is missing), then you almost certainly have a port forwarding issue.


The same applies to Server 5.4.

10 replies

Dec 18, 2017 12:05 PM in response to essandess

One easy way to tell if the path to/from your server is opened correctly is to run this command in Terminal from another machine (both on your network and outside your network, if you want external enrollment to work):


curl http://host.example.com/mdm/scep?operation=GetCACaps

(Replacing "host.example.com" with your server's FQDN, of course.)

This should output the following:

POSTPKIOperation

SHA-512

SHA-256

SHA-1

DES3

If you get anything else, you probably still have a problem with your firewall and/or port forwarding.
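A scripted version of the two checks described in this reply and in the top-ranking reply above (the GetCACaps probe on port 80, and whether dmSCEPService.log is still being written), as an added example that is not part of any post in this thread. The expected capability list is the one printed above and the log path is the one given in the top-ranking reply; the script name, the `--log` switch and the ten-minute freshness window are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a Server 5.3/5.4 Profile
# Manager SCEP endpoint the way the replies above describe.
# Usage: sh scep_check.sh host.example.com            (probe from any machine)
#        sudo sh scep_check.sh host.example.com --log  (probe + log check, on the server)

# Capability list the thread says Server 5.3/5.4 returns for GetCACaps.
EXPECTED_CAPS="POSTPKIOperation SHA-512 SHA-256 SHA-1 DES3"

# Log file named in the top-ranking reply; 10 minutes is an assumed freshness window.
SCEP_LOG="/Library/Logs/ProfileManager/dmSCEPService.log"
MAX_AGE_MIN=10

# fetch_caps HOST: print the GetCACaps body. -f fails on 4xx/5xx (e.g. a 503),
# --max-time bounds the "request timed out" case instead of hanging.
fetch_caps() {
    curl -sf --max-time 10 "http://$1/mdm/scep?operation=GetCACaps"
}

# validate_caps BODY: 0 if every expected capability appears as a whole line.
# Whole-line matching (grep -x) stops "SHA-1" from being satisfied by "SHA-128",
# and stripping \r copes with CRLF line endings in the HTTP body.
validate_caps() {
    missing=""
    for cap in $EXPECTED_CAPS; do
        if ! printf '%s\n' "$1" | tr -d '\r' | grep -qx "$cap"; then
            missing="$missing $cap"
        fi
    done
    if [ -n "$missing" ]; then
        echo "GetCACaps answered, but these capabilities are missing:$missing" >&2
        echo "you may have reached a different web server on port 80, not Profile Manager" >&2
        return 1
    fi
    return 0
}

# check_scep_log LOGFILE MAX_MIN: 0 if the file exists and was modified within
# MAX_MIN minutes. find -mmin works with both macOS and GNU find.
check_scep_log() {
    if [ ! -f "$1" ]; then
        echo "$1 does not exist: SCEP traffic is not reaching dmSCEPService" >&2
        return 1
    fi
    if [ -z "$(find "$1" -mmin "-$2" 2>/dev/null)" ]; then
        echo "$1 exists but has not been written in the last $2 minutes" >&2
        return 1
    fi
    return 0
}

# Only touch the network when a host is given on the command line.
if [ -n "$1" ]; then
    if body=$(fetch_caps "$1"); then
        if validate_caps "$body"; then
            echo "port 80 SCEP endpoint on $1 looks healthy"
        else
            exit 1
        fi
    else
        echo "no usable answer from http://$1/mdm/scep on port 80: check the firewall and port forwarding" >&2
        exit 1
    fi
    if [ "$2" = "--log" ]; then
        check_scep_log "$SCEP_LOG" "$MAX_AGE_MIN" && echo "$SCEP_LOG is being updated"
    fi
fi
```

Run it once from the LAN and once from outside; a failure in `fetch_caps` points at the firewall or port forward, while a failure in `validate_caps` usually means port 80 is answered by something other than Profile Manager (a Websites site, a router admin page). A healthy GetCACaps answer combined with a stale or missing dmSCEPService.log is the situation the later replies in this thread describe and is not a port problem.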

Dec 18, 2017 6:20 AM in response to essandess

Follow up: I do see the log file /Library/Logs/ProfileManager/dmSCEPService.log, and it is being updated:


ls -l /Library/Logs/ProfileManager/dmSCEPService.log

-rw-r----- 1 _devicemgr admin 17794 Dec 18 09:10 /Library/Logs/ProfileManager/dmSCEPService.log


tail -2 /Library/Logs/ProfileManager/dmSCEPService.log

0:: [33154] [2017/12/18 09:10:29.672] +[PGConnection reloadPreferences]: DBDebug = NO, DBLogNotices = NO, DBLogSQL = NO, DBMonitor = NO

1:: [33154] [2017/12/18 09:10:29.672] Starting XPC listener com.apple.DeviceManagement.dmhttpd.dmSCEPService…

Dec 18, 2017 3:24 PM in response to mscott_mdm

That's exactly the response I get from curl. If this is a port issue, it's quite subtle.


I opened a case with enterprise support, but still no luck. Tried:


  • Trashing Server.app
  • Reinstalling Server.app
  • Completely wiping Profile Manager's PostgreSQL database (both wipeDB.sh command and removing postgres data directories)
  • Reinstalling the APNS certificate
  • Power cycling devices and rebooting the server.
  • Turning off all pf and app firewalls


None of that is working...


Are there other things that could cause this issue?


Searching the discussions for "Profile Manager pending" or "in progress" shows a huge number of hits.

Dec 18, 2017 6:02 AM in response to mscott_mdm

Thanks very much for the pointers!


I believe that port 80 is forwarded correctly, but I don't see the log file you point to. I'm still scratching my head about this.


Port 80 is forwarded, both on the LAN and from the internet. To sanity check, I edited and saved my router's port forwarding settings and confirmed from an external IP.


Nevertheless, I do not see the file dmSCEPService.log:


sudo find /var/log -name dmSCEPService.log

[No files found]


However, in Server.app>Logs>Profile Manager>Service Log, I do see updates, but on HTTPS (443) addresses. Are these the same?


Also, I do see devicemgr listening on port 80:


sudo lsof -i ':80'

devicemgr 56134 _devicemgr 10u IPv4 0xd5e3073ae12292ee 0t0 TCP localhost:65506->localhost:http (ESTABLISHED)


I use Server.app>Websites to open a private LAN-specific site, but this all appears to be configured correctly.


Also I tried rebuilding the database, but this didn't fix the issue:


sudo /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/config/migrate DB

sudo /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/config/refresh DB


Any follow-on pointers would be greatly appreciated.

Aug 2, 2017 8:18 AM in response to Bosco1983

This is taken from a log from a client that receives the "internal error 1" message when trying to install the Remote Management profile:

02/08/2017 16:15:52.418 com.apple.preferences.configurationprofiles.remoteservice[445]: *** ERROR *** [CPInstallerUI:501] Profile installation (MMHS.Info Enrolment Profile (com.apple.ota.www.mmhs.info.bootstrap:9ba50ea0-3c5b-0134-ffb8-685b35ab951a)) (Status: 503 for OTA-Phase2 download from: https://www.mmhs.info/devicemanagement/api/device/auto_join_ota_service <InternalError:1> CallStack: (

"0 mdmclient 0x0000000108bd9cc4 mdmclient + 31940",

"1 mdmclient 0x0000000108bd9e2f mdmclient + 32303",

"2 mdmclient 0x0000000108be8591 mdmclient + 91537",

"3 mdmclient 0x0000000108be6f94 mdmclient + 85908",

"4 mdmclient 0x0000000108bf9e29 mdmclient + 163369",

"5 mdmclient 0x0000000108be9a63 mdmclient + 96867",

"6 mdmclient 0x0000000108bf9c3b mdmclient + 162875",

"7 mdmclient 0x0000000108bf63b9 mdmclient + 148409",

"8 libdispatch.dylib 0x00007fff84aa8e73 _dispatch_client_callout + 8",

"9 libdispatch.dylib 0x00007fff84ab7ee9 _dispatch_sync_f_invoke + 39",

"10 mdmclient 0x0000000108bf62e8 mdmclient + 148200",

"11 mdmclient 0x0000000108bf673d mdmclient + 149309",

"12 libxpc.dylib 0x00007fff88740d15 _xpc_connection_call_event_handler + 58",

"13 libxpc.dylib 0x00007fff88740893 _xpc_connection_mach_event + 1901",

"14 libdispatch.dylib 0x00007fff84aaeba8 _dispatch_client_callout4 + 9",

"15 libdispatch.dylib 0x00007fff84aafc9f _dispatch_mach_msg_invoke + 445",

"16 libdispatch.dylib 0x00007fff84aac3bc _dispatch_queue_drain + 571",

"17 libdispatch.dylib 0x00007fff84aae540 _dispatch_mach_invoke + 232",

"18 libdispatch.dylib 0x00007fff84aabbef _dispatch_root_queue_drain + 463",

"19 libdispatch.dylib 0x00007fff84aaba1c _dispatch_worker_thread3 + 91",

"20 libsystem_pthread.dylib 0x00007fff8d06ca9d _pthread_wqthread + 729",

"21 libsystem_pthread.dylib 0x00007fff8d06a3dd start_wqthread + 13"

))

Aug 3, 2017 1:26 AM in response to Bosco1983

If a client is able to install the Remote Management profile, I can see this message in the logs. Looks like its timing out when trying to talk to the MDM server



03/08/2017 09:22:21.302 mdmclient[383]: *** ERROR *** [Agent:501] Sending 'Idle' request to server (Error Domain=NSURLErrorDomain Code=-1001 "The request timed out." UserInfo={NSUnderlyingError=0x7fc2a3c9d400 {Error Domain=kCFErrorDomainCFNetwork Code=-1001 "(null)" UserInfo={_kCFStreamErrorCodeKey=-2102, _kCFStreamErrorDomainKey=4}}, NSErrorFailingURLStringKey=https://www.mmhs.info/devicemanagement/api/device/mdm_connect, NSErrorFailingURLKey=https://www.mmhs.info/devicemanagement/api/device/mdm_connect, _kCFStreamErrorDomainKey=4, _kCFStreamErrorCodeKey=-2102, NSLocalizedDescription=The request timed out.})

Aug 3, 2017 5:35 AM in response to Bosco1983

Further testing...


Enrolling iPads also has a problem; I assume it's the same root cause.

Trust profile goes on fine, enrollment throws a wobbler:

"A connection to the server could not be established. [MCInstallationErrorDomain – 0xFA1 (4001)]"


I re-migrated the PM Database using

sudo /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/config/migrate DB

which helped push through a few stuck tasks, but the problem still remains where clients time out when trying to connect with the server via profiles 😟
