
Enroll to profile manager without erase

Masters,


In the last two years we used the Kaspersky MDM solution to manage our corporate iPhones. Unfortunately this MDM solution is untrustworthy, so we would like to change to Apple Profile Manager.


All devices are already supervised with Apple Configurator and enrolled to Kaspersky manually with a URL.


Question:


Is there any solution to enroll our devices to Profile Manager without erasing the devices?


Best Regards,


Krisztián

Posted on Nov 1, 2018 12:06 AM

Question marked as Best reply

Posted on Nov 7, 2018 2:03 PM

Oh, so you don't have DNS setup correctly then. Profile Manager absolutely will not work with raw IP addresses—you have to use a name, preferably a FQDN, but a Bonjour name can also work if you don't need to use PM outside of the local subnet.

14 replies

Nov 5, 2018 11:14 AM in response to Vrtboy

There are multiple ways to enrol to Profile Manager, using Apple Configurator is one, DEP is another but the following are also possible and do not require erasing.


  1. Go to https://yourserver.yourdomain.com/mydevices
  2. or download the enrolment profile from the Profile Manager server (via the web page which will require logging in as administrator) and then copy it to the client Mac and install it


Enrolment profiles can be installed by either double-clicking on them or using the profiles command in Terminal or via a script.

Nov 5, 2018 4:14 AM in response to Vrtboy

You should be able to remove the enrolment profile via System Preferences -> Profiles. You may have to enter a password to authorise this. Then you can enrol using the Profile Manager profile.


No erasure is needed.


If you're using Device Enrolment Protocol - DEP then you need to make sure the Kaspersky MDM is no longer defined as the MDM for your devices.

Nov 6, 2018 4:44 AM in response to John Lockwood

Dear John,


Thank you very much. I really appreciate it.

May I ask you for some help?


When I try to enroll my device I get "profile installation failed", a network error occurred...


My setup:

- we have another server which uses port 443, so I applied another one of our IPs

- added an A record, but no reverse record for it yet

- set the firewall to NAT port 443 from the fixed IP to the local IP (the OS X Server LAN IP)

- set the firewall to NAT port 1640 from the fixed IP to the local IP (the OS X Server LAN IP)


- installed OS X Server

- manually changed the host name to the fixed IP (Host name, Internet reachable and Computer name show a green LED)

- the cert was generated automatically for the fixed IP

- enabled Profile Manager, and I see it is reachable from my fixed IP


- I can open the Profile Manager site in a browser, but I get an SSL warning


When I open https://MYFIXIP/profilemanager or https://MYFIXIP/mydevices on my iPhone, the page loads. I log in with the credentials and then I see the Enroll button. When I hit it, I have to install the Remote Management profile, but it fails with the error message you see above.


Could you be so kind to help me fix this problem?


Regards,


Krisztián

Nov 6, 2018 11:37 AM in response to John Lockwood

Dear John,


I can install the Trust profile externally via browser. But when I hit the enroll button on the devices tab, I get an error while trying to install the Mobile Device Management profile.


First I got "A network error has occurred.". I plugged the phone into one of my Macs and checked the console. After a little googling I realised I need to open port 80 (I had only opened 1640 for SCEP, but as I realized this port is only for the earlier version of OS X Server).


So now I see the packets on my firewall on port 80 when I try to enroll, and now I get this error:


S Desc: The SCEP server returned an invalid response.

Domain : MCSCEPErrorDomain

Code : 22013

Type : MCFatalError

Nov 6 20:22:02 DX4RW0XLFF8 profiled[145] <Notice>: Cannot retrieve SCEP identity: NSError:Desc : A SCEP szerver \M-C\M-)rv\M-C\M-)nytelen v\M-C\M-!laszt k\M-C\M-<ld\M-C\M-6tt vissza.

US Desc: The SCEP server returned an invalid response.

Domain : MCSCEPErrorDomain

Code : 22013

Type : MCFatalError

Nov 6 20:22:02 DX4RW0XLFF8 profiled[145] <Notice>: Rolling back installation of profile \M-b\M^@\M^\com.apple.config.THISISMYIPIMASKEDIT.mdm\M-b\M^@\M^]...

Nov 6 20:22:02 DX4RW0XLFF8 profiled[145] <Notice>: Installation of profile \M-b\M^@\M^\com.apple.config.THISISMYIPIMASKEDIT.mdm\M-b\M^@\M^] failed with error: NSError:Desc : A(z) \M-b\M^@\M^^Remote Management\M-b\M^@\M^] profilt nem siker\M-C\M-<lt telep\M-C\M--teni.

Sugg : A SCEP szerver \M-C\M-)rv\M-C\M-)nytelen v\M-C\M-!laszt k\M-C\M-<ld\M-C\M-6tt vissza.

US Desc: The profile \M-b\M^@\M^\Remote Management\M-b\M^@\M^] could not be installed.

US Sugg: The SCEP server returned an invalid response.

Domain : MCProfileErrorDomain

Code : 1009

Type : MCFatalError

Params : (

"Remote Management"

)

...Underlying error:

NSError:

US Desc: The SCEP server returned an invalid response.

Domain : MCSCEPErrorDomain

Code : 22013

Type : MCFatalError

Extra info:

{

isPrimary = 1;

}

US Desc: Profile Failed to Install

US Sugg: The SCEP server returned an invalid response.

Domain : MCInstallationErrorDomain

Code : 4001

Type : MCFatalError

...Underlying error:

NSError:

US Desc: The profile \M-b\M^@\M^\Remote Management\M-b\M^@\M^] could not be installed.

US Sugg: The SCEP server returned an invalid response.

Domain : MCProfileErrorDomain

Code : 1009

Type : MCFatalError

Params : (

"Remote Management"

)

...Underlying error:

NSError:

US Desc: The SCEP server returned an invalid response.

Domain : MCSCEPErrorDomain

Code : 22013

Type : MCFatalError

Extra info:

{

Nov 7, 2018 12:56 PM in response to mscott_mdm

Dear mscott_mdm,


Thank you for your reply.

I checked dmscepservice.log; you can see the content below, but when I try to enroll a device the log content does not change:


[2299] [2018/11/05 22:04:45.977] -[SULogFileCollection setGlobalLogLevelPrefix:]: YES
0:: [2299] [2018/11/05 22:04:46.026]
########################################################### ########################################################### ########################################################### #######################
dmSCEPService-926.25 (PID+2299, OS+18A391, SERVER+18S1178, ARCH:x86_64) starting Log verbosity level = 1 UID = 220, EUID = 220
########################################################### ########################################################### ########################################################### #######################
0:: [2299] [2018/11/05 22:04:46.691] +[PGConnection reloadPreferences]: DBDebug = NO, DBLogNotices = NO, DBLogSQL = NO, DBMonitor = NO
1:: [2299] [2018/11/05 22:04:46.692] Starting XPC listener com.apple.DeviceManagement.dmhttpd.dmSCEPService…
[302] [2018/11/06 12:51:13.983] -[SULogFileCollection setGlobalLogLevelPrefix:]: YES
0:: [302] [2018/11/06 12:51:13.984]
########################################################### ########################################################### ########################################################### #######################
dmSCEPService-926.25 (PID+302, OS+18A391, SERVER+18S1178, ARCH:x86_64) starting Log verbosity level = 1 UID = 220, EUID = 220
########################################################### ########################################################### ########################################################### #######################
0:: [302] [2018/11/06 12:51:14.056] +[PGConnection reloadPreferences]: DBDebug = NO, DBLogNotices = NO, DBLogSQL = NO, DBMonitor = NO
1:: [302] [2018/11/06 12:51:14.056] Starting XPC listener com.apple.DeviceManagement.dmhttpd.dmSCEPService…
0:: [302] [2018/11/06 20:22:02.353] Certificate placeholder with challengePassword not found
0:: [302] [2018/11/06 20:22:02.353] EXCEPTION: FORBIDDEN USERINFO: { NSLocalizedDescription = "Unknown error 403"; }
0:: [302] [2018/11/06 20:22:02.356] Caught unhandled exception FORBIDDEN
0:: [302] [2018/11/06 20:22:27.696] Certificate placeholder with challengePassword not found
0:: [302] [2018/11/06 20:22:27.696] EXCEPTION: FORBIDDEN USERINFO: { NSLocalizedDescription = "Unknown error 403"; }
0:: [302] [2018/11/06 20:22:27.697] Caught unhandled exception FORBIDDEN
1:: [302] [2018/11/06 21:53:03.112] EXCEPTION: !IF <-[SCEPService _processSCEPRequest:] (SCEPService.m:212): "'((!IsValidNSString(op)))'">
0:: [302] [2018/11/06 21:53:03.113] -[DMHTTPDBaseServiceProvider processRequest:selectorName:withHandler:]_block_invoke: Caught unhandled exception -[SCEPService _processSCEPRequest:] (SCEPService.m:212): "'((!IsValidNSString(op)))'"
1:: [302] [2018/11/06 21:53:38.842] EXCEPTION: !IF <-[SCEPService _processSCEPRequest:] (SCEPService.m:212): "'((!IsValidNSString(op)))'">
0:: [302] [2018/11/06 21:53:38.842] -[DMHTTPDBaseServiceProvider processRequest:selectorName:withHandler:]_block_invoke: Caught unhandled exception -[SCEPService _processSCEPRequest:] (SCEPService.m:212): "'((!IsValidNSString(op)))'"
1:: [302] [2018/11/06 21:53:54.422] EXCEPTION: !IF <-[SCEPService _processSCEPRequest:] (SCEPService.m:212): "'((!IsValidNSString(op)))'">
0:: [302] [2018/11/06 21:53:54.422] -[DMHTTPDBaseServiceProvider processRequest:selectorName:withHandler:]_block_invoke: Caught unhandled exception -[SCEPService _processSCEPRequest:] (SCEPService.m:212): "'((!IsValidNSString(op)))'"
[288] [2018/11/07 11:30:33.533] -[SULogFileCollection setGlobalLogLevelPrefix:]: YES
0:: [288] [2018/11/07 11:30:33.535]
########################################################### ########################################################### ########################################################### #######################
dmSCEPService-926.25 (PID+288, OS+18A391, SERVER+18S1178, ARCH:x86_64) starting Log verbosity level = 1 UID = 220, EUID = 220
########################################################### ########################################################### ########################################################### #######################
0:: [288] [2018/11/07 11:30:33.611] +[PGConnection reloadPreferences]: DBDebug = NO, DBLogNotices = NO, DBLogSQL = NO, DBMonitor = NO
1:: [288] [2018/11/07 11:30:33.613] Starting XPC listener com.apple.DeviceManagement.dmhttpd.dmSCEPService…


And the httpd:


1:: [242] [2018/11/07 21:26:59.785] <8.15.203.2> «AuthService» Received request [GET /auth]

0:: [242] [2018/11/07 21:27:00.111] <8.15.203.2> «AuthService» Completed in 325.881ms | 200 [GET /auth]

1:: [242] [2018/11/07 21:27:08.567] <8.15.203.2> «AuthService» Received request [POST /auth/user]

0:: [242] [2018/11/07 21:27:08.637] <8.15.203.2> «AuthService» Completed in 69.582ms | 401 [POST /auth/user]

1:: [242] [2018/11/07 21:27:38.381] <8.15.203.2> «AuthService» Received request [POST /auth/user]

0:: [242] [2018/11/07 21:27:38.526] <8.15.203.2> «AuthService» Completed in 145.023ms | 200 [POST /auth/user]

1:: [242] [2018/11/07 21:29:52.704] <8.15.203.2> «DeviceService» Received request [POST /devicemanagement/enroll/mdm_enroll]

0:: [242] [2018/11/07 21:29:53.255] <84.225.203.2> «DeviceService» Completed in 550.235ms | 200 [POST /devicemanagement/enroll/mdm_enroll]

1:: [242] [2018/11/07 21:30:11.708] <84.225.203.2> «DeviceService» Received request [POST /devicemanagement/enroll/mdm_enroll]

0:: [242] [2018/11/07 21:30:11.723] <84.225.203.2> «DeviceService» Completed in 14.672ms | 200 [POST /devicemanagement/enroll/mdm_enroll]

1:: [242] [2018/11/07 21:30:59.440] <___.___.___.___> «SCEPService» Received request [GET /mdm/scep]

0:: [242] [2018/11/07 21:30:59.560] <___.___.___.___> «SCEPService» Completed in 120.607ms | 200 [GET /mdm/scep]

1:: [242] [2018/11/07 21:30:59.685] <___.___.___.___> «SCEPService» Received request [GET /mdm/scep]

0:: [242] [2018/11/07 21:30:59.685] <___.___.___.___> «SCEPService» Completed in 0.705ms | 200 [GET /mdm/scep]

1:: [242] [2018/11/07 21:30:59.878] <___.___.___.___> «SCEPService» Received request [POST /mdm/scep]

0:: [242] [2018/11/07 21:31:00.081] <___.___.___.___> «SCEPService» Completed in 202.717ms | 200 [POST /mdm/scep]


Do you see anything that helps?


Best regards

Nov 7, 2018 1:29 PM in response to Vrtboy

If no new lines are added to either of these files when you attempt to enroll, then you probably have a problem routing port 80 to your server. You can put this URL into your browser from a device on the device you're trying to enroll:


http://server.example.com/mdm/scep?operation=GetCACaps


Be sure to change the hostname in the URL to your server's hostname.

This should give you the following output:


POSTPKIOperation
SHA-512
SHA-256
SHA-1
DES3


If you get any error response, it's probably because port 80 isn't being properly directed to your Profile Manager server.
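The GetCACaps check from the reply above, as an added example that is not part of the original thread: it reviews a response body that has already been fetched and also flags the raw-IP hostname problem raised in the best reply. The function names are hypothetical, the token list comes from the SCEP specification (RFC 8894), and the sample body is constructed from the output quoted in the thread.

```python
import ipaddress
from urllib.parse import urlsplit

# Capability tokens a SCEP CA may list in a GetCACaps response (RFC 8894).
KNOWN_CAPS = {"AES", "DES3", "GetNextCACert", "POSTPKIOperation",
              "Renewal", "SHA-1", "SHA-256", "SHA-512", "SCEPStandard"}

# Constructed sample: the response body quoted in the thread.
SAMPLE_BODY = "POSTPKIOperation\nSHA-512\nSHA-256\nSHA-1\nDES3\n"


def parse_cacaps(body):
    """Return the set of non-empty lines of a GetCACaps response body."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def host_is_raw_ip(url):
    """True when the URL's host is an IPv4/IPv6 literal rather than a DNS name."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def review_scep_endpoint(url, body):
    """Return a list of findings; an empty list means the check passed."""
    findings = []
    if host_is_raw_ip(url):
        findings.append("host is a raw IP address; use a DNS name")
    caps = parse_cacaps(body)
    if not caps & KNOWN_CAPS:
        # An HTML error page or empty reply: port 80 is likely not reaching the server.
        findings.append("response is not a capability list")
        return findings
    if "POSTPKIOperation" not in caps:
        findings.append("POSTPKIOperation not offered")
    if not caps & {"SHA-256", "SHA-512"}:
        findings.append("only legacy digests offered")
    return findings


if __name__ == "__main__":
    url = "http://server.example.com/mdm/scep?operation=GetCACaps"
    print(review_scep_endpoint(url, SAMPLE_BODY) or "OK")
```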

Nov 7, 2018 1:40 PM in response to mscott_mdm

Dear mscott,


It works. I get:

POSTPKIOperation

SHA-512

SHA-256

SHA-1

DES3

I'm not sure if it matters, but because I have no PTR record yet I use my IP instead of the domain. In OS X Server I manually changed the host to the IP address... So now I use http://myipaddress/mdm/scep?operation=GetCACaps

I just wrote this because I'm not sure whether it causes any problem if I use the IP address for testing purposes... later I will add an A record and also a PTR to my DNS...
