User profile for user: ljf0021
ljf0021 Author
User level: Level 1
12 points

Unable to enroll ios12 devices on Profile Manager

We have over 30 ios devices enrolled on our Apple Server. Recently with the update to ios12 we can no longer enroll the devices. I can install the trust certificate and go into General->About-Trust Settings and switch on root certificates, but to no avail. I get a "profile installation failure network failure". I have redone every certificate except the ios distribution cert. I can enroll ios11 devices with no problem. If the device was already enrolled before changing to ios12 it works fine. If I unenroll the device then reenroll device I get a "Profile installation Error: again. Help

iPad Pro Wi-Fi, iOS 12.0.1

Posted on Nov 7, 2018 2:05 PM

Reply
Question marked as Top-ranking reply
User profile for user: simonwolton
simonwolton
User level: Level 1
4 points

Posted on Mar 28, 2019 4:31 AM

They finally fixed this!


Made an account just to say: I upgraded our mac server to the latest version of macOS 10.14.4 (Build 18E226) and Server 5.8 (Build 18S2071) and didn't seem to make a difference, then updated a test iPad to iOS 12.2 and we can now enroll devices!


Only taken about 5 months!

View in context
52 replies
User profile for user: ljf0021
ljf0021 Author
User level: Level 1
12 points

Nov 28, 2018 5:35 AM in response to mb0742

After making the hostname all lowercase and renewing all the apple server certificates on apple server. I can now enroll new ios12 devices with the profile manager. Pushing out apps is taking an extremely long time, but it's working now. Quite a few of the old devices had to be reset back to factory settings with changes, but I'm back up and running.

Reply
User profile for user: DanDemers007
DanDemers007
User level: Level 1
4 points

Jan 3, 2019 9:51 AM in response to A.Baker

I fixed the issue by going to the Server Manager and changed the Computer Name field, originally it was MDM, I changed it to mdm. I rebooted the server and IPads can now connect without issue (old ones also seem good to go).


What a stupid issue... Managing IPads in a business environment already leaves a lot to be desired... add stupid bugs like this only makes us want to avoid Apple even more.




Reply
User profile for user: A.Baker
A.Baker
User level: Level 1
8 points

Jan 14, 2019 2:15 AM in response to YvanV74

In the end for us I found out we were not using the latest version of OS X server because we were not on OS X Mojave, our Mac mini could not run Mojave so upgraded Mac, updated OS X and updated server app. Have to unsupervise all the iOS devices and put them on the new system. Have notice some nice new features mind you.


This is worked for me, your mileage may vary.

Reply
User profile for user: mscott_mdm
mscott_mdm
User level: Level 2
459 points

Nov 14, 2018 8:42 AM in response to ljf0021

This appears to be due to an unfortunate interaction between ATS (App Transport Security) and your camelcase hostname. This breaks the SCEP enrollment, which is why you can't enroll any new devices, but it doesn't affect any other parts of the MDM protocol, so once a device is enrolled, it's fine.


I don't know of a workaround at this point, but camelcase hostnames, while entirely valid, are not really the norm. However, changing your hostname is very likely to break the rest of Profile Manager, so I definitely wouldn't recommend doing that. If I learn of a workaround, I'll post it here.

Reply
User profile for user: ljf0021
ljf0021 Author
User level: Level 1
12 points

Nov 14, 2018 8:37 AM in response to robfromsugarcamp

So far, I have not found a definite answer. Mac OS server 5.7 has change more to a mobile device management tool. This has limited it to just two options Apple School or Business Manager. I am not sure if the old Apple Device Enrollment Program (DEP) is no longer available for Mac OS Server and hence maybe why it does not allow enrollment of ios12 devices. But that would explain why ios11 easily enrolls and ios12 enrollment causes profile installation error, because it is looking for different program certs of Apple School or Business . When I use Apple Configurator 2 to add apps to ios12 devices, it works because it is still using DEP and not Mac OS server.


I have asked the boss to upgrade to Apple Business Manager, but I have to find out first what ramifications of what that would do the some devices we have deployed. That could arrange from redoing every certificate and device, to making some devices obsolete, because everything has to be 2011 or later.

Reply
User profile for user: ljf0021
ljf0021 Author
User level: Level 1
12 points

Nov 8, 2018 8:52 AM in response to mscott_mdm

We have used a localhost server for in house which does not have neither a https or ssl certificate. Is ios 12 and server 5.7 requiring us to use this now? I went into the /etc/var/log/service_proxy_error.log and got the following:


ssl input filer read failed

requesting connection re-negotiation

connection to child 6 established (server AAAAppleMgr.local:443)

HTTP: attempt to connect to 127.0.0.1:3328 failed

ap_proxy_connect_backend disabling worker for 60s

HTTP: failed to make connection to backend: 127.0.0.1 referer: https://aaaapplemgr./profilemanager/

connection to child 34 established (server AAAAppleMgr.local:443)

connection to child 14 established (server AAAAppleMgr.local:443)

requesting connection re-negotiation

awaiting re-negotiation handshake

Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Unable to enroll ios12 devices on Profile Manager

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up