The promise of Lion’s Profile Manager seemed good: a nearly free way of managing all the Macs and iPads on your network, pushing settings etc. over the air using Apple’s Push Notifications.
Except I can’t get it to work. The issue is that when you try and enrol an iOS device, it complains that the certificate is invalid. I’ve searched high and low on the Interweb for solutions, and even tried out a few. However, the result has been even more of a mess, as far as I can tell!
45 iPads arrived at school today, just waiting for me to set them up ready for September. I was hoping to use Profile Manager as part of the setup process, but I think now I’ll just have to make do with Apple Configurator and iTunes. Hey ho.
Maybe more joy will be to be had with Mountain Lion Server?
These guys at Amsys seem to have gotten it going, if anyone’s interested.
Hi Primary IT website,
What is the exact error you are getting? At which point does it complain about the certificate?
I had the same issue and I worked through the following list of steps:
1) You MUST install the ‘trust profile’ BEFORE you can enrol the device.
2) You should use a brand new Apple ID for your push certificates, one that has NEVER been used to get a push notification before. If you have one and then revoked the certificates, it won’t work.
3) Ensure you have all of the relevant ports open, or use the internal address.
I’ve got a few blogs on it that might be worth a read:
http://www.amsys.co.uk/2012/blog/how-to-configure-lion-profile-manager/
http://www.amsys.co.uk/2012/blog/how-to-solve-profile-manager-configuration-problems/
Good Luck
Darren
Amsys plc
Hi Darren!
Thanks for your comment – I’ve found the Amsys posts really helpful, but haven’t managed to sort out the problems.
When I set up profile manager I get an ‘error-1’ at the end of the process. Then, when I try and tick the ‘sign configuration profiles’ button, it doesn’t give me any certificates, even though I’ve enabled Apple push notifications on the ‘hardware>settings’ tab.
What would be my next step?
Any help would be much appreciated!
Hi Tim,
Glad you find them helpful!
Right, the error you describe is one I had come across. Before I suggest a fix, please ensure you’ve got the entire server backed up (and the backup tested!) just in case this should break something else.
Try this:
“The first time I had this error, my only fix was to export my Open Directory contents, destroy the LDAP (by demoting the server in Server Admin), then re-run the configuration tool.
Once I started getting the error again, even after following the above steps, I found this to be due to some saved certificates and keys from a now decommissioned Open Directory. This was done by launching the Keychain Access application (/Applications/Utilities/Keychain Access.app), navigating to the system keychain and removing any and all certificates and keys that refer to Code Signing, CA, Certificate Authority and the server’s hostname. After this, I had to also recreate the SSL certificate I created.”
The key point is to then let the Profile Manager configuration tool create the Open Directory Master.
Give that a go!
Darren
Hi Darren.
Thanks for the advice.
Our server is running Workgroup Manager in the ‘golden triangle’ configuration, so I’m guessing if I destroy the LDAP, that’s going to destroy all of my carefully configured .plist preferences?
I did try deleting certificates and keys, but I’m not sure which ones I’m meant to be deleting…
Can I email you a screenshot of the system and login keychains?
Thanks
Tim
Hi Tim,
Firstly, I’m sorry to say we cannot accept any responsibility for any resulting loss in data, functionality, or working hours as a result of following this advice.
Please, please, please make sure you have your server fully backed up. I can’t stress this enough.
I’m sorry to say it will destroy them, yes. But you can export them using Workgroup Manager prior to this, followed by loading them back into the new LDAP.
In regards to the Keychain, anything that matches Code Signing, CA, Certificate Authority and/or the server’s hostname should be ok to go, just remember to recreate a correct SSL certificate before carrying on.
To be honest, like some services in Lion Server, Profile Manager is very much a “version 1” product and can be pretty buggy. As a result, sometimes it’s better (and much quicker) to wipe and reconfigure. May I suggest that you try to configure a new server on a spare piece of kit (like another Mac Mini, or a spare laptop) first, before applying your knowledge to your working server?
Darren
That sounds like a good idea…I’m gonna try and build me a server! That way I can see if Profile Manager can, in theory, work on our network and then apply this over to our existing server once I’m more confident.
Thanks for all your advice – the Amsys blog is now blogrolled!
Ok. I’ve created a new Apple ID and then set it up for Push Notifications on the server (under hardware>settings). However, the push notification certificate isn’t showing up in my certificates. Hmmm. How would I get it there?
You’re very much welcome!
You never know, it might be an idea to have it on a second server. That way if your ‘main’ ever breaks, you could potentially use the spare and lose the profile manager for a while. I believe the devices will only check it for ‘new’ settings, not to renew the ones they already have.
Good luck!
Darren
Well, I installed Lion server on a different Mac and managed to get it working a little bit more… It now just comes up with an ‘Invalid Profile’ error instead. Aarrrrrrgh! Ever come across that?
Hi Tim,
The push certificates shouldn’t show up on the server as these are just used to push any changes you make to the machines connected to your profile management server. They are not available to use in Server Admin or Server.app as this is their one purpose.
Darren
Hi Tim.
I’m sorry to say that that is an error I have not come across.
I would suggest having the profile manager log files open as you try to enrol the device and see if it gives any clues.
Additionally, I’d also suggest checking the basics, forward and reverse DNS lookups of the server (both on the server and on the client) as well as your forwarded ports.
Darren
Thanks Darren
The DNS seems to be working (as per the checks on your initial blog). However, I suspect ports might be part of the problem! Which ports need to be open? How do I check if they are or not? We’re on LGfL, which locks everything down behind a big old firewall…
Cheers
Tim
Hi Tim,
I’m sorry I do not have a 100% definitive list for profile manager but I have this snippet from the blog comments:
“Hi Michael, at the risk of plagiarising information from other sources, a quick google search brought up the following two pages:
1 – Well known TCP and UDP ports used by Apple software products
http://support.apple.com/kb/TS1629
2 – SCEP enrolment process (Port 1640 TCP)
https://discussions.apple.com/thread/3224019?start=0&tstart=0
”
In regards to testing, you could try to ‘telnet’ into your school’s IP address on the ports that you need open but the best bet is to discuss it with whomever manages your network.
Darren
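The two basic checks Darren recommends in his earlier reply and this one (forward and reverse DNS lookup of the server, then testing whether the needed ports actually accept a TCP connection, which is what the ‘telnet’ test shows), written up as an added example script; this is not code from the thread or from Amsys. Port 1640 (SCEP) comes from the thread; port 443 is an assumed default for the Profile Manager web service, and the server name is a placeholder to replace with your own hostname.

```python
"""Enrolment sanity checks: DNS round-trip for the server name and TCP
reachability of the ports a device must reach. Example code, not the
Amsys blog's own. Run as: python3 pm_checks.py server.example.invalid"""
import socket
import sys

# 1640/TCP (SCEP enrolment) is named in the thread; 443 is an assumed
# default for the Profile Manager web service, not taken from the page.
PROFILE_MANAGER_PORTS = {1640: "SCEP enrolment (from the thread)",
                         443: "HTTPS web service (assumed)"}


def dns_roundtrip(hostname):
    """Resolve hostname -> address -> name and report whether they agree.
    A mismatch is worth fixing first: the SSL certificate is issued for
    the server's hostname, so clients must resolve it consistently."""
    result = {"hostname": hostname, "forward": None,
              "reverse": None, "consistent": False}
    try:
        result["forward"] = socket.gethostbyname(hostname)
    except socket.gaierror:
        return result                      # no forward (A) record at all
    try:
        primary, aliases, _ = socket.gethostbyaddr(result["forward"])
    except (socket.herror, socket.gaierror):
        return result                      # address has no reverse (PTR) record
    result["reverse"] = primary
    names = {primary.lower(), *(a.lower() for a in aliases)}
    result["consistent"] = hostname.lower() in names
    return result


def check_tcp_port(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes (what 'telnet host port' tests)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                        # refused, filtered, or timed out
        return False


def check_ports(host, ports=PROFILE_MANAGER_PORTS, timeout=2.0):
    """Map each port to whether it is reachable from this machine."""
    return {port: check_tcp_port(host, port, timeout) for port in ports}


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "server.example.invalid"  # placeholder
    print(dns_roundtrip(server))
    for port, reachable in check_ports(server).items():
        print(f"{port:5d} {PROFILE_MANAGER_PORTS[port]:34s} {'open' if reachable else 'BLOCKED'}")
```

Run it once on the server itself and once from a client on the same network the iPads use; a port that is open from the server but blocked from the client points at the firewall rather than at Profile Manager.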
Would you happen to know which ones of these ports are incoming? I’m guessing for Apple Push Notifications to work, some will need to be incoming??
Ok…I’ve just realised that the ports were opened for the wrong IP range! Let’s see if Atomwide will open up the correct ports now and if that then makes a difference.
Hi Tim,
Apologies on the lack of replies, I’ve been away on leave.
Did you have any luck with Profile Manager?
Darren
Still no luck. We have managed to ascertain that the correct ports are open now. I might do a rebuild towards the end of the summer holidays and see if we can get it going then.
Thanks for your continued interest!
Hi Tim,
Good luck with it, bear in mind Mountain Lion is out soon and (not recommending you upgrade straight away or without testing) it may be more stable.
I would suggest getting the server OS installed, up to date and with no services running, and then disk image it for an easy ‘reset’.
That’s not a problem at all, I’ve felt your pain!
Darren