Profile Manager - MDM identity certificate

Hello

I would like to know what exactly the "certificate of identity MDM" is. I find it in my managed devices (SETTINGS-> General-> management-> remote management-> details-> (identity device certificates)). It is issued by Mac OS x OpenDirectory intermediate CA.

I don't use signed code profiles (I read it is necessary to re-register device after expiry of cert).

I use the current Apple Configurator to connect to the Profile Manager. The above certificate is valid for one year from the date of registration.

I would like to know whether it is possible to create this certificate for more than a year, and what I need to do before the expiry of this certificate to be able to update all of my devices in the Profile Manager without taking the devices in my hand.

I have approximately 50 iPhones (unattended) related to my Profile Manager. Now, I want to connect another 50 iPads, this time as supervised devices.

But I'm afraid of what happens when the certificate expires; I want to avoid this, or at least know what (and when) I need to do to avoid losing touch with my Profile Manager.

Kind regards

Kacper

While it is possible to create your own certificate for the server that lasts longer, and your own code signing certificate that lasts longer, it is not possible to change the length of time for the Push Notifications certificate generated by Apple, which is also necessary for an MDM solution.

So regardless, you are going to be stuck with a certificate that must be renewed annually, and since you have to do that before it runs out, it really means more like every 11 months.

Tags: Servers and Enterprise Software

Similar Questions

  • Invalid certificate Motorola Device Manager (MDM)

    I'm a software developer. We develop mobile applications for iOS and Android devices. A single device that allows us to develop and test is a Droid 4. Thus, we have installed Motorola Device Manager (MDM).

    Recently, I tried to install an update of MDM.

    I received an error message:

    MDM Installer.pkg has been signed with a certificate that is not valid. This package can not install what you expect. Do you want to continue the installation?

    The certificate expired on Wednesday, July 3.

    Should proceed - or will assign you another update with a valid certificate?

    Thank you

    Chuck

  • Profile Manager - failed to install the remote access profile in the domain environment & multi-Active Network Directory

    Hi all

    I am a COMPUTER administrator for a college and I am trying to fix what seems to be the last hurdle in getting the Profile Manager works correctly.

    I worked for a while now trying to get the Profile Manager capable of pushing the device and profiles for Mac in our group network environment. I was able to operate intermittently, but not often. Most of the time I'm unable to install the remote management profile.

    When you try to install the remote management profile, I give myself one of the two errors-

    The first error is:

    The Installation of the profile failed.

    The «TeleManagement (com.apple.config. » profile (Server.FQDN.mdm:GUID) "could not be installed because of an unexpected error < MDMResponseStatus:500 >

    (Obviously server.fqdn and GUID are placeholders for their actual values)

    The second mistake is:

    The Installation of the profile failed.

    Failed to contact the Protocol SCEP server to "http://server.fqdn:1640/CEP/".

    The server Mac OS X 10.11.4 works

    OS X Server is version 5.1

    Client Mac is for most running 10.10.4

    Here's a quick run down on the environment and the steps I have already taken to solve the problem.

    • The network is an Active Directory with several networks multi-domain environment. I mainly work with two different networks, each associated with one of the two areas.
    • The Mac server hosting the Profile Manager is a Mac Pro. The two network cards is used, each on one of the two networks. The Mac server is joined to the domain in the primary forest.
    • I opened all the ports and IP ranges for Apple's Push Notification service for two on our firewall and tested networks between the two networks to ensure that the AFN is accessible.
    • I created a static DNS entry for the server in the DNS zone for the main domain. I also have a separate DNS zone for the DNS record for the interface on the secondary network. I also confirmed that Macs see the correct IP address of the Mac server for their network.
    • I tried to change the settings for network access for the Profile Manager. The first error seems to happen when the Profile Manager are restricted to the network the Mac client is not connected. This same error also occurs if I open Manager profile access to "all networks".
    • I have experimented with the different certificate types. In general, I use the self-signed certificates that are generated automatically. In this scenario, I install the profile Trust first (which works seamlessly regardless of network or domain). I also tried to use a certificate for Code signing signed with our own CA to sign the profile of remote management. The same errors will occur no matter what certificates are used.
    • The second error occurs when the access profile manager is limited to the same network that is connected to the Mac client
    • I ran Wireshark captures on several client computers, as well as on the Mac server interfaces and haven't seen any traffic blocked or rejected that seemed related to the Profile Manager
    • I've deleted and rebuilt my OD master
    • I also scoured newspapers for clues Profile Manager and haven't found much
    • In addition, I have also studied the problem and error codes/etc widely and have not found a lot of useful information
    • I don't know there are any other troubleshooting steps I took as well, but I've been question bout this for awhile and I don't remember everyone.

    That's a strange thing - I had it working for Mac on the main network and the domain. However, I discovered that the Mac on the secondary network and the field was unable to download the profile of remote management. This is when I started to change the Profile Manager, access network, which eventually introduced the problem on Macs connected to the primary/field of experimentation network. Changing the access settings back in Profile Manager does not restore functionality for the Macs that worked.

    Another thing odd in this test scenario all - Mac on the network high school/area would not install remote profile unless management I temporarily moved it to the main network (I do not untie / reassign to one the main domain on these Macs) I could get the profile of remote management to install and then pushing profiles has worked. Even more strange, it's the Mac that I had to move temporarily secondary network to the main network to allow remote management profile install only works always as long as the Profile Manager are restricted to the secondary network and 'the Mac'. However, Macs in the same room, on the same network in the same field, using the exact image even get the errors described above.

    The only thing I have not yet done is delete/reconstruction Profile Manager. I would really like to avoid this if possible. Solutions that involve something like Casper or other software integration AD for Macs are also a non-starter.

    I'm happy to elaborate if necessary. I appreciate the help.

    Okay, I think I can find the root cause.

    Before this discovery, I had completely rebuilt Profile Manager. Now, I managed by pushing the management profile remote for Mac in the two fields/networks. However, many of them still refuse to install remote management profile.

    Macs who encounter the problem are all were imaged using NetRestore using an image captured from an another similar iMac. IMac even that was used to build the image has now been reassigned in a test of Mac. I found that when you attempt to register one of the Mac who had received this image it shows already as "registered" when you go to "mydevices" on my Mac server. I also noticed that they all have the serial number of the test Mac when viewing their "register". Among the issues of Macs, I activated the lock of the device from the page "mydevices" for the so-called problematic Mac registered (showing the serial number of the iMac used to create the image) and it locked the iMac used to create the image - not the Mac issue.

    This tells me that the CID (or Mac equivalent) is set on the Mac CID used to create the image for all of the Mac said image was deployed to. If it's a Windows box I have a sysprep prior to deployment or could perform a rearm after the fact. I am unaware of how to perform similar functions in OS X.

    I tested also since on some Macs that do not have this image, and they are able to register and install the profile of Managing remotely with success.

    If anyone has any suggestions on how to reset the CID (the computer ID) under OS X, I'd appreciate it. Thank you.

  • Run Profile Manager

    Hello

    I found the article how to register a certificate using Windows CA.

    as I found the article presents the Profile Manager in OS X 10.11.

    But how can I run it on OS X 10.11?

    Thank you!

    Isn't the Profile Manager one part of the OS X Server?

    https://www.Apple.com/OSX/Server/features/#Profile-Manager

  • Can I have the Profile Manager uses the name of the device used when the placement of placeholders?

    Can I have the Profile Manager uses the name of the device used when the placement of placeholders? Currently, all get renamed 'iPad' when the device through DEP configuration.

    No, but

    I was putting new devices in groups of temporary devices and renaming in bulk, once they are configured for the user, by using user variables / unit...

    The other annoying problem would be the user modifies the device name when they connect it iTunes...

    • the %destinataire% email - address email (the EMailAddress attribute)
    • %first_name% - first name (FirstName attribute)
    • %full_name% - full name (attribute RealName)
    • %guid% - guid (GeneratedID attribute)
    • %last_name% - last name (the LastName attribute)
    • the title of the post (the JobTitle attribute) %
    • %mobile_phone% - the number of mobile (laptop attribute)
    • %short_name% - short name (the RecordName attribute, generally the name of the account)

    The variables of the unit are:

    • %BuildVersion% - full OS version on the device
    • %ICCID% - ICCID (from the SIM card)
    • %IMEI% - IMEI (International Mobile Equipment Identity)
    • %OSVersion% - common version number of the operating system of the device
    • %ProductName% - name of the product
    • %SerialNumber% - serial number
    • %WIFIMAC% - MAC address of the WiFi interface

  • Is it possible to create a Local administrator user when you use the Profile Manager to get the configuration settings

    Hello

    We are studying the use of the Profile Manager of OS X as a way to manage our Enterprise macs.

    One of the demands made by the team, is to create an administrator user, as part of the OS X Profile which is lowered to the customer. The rationale is that this would be a way for the it team get, if the fubar user had their Mac

    I did not see this anywhere in the configuration options of the Profile Manager and so ask the people who use it as part of their everyday Toolbox, to find out if such an option is available.

    Thank you and best regards,

    Madan failed

    No, not with the Profile Manager.

    How you deploying your company Mac?  As institutionally imagery or as BYOD devices?  If image, then the image should contain a coherent local administrator account.  If the active image also the Apple Remote Desktop or SSH, you have a method of mass, control and manage the devices.  If BYOD style, then you are out of luck that the end user is the only one with the key of the device.

    You can take a look at following JAMF Casper.  Once devices are registered, you have the possibility to create accounts (However the common method is to create an account on registration).  If you deploy a BYOD approach, you should also look into DEP program Apple (https://deploy.apple.com) as more DEP JAMF (or other MDM) is a very powerful tool for light to zero touch deployment of systems.

    Reid

    Apple Consultants Network

    Author - "El Capitan Server - Foundation Services"

    Author - "El Capitan Server - Collaboration & control"

    Author - "El Capitan Server - Advanced Services"

    : IBooks exclusively available in Apple store

  • After update to 5.0.15 server, can not activate the OD service and the Profile Manager

    Hi, I have recently updated my Server 5.0.15 under El capitan 10.11.3.

    After that, Service OD and the Profile Manager can be activated server GUI.

    Of course, all users on my network are missing from the list of users; just local users remain.

    Reason: cannot be connected to the node 127.0.0.1

    How can I recreate an OD without use of app server?

    Thank you.

    P. S.

    Of course, even in the local server translates users preferences pane not connected.

    Many Open Directory problems can be solved by taking the following measures. Please test after each of them that you have not already taken it and back up the data before making any changes.

    1. the OD captain must have a static IP address on the local network, not a dynamic address. It must not be connected to the same network with more than one interface; for example, Ethernet and Wi-Fi.

    2. you must have a working DNS service, and the host name of the server must match the FQDN name. To confirm, select the server by its name in the sidebar of the window of the server application, and then select the Preview tab click the button change on the host name line. The access that your sheet of server, the domain name must be selected. Change the host name, if necessary. The server must have at least three levels (for example, "server.yourdomain.com") name, and the name must not be in the top-level ".local" domain, which is reserved for Hello.

    3. the main DNS server used by the server must be itself, unless you use another internal DNS server. The only DNS server on the clients should be internal, they should get from the DHCP server, as appropriate.

    4. If you have accounts with basic network directories, make sure that the URLS are correct in the user settings. A return status of 45 from the demon authorizationhost in the newspaper may mean that the URL for the installation directory was not being updated after a change in the host name or the file sharing protocol (AFP, SMB, or vice versa.) If the server and the clients run all OS X 10.10 or later, directories should be shared using SMB instead of AFP.

    5. follow these instructions to recreate the Kerberos configuration on the server.

    6. If you use authenticated connection, check the validity of the certificate of the master. The common name must match the host name and domain name. Unselection and then reselect the certificate in.app was reported to have an effect in some cases. Otherwise, delete all certificates and create new ones.

    In the case of a self-signed certificate, create a trust profile in the Profile Manager and deploy it to the customers. On the server, you may need to create the folder

    /etc/openldap/certs

    and place a copy of the certificate of the server, for example:

    /etc/openldap/certs/server-name

    Also add a directive to the file

    /etc/openldap/ldap.conf

    of the form

    TLS_CACERT /etc/openldap/certs/server-name

    7. remove the link, then to connect customers in the preferences users and groups window. Use the FQDN of the master name.

    8. restart the master and clients.

    9. do not connect you to the server with the account of the user of a network.

    10. turn off the internal firewall in use, including third-party "security" software.

    11. If you have created replica servers, remove them.

    12. If OD has recently stopped working while it was working before, you may be able to restore an automatic backup in /var/db/backups, or a snapshot of the time of this backup Machine.

    13. If there is slapd errors in the log, try the following steps.

    Disable the Open Directory in the server application.

    Enter in a shell:

    cd /var/db/openldap
    sudo -s
    db_recover -c -h authdata
    db_recover -c -h openldap-data

    Turn on Open Directory.

    14. reset database password strategy:

    sudo pwpolicy -clearaccountpolicies

    15. as a last resort, export all users od. In the Open Directory of the server pane, delete the OD server. In some cases, you may need to use the shell to remove the server. Then recreate it and import the users. Make sure that the UID is in the range 1001 +.

  • Profile Manager - will not communicate with devices

    Hello

    The profile manager worked until January 26, but he has not worked since. I tried to re-adding devices (it won't register their), and pushing the settings does not work either. I did 2 full reset of the particles, but the two did nothing to solve the problem.

    I am on a network with an AirPort Extreme 192.168. 80, 1640, 5223, 2195-2196 ports are open.

    Thanks in advance!

    David

    Check expired certificates and see if the console connects - available through Console.app - show anything relevant to the Profile Manager and related errors.

  • What is needed to install the Apple Profile Manager

    I am trying to use the Profile Manager as our MDM solution for a roll-out of iPads.  Anyone knows what is needed to install the Profile Manager?  I tried to contact the guy through my Representative, who introduced me to the MPA but haven't heard anything back.  Any help would be great.

    Well, a mac.

    Last Profile Manager requires el Capitan. El Capitan requires 2 gigabytes of memory.  A reasonable minimum is 4gig.  You prefer get 8gig.  you prefer to get an external hard drive to back up your machine. The Profile Manager is a separate download?  -No - I think.  Thus, you prefer to buy the el Capitan Server version.

    El CAP requirements are a little convoluted.

    OS X El Capitan - technical specifications

    may be easier to read here.

    http://osxdaily.com/2015/06/09/OS-x-El-Capitan-system-requirements-compatible-Ma c.

  • How can I get my device to the Profile Manager list to a .csv file?

    Hello

    I have Apple Profile Manager configured as my MDM solution and I have created dozens of groups of devices for about 500 aircraft.

    Now, I need to get a list of my devices (names, serial numbers and groups) for a file that I can read and edit with Excel. As a ratio of registered MDM devices by device groups...

    I've not found tools in the server itself for this report. I looked on the internet and I managed to run a console command that created a .sql dump of the database, but this is where I am stuck. I can't seem to find a way to correctly convert this .sql file into a .csv or .xhtml or whatever it is readable.

    Can someone help me how to do this?

    I've got covered you.  You must connect to the database and clear the records you want.  It's easy.  Follow these steps:

    1: connect to the database

    sudo psql -U _devicemgr -d devicemgr_v2m0 -h /Library/Server/ProfileManager/Config/var/PostgreSQL

    This allows you to enter the interactive shell.

    2: select the database you want to interact with

    \c devicemgr_v2m0;

    3: dump all the data on your devices.

    SELECT * FROM devices;

    4: If you want the names and serial numbers, use:

    SELECT "DeviceName", "SerialNumber" FROM devices;

    5: when you want to leave the shell

    \q

    Many data are there.  Be careful.  Don't use that selects them.

    Reid

    Apple Consultants Network

    Author of "El Capitan Server" - Foundation Services: available exclusively in Apple iBooks Store

    Author of "El Capitan Server - Collaboration & control": available exclusively in Apple iBooks Store

    Author of books of Yosemite server and server Mavericks

  • How to export the list of devices in the Profile Manager?

    Hello

    is there a way to export the list of devices in the Profile Manager on a mini mac running OS Server 5.3?

    Thank you

    How to export data from device in the Profile Manager

    How to export a list of devices and their info?

  • Firefox does not start, the Profile Manager is not available

    Firefox worked, then update it does not start. I tried all the fixes; However, the Profile Manager is not accessible or even present in the execution file. I uninstalled and reinstalled several times, but I still can't get it to work. There is no Windows or Norton firewall block so I do not understand. What can I do? I want to use Firefox because it's the best browser; but now I'm forced to use Oscar. It's not terrible, but I prefer the features I've had with Firefox

    I had upgraded to the latest version; but the thought of demotion to the version which worked perfectly. In the end, I had to defrag, do a registry clean and optimization of performance of PC, but for the upgrade launched. So, I'm happy to say that I reply to this post with my Firefox browser. Thank you very much for your help. If all goes well, I won't have problems.
    DoubleD52

  • I can not get to start Profile Manager.

    I go to ~/.thunderbird and run

       ./thunderbird -ProfileManager
    

    Instead of giving me a Profile Manager window it gives me just an instance of the envelope to thunderbird.

    I have a problem with the email thunderbird at the moment and it was suggested to me that I change my
    Profile (using the command above).

    I'm running (the very older) Fedora 17.

    In fact I realized the problem: the instructions that I was told to go in the profile directory

       ~/.thunderbird/********.default
    

    and run ./thunderbird -ProfileManager.

    But there was no thunderbird executable in this directory! So I went to a directory in which there * was * a thunderbird executable and issued the command. With the unsatisfactory results that I described.

    I *finally* found that if I went to /.thunderbird/********.default
    and issued the command "thunderbird -ProfileManager" (*not* preceded   by "./" --- so that I got the "system" thunderbird command) then the  result was as desired.
    

    So my problem is solved. But he had nothing to do with letting thunderbird running.

  • Where does the Profile Manager store data for profiles created?

    I have several profiles of Firefox that I created with the Profile Manager, but I find no where the Profile Manager stores data for profiles created because even if I delete all the firefox location of C:\Users\user\AppData\Local\Mozilla user data files and all the data in the registry though Firefox I start the Profile Manager still lists all created profiles.

    Then, where the data for profiles created is stored?

    Hello, these data are stored in subfolders of C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ - Profiles - where Firefox stores your bookmarks, passwords and other user data

  • Profile Manager for portable applications

    I need to import my backup in my portable thunderbird and I read in the documentation that I have use the "Profile Manager" or edit the "profiles.ini". I can't find them both.

    This line: ["L:\PortableApps\ThunderbirdPortable\ThunderbirdPortable.exe" -p] just opens the usual program

    How may I access the profile with the mobile application manager?

    Thank you

    OK I have been searching around on portableapps.com for Thunderbird.

    You see you do not actually use Mozilla Thunderbird desktop, you use a product that has been modified by a third party and really should ask in this forum of products.

    http://PortableApps.com/node/23603
    The Profile Manager is not portable. It is just not supported by Thunderbird Portable because it will break things.

    http://PortableApps.com/node/11191

    http://PortableApps.com/support/thunderbird_portable#local_profile
