Mobile Management: APNS/MDM Commands Not Working

Article:TECH191916  |  Created: 2012-06-27  |  Updated: 2013-09-09  |  Article URL http://www.symantec.com/docs/TECH191916
Article Type
Technical Solution


Issue



The Symantec Mobile Management Solution provides the functionality to send remote APNS/MDM commands to managed iOS devices via the Apple Push Notification Service. The following are the APNS/MDM commands, which are available once you install the Mobile Management Solution:

 

1) Lock Device

2) Send Inventory

3) Update Policies

4) Wipe Device

 

For these APNS/MDM commands to function correctly, you must ensure that the following prerequisites are met:

 

1) The Mobile Management Site Server must be able to communicate with Apple's Push Notification Servers on ports 2195, 2196 and 5223. 

2) A valid APNS certificate is installed on the Mobile Management Site Server

 

However, the APNS/MDM commands may still not function as expected. The following are the most common scenarios in which these APNS/MDM commands do not function:

 

Scenario 1:

When attempting to use an APNS/MDM command, an error message is seen on the following popup window:

 

And the following error message is seen in the SMP Server Logs:

The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketsException: An existing connection was focibly closed by the remote host at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)

"2012-02-09 16:46:42","Error sending lock device request.  Url to command webservice on mobile management server: [https://MMS_FQDN/demandcommandws/demandcommandws.asmx].

( Exception Details: System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

 

Scenario 2:

When attempting to use an APNS/MDM command, an error message is seen on the following popup window:

 

However, no error message is seen in the SMP Server Logs. The only other indication of an issue is the following error within the nlog located on the Mobile Management Site Server (Location of Nlog):

 

2011-12-13 18:07:22.2129 INFO Creating new connection to APNS

2011-12-13 18:07:23.2080 ERROR Error in ReceiveCompleted inner catch

2011-12-13 18:07:23.2080 INFO Invalid length for a Base-64 char array.

2011-12-13 18:07:23.2080 WARN requeuing push message - see previous errors

2011-12-13 18:07:23.2080 INFO Pausing processing for 900000 due to error sending

 

Scenario 3:

When attempting to use an APNS/MDM command, the command is never received by the iOS device. In this Scenario no errors are seen on the SMP Console or in the SMP Server Logs. The only other indication of an issue is the following error within the nlog located on the Mobile Management Site Server (Location of Nlog):

 

2012-06-18 11:28:26.9004 INFO  Creating new connection to APNS 

2012-06-18 11:28:27.8067 ERROR Error in ReceiveCompleted inner catch 

2012-06-18 11:28:27.8067 INFO  A call to SSPI failed, see inner exception. 

2012-06-18 11:28:27.8223 INFO  InnerException: The message received was unexpected or badly formatted 

2012-06-18 11:28:27.8223 WARN  requeuing push message - see previous errors 

2012-06-18 11:28:27.8223 INFO  Pausing processing for 900000 due to error sending 


Environment



Symantec Mobile Management 7.x


Solution



Scenario 1:

In this Scenario it was noted that the Symantec Management Platform server is attempting to connect to the Mobile Management Site Server using the following URL: https://mmsserver.domain.com:443/demandcommandws/demandcommandws.asmx

However, the MMS server is configured to use an SSL certificate issued for a different name than mmsserver.domain.com, and this causes a security error. Ideally, the mmsserver.domain.com name should be reachable internally and externally. However, certain environments have a different externally facing name for the MMS server, which is internet facing only.

As of Symantec Mobile Management 7.1 SP1, there is a new override setting for NS to MMS communication that can be used to change how the NS tries to reach the MMS server.

  • Navigate to Home -> Mobile Management
  • Select Mobile Management Server settings
  • In the lower pane, select the server name and choose the pencil icon to edit it.
  • In the NS to MMS communication field, alter the settings as needed.  It could be as simple as selecting the "Ignore SSL Certificate Warnings" option, or configuring the override server connection info to put in a server name that can be reached internally.

Scenario 2:

For this Scenario it was discovered that the Symantec Mobile Management Site Server did not have the IIS6 Compatibility Role installed.

This prerequisite is vital for the APNS Commands to function. Once the IIS6 Compatibility Role was installed, the APNS Commands began functioning correctly.

 

Scenario 3:

For this particular Scenario it was discovered that the APNS Certificate which was installed on the Symantec Mobile Management Site Server did not have an associated Private Key, so it was unable to encrypt the data which was meant to be sent to the Apple Push Notification Servers.

The simplest way to confirm whether the APNS Certificate has an associated Private Key is to view the APNS Certificate via the Microsoft Management Console; near the bottom of the certificate details you should see the following text:

 




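The checks behind Scenario 1 and Scenario 3 can also be run from PowerShell. This is an added example, not Symantec code: the function names are hypothetical, and it assumes Windows PowerShell 3.0 or later and that the APNS certificate sits in the computer's Personal store (Cert:\LocalMachine\My).

```powershell
# Added example; function names and the default store path are assumptions.

function Test-TlsServerName {
    # Run on the NS: reports how the certificate presented on HostName:Port
    # validates for the name the NS uses to reach the MMS (Scenario 1).
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $state  = @{ Errors = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl    = $null
    try {
        $client.Connect($HostName, $Port)
        # Record the policy errors instead of aborting, so the cause is visible.
        # Returning $true is safe here only because nothing is sent after the handshake.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($source, $certificate, $chain, $policyErrors)
            $state.Errors = $policyErrors
            $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            RequestedName = $HostName
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            PolicyErrors  = $state.Errors   # None = chain trusted and name matches
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

function Get-CertPrivateKeyStatus {
    # Run on the MMS: lists certificates in the store and whether each one
    # has an associated private key (Scenario 3).
    param([string]$SubjectLike = '*', [string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like $SubjectLike } |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

# Usage (host name taken from the article; the subject filter is a placeholder):
# Test-TlsServerName -HostName 'mmsserver.domain.com'
# Get-CertPrivateKeyStatus -SubjectLike '*<APNS certificate subject>*'
```

A PolicyErrors value of RemoteCertificateNameMismatch for the name the NS uses points to Scenario 1; entering an override server name that matches the certificate keeps certificate validation in effect, which selecting "Ignore SSL Certificate Warnings" does not. A HasPrivateKey value of False on the APNS certificate points to Scenario 3.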