Endpoint Security Complete


iOS MDM Enrollment fails to install with network error

  • 1.  iOS MDM Enrollment fails to install with network error

    Posted Feb 27, 2012 01:25 PM

    I am using an iPad version 4.3.3.

     

    When enrolling the device I install the agent and then follow the enrollment process. The system begins to generate the key but then fails at the point of enrolling the device wit

     

    Profile failed to install, a network error has occurred.

     

    I have a third party SSL certificate installed and I have verified that it is valid.

     

    All certificate profiles have been removed from the device

     

    Can you help?



  • 2.  RE: iOS MDM Enrollment fails to install with network error

    Posted Feb 28, 2012 11:20 PM

    This points to a communication or SCEP issue:

    • Can the device resolve the FQDN of the SCEP server?
    • Can the device resolve the FQDN of the MMS?
    • Did you correctly set the server override for HTTPS to the FQDN of the server over port 443?
    • Is the MMS SS accessible on port 443 from the network the iOS device is using?
    • Is the SCEP server properly configured to reuse the certificate without expiration, so that the challenge enrollment password is static, and is configured properly in MMS?
    • Have you verified all settings for the SCEP profile match the SCEP certificate?
    • Is your APNS certificate in the proper format of com.apple.mgmt.* where * is whatever you want?


  • 3.  RE: iOS MDM Enrollment fails to install with network error

    Posted Mar 02, 2012 10:44 AM

    You could also try this fix:
    http://www.symantec.com/docs/HOWTO59804



  • 4.  RE: iOS MDM Enrollment fails to install with network error

    Posted Mar 05, 2012 04:26 AM

    Thanks for that. I will investigate and respond.

     

    Mike



  • 5.  RE: iOS MDM Enrollment fails to install with network error

    Posted Mar 05, 2012 12:28 PM

    Hi,

     

    Q1. Can the device resolve the FQDN of the SCEP server?

    For testing I have defined a DNS entry to the wireless router and the iPad is connected to the router. Performing a DNS lookup on the iPad shows the FQDN to resolve correctly.

    Q2. Can the device resolve the FQDN of the MMS?

    Yes

    Q3. Did you correctly set the server override for HTTPS to the FQDN of the server over port 443?

    No need as I have a public DNS entry for the FQDN of the MMS.

    Q4. Is the MMS SS accessible on port 443 from the network the iOS device is using?

    Yes

    Q5. Is the SCEP server properly configured to reuse the certificate without expiration, so that the challenge enrollment password is static, and is configured properly in MMS?

    Yes

    Q6. Have you verified all settings for the SCEP profile match the SCEP certificate?

    Yes

    Q7. Is your APNS certificate in the proper format of com.apple.mgmt.* where * is whatever you want?

    Yes

    This was working properly on an internal network. The issues occurred since I have changed IP addresses to put the MDM server onto the internet.

    Is there anything else I can try?

    The version of Windows Server 2008 is not on the service pack and therefore the other fix that is mentioned does not apply.

    Thanks

     

    Mike



  • 6.  RE: iOS MDM Enrollment fails to install with network error

    Posted Mar 06, 2012 08:42 AM

    What's in the log file of your iOS device?
    You can capture a log file during the enrollment with the following tool from Apple: http://support.apple.com/kb/DL1465



  • 7.  RE: iOS MDM Enrollment fails to install with network error

    Posted Apr 23, 2012 08:20 AM

    Why does it need to? I didn't think the iOS device was supposed to speak directly to the SCEP server?

    Is it for some iOS validation purpose?



  • 8.  RE: iOS MDM Enrollment fails to install with network error

    Posted May 13, 2012 10:56 PM

    ...that I found in a lab I was building today occurs with a misconfigured SCEP profile.  In my lab environment, I had put https instead of http in for my SCEP config, and this one mistake caused this same "Profile Failed To Install - A network error has occurred" error.  Note I had SSL certs set up and was set to use SSL, but that one config page wanted http not https. 

    Specifically:

    In SMP Console / Mobile Management / iOS Configuration Editor / SCEP / URL, I had put https://fqdn/certsrv/mscep/mscep.dll.  Once I changed that to http://fqdn/certsrv/mscep/mscep.dll, the "Profile Failed To Install - A network error has occurred" error went away and enrollment worked perfectly.  Just an FYI of something else to watch out for...



  • 9.  RE: iOS MDM Enrollment fails to install with network error

    Posted May 16, 2012 02:29 AM

    Hi Chris,

    I'd be interested in finding out why you couldn't use https for your SCEP config, as I've used SSL for SCEP for around 6 months or so without issue.

    Interesting that what works for one person doesn't work for another.  The only thing I can think of is there is absolutely no name mismatch in our environment, the external DNS and the FQDN are the same, no redirecting to an IP address. So https works for everything in our environment.



  • 10.  RE: iOS MDM Enrollment fails to install with network error

    Posted May 30, 2012 04:55 PM

    You are correct about external FQDN being the same as the internal.  We've had this be the case for some client installs, but not for others.  Sometimes we had to configure it Chris's way, and sometimes yours.



  • 11.  RE: iOS MDM Enrollment fails to install with network error

    Posted May 30, 2012 04:58 PM

    Mike, did you ever get this resolved?
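
The reachability questions in reply 2 and the http/https difference reported in replies 8 to 10 can be checked from a laptop on the same network as the iOS device. This is an added example, not part of the thread or of the product's tooling; `check_url` is a hypothetical helper, and it assumes the laptop's DNS view and trust store are comparable to the device's. It reports the first stage that fails (DNS, TCP, or TLS certificate/hostname verification) for each URL given.

```python
import socket
import ssl
import sys
from urllib.parse import urlsplit


def check_url(url, timeout=5.0):
    """Return (stage, detail); stage is 'ok' or the first failing step."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return ("url", "expected http(s)://fqdn/...")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        # Step 1: can this network resolve the FQDN at all?
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns", str(exc))
    try:
        # Step 2: is the port reachable (firewall, NAT, wrong IP)?
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp", str(exc))
    with sock:
        if parts.scheme == "https":
            # Step 3: default context verifies the chain AND that the
            # certificate names cover the FQDN used in the URL.
            ctx = ssl.create_default_context()
            try:
                with ctx.wrap_socket(sock, server_hostname=host):
                    pass
            except ssl.SSLCertVerificationError as exc:
                return ("tls-cert", exc.verify_message)
            except (ssl.SSLError, OSError) as exc:
                return ("tls", str(exc))
    return ("ok", f"{host}:{port}")


if __name__ == "__main__":
    # Pass the MMS URL and both SCEP URL variants (http and https) as arguments.
    for candidate in sys.argv[1:]:
        stage, detail = check_url(candidate)
        print(f"{candidate}: {stage} ({detail})")
```

A `tls-cert` result for the https SCEP URL alongside `ok` for the http one would be consistent with the name-mismatch explanation suggested in reply 9.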