Endpoint Security Complete

  • 1.  MDM Not Sending Policies to iOS Device

    Posted Nov 30, 2011 02:11 AM

    Hi All,

    I need a solution. I currently have my MDM solution working with enrollment. My current setup is a reverse proxy and the MDM in the PROD network. The problem is that when I want to do a remote lock or wipe, nothing happens. I checked the logs and nothing errors out.

    I do see the following:

    Nov 30 17:24:25 iPad sandboxd[179] <Notice>: Sym Agent(159) deny file-write-create /private/var/mobile/Applications/C85F2312-71C9-4D3C-B124-8655007B899E/Documentsapt

    But that's really it; the rest looks to be normal.

    Also, when I add an RSS feed and then a document, I can see the document in the Symantec app but am not able to download it.

    Any help would be much appreciated



  • 2.  RE: MDM Not Sending Policies to iOS Device

    Posted Nov 30, 2011 08:23 AM

    Are you using a valid APNS Bundle Identifier in the format com.apple.mgmt.* where * is whatever you like?  For example, com.apple.mgmt.emilio-test?

    It sounds like enrollment worked, but commands don't work.  Enrollment uses SCEP via NDES while commands are going to use APNS.  This points to an issue with APNS.

    This could also be an issue with networking.  Can the MMS SS communicate to gateway.sandbox.push.apple.com on ports 2195 and 2196?  Can the iPad?

    Did you properly set the override settings for the MMS SS, and are you using HTTPS?  If you set it to use port 443, can a computer on the iPad's network reach the MMS SS on port 443 (telnet mms.company.com 443)?

    Since you're using SSL (you must use SSL for iOS 5 devices), is the certificate you installed on the MMS SS signed by an external authority (e.g. GoDaddy)?  Does the FQDN (e.g. mms.company.com) resolve properly to the externally-assigned IP address?

    Each one of these questions is important, so please be sure you investigate each of these so that we establish a good baseline for troubleshooting.
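    As an added example (not Symantec's code or anything posted in this thread), the script below runs the baseline questions from this reply as checks: APNS topic format, TCP reachability to the sandbox push gateway on 2195/2196 and to the MMS FQDN on 443, DNS resolution of the FQDN to the public IP, and the issuer of the TLS certificate it presents. The topic, FQDN and IP in the `__main__` block are placeholders.

```python
"""Baseline MDM/APNS connectivity checks (added example, stdlib only)."""
import re
import socket
import ssl

# MDM push topics take the form com.apple.mgmt.<anything>; the tail is free-form.
TOPIC_RE = re.compile(r"^com\.apple\.mgmt\.[A-Za-z0-9][A-Za-z0-9._-]*$")


def validate_apns_topic(topic: str) -> bool:
    """True if the APNS bundle identifier/topic has the com.apple.mgmt.* shape."""
    return bool(TOPIC_RE.match(topic))


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Scripted equivalent of 'telnet host port': does a TCP connect succeed?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unresolvable, filtered
        return False


def resolved_addresses(fqdn: str) -> set:
    """Addresses the local resolver returns for fqdn (empty set on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(fqdn, None)}
    except socket.gaierror:
        return set()


def tls_issuer(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Issuer organisation of the certificate on host:port, after normal chain
    and hostname validation; an untrusted or self-signed cert raises SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            return issuer.get("organizationName", "?")


def run_baseline(topic: str, mms_fqdn: str, public_ip: str) -> dict:
    """Answer each question from the reply; returns a name -> result mapping."""
    apns = "gateway.sandbox.push.apple.com"   # gateway named in the thread
    results = {
        "topic_format": validate_apns_topic(topic),
        "apns_2195": tcp_reachable(apns, 2195),
        "apns_2196": tcp_reachable(apns, 2196),
        "mms_443": tcp_reachable(mms_fqdn, 443),
        "fqdn_to_public_ip": public_ip in resolved_addresses(mms_fqdn),
    }
    try:
        results["tls_issuer"] = tls_issuer(mms_fqdn)
    except (OSError, ssl.SSLError) as exc:
        results["tls_issuer"] = f"FAILED: {exc}"
    return results


if __name__ == "__main__":
    # Placeholder values: substitute your own topic, external FQDN and public IP.
    for name, value in run_baseline("com.apple.mgmt.example",
                                    "mms.company.com", "203.0.113.10").items():
        print(f"{name:20} {value}")
```

    Run it from a machine on the iPad's side of the network as well as from the MMS SS itself, since the reply asks both questions.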



  • 3.  RE: MDM Not Sending Policies to iOS Device

    Posted Nov 30, 2011 05:46 PM

    Thanks for the reply. I have gone through the list of questions and answered them to reflect my configuration; hopefully we can get this sorted.

    My setup is as follows:

    Reverse proxy (URL rewrite) in the DMZ, and the MDM/SMP in the Prod network.

    Are you using a valid APNS Bundle Identifier in the format com.apple.mgmt.* where * is whatever you like?  For example, com.apple.mgmt.emilio-test?

    When I completed the export I did use the proper format of com.apple.mgmt.*****. But it does not have the private key, as it was not exported with the key.

    But I think I will have to use a MacBook to export the certificate and then export the private key from the keychain (would this be my issue?).

    It sounds like enrollment worked, but commands don't work.  Enrollment uses SCEP via NDES while commands are going to use APNS.  This points to an issue with APNS.

    When I enroll the device to the MDM, I can see that our CA issues a certificate to the device.

    This could also be an issue with networking.  Can the MMS SS communicate to gateway.sandbox.push.apple.com on ports 2195 and 2196?  Can the iPad?

    Both servers, the reverse proxy (in the DMZ) and the MDM and SMP server (on the same box), can communicate over those two ports (via telnet). With the iPad, shouldn't it already be communicating via those ports, as it is using a 3G network?

    Did you properly set the override settings for the MMS SS, and are you using HTTPS?  If you set it to use port 443, can a computer on the iPad's network reach the MMS SS on port 443 (telnet mms.company.com 443)?

    I can access https://XXX.company.com.au/mobileenrollement/******* (all pages). I can also telnet to the FQDN over 443. The override is set to the outside FQDN and is selected to use 443.

    Since you're using SSL (you must use SSL for iOS 5 devices), is the certificate you installed on the MMS SS signed by an external authority (e.g. GoDaddy)?  Does the FQDN (e.g. mms.company.com) resolve properly to the externally-assigned IP address?

    We do have an SSL certificate on the reverse proxy in the DMZ, and the FQDN resolves to our public IP address.

    I think maybe the issue is the APNS certificate not being exported correctly.

    Thanks



  • 4.  RE: MDM Not Sending Policies to iOS Device

    Posted Dec 01, 2011 11:37 PM

    I still get this error in the IPCU.

    Just before I select install:

     iPad sandboxd[179] <Notice>: Sym Agent(159) deny file-write-create /private/var/mobile/Applications/C85F2312-71C9-4D3C-B124-8655007B899E/Documentsapt

    I have checked all the configuration and it is all correct as far as I can see; I have also checked the above issues and they are answered.

    Is there any other issue with using 2008 R2 for the SMP/MDM server other than the compression and HTTP response header?

    Please help.

    Thanks



  • 5.  RE: MDM Not Sending Policies to iOS Device

    Posted Dec 02, 2011 01:24 AM



  • 6.  RE: MDM Not Sending Policies to iOS Device

    Posted Dec 02, 2011 11:17 AM

    If you upload that failed NSE, we could examine it for details.



  • 7.  RE: MDM Not Sending Policies to iOS Device

    Posted Dec 02, 2011 11:20 AM

    And the source of this export was developer.apple.com, correct?  I've seen instructions on generating APNS certs from an XServe, but this has never been the process we've followed here at Intuitive.



  • 8.  RE: MDM Not Sending Policies to iOS Device
    Best Answer

    Posted Dec 04, 2011 05:46 PM

    Hi All,

    The MDM solution is now working at 95%.

    My issue was the APNS certificate. You will need to add the service account used in the SMP/MDM installation, as well as the Network Service, as stated in the videos.

    This worked for me within 10 minutes of restarting the services.

    Hope this helps anyone with the same issue.

    Thanks for all the assistance.