Endpoint Security Complete

  • 1.  MMS Profile installation failed

    Posted Nov 28, 2011 08:01 AM

    Hello!

    I made a test environment with the newest Symantec Mobile Manager MR1. I didn't install SP1 for Windows 2008 R2. With SP1 I had a problem with installing the profile. Now, with a new environment (a new install of Windows), I have a problem with the connection. When going to the Agent and enrolling, I got a message that profile installation failed and a network connection error occurred. I have iOS 5.0.1. The server is pinging. No errors were found in Altiris Log Viewer.

    With 4.3.5 everything was fine.

    I see that your application is a bit bugged...



  • 2.  RE: MMS Profile installation failed

    Posted Nov 28, 2011 08:05 AM

    What is the override URL for your Mobile Management Server?  It should have 'use https' checked, port 443 in use, and an external IP address or DNS name.  Ideally, a DNS name that matches an externally-signed SSL certificate that you've installed onto your MMS box.

    Are you using an externally-signed SSL certificate that matches the externally-resolvable FQDN of your MMS server?  Can you connect to the server from the internet on port 443?  To test, connect to public internet (e.g. coffee shop wireless) and use telnet to access the server on port 443 (e.g. telnet mms-server.mydomain.com).  You must use telnet because clients do not connect over the port used by ping.

    Are your clients using internal wireless or external wireless/3G for this connection?

    SSL is required for iOS 5, and since you are only having issues with iOS 5, it suggests you're trying to use HTTP, which will work for iOS 4.
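
The checks described in this reply (port 443 reachable, certificate chain trusted, certificate name matching the host) can be run in one pass. This is an added example, not part of the original post; the function name `check_mms_endpoint` is hypothetical, and the local CA bundle is assumed to stand in for the device's trust store.

```python
import socket
import ssl

def check_mms_endpoint(host, port=443, timeout=5.0):
    """Probe host:port as an enrolling client would: TCP first, then verified TLS.

    Assumption: the local CA bundle approximates the device trust store;
    the two are not identical.
    """
    report = {"tcp_ok": False, "tls_ok": False, "detail": ""}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # refused, filtered, DNS failure or timeout
        report["detail"] = f"TCP connect failed: {exc}"
        return report
    report["tcp_ok"] = True  # ping cannot show this; it does not use TCP 443

    # Default context requires a chain to a trusted CA AND a matching host name.
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            issuer = dict(rdn[0] for rdn in cert["issuer"])
            name = issuer.get("organizationName") or issuer.get("commonName")
            report.update(tls_ok=True,
                          detail=f"issuer={name}, expires={cert['notAfter']}")
    except ssl.SSLCertVerificationError as exc:
        # Self-signed, untrusted issuer, expired, or name mismatch
        # (for example when the override URL is an IP address).
        report["detail"] = f"certificate rejected: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        report["detail"] = f"TLS handshake failed: {exc}"
    finally:
        sock.close()
    return report
```

Run it against the exact host name placed in the override URL, from the same network the devices use.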



  • 3.  RE: MMS Profile installation failed

    Posted Nov 29, 2011 10:58 AM

    Hello all,

    I'm working together with "piotrparfeniuk" on this project, so I am sending a more detailed description of this problem. The MMS was installed in a single step directly from the 7.1 MR1 install package. The problem occurs on both iOS 4.x and iOS 5.

    The override URL for my MMS is the server IP address, "use https" is checked and the port is set to 443. My clients are using an internal wireless connection.

    Below is a log from the device during a failed iPad profile installation attempt:

    wt. lis 29 09:40:09 sandboxd[346] <Notice>: Mobile MGMT(337) deny file-write-create /private/var/mobile/Applications/55798F0F-F1FF-45CF-89BB-EB6146F24B9B/Documentsapt

    wt. lis 29 09:40:09 sandboxd[346] <Notice>: Mobile MGMT(337) deny file-write-create /private/var/mobile/Applications/55798F0F-F1FF-45CF-89BB-EB6146F24B9B/Documentsapt

    wt. lis 29 09:40:11 profiled[352] <Notice>: (Note ) profiled: Service starting...

    wt. lis 29 09:40:11 profiled[352] <Notice>: (Note ) MC: Profile “com.symantec.mdm.enrollment.{0B46FF82-B1D5-4C4F-B49F-BDAF5221951A}” queued for installation.

    wt. lis 29 09:40:11 Preferences[129] <Warning>: -[VPNConnectionStore reloadVPN]: The active VPN configuration has changed from  to (null)

    wt. lis 29 09:40:12 Preferences[129] <Warning>: -[VPNBundleController _vpnConfigurationChanged:] (0xe620910:<VPNBundleController: 0xe620910>): _serviceCount(0), serviceCount(0), toggleInRootMenu(0), RootMenuItem(1)

    wt. lis 29 09:40:13 profiled[352] <Notice>: (Note ) MC: Checking for MDM installation...

    wt. lis 29 09:40:13 profiled[352] <Notice>: (Note ) MC: ...finished checking for MDM installation.

    wt. lis 29 09:40:13 profiled[352] <Notice>: (Note ) MC: Beginning profile installation...

    wt. lis 29 09:40:16 profiled[352] <Notice>: (Error) MC: Cannot retrieve SCEP identity: NSError:
    Desc   : Wystąpił błąd sieci.
    Sugg   : zły URL
    US Desc: A network error has occurred.
    Domain : MCSCEPErrorDomain
    Code   : 22005
    Type   : MCFatalError
    ...Underlying error:
    NSError:
    Desc   : zły URL
    Domain : NSURLErrorDomain
    Code   : -1000
    Type   : MCFatalError

    wt. lis 29 09:40:16 profiled[352] <Notice>: (Error) MC: Rolling back installation of profile “com.symantec.mdm.enrollment.{0B46FF82-B1D5-4C4F-B49F-BDAF5221951A}”...

    wt. lis 29 09:40:16 profiled[352] <Notice>: (Error) MC: Installation of profile “com.symantec.mdm.enrollment.{0B46FF82-B1D5-4C4F-B49F-BDAF5221951A}” failed with error: NSError:
    Desc   : Nie można było zainstalować profilu „MDM Enrollment”.
    Sugg   : Wystąpił błąd sieci.
    US Desc: The profile “MDM Enrollment” could not be installed.
    US Sugg: A network error has occurred.
    Domain : MCProfileErrorDomain
    Code   : 1009
    Type   : MCFatalError
    Params : (
        "MDM Enrollment"
    )

    We don't have any idea how to resolve this problem.

    For now, we used an alternative solution, as follows. We installed MMS 7.1 without the MR1 FixPack. Then we enrolled devices with iOS 4.x over HTTP. Everything was fine. In the next step we installed the MR1 hotfix. Now all devices with iOS 4.x over HTTP are working fine, but we still have problems with iOS 5 over HTTPS.

    Below are the logs from an iPad device with iOS 5 when we try to enroll it over HTTPS:

    wt. lis 29 14:59:56 profiled[366] <Notice>: (Error) MC: Profile “com.symantec.mdm.enrollment.{CE13EF37-7453-4C88-9249-053FD5DAF976}” failed to install with error: NSError:
    Desc   : Instalacja profilu nie udała się
    Sugg   : Nie można było zainstalować profilu „MDM Enrollment”.
    US Desc: Profile Failed to Install
    US Sugg: The profile “MDM Enrollment” could not be installed.
    Domain : MCInstallationErrorDomain
    Code   : 4001
    Type   : MCFatalError
    ...Underlying error:
    NSError:
    Desc   : Nie można było zainstalować profilu „MDM Enrollment”.
    Sugg   : Nie można było zainstalować pakietu danych „MDM”.
    US Desc: The profile “MDM Enrollment” could not be installed.
    US Sugg: The payload “MDM” could not be installed.
    Domain : MCProfileErrorDomain
    Code   : 1009
    Type   : MCFatalError
    Params : (
        "MDM Enrollment"
    )
    ...Underlying error:
    NSError:
    Desc   : Nie można było zainstalować pakietu danych „MDM”.
    Sugg   : Certyfikat serwera dla „https://SMM-IPAD.poc.com/IOSServices/mdm.sync” jest nieprawidłowy.
    US Desc: The payload “MDM” could not be installed.
    US Sugg: The server certificate for “https://SMM-IPAD.poc.com/IOSServices/mdm.sync” is invalid.
    Domain : MCInstallationErrorDomain
    Code   : 4001
    Type   : MCFatalError
    Params : (
        MDM
    )
    ...Underlying error:
    NSError:
    Desc   : Certyfikat serwera dla „https://SMM-IPAD.poc.com/IOSServices/mdm.sync” jest nieprawidłowy.
    US Desc: The server certificate for “https://SMM-IPAD.poc.com/IOSServices/mdm.sync” is invalid.
    Domain : MCHTTPTransactionErrorDomain
    Code   : 23002
    Type   : MCFatalError
    Params : (
        "https://SMM-IPAD.poc.com/IOSServices/mdm.sync"
    )

    Looks like a problem with the certificate.

    Do you have any ideas or suggestions?

     

    Regards

    Tomek
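
The nested NSError chains in the two device logs above bury the actionable error at the bottom. The following sketch walks each chain to its innermost error; it is an added example, not part of the original post, and the function names and the wording in `HINTS` are assumptions made for illustration.

```python
import re
FIELD = re.compile(r"^(US Desc|US Sugg|Desc|Sugg|Domain|Code|Type|Params)\s*:\s*(.*)$")
LOGLINE = re.compile(r"\w+\[\d+\] <\w+>:")  # e.g. "profiled[366] <Notice>:"
HINTS = {  # triage wording added for this example, keyed by (domain, code)
    ("NSURLErrorDomain", -1000): "malformed URL in the profile; check server/SCEP URL",
    ("MCHTTPTransactionErrorDomain", 23002): "server certificate rejected; check issuer and host name",
}

def parse_chains(text):
    """Return one list of error dicts (outermost first) per failing log entry."""
    chains, current, key, fresh = [], None, None, True
    for raw in text.splitlines():
        line = raw.strip()
        is_log = bool(LOGLINE.search(line))
        if is_log:  # a new syslog entry ends any chain in progress
            fresh, current = True, None
        if line.endswith("NSError:"):
            if fresh:
                chains.append([])
            fresh, current, key = False, {}, None
            chains[-1].append(current)
        elif is_log or current is None or not line or line.startswith("...Underlying"):
            continue
        elif (m := FIELD.match(line)):
            key = m.group(1)
            current[key] = m.group(2).strip()
        elif key:  # wrapped value, e.g. a URL pushed onto the next line
            current[key] = f"{current[key]} {line}"
    return chains

def root_causes(text):
    """Yield the innermost error of each chain as (domain, code, message, hint)."""
    for err in (chain[-1] for chain in parse_chains(text)):
        ident = (err.get("Domain"), int(err.get("Code", 0)))
        msg = err.get("US Sugg") or err.get("US Desc") or err.get("Desc", "")
        yield ident + (msg, HINTS.get(ident, "no hint"))

# Condensed excerpt of the iOS 5 log posted above (localized lines left out).
SAMPLE = """\
wt. lis 29 14:59:56 profiled[366] <Notice>: (Error) MC: Profile failed to install with error: NSError:
Domain : MCInstallationErrorDomain
Code   : 4001
...Underlying error:
NSError:
US Sugg: The server certificate for
“https://SMM-IPAD.poc.com/IOSServices/mdm.sync” is invalid.
Domain : MCHTTPTransactionErrorDomain
Code   : 23002
"""
```

`list(root_causes(SAMPLE))` yields a single entry whose domain and code are `MCHTTPTransactionErrorDomain` and `23002`.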



  • 4.  RE: MMS Profile installation failed

    Posted Nov 29, 2011 12:20 PM

    Looks like you have something like

    “com.symantec.mdm.enrollment

    It should be com.apple.mgmt.* where * can be whatever.  For example, com.apple.mgmt.mike-mms.prod and com.apple.mgmt.mike-mms.test would be valid APNS bundle identifiers.  You will need to recreate the APNS certificate at developer.apple.com to use this format, and then update all APNS settings and steps that you followed previously -- importing the certificate, copying the thumbprint, subject, and so forth.

    Does this help?



  • 5.  RE: MMS Profile installation failed

    Posted Nov 29, 2011 01:54 PM

    Also, ensure the SSL certificate is externally-signed and that SMM-IPAD.poc.com is accessible internally.  You will need to give it a legitimate FQDN for your company name (I'm assuming poc.com is not your actual domain) and obtain an externally-signed SSL certificate for the iOS 5 devices.



  • 6.  RE: MMS Profile installation failed

    Posted Nov 30, 2011 10:58 AM

    Do I understand correctly that in order to connect a device with iOS 5 I must have an externally-signed SSL certificate? Even when I connect via an internal Wi-Fi network?

    Where can I change the parameter "“com.symantec.mdm.enrollment"? My configuration is given in the attached screenshots.

    Regards

    Tomek



  • 7.  RE: MMS Profile installation failed

    Posted Dec 29, 2011 12:02 PM

    As mentioned you will need to create a new App ID with the correct bundle identifier at developer.apple.com.



  • 8.  RE: MMS Profile installation failed

    Posted Jan 09, 2012 07:14 AM

    Thanks for this. I, too, was getting the error "MDM profile installation failed" on an iPad 5 device but no problems on an iPad 4.3 device. Switching my self-signed SSL certificate for an externally signed certificate enabled the iPad 5 device to work.

     

    Thanks again

     

    Mike