Endpoint Security Complete

Hello,

I have installed a new platform with Mobile Management solution 7.1MR1.

All is working fine on IOS4 but doesn't work with IOS5. When I try to enroll an ios5 device (internally by wifi and using https), I have the popup to accept eula and after the device can't install MDM profile.

During the MDM Enrollment profil I see the following logs using Iphone Configuration utility and I have a popup on the device that said :"Failed to install profile".

Any idea? thanks in advance
 

Iphone Configuration utility Logs :

Desc   : Le certificat de serveur pour https://MMS-NS.SBMDMDMO.local/IOSServices/mdm.sync nest pas valide.
US Desc: The server certificate for https://MMS-NS.SBMDMDMO.local/IOSServices/mdm.sync is invalid.
Domain : MCHTTPTransactionErrorDomain
Code   : 23002
Type   : MCFatalError
Params : (
"https://MMS-NS.SBMDMDMO.local/IOSServices/mdm.sync"
)
Jan  3 18:36:55 iPad-de-Demo-SBMDM profiled[112] <Notice>: (Error) MDM: Cannot Authenticate. Error: NSError:
Desc   : Le certificat de serveur pour https://MMS-NS.SBMDMDMO.local/IOSServices/mdm.sync nest pas valide.
US Desc: The server certificate for https://MMS-NS.SBMDMDMO.local/IOSServices/mdm.sync is invalid.
Domain : MCHTTPTransactionErrorDomain
Code   : 23002
Type   : MCFatalError
Params : (
"https://MMS-NS.SBMDMDMO.local/IOSServices/mdm.sync"
)
Jan  3 18:36:55 iPad-de-Demo-SBMDM profiled[112] <Notice>: (Error) MC: Cannot install MDM MDM. Error: NSError:
Desc   : Lentit MDM na pas pu tre installe.
Sugg   : Le certificat de serveur pour https://MMS-NS.SBMDMDMO.local/IOSServices/mdm.sync nest pas valide.
US Desc: The payload MDM could not be installed.
US Sugg: The server certificate for https://MMS-NS.SBMDMDMO.local/IOSServices/mdm.sync is invalid.
Domain : MCInstallationErrorDomain
Code   : 4001
Type   : MCFatalError
Params : (
MDM
)
...Underlying error:
NSError:
Desc   : Le certificat de serveur pour https://MMS-NS.SBMDMDMO.local/IOSServices/mdm.sync nest pas valide.
US Desc: The server certificate for https://MMS-NS.SBMDMDMO.local/IOSServices/mdm.sync is invalid.
Domain : MCHTTPTransactionErrorDomain
Code   : 23002
Type   : MCFatalError
Params : (
"https://MMS-NS.SBMDMDMO.local/IOSServices/mdm.sync"

A few things to check:

1) In the console, under Mobile Management Server Settings, Enrollment tab.  Click your Site Server, then Edit.  Ensure the "Override server connection info" is checked, "Use HTTPS" is checked, and port 443 is specified. 

2) On the iOS device that is failing, reset the Symantec agent (Configuration, Apps, Symantec Mobile Managment) and remove any installed profiles (Configuration, General, Profile, MDM Enrollment).  Try logging in again.  I originally couldn't get iOS 5 to work but I had attempted enrollement prior to installing MR1 (where iOS5 support was added) and it was preventing it from working until I removed the prior enrollment info.

3) Check the SSL certificate on the site server.  Are the dates valid?  Signed by an authority the agent trusts?

Hope that helps. 

You will need to export the self-signed SSL certificate and then import it into the iOS Configuration Editor in the Certificates area.  Then, when creating the installation profile, select this Certificate Profile as an additional profile to provide during enrollment.  What's happening is that the agent is going to the SSL URL, but because the SSL certificate is self-signed--because it is not externally signed--the SSL certificate is failing validation, and the enrollment halts.

Once you create a Certificates profile, include the self-signed certificate in the profile, and then include the profile in what you roll out to your agents, you'll SHOULD be okay.  Though it's best to use an externally-accessible MMS site server with an externally-signed SSL cert and a real, publicly-resolveable FQDN.

Does this help?

Hello Joe,

In response to your questions:

1: "Override server connection info" is checked, "Use HTTPS" is checked, and port 443 is specified

2: I try to remove all profile, reset agent, uninstall and reinstall Symantec agent (from apple store)

3: Certificate dates are ok and certificate is signed by an authority that the agent trust.

Thanks for your help

Hello Mike,

I try to import the certificate in the ios Configuration editor but I have alway the same issue.

When the ipad show the MDM Enrollment Profile install popup, I can see my additionnal certificate if I click on "More details button". When I clic on install button I have alway the same popup: "Unable to install profile - The profile MDM Enrollment can not be installed".

Which option do you choose when exporting the certificate: Export Private key? Which file format do you use (Der, base-64, P7b, Pfx) ?

Thanks for your help.

Export it as a .pfx then import it in the Credentials (not Certificate) area of the iOS Configuration Editor.

Then, for your iOS MDM Enrollment Configuration, click the yellow asterisk and select this Credentials profile as an Additional Configuration Profile to include.  Be sure to restart the Mobile Management Service Agent on your MMS site server.

Then delete all profiles and the Symantec Mobile Management Agent from the iOS device (to get a fresh start) and try again.  If it fails again in the same way, ensure you can resolve the server name -- I believe you were using a .local domain, which obviously isn't externally-resolveable.  If you can resolve it, ensure you can reach it on port 443 from the domain you're using.  Also ensure you've selected override for Mobile Management Server settings and have forced https, the proper FQDN, and port 443.

It fails again.

I'm using the solution internally by Wifi, I can resolve the FQDN and telnet is responding on port 443.

Additionnaly to that I try to connect to the enrollment adress with HTTPS and FQDN using Safari on the IOS device and I have the success message.

I have also selected overide, forced https and port 443.

Is your SCEP server available and have you properly configured all of those steps?  Can you reach the FQDN of the SCEP server on 443?  Have you double-checked the SCEP certificate details are correct in each of the screens in MMS?  Be sure to restart the Symantec Mobile Service Agent on your MMS SS if you change any settings.

Issue is now solved!

I could fixed it by buying an externally-signed SSL

Thanks for your help.

Stef

Hello Stephane,

I am glad you found a solution.  I am having the same issues in my proof of concept.

I am only connecting via internal WLAN and am getting "Profile failed to install" error as well as similar iOS console errors as you did.

A self certificate did not work for my scenario no matter how I configured it.

I am purchasing an external SSL certificate today and should receive it tomorrow.

Could I ask you if you had to set it up any particular way?  Or did you just import it into IIS

Any where in the symantec console did you add the certificate,  iOS Configuration Editor?  iOS MDM Enrollment Config?

Thank you for your time,

Clay

Hello Clay,

first you need to purchase a certificate that authority is recognised by apple by foolowing this apple technote: http://support.apple.com/kb/HT5012

Once you have your certificate, you just have to bind it to your website in IIS on your mobile server. Nothing else to do in configuration editor or enrollment config.

Hope it could be help you.

Stéf.

Stef,

Thank you for your direction.

I received my externally signed SSL cert and viola.  I am now able to download and install the MDM profile.

Now to test the real functionality of the MDM solution.

Thanks again,

Clay