Video Screencast Help

Symante Mobile Management Agent for IOS

Created: 11 Jun 2012 | 23 comments
prasad.ganta's picture

Hi All,

           We are setting up Symantec Mobile Management in our environment. Configured required components and servers. Installed mobile management agent for IOS using apple app store. Enrolled the device but when trying to open any of the tabs like updates/about/ any other tab, it is saying

mobile library not available and symantec mobile management enrollment is not yet done. When I viewed reports for mobile managment, for the device it is saying Agent installed as False.

Please do the needful to overcome the issue...

 

Thanks in Advance...

Comments 23 CommentsJump to latest comment

joe.zeles's picture

If you go to Settings -> General -> Profiles, do you have an MDM profile?  If you don't, your install didn't succeed.  If thats the case, try resetting the agent on the device (done from Settings) and then try again.

Joe Zeles - Sr. Systems Engineer

Intuitive Technology Group - Symantec Platinum Partner

prasad.ganta's picture

Hi,

        I could not see profiles column under general in settings tab of device. Hence, I uninstalled the agent and trying to reinstall the agent.

Also I am unable to browse  http://MMSserverIP/MobileEnrollment/SYMC-iOSEnroll... in my IPAD.I could browse the same in my local network and also in DMZ. Any things need to be checked at the device.

thanks in advance..

mclemson's picture

If you uninstall and reinstall the agent, you must manually delete the Profile from within the Settings > General > Profiles area on the iPad. 

If you browse the Symc-iOSEnroll.aspx URL from the same network as your iOS devices will be enrolling from and do not receive the following text, you have a problem:

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<result>success</result>

Namely, if you see gobbledegook, you did not meet the minimum requirements for the MMS site server before you provisioned it, such as not installing the IIS or .NET components.  If the page does not load at all and you cannot reach the server on port 443, you have incorrectly configured SSL, IIS for SSL, or a port is blocked by a firewall or other network device.

Remember that your MMS site server must be externally accessible and must have an FQDN that matches the SSL certificate.  iOS 5 and later cannot enroll over HTTP, and cannot enroll over HTTPS if the certificate is not valid for the URL.  In other words, if you get an SSL certificate for my-mms.company.com, but then try to enroll over https://12.34.56.789/, the iOS device will not validate the SSL certificate and enrollment will fail.

Mike Clemson, Senior Systems Engineer, ASC
Intuitive Technology Group -- Symantec Platinum Partner
intuitivetech.com

prasad.ganta's picture

HI,

     We are checking the enrollment internally only. Also we are enrolling the device on IOS 4.3.3. Now I am able get result success for both http//Symc-iOSEnroll.aspx and https://Symc-iOSEnroll.aspx enroll url in the IOS device.

After reinstalling the agent, Tried re-enolling  the deive I got an error "MDM profile could nto be installed". After time I re-enrolling the device, a new error came up saying "Mobile Library not Available and MDM enrollment process is not completed".

I could not see profiles under General --> Profiles --> in the device.

Thanks in Advance.

 

Mina Gerges's picture

Hi,

Please post your iOS device logs during the enrollment process. the clue of why it fails might be there.

prasad.ganta's picture

Hi,

    Please find the device logs attached.....

But no information related to enrollment process is available in the device logs.

     

Thanks in Advance...

AttachmentSize
device log.txt 34.41 KB
prasad.ganta's picture

HI,

      Recollected the device logs and uploading the same...

Thanks in Advance....

AttachmentSize
device log.txt 31.57 KB
mclemson's picture

You must follow the steps in the KB to resolve the issues you see in the logs, which are caused by invalid HTTP headers.  After following the steps, restart the MMS server, Remove any profiles that are installed on your test device, and reattempt enrollment.

http://www.symantec.com/docs/HOWTO59804

Mike Clemson, Senior Systems Engineer, ASC
Intuitive Technology Group -- Symantec Platinum Partner
intuitivetech.com

prasad.ganta's picture

Hi,

     MMS server means site server or SMP where we install Mobile Management Solution...?

MMS Site server is not on windows 2008 R2 SP1 as specified in the article. But my SMP where MMS Solution is installed is on 2008 R2 SP1. So now the fix should be applied in MMS site server or SMP server.

thanks in advance..

 

HighTower's picture

That fix is supposed to be run on your MMS server.

mclemson's picture

Is your MMS site server Server 2003, Server 2008 R2, or Server 2008 R2 SP1?  If Server 2008 R2 SP1, run the fix on the MMS site server.  If Server 2003 or Server 2008 R2, uninstall the MMS SS components and reinstall them.  Be sure you meet the requirements (.NET Framework 3.5 SP1, Microsoft Message Queueing Service, ASP.NET).

Mike Clemson, Senior Systems Engineer, ASC
Intuitive Technology Group -- Symantec Platinum Partner
intuitivetech.com

prasad.ganta's picture

Hi,

     I installed the MMS site server on windows server 2008 SP2 not R2/2003. I have reinstalled the components as said and all the requirements are met but no luck... 

I am able to browse http://MMSSite server IP address/MobileEnrollment/SYMC-iOSEnroll.aspx with result success in the browser of IPAD but when trying to enroll the device the error is coming saying "Mobile Library not available and enrollment process is yet to complete"

Stuck at this point for the past 3 weeks... Any other things to check apart from this....?

Please help....

 

Thanks in Advance...

mclemson's picture

Per this KB, if the iOS device British English vs. English, change the iOS device to English and it should be able to access the Mobile Library:
http://www.symantec.com/business/support/index?page=content&id=TECH182561

If enrollment has really failed, then no enrollment profile will be present.  Are any profiles listed after your latest attempt at Settings > General > Profiles?  If not, you could have a configuration issue with SCEP.  Are you sure you've configured SCEP for multiple enrollments (challenge passphrase does not expire)?  Is the  most recent passphrase from that change part of your iOS enrollment configuration?

Mike Clemson, Senior Systems Engineer, ASC
Intuitive Technology Group -- Symantec Platinum Partner
intuitivetech.com

prasad.ganta's picture

Hi,

       The device languae setting is English but not British English.

Also I could not se any profiles listed under  Settings --. Genrel --> Profiles...

Yes .. SCEP is configured for Multiple Enrollments and Challenge Passphrase does not expire .....

I have reinstalled the MMS service in the machines where MMS site server uis configured and tried enrolling but still no luck...

Any other things to check.... because we may miss small things some times....

Thanks in Advance...

joe.zeles's picture

Looking at the logs, I don't see any log entries showing that the APNS connection was making it to the device.  Are you sure that the required ports are open (Outbound 2195, 2196, and inbound 5223)?  To verify these are open make sure you can telnet to them.  To do so:

telnet gateway.push.apple.com 2195

telnet gateway.push.apple.com 2196

 

 

Joe Zeles - Sr. Systems Engineer

Intuitive Technology Group - Symantec Platinum Partner

prasad.ganta's picture

Hi,

No exceptions are placed in firewall to the device or MMS site server. We have tested the ports in MMS site server and they are open.

Thanks in Advance...

joe.zeles's picture

I had a similar issue with a lack of communication, and it wasn't until I completely opened the firewall that we were able to get communication started.  We then discovered that one of the firewall rules was typo'ed.  We were able to show that there were firewall issues by showing we couldn't telnet to the needed location.

Joe Zeles - Sr. Systems Engineer

Intuitive Technology Group - Symantec Platinum Partner

mclemson's picture

Go ahead and try the HTTP headers fix anyway:
http://www.symantec.com/docs/HOWTO59804

I'd also be sure that your clients are using fully-qualified domain name of the server, not IP address.  Even though a certificate isn't in play that's always how I've done it.

Mike Clemson, Senior Systems Engineer, ASC
Intuitive Technology Group -- Symantec Platinum Partner
intuitivetech.com

joe.zeles's picture

How far in the enrollment process are you getting?  Whats the enrollment URL that you are entering in the agent?

Joe Zeles - Sr. Systems Engineer

Intuitive Technology Group - Symantec Platinum Partner

HighTower's picture

I just had similar behavior and it took an IISreset to get my SCEP server to accept enrollments again.

prasad.ganta's picture

Hi All,

Thanks for all the responses.....

We are checking at the firewall but we have no restrictions for the MMS site server from the firewall. We are using the below URL to enroll the devices..

http://MMSSiteserverIPAddress/MobileEnrollmet/ SYMC-iOSEnroll.aspx 

Also we have performed steps mentioned in the below article but not luck...

http://www.symantec.com/docs/HOWTO59804 --- This is for windows server 2008 R2 SP1 but our MMS site server is in windows 2008 SP2. We also tried this step but no luck on the same windows 2008 sp2 server...

Thanks in Advance...

 

MacBrinky's picture

Seeing this entry in your log = The strings don't match. Is this really a UUID?
I wonder if you have taken care for the setting mentioned in the article below?

iOS MDM Profile is unable to be installed - errors point to a SCEP Server invalid response
http://www.symantec.com/docs/TECH178368

What is your setting for the "Maximum query string (Bytes)”?

Further I wonder if you have the correct certificate pointed out in your iOS enrollment Settings (SCEP).
Is it the MDM CA certificate?

Mina Gerges's picture

Hi Prasad,

The enrollment can fail for several reasons, we can play the guessing game, or define the error and resolve it. The provided device logs do not cover the enrollment process, reproduce the issue and send the logs covering the enrollment process, will guide you what is the cause of the issue.

Also you can include the MDM logs under (programs files(x86)\Symantec\Mobile management\data\nlog)