iOS Mobile device management failed to install profile
Possible issues can be:
1. Check your CN first. Yes, it should match the domain. If you are testing it on your local machine, make sure to add the IP there.
2. Make sure your SSL certificate is signed with the Root CA if it's self-signed. The signer should be clearly indicated as Root CA.
3. If you are using an RA certificate, it also needs to be signed by the Root CA.
4. Implement the check-in and server URLs as PUT methods. If this is not implemented, it will simply give this error.
I also had your issue due to point 4) and managed to resolve that.
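The CN rule from the answer above can be checked before a profile is handed to a device. The following is an added example, not code from the original posts: it reads `ServerURL` and `CheckInURL` from an unsigned .mobileconfig and compares the host part (no port, no path) with the names in the server certificate. The sample profile and the helper names (`mdm_hosts`, `name_matches`, `check_profile`) are constructed for illustration, and the certificate names are assumed to have been read from the certificate separately.

```python
import ipaddress
import plistlib
from urllib.parse import urlsplit

# Constructed sample: an unsigned profile reduced to the MDM payload keys used here.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.apple.mdm",
        "ServerURL": "https://address.To.Server:9769/mdm/",
        "CheckInURL": "https://address.To.Server:9769/mdm/",
    }],
})


def mdm_hosts(profile_bytes):
    """Map ServerURL/CheckInURL of the com.apple.mdm payload to their host part."""
    hosts = {}
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mdm":
            continue
        for key in ("ServerURL", "CheckInURL"):
            if key in payload:
                # .hostname drops the port and path and lowercases the name
                hosts[key] = urlsplit(payload[key]).hostname
    return hosts


def name_matches(host, cert_name):
    """True if one certificate name (CN or SAN entry) covers the URL host."""
    cert_name = cert_name.strip().lower()
    try:
        # Local test setups that use an IP in the URL need that IP in the cert
        return ipaddress.ip_address(host) == ipaddress.ip_address(cert_name)
    except ValueError:
        pass
    if cert_name.startswith("*."):
        # A wildcard stands for exactly one left-most label
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return host == cert_name


def check_profile(profile_bytes, cert_names):
    """Per URL key, report whether any certificate name matches its host."""
    return {key: any(name_matches(host, name) for name in cert_names)
            for key, host in mdm_hosts(profile_bytes).items()}


if __name__ == "__main__":
    print(check_profile(SAMPLE_PROFILE, ["address.To.Server:9769/mdm/"]))
    print(check_profile(SAMPLE_PROFILE, ["address.To.Server"]))
```

A CN that carries the port or the `/mdm/` path fails the check for both URLs, while the bare host name passes.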
soniality
Updated on February 06, 2023
Comments
-
soniality over 1 year
I'm trying to set up an MDM check-in connection from my device to the server. In my .mobileconfig I already put in the identity, which is from the credential; I generated it from Keychain Access and am using the .p12 file. For Server & Check-in URL - https://address.To.Server:9769/mdm/
I'm hosting my server in Tomcat with SSL enabled, for which I generated the JKS using keytool - "keytool -importkeystore -srckeystore client-cert.p12 -srcstoretype PKCS12 -destkeystore keystore.jks"
*client-cert.p12 is the same as the .p12 file I put in the mobileconfig's identity.
If I'm not mistaken, all the requests from iOS to the server use the HTTP PUT method. I already tried accessing my server directly from the Chrome browser and had no problem with it. I believe it is a certificate problem, but I have no clue what is happening.
I got all these errors when I tried to install the profile from Safari.
>Notice: (Error) MC: Connection to <server> failed with error: NSError:
>Desc : The server certificate for <server> is invalid.
>US Desc: The server certificate for <server> is invalid.
>Domain : MCHTTPTransactionErrorDomain
>Code : 23002
>Type : MCFatalError
>Params : ( "<server>" )
>
>Notice: (Error) MC: Cannot install MDM Mobile Device Management. Error: NSError:
>Desc : The payload Mobile Device Management could not be installed.
>Sugg : The server certificate for <server> is invalid.
>US Desc: The payload Mobile Device Management could not be installed.
>US Sugg: The server certificate for <server> is invalid.
>Domain : MCInstallationErrorDomain
>Code : 4001
>Type : MCFatalError
>Params : ( "Mobile Device Management" )
>
>Desc : The profile SilverlakeMDM could not be installed.
>Sugg : The payload Mobile Device Management could not be installed.
>US Desc: The profile SilverlakeMDM could not be installed.
>US Sugg: The payload Mobile Device Management could not be installed.
>Domain : MCProfileErrorDomain
>Code : 1009
>Type : MCFatalError
>Params : ( SilverlakeMDM )
Below is the output from my server console:
>httpsConnector.receiver.02 ERROR DefaultSystemExceptionStrategy:300 logException - Caught exception in Exception Strategy: Received close_notify during handshake
>javax.net.ssl.SSLException: Received close_notify during handshake
>    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
>    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1868)
>    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1821)
>    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1922)
>    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1059)
>    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1294)
>    at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:848)
>    at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
>    at sun.security.ssl.AppInputStream.read(AppInputStream.java:69)
>    at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78)
>    at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:106)
>    at org.mule.transport.http.HttpServerConnection.readLine(HttpServerConnection.java:219)
>    at org.mule.transport.http.HttpServerConnection.readRequest(HttpServerConnection.java:185)
>    at org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:155)
>    at org.mule.work.WorkerContext.run(WorkerContext.java:311)
>    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
>    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
>    at java.lang.Thread.run(Thread.java:722)
-
soniality almost 11 years
I am able to access the https link using my iPad Safari, but the cert is stated as not trusted because it is a self-signed certificate. For the configuration profile, I generate it using IPCU and insert the .p12 generated from Keychain Access into the identity section in IPCU. I can't install the profile because of "The server certificate for <server> is invalid". By the way, am I doing it right in generating the certificate? I'm confused.
-
Victor Ronin almost 11 years
First of all, disregard my comment regarding cert trusted or not. I just looked in the iOS UI and it looks like it doesn't indicate any per-cert status, but rather indicates Unsigned/Verified status for the whole profile.
-
Victor Ronin almost 11 years
Regarding cert generation. Just to make sure that we are on the same page. The Credentials item in IPCU allows you to add one of two things: 1) .cer (this will make the iOS device trust the server cert). 2) PKCS12 - it's the device identity cert (it's a cert and private key which will be used by a device to authenticate to the server). At the end of the day, if your server has a self-signed key, you should install both the server certificate + (PKCS12 or SCEP).
-
Victor Ronin almost 11 years
If I am not mistaken, Apple downloads has some configuration profiles for diagnostics and one of them is for diagnostic of MDM errors. You can install this configuration profile and in such case, it may give you more information on your error.
-
soniality over 10 years
According to this answer here stackoverflow.com/a/10905901/2695014, my CN would be address.To.Server:9769/mdm/ or address.To.Server:9769? Is it necessary to set the CN according to my server address?
-
Victor Ronin over 10 years
Read this question for details: stackoverflow.com/questions/5935369/… Generally speaking CN should be equal to your host and domain. It shouldn't include ports (like 9769) and it shouldn't include path (/mdm)
-
Imran almost 9 years
Hi, which server are you using for MDM? Initially we used a dedicated server but now we are transferring to Microsoft Azure. So the profile installation is failing when we are installing it (Profile Installation Failed), which used to work earlier. Maybe Azure has an issue with the PUT request, from what I got to know till now. Do you have any idea about it? Do we need to create fresh certificates?
-
Dilshan almost 9 years
Right now I am just a developer of WSO2 EMM. This will work with WSO2 EMM.
-
mor222 about 7 years
@soniality did you solve your problem? I have the same issue.