
MDM Enrollment


  • 1.  MDM Enrollment

    Posted Oct 27, 2011 11:16 AM

    Hi,

    Finally I finished the configuration of my test Mobile Management Server.

    First test from iPad: before the enrollment process completes I received a message

    "Profile Failed to Install" The UUID for the profile "MDM Enrollment" is not unique.

    I searched Connect and the Internet but I can't find what the problem is. Any help would be great.

     

    Thanks

     

    Best Regards,

    Rubén



  • 2.  RE: MDM Enrollment

    Posted Oct 27, 2011 11:44 AM

    I'd try recreating the provisioning profile.



  • 3.  RE: MDM Enrollment

    Posted Oct 27, 2011 12:05 PM

    Hi Mike,

    You mean the Enrollment Profile for iOS?

     

    Regards,



  • 4.  RE: MDM Enrollment

    Posted Oct 27, 2011 02:21 PM

    Yes.  Perhaps it doesn't like the current one.



  • 5.  RE: MDM Enrollment

    Posted Oct 27, 2011 04:46 PM

    OK

    Now the error on the iPad is: Cannot install MDM Profile

    Regards,



  • 6.  RE: MDM Enrollment

    Posted Oct 31, 2011 02:42 PM

    If you are getting to the point where it's trying to install the MDM profile, the issue likely resides with the MDM enrollment certificate that you generated from Apple. The AppID MUST be in the format of 'com.apple.mgmt.<whateveryouwant>'. If it doesn't begin with com.apple.mgmt, the profile will not install.

    Let me know if that resolves your issue!



  • 7.  RE: MDM Enrollment

    Posted Nov 02, 2011 02:28 PM

    Hi Joe,

    My certificate is:

    com.apple.mgmt.testkenos

    I tested with iPad, iPod touch and iPhone; same result, UUID is not unique.

    Thanks,

    Ruben

     



  • 8.  RE: MDM Enrollment

    Posted Nov 10, 2011 03:14 PM

    Any update on this?  If you're running 2008 R2 with SP1 applied, you may need to run through this KB:
    http://www.symantec.com/docs/HOWTO59804

    Any errors from the Altiris Log Viewer?



  • 9.  RE: MDM Enrollment

    Posted Nov 10, 2011 05:21 PM

    Hi Mike,

    The Certificate Subject is: com.apple.mgmt.testkenos

     

    I recently upgraded to iOS 5 and now the error is "Safari was unable to install Profile"



  • 10.  RE: MDM Enrollment

    Posted Nov 11, 2011 03:57 PM

    I'd review all settings. 

    If you created your own CA, did you install Active Directory Certificate Services and then Certificate Authority?  Did you install NDES as a role service for ADCS?  Did you specify a user with adequate permissions as the user account for NDES, and add them to the IIS_IUSRS group?  What key character length did you select?  Did you install Certificate Enrollment Web Service and change it to Client certificate authentication instead of Windows Integrated?

    Did you configure NDES to allow multiple uses and non-expiration of the NDES enrollment challenge password by modifying the registry and restarting IIS, then confirming at http://<host>/certsrv/mscep_admin that it can be used multiple times and will not expire?

    Have you configured SCEP and the certs?  Did you make note of the Subject CN= value which is needed during the configuration process from the Details page of the SCEP certificate?  Did you create a new profile in the iOS configuration editor and paste in the proper values (http://<ip address>/CertSrv/mscep/MSCEP.dll)?  For the subject, did you remove all spaces from the Subject CN= value?  Did you copy the enrollment challenge password from the mscep_admin page and copy it to the challenge phrase within the iOS Configuration Editor?

    For the iOS MDM Enrollment profile, did you select the SCEP payload you created above and your subject is in the form com.apple.mgmt.<whatever>, is all lowercase, and matches what's on your APNS certificate that you installed on your MMS server?



  • 11.  RE: MDM Enrollment

    Posted Nov 11, 2011 05:49 PM

    Mike,

    First of all sorry, by mistake I answered you in the wrong post.

    Review

    I followed the video tutorials from Brian Fromm to configure the server

    https://www-secure.symantec.com/connect/user/brianfromm

    To avoid errors, I copy all settings into Notepad and then paste them on the Mobile Management Configuration Pages.

    However, I just did a double check based on your comments and everything looks right.

    On my test iPad I upgraded to iOS 5.1; now when I try to enroll the device the error is "Cannot Install Profile" Safari could not install a profile due to an unknown error.

    In the NS console I can see basic inventory of the device.



  • 12.  RE: MDM Enrollment

    Posted Nov 11, 2011 06:24 PM

    Are you running 2008 R2 SP1?  Did you follow this KB?
    http://www.symantec.com/docs/HOWTO59804



  • 13.  RE: MDM Enrollment

    Posted Nov 11, 2011 06:48 PM

    YES

    I'm running 2008 R2 SP1. I reviewed and followed the KB; the problem remains.

    I also updated Mobile Management to MR1.



  • 14.  RE: MDM Enrollment

    Posted Nov 14, 2011 10:46 AM

    Has anyone come up with a resolution for this?  I am having the EXACT same issue. 

     

    Safari could not install a profile due to an unknown error.

     

    I have recreated my server 3 times, followed Brian Fromm's videos to a T and have my certificate in the form of com.apple.mgmt.mycompanyname

     

    It's the same error every time, it's driving me nuts.

     

    Thanks,

    Patrick



  • 15.  RE: MDM Enrollment

    Posted Nov 14, 2011 02:07 PM

    Are you using HTTP or HTTPS for your MMS SS?  Have you confirmed the IP address you have in the override settings is accessible by the client?  If HTTPS, are you using an externally-signed cert (e.g. VeriSign, GoDaddy)?



  • 16.  RE: MDM Enrollment

    Posted Nov 14, 2011 05:34 PM

    HTTP

    I'm using HTTP for the MMS SS. The IP address is accessible; I can even open the NS Console from the iPad (with limitations of course).



  • 17.  RE: MDM Enrollment

    Posted Nov 15, 2011 01:21 PM

    http://www.symantec.com/business/support/index?page=content&id=TECH173907

     

    Looks like this is a problem with SP1 for Windows Server 2008 mr2. Very nice, Symantec.



  • 18.  RE: MDM Enrollment

    Posted Nov 15, 2011 03:50 PM

    You should uninstall SP1 for 2008 R2 and ensure you're using HTTPS if you're trying to enroll an iOS 5 device.  HTTPS is required for iOS 5 and 2008 R2 SP1 remains unsupported, as mentioned in the install guides.

    If you uninstall SP1 and use HTTPS with an externally-signed certificate and the appropriate override checkbox, are you able to enroll a device?



  • 19.  RE: MDM Enrollment

    Posted Nov 18, 2011 12:27 PM

    Any update on this? SSL is required for iOS 5. If you're doing an internal test over WiFi, you'll need to use SSL with a self-signed cert. If you're doing this over 3G, you'll need an externally-available MMS SS with an external IP (real external, or through one-to-one NAT) or a reverse proxy. Then you'll need an externally-signed cert installed on the MMS SS via an org like GoDaddy. Then use the override checkbox to use https and contact the SS on a URL like mms.companyname.com on port 443.

    Then uninstall the agent from your iOS 5 device, go to General, Profiles, and remove all certificates/profiles present.  Then reinstall and reenroll and you should be functional.

    Does this solve the issue?
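
The checks raised across this thread (the "UUID is not unique" error from the first post, the lowercase com.apple.mgmt. subject that must match the APNS certificate, and HTTPS for iOS 5) can be run against an exported enrollment profile before it reaches a device. This is an added example, not part of any post or of the Symantec product: the key names are Apple configuration-profile payload keys, the sample profile and hostnames are constructed, and treating the thread's "subject" as the MDM payload's Topic key is an assumption.

```python
import plistlib
from collections import Counter
from urllib.parse import urlparse

def lint_profile(raw, apns_topic):
    """Return findings for a .mobileconfig enrollment profile given as plist bytes."""
    profile = plistlib.loads(raw)
    payloads = profile.get("PayloadContent", [])
    findings = []
    # The profile and each payload inside it must carry a distinct PayloadUUID.
    uuids = Counter(p.get("PayloadUUID") for p in [profile, *payloads])
    findings += [f"duplicate PayloadUUID {u}" for u, n in uuids.items() if u and n > 1]
    for p in payloads:
        if p.get("PayloadType") != "com.apple.mdm":
            continue
        topic = p.get("Topic", "")
        if not topic.startswith("com.apple.mgmt."):
            findings.append(f"Topic {topic!r} lacks the com.apple.mgmt. prefix")
        if topic != topic.lower():
            findings.append(f"Topic {topic!r} is not all lowercase")
        if topic != apns_topic:
            findings.append(f"Topic {topic!r} differs from APNS subject {apns_topic!r}")
        for key in ("ServerURL", "CheckInURL"):
            url = p.get(key)
            if url and urlparse(url).scheme != "https":
                findings.append(f"{key} is not HTTPS: {url}")
        # The MDM payload must point at an identity (e.g. SCEP) payload in this profile.
        if p.get("IdentityCertificateUUID") not in uuids:
            findings.append("IdentityCertificateUUID matches no payload in the profile")
    return findings

def sample_profile():
    # Constructed sample, not taken from the thread: the SCEP and MDM payloads
    # share one UUID, the Topic has an uppercase letter, and the server URL is HTTP.
    shared = "11111111-2222-3333-4444-555555555555"
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadUUID": "aaaaaaaa-0000-0000-0000-000000000001",
        "PayloadContent": [
            {"PayloadType": "com.apple.security.scep", "PayloadUUID": shared,
             "PayloadContent": {"URL": "http://192.0.2.10/CertSrv/mscep/MSCEP.dll"}},
            {"PayloadType": "com.apple.mdm", "PayloadUUID": shared,
             "Topic": "com.apple.mgmt.Example", "IdentityCertificateUUID": shared,
             "ServerURL": "http://mms.example.com/mdm"},
        ],
    })

if __name__ == "__main__":
    for finding in lint_profile(sample_profile(), "com.apple.mgmt.example"):
        print(finding)
```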



  • 20.  RE: MDM Enrollment

    Posted Nov 18, 2011 01:44 PM

    Hi Mike,

    I'm working on a test environment and sharing resources with other users. I will be unable to uninstall SP1 for a while to continue testing MM.

    I will advance with the installation of the self-signed cert.

     

    Thanks!!!!!

    Rubén



  • 21.  RE: MDM Enrollment

    Posted Feb 29, 2012 08:32 AM

    All the pointers you have mentioned, I have checked.

    Still, when I connect a new iOS 5 device (iPhone or iPad 2) I get a "safari cannot install a profile" popup.

     

    I've got Wireshark running everywhere and I can see communication with the Apple servers and with the MMS server. One thing I did notice is that during initialisation between the iPad and MMS server (MDM server) there are NO TCP/IP packages triggered to the SCEP server.

     

    Have I overlooked something?