As a twice-stung Lion Server configuration engineer, I approached the Lion Profile Manager Service with much apprehension. And it did not disappoint.
Please bear in mind I was using the 10.7.2 update of Lion Server at the time and was plagued with cryptic error messages and a complete failure to run. Eventually I abandoned my testing to concentrate on more pressing matters, the VPN testing, see my previous blog posts: Lion Server and VPN and Lion Server and VPN Episode 3.
After the release of 10.7.3 and the fixing of the VPN service (but requiring me to fully reinstall my server from scratch) I decided to take another plug at configuring Profile Manager. Again, I was met with more disappointment, but at least the service now turned on and was accessible via the web pages. This meant I could manually install profiles, but I could not actually enrol devices (one of the main features of Lion Profile Manager).
At this point I have to be honest and say I was more annoyed than I can get across without profanity so I left this alone. That was until I went through more guides and tried attempt number three. Eventually this resulted in success!
In a move to save others from my grief, I have decided to share the steps I took to configure my Lion Profile Manager Server. Next time I will also go through common failures and ways to resolve them.
Please note: This guide is designed for those who are at least fairly familiar with Lion Server and its configuration and just want to know what hoops they need to jump through, when and how.
The Step-By-Step: Part 1
1. Install a fresh copy of Lion Server, created the default admin account (plus a second as a backup, should the first ever become corrupt in the future!) and install all Software Updates, including the manual installation of the Server Admin Tools (including Workgroup Manager and Server Admin).
2. Configure the server with its Manual IP address details, including it self as the first DNS server.
3. Launch Server Admin and enable to DNS service. Configure both forward (‘A’ record) and reverse (‘PTR’ record) for your server.
For example, my server was ‘test.internal.amsys.co.uk’ with the IP 10.0.0.56.
I created the Primary domain of ‘internal.amsys.co.uk’ and then created the DNS records for test.internal.amsys.co.uk < – > 10.0.0.56.
(This step can be actually carried out on another server, indeed a non-mac server with the appropriate changes made in step 2, however, I have kept this local for ease of instruction).
4. Run the checkhostname command to confirm and correct the DNS hostname as far as the OS is concerned. This requires you to launch the terminal application and type the following command in:
sudo changeip -checkhostname
This will spit out a message. The key line you are looking for is “There is nothing to change” in which case, move onto step 5.If any other message is displayed, than it will also spit out the command to correct the issue. This is displayed after the ‘e.g.’. Simply copy and paste this into the terminal, as root. Once complete, rerun step 4 until ‘there is nothing to change’.
5. Next step is to check the DNS of the server a second method to ensure all is ok. Launch the terminal application and type the following command in:
This should spit out the hostname the server thinks it should have, in our example, this should spit out test.internal.amsys.co.uk.Now copy the hostname and type the following command into the terminal window:
dig [ hostname ]
Where the ‘[ hostname ]’ is the result from the first part of step 5. In our example, this would be dig test.internal.amsys.co.uk.
This will spit out an IP address in the ‘Answer’ section. This should match what has been set it steps 2 and 3, in the case of our example 10.0.0.56.
Finally, type the following in the terminal window:
dig –x [ IP Address ]
Where the ‘[ IP Address ]’ is the result from the above test.
This should spit out the hostname as we found in the first part of this step.
Please Note: If any of these should not produce the correct results, you will need to recheck all of your DNS settings as, if these values are not correct, all of the next step will fail.
6. Right, the next step is to get a new SSL certificate from the Server.app.
a. Launch the Server.app and connect to the server.
b. Select your server under the ‘HARDWARE’ heading and, once loaded, select the ‘Settings’ Tab.
c. Find the ‘SSL Certificate’ section and click the ‘Edit’ button.
d. Click the Action Cog and select ‘Manage Certificates…’.
e. Click the plus (‘add’) symbol and select ‘Create a Certificate Identity..’ option.
f. On the new page, fill in the full FQDN the iOS devices will use to access your server (most likely this will be the external DNS name). Leave the Type fields as ‘Self Signed root’ and ‘SSL Server’ as defaults and TICK the ‘Let me override defaults’ box. Click ‘Create’, followed by ‘continue’.
g. Leave the Serial Number and validity Period as defaults (unless you feel like experimenting) and click ‘Continue’.
h. In the Email Address Field, type in an administrators email address, NOT an individual user’s email and preferable one not hosted on this server. Fill in the Common Name with the FQDN from step 6f. Fill in all of the other boxes as appropriate and click ‘Continue’.
i. Leave the Key Pair information screen at defaults and click ‘Continue’.
j. And the same for Key Usage, Extended Key usage and Base Constraints screens (3). Click ‘Continue’ on all three.
k. On the ‘Subject alternate Name Extension’ screen, remove anything in the iPAddress box. In the dNSName box, fill in all of the FQDNs that people can access your server from, separated by spaces. Click ‘Continue’.
l. Once complete click ‘Done’ followed by ‘allow’ on the Keychain warning screen. Finally, once your new certificate is added to the list, click ‘OK’.
7. The Next step is to set the new SSL Certificate for use on out server:
a. Click the SSL Certificate Edit button again.
b. In the Certificate drop down box, select your newly created self signed certificate. Click ‘OK’. Wait 30 – 90 seconds for the certificate to be set to the relevant services.
8. The final Step on the preparation side of things is to go to the ‘Web’ service and launch this service. Leave the settings at default and just turn it on. Check the default webpage loads fine.
The Step-By-Step: Intermission
And deep breaths! Go have a cup of tea. We’re halfway through, with all of the prep work carried out. All of these steps are necessary I’m afraid, as even one wrongly configured part above will cause the failure of the profile manager service configuration with its lovely cryptic error messages.
The Step-By-Step: Part 2
Nice break? Finished your tea? Lets get back in….
9. Relaunch the Server.app, if required, and select the profile manager service.
10. Select the ‘Configure’ button and follow through each screen, letting the wizard create an Open Directory Master as required.
11. Whilst this is going on, navigate to https://appleid.apple.com and create a new Apple ID. We would recommend this is created as a company one, not an individual’s. More importantly, this will have to have NOT been used previously to issue Apple Push Certificates.
12. Ensure to also register a non-iCloud / non-MobileMe email address and to follow the steps to verify this address.
13. When prompted, use this new Apple ID to get the Apple Push Certifications.
14. Set the newly created Intermediate certificate when prompted and wait for the Profile Manager Configuration wizard to complete. Once this has been done, turn the Profile Manager service on.
15. This may take up to 5 minutes to sort it self out, but once the spinning cog disappears from the lower right corner, move onto step 16.
16. Create a test user account in OD (or import from an OD backup).
17. On the iOS device, connect to your newly created server’s webpage via safari and navigate to the profile manager section.
18. When prompted, login as a user (either the test user or a proper OD user), clicking continue on any warnings.
19. Once logged into, navigate to the second tab ‘Profiles’ and download and install the Trust Profile.
20. Once complete, return to Safari, reload the page and return to the first tab ‘Devices’
21. Final step: click and install the enrol profile!
And (finally!) there you have it. This will add the device to the devices list and allow Over the Air management. Don’t forget to forward those ports through the firewalls!
I hope this rather long post helps out others and saves them grief!
Stay tuned for my next post, full of possible error messages and steps I took to eliminate them!
As always, please feel free to ask questions, or make suggestions for future topics in the comments below.
While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. Amsys will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.