How to Solve Profile Manager Configuration Problems

Last week I showed you the steps I went through to configure Apple’s Profile Manager on Lion server. Hopefully you all had no issues following these to set up your server. However, especially if you have my luck, you most likely did.

I have detailed below the issues I came across and how I resolved them.

Please Note: As with everything, please, please, please make sure you have a full backup that has been booted up and tested to be working before going ahead with these steps.

Profile Manager shows ‘error when reading settings’ in

I’m sorry to say I found this one to have only one fix. Reset Profile Manager and start again. Helpfully enough the instructions for this were discussed by Peter earlier last week.

When running the Profile Manager configuration assistant an error 1 appears.

In my experience this was due to an Open Directory Master already being created that Profile Manager didn’t like.

The first time I had this error, my only fix was to export my Open Directory contents, destroy the LDAP (by demoting the server in Server Admin), then re-run the configuration tool.

Once I started getting the error again, even after following the above steps, I found this to be due to some saved certificates and keys from a now-decommissioned Open Directory. This was done by launching the Keychain Access application (/Applications/Utilities/Keychain, navigating to the system keychain and removing any and all certificates and keys that refer to Code Signing, CA, Certificate Authority and the server’s hostname. After this, I also had to recreate the SSL certificate I created.
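Before removing anything from the system keychain, it helps to list exactly which entries match those criteria. The following is an added example, not part of the original post: a read-only script that filters the output of `security find-certificate -a` by the four criteria above. The hostname `server.example.com` and every certificate label in the sample are constructed.

```bash
#!/bin/bash
# Added example (not from the original post): read-only review of the
# System keychain before deleting anything by hand in Keychain Access.
SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"

# Constructed sample in the format `security find-certificate -a` prints;
# every label and the hostname server.example.com are made up.
SAMPLE_OUTPUT='keychain: "/Library/Keychains/System.keychain"
class: 0x80001000
attributes:
    "alis"<blob>="server.example.com"
    "labl"<blob>="server.example.com"
    "labl"<blob>="IntermediateCA_SERVER.EXAMPLE.COM_1"
    "labl"<blob>="server.example.com Code Signing Certificate"
    "labl"<blob>="Example Org Certificate Authority"
    "labl"<blob>="Example Org Root CA"
    "labl"<blob>="com.apple.systemdefault"
    "labl"<blob>="Cascade Printing"'

# Print one certificate label per line from that output (read on stdin).
# Labels with non-ASCII bytes may appear as 0x<hex> "text"; keep the text.
cert_labels() {
    sed -n 's/^[[:space:]]*"labl"<blob>=\(0x[0-9A-Fa-f]*[[:space:]]*\)\{0,1\}"\(.*\)"$/\2/p'
}

# Keep only labels matching the post's criteria: Code Signing, CA (as a
# whole word), Certificate Authority, or the server hostname given as $1
# (compared case-insensitively, as a plain substring).
removal_candidates() {
    cert_labels | awk -v host="$1" '
        BEGIN { host = tolower(host) }
        /Code Signing/ || /Certificate Authority/ ||
        /(^|[^A-Za-z0-9])CA([^A-Za-z0-9]|$)/ ||
        (host != "" && index(tolower($0), host) > 0)'
}

# On the server itself, list the real candidates; nothing is modified.
# On a machine without the `security` tool this step is skipped.
if command -v security >/dev/null 2>&1 && [ -f "$SYSTEM_KEYCHAIN" ]; then
    security find-certificate -a "$SYSTEM_KEYCHAIN" | removal_candidates "$(hostname)"
fi
```

The "CA" criterion can also match certificates unrelated to the old Open Directory, so treat the list as entries to review against your backup rather than as a deletion list.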

When enrolling a device I get an unknown error.

The first step is to ensure you have installed the ‘Trust’ profile from the enrolment form before installing the enrolment profile.

If you still have the same issue, then it may well be an issue with the Apple Push certifications.

I found that if you have the Apple Push certifications on one Apple ID, then try to get another set using the same ID (even after revoking the old certificates) then this error will show up. You need to create a brand new Apple ID (see my last post) and try to get some new Push Apple Certifications in the

If this is not possible, you’ll need to reset Profile Manager and start again.


A much shorter post this week, but I feel it’s just as important as last week’s and will hopefully help someone out there.

Did this help you? Would you care to share your own story? Please do! We’d love to hear your stories and every response will help someone out there!

As always, please feel free to ask questions, or make suggestions for future topics in the comments below.



This post follows up from my previous post on “Configuring Lion Profile Manager”



While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. Amsys will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

5 Replies to "How to Solve Profile Manager Configuration Problems"

  • Profile Manager shows ‘error when reading settings’ in

    stop/starting the Postgres service has worked for me previously.

    sudo serveradmin stop postgres

    sudo serveradmin start postgres

  • Pushings from ProfileManager not happening at all?.. gotta suggestion?

    I have some occurrences where a newly added member to a group (in 3.1.2) is not getting pushed its settings. It’s not even getting queued on the server (well, at least it’s not showing up in the ProfileManager’s “Active Tasks” nor in “Completed Tasks”). Any suggestions?

    Specifically.. I have a group called PHDUSERS. In PM, PHDUSERS provides a setting for Mobility. If I create a virgin user and add him/her immediately (before ever using the account) to PHDUSERS, the push goes pending. AOK. logging into the users makes the push happen. On logout then login,.. the user becomes locally installed as all Portable Home Directory users should. However if I create a virgin user test2.. and actually use that user (as a Network user) and then logout.. and THEN add to PHDUSERS… no amount of good-intentions will convince ProfileManager to push.. or even queue a push.. It’s as if it doesn’t care about test2. Curious though, that ProfileManager does indeed show the user in the PHDUSERS group. Just no result. And.. .thinking it may just be a gui problem.. I try cycling the login/logout of that user.. with no joy. It stays as a network user. Rebooting the server,.. rebooting the client.. no help. Cleaning the dylib caches.. no help. Going full on with everything Onyx can throw at it.. and rebooting.. no help. The Profile just doesn’t push to that user. The working users DO continue getting pushed anything changed in the settings of mobility. arghhh. Any thoughts?

  • Hi Shawn,

    It’s not a feature I use on Profile Manager (user level settings) but I’ll give you what information I have.

    User level, especially those based on AD group membership I find can be buggy and inconsistent. I have also found at a recent install (Server and client 10.9.2) that if a user is nested in a group, and the group is added into Profile Manager, the settings simply would never get pushed down. It’s not the exact same issue as yourself but is similar.

    I would first check if the issue only happens on one Mac (using the same user accounts) or only on one user (with different Macs). If it’s the Mac, it’ll be something system related (OS version different or just broken). If it’s the user account then I’d take a look at it compared to another directory user account.

    If this still gets you nowhere, and I’m afraid that is a possibility, I’d suggest looking at creating the profile and using a packaged installer to manually install this on your Macs.

    Alternatively, you could get clever with scripts and launch Daemons and have a script check membership at login and install and use the profile only on the users that require it.

    I hope that helps you out somewhat and I’m sorry I can’t give you a better answer.

