#1 2014-06-18 15:05:05

jelockwood
Member
Registered: 2009-11-11

Problem using Automatic Enrollment step

I have DeployStudio 1.6.9 installed with matching NetBoot images on a Mavericks 10.9.3 server. I am currently using a 10.8.5 based NetBoot Image with DeployStudio Runtime 1.6.9.

I have a workflow with many steps all of which are working except for the step to Automatically Enroll to my Profile Manager server. Using the built-in workflow step to do this I get an error saying -

ds_finalize.sh - running /etc/deploystudio/bin/ds_auto_enroll.sh
ds_auto_enroll.sh - v1.0 (Wed Jun 18 06:41:55 PDT 2014)
profiles install for file:'/etc/deploystudio/bin/ds_auto_enroll_bootstrap.mobileconfig' and user:'(null)' returned -1202 (The certificate for this server is invalid. You might be connecting to a server that is pretending to be “server.domain.com” which could put your confidential information at risk.)
Auto enrollment failed, will retry on next boot!
ds_finalize.sh - script execution failed, system will automatically reboot.
ds_finalize.sh - end

One might assume initially from the above that it is telling the truth and there is something wrong with the certificate. Except the same Trust and Enrollment mobileconfig files do work when either manually imported on the same Mac after an image restore without using the built-in command, and even more puzzlingly also work in the workflow if I use the same mobileconfig files and MY OWN script!!!

This is my own script, as you can see almost the same as the one DeployStudio uses. My script is being executed as a postponed script and follows another step which copies the files to /Users/Shared.

#!/bin/sh

# disable history characters
histchars=

SCRIPT_NAME=`/usr/bin/basename "${0}"`

echo "${SCRIPT_NAME} - v1.0 ("`date`")"

TRUST="Trust_Profile_for_MyCompany.mobileconfig"
ENROLLMENT="Mac_Enrollment_Profile.mobileconfig"

# import the Trust Profile first, before the Enrollment Profile
if [ -e "/Volumes/Macintosh HD/Users/Shared/ConfigurationProfiles/$TRUST" ]
then
    echo "Importing Trust Profile"
    /usr/bin/profiles -I -F "/Volumes/Macintosh HD/Users/Shared/ConfigurationProfiles/$TRUST"
fi

# import the Enrollment Profile; a non-zero exit status means enrollment failed
if [ -e "/Volumes/Macintosh HD/Users/Shared/ConfigurationProfiles/$ENROLLMENT" ]
then
    echo "Importing Enrollment Profile"
    /usr/bin/profiles -I -F "/Volumes/Macintosh HD/Users/Shared/ConfigurationProfiles/$ENROLLMENT"
    if [ ${?} -ne 0 ]
    then
        echo "Auto enrollment failed, will retry on next boot!"
        exit 1
    fi
    # securely remove the copied profiles once enrollment has succeeded
    /usr/bin/srm -mfr "/Volumes/Macintosh HD/Users/Shared/ConfigurationProfiles"
fi

exit 0

As a reminder my script during the workflow and manually importing after a restore both work in that the mobileconfigs are imported successfully and the Mac shows up in Profile Manager server.

As further background I am using a self-signed rootCA which in turn has been used to create a server certificate for the Profile Manager server, and I have also used my self-signed rootCA to produce my own code-signing certificate. These seem to work fine as again mentioned above they import without problems when I do it myself, the Mac does show up in Profile Manager, and Profiles in System Preferences shows "Verified" for both the Trust Profile and the Enrollment/Remote Management Profile.

The only things I can see that might be considered strange as shown in Profiles in System Preferences are -

1. For some reason the Trust Profile contains two identical copies of my self-signed rootCA rather than just one (I am not using an Intermediate CA)
2. In the Remote Management profile, under "Mobile Device Management" in red text is "Unknown access right: 2048 Erase all data on this computer, Add or remove configuration profiles, Add or remove provisioning profiles, Lock screen". I am guessing this may be due to the Mac running OS X 10.8.5 whereas the Profile Manager server is running 10.9.3.

Does anyone have any suggestions?

Offline
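
Point 1 in the post above (two identical root CA entries in the Trust Profile) can be checked offline before a profile is placed in a workflow. This is an added example, not part of the original post or of DeployStudio: it lists the certificate payloads of a .mobileconfig by SHA-256 and reports duplicates. The sample profile, its names and the marker-based carving of a signed profile are assumptions constructed for illustration, and the signature itself is not verified.

```python
import hashlib
import plistlib
from collections import Counter

# Certificate payload types that carry raw certificate data in PayloadContent.
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}

def load_profile(raw):
    """Parse a .mobileconfig. A signed profile is a CMS blob wrapping the XML
    plist, so carve the plist out by its markers (heuristic; no signature check)."""
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML plist found in profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def cert_fingerprints(profile):
    """Return (display name, SHA-256 hex) for every certificate payload."""
    found = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") in CERT_TYPES:
            digest = hashlib.sha256(payload["PayloadContent"]).hexdigest()
            found.append((payload.get("PayloadDisplayName", "?"), digest))
    return found

def duplicated(fingerprints):
    """Fingerprints that appear in more than one payload."""
    counts = Counter(digest for _, digest in fingerprints)
    return sorted(d for d, n in counts.items() if n > 1)

def _root(uuid):
    # Constructed payload: the bytes stand in for a DER certificate.
    return {"PayloadType": "com.apple.security.root",
            "PayloadDisplayName": "Example Root CA",
            "PayloadUUID": uuid,
            "PayloadContent": b"constructed-der-bytes-not-a-real-cert"}

# Constructed trust profile with the same root CA embedded twice, wrapped in
# placeholder bytes to imitate the CMS envelope of a signed profile.
SAMPLE = b"\x30\x82\x01\x00" + plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Trust Profile (constructed sample)",
    "PayloadContent": [_root("A-1"), _root("B-2")],
}) + b"\x00\x01placeholder-signature"

if __name__ == "__main__":
    fps = cert_fingerprints(load_profile(SAMPLE))
    for name, digest in fps:
        print(name, digest)
    print("duplicates:", duplicated(fps) or "none")
```
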

#2 2014-06-19 22:20:25

egraham1
Member
Registered: 2014-06-19

Re: Problem using Automatic Enrollment step

Hi,
I'm having a similar problem with the same setup but getting a different message in the logs. New Mac Pro with 10.9.3, server is 10.9.3 and NetBoot is 10.9.3. Using DeployStudio 1.6.9. Tried on other machines as well, same problem: it installs the trust profile but not the enrollment. I can, though, manually enroll the devices, so I know it's not anything to do with my Profile Manager settings. Here's what the log came up with.


Automatic enrollment configuration action:
Setting automatic enrollment configuration
Installing Automatic enrollment scripts...
ds_finalize_install.sh - v1.18 (Thu Jun 19 16:49:32 EDT 2014)
Finalize resources already installed, skipping...
ds_finalize_install.sh - end
/bin/cp /tmp/DSNetworkRepository/ConfigurationProfiles/BFA_Photo_Enrollment_Profile.mobileconfig "/Volumes/Macintosh HD/etc/deploystudio/bin/ds_auto_enroll_bootstrap.mobileconfig" 2>&1
/bin/cp /tmp/DSNetworkRepository/ConfigurationProfiles/Trust_Profile_for_School_of_Visual_Arts.mobileconfig "/Volumes/Macintosh HD/etc/deploystudio/bin/ds_auto_enroll_ssl.mobileconfig" 2>&1
ds_auto_enroll_install.sh - v1.2 (Thu Jun 19 16:49:34 EDT 2014)
ds_auto_enroll_install.sh - end
Automatic enrollment configuration successful (elapsed time: 0.03 minutes)

Offline

#3 2014-07-03 00:52:34

camiloken
Member
Registered: 2010-05-07

Re: Problem using Automatic Enrollment step

I think I might have the same problem. Tried with 1.6.9 and 1.6.10 with the same results: I can enroll manually with a signed certificate, but just trying to enter it in DeployStudio Admin results in a crash. I do not know what it is, but I have the same enrollment profile working in DeployStudio Admin 1.6.8 and lower.

Offline

#4 2014-07-03 08:53:10

admin
Administrator
Registered: 2007-03-29
Website

Re: Problem using Automatic Enrollment step

Please email us a copy of the enrolment profile which makes DS Admin crash (admin@deploystudio.com).

Offline

#5 2014-07-09 11:21:31

jelockwood
Member
Registered: 2009-11-11

Re: Problem using Automatic Enrollment step

Just retested this issue with DeployStudio 1.6.10 and a Mavericks 10.9.4 NetBoot image and restoring a Mavericks 10.9.4 image.

Using the built-in workflow step to enrol in to Profile Manager still fails the same way as my original report. Using my own virtually identical script still works fine, both using the same Trust and Enrolment profiles.

Offline

#6 2014-07-09 12:55:44

admin
Administrator
Registered: 2007-03-29
Website

Re: Problem using Automatic Enrollment step

It won't crash anymore in future builds.

Offline

#7 2014-07-09 16:18:37

jelockwood
Member
Registered: 2009-11-11

Re: Problem using Automatic Enrollment step

> admin wrote:

> It won't crash anymore in future builds.

It is not crashing for me, it fails with an error in the log, and this causes the workflow to abort to a reboot and retry. The subsequent retries also fail and eventually it gives up. This leaves a Mac with an incomplete setup which is actually a good thing since it makes it blindingly obvious the problem occurred.

However I will retest when the next version is released and update you.

Offline

#8 2014-07-09 23:55:06

admin
Administrator
Registered: 2007-03-29
Website

Re: Problem using Automatic Enrollment step

Please try DSS v1.6.11.

Offline

#9 2014-07-10 09:58:32

jelockwood
Member
Registered: 2009-11-11

Re: Problem using Automatic Enrollment step

> admin wrote:

> Please try DSS v1.6.11.

As requested I have now tried 1.6.11 and the problem still remains unchanged. The built-in step fails causing a reboot (as it is supposed to in the event of a failure), whereas my previously posted version of the script works perfectly (still).

This is with a 10.9.4 NetBoot image and restoring a 10.9.4 image produced using AutoDMG. The client Mac being used for testing is a MacBook Pro model MacBookPro6,2 with 8GB of RAM connected via Ethernet. The server is a Mac mini running OS X 10.9.3 and of course DeployStudio 1.6.11. The Mac mini runs NetBoot and AFP and NFS (for NetBoot).

Offline
