Enrollment profile only works on iOS 7 w/ iPCU box checked

jmsgrady
New Contributor III

Hi all,

I'm running into a strange problem while trying to create a new enrollment profile.

What I've got:
JSS 9.11 (Windows 2008 r2)
iPad 3,4 (4th Gen, wi-fi) - iOS 7 (11A465)
Apple Configurator 1.4

What happens:
After creating a new MDM Profile in the JSS (no fields populated or boxes checked other than "Display removal notification in inventory"), it fails to install via Configurator. The error I receive is: "The server certificate for 'https://apple.this.sucks:8443//otaenroll/' is invalid." Code: 23002 Domain: MCHTTPTransactionErrorDomain

However after cloning that same profile and checking the iPCU box for iOS 6, everything works fine.

Any ideas?

James

1 ACCEPTED SOLUTION

peineke
New Contributor III

Are you downloading your trust profile and downloading it to the configuration machine? That step is new.

My carts that I've updated are working using the method listed here. I am on 9.11 and iOS 7.

https://jamfnation.jamfsoftware.com/article.html?id=211

Installing Enrollment Profiles Created Using the JSS v9.1 or Later
When you create an enrollment profile for use with Apple Configurator, the JSS v9.1 or later automatically creates an associated Trust Profile (Trust Profile.mobileconfig). The Trust Profile contains the CA certificate that establishes trust between the certificate authority (CA) and mobile devices.

Before you can use Apple Configurator to enroll mobile devices, you need to download both the enrollment profile and its Trust Profile from the JSS so you can import these profiles to Apple Configurator.

View solution in original post

4 REPLIES 4

peineke
New Contributor III

Are you downloading your trust profile and downloading it to the configuration machine? That step is new.

My carts that I've updated are working using the method listed here. I am on 9.11 and iOS 7.

https://jamfnation.jamfsoftware.com/article.html?id=211

Installing Enrollment Profiles Created Using the JSS v9.1 or Later
When you create an enrollment profile for use with Apple Configurator, the JSS v9.1 or later automatically creates an associated Trust Profile (Trust Profile.mobileconfig). The Trust Profile contains the CA certificate that establishes trust between the certificate authority (CA) and mobile devices.

Before you can use Apple Configurator to enroll mobile devices, you need to download both the enrollment profile and its Trust Profile from the JSS so you can import these profiles to Apple Configurator.

jmsgrady
New Contributor III

Thanks peineke!

austin_henderso
New Contributor

Thanks! I just setup 30 devices, and all but two worked without installing the Trust Profile first. The two that gave the invalid cert error work just fine now that I installed the trust profile first. Saved me some headache.

khurram
Contributor III

How do you bind the enrollment and configuration profiles together we have used department field but how do we setup the username, fullname and email address fields, should we use $USER, $EMAIL for it. I am asking this because the department binding is not enough and in the absence of username, email and fullname settings in enrollment profile the configuration profile is dropping-off and taking all the payloads off with it but the enrollment profile (i.e. MDM profile) remains there. Please note that we are using jss User Location settings with LDAP to tie the users with that department.