
Cannot add new iOS phone with ERA MDM



Hello,

I am having some trouble adding an iOS phone with ERA MDM. Here is my problem:

• I have added an ERA MDM Appliance (CentOS 6). This appliance is in a DMZ and NAT is OK with private/public IP. It's working well with Android phones.

• I have followed the procedure for iOS (hxxp://support.eset.com/kb5771/)

   > I have created the APNs certificate and generated the certificate on the Apple push website. It's OK.

   > I have created an MDM policy. It's OK (except the HTTPS certificate!)

When I try to install the certificate on an iOS phone I get this error message: "Profile Installation Failed"

I have already opened a ticket with support but they haven't solved my problem....

I try to add an HTTPS certificate but I can't! I get this message: ParsePkcs12: Could not verify password (invalid password or corrupted pkcs12 structure)

I use the native CA which is installed in the appliance, so I don't know the password. I tried the root password. It doesn't work.

I also have an error message in trace.log: 2017-02-26 22:25:43 E [317] Uncaught exception: Net Exception, NodSsl returned an error 200. Peer [::ffff:privateGateway]:61603, local [::ffff:PrivateIP]:9981

I also get this message with Android phones (and they work fine).

I don't know if it's really an HTTPS certificate problem, or something else?

Do you have any ideas?

Thanks ...

Aladin.


  • ESET Staff

Hello,
regarding the "ParsePkcs12: Could not verify password (invalid password or corrupted pkcs12 structure)" error: for the Certification Authority Passphrase you need to use the password you used for the ERA Server VA that you set up during configuration (as mentioned here: http://help.eset.com/era_deploy_va/64/en-US/index.html?config_server_va.htm).

From your description, I am not sure if you use the ERA HTTPS certificate for MDM or if you use your 3rd party HTTPS certificate.
Also, as mentioned in KB5771, the hostname in the HTTPS certificate and the hostname in the MDC policy must match (so if you use the IP address of the MDC device in the HTTPS certificate, you must also use the IP address in the MDC policy; the same applies for hostname).
Also, you do not mention which version of ERA you are using (6.3/6.4), but the hostname must be the same during the whole process (MDC certificate, APN certificate, MDC policy, iOS enrollment), and if the hostname or HTTPS certificate is changed in one of the mentioned, you need to also update the rest.
For the Profile Installation Failed error: try to troubleshoot according to this KB: http://support.eset.com/kb6011/
 

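The two checks from the reply above (does the passphrase open the PKCS#12 file, and does the HTTPS certificate cover the hostname or IP entered in the MDC policy) can be run with the openssl CLI before uploading the certificate. This is an added example, not part of the original thread or ESET's tooling; the file name `mdm.pfx`, the passphrase `sample-pass` and the address 203.0.113.10 are constructed sample values.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks on an MDM HTTPS certificate (.pfx).
# Needs the openssl CLI, 1.1.1 or later (for -addext in the sample builder).

# 0 if PASSPHRASE opens the PKCS#12 file (MAC verifies), non-zero otherwise.
pfx_password_ok() {   # usage: pfx_password_ok FILE PASSPHRASE
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# 0 if the certificate in FILE is valid for HOST, the DNS name or IPv4
# address typed into the MDM policy; 1 if it is not; 2 if FILE cannot be opened.
pfx_covers_host() {   # usage: pfx_covers_host FILE PASSPHRASE HOST
    flag=-checkhost
    case "$3" in *[!0-9.]*) ;; *) flag=-checkip ;; esac   # digits and dots: IPv4
    out=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
          openssl x509 -noout "$flag" "$3" 2>/dev/null) || return 2
    case "$out" in *"does match certificate"*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample: self-signed certificate whose only SAN is 203.0.113.10
# (documentation address standing in for the MDM server's public IP).
make_sample_pfx() {   # usage: make_sample_pfx DIR  -> writes DIR/mdm.pfx
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mdm-sample" \
        -addext "subjectAltName=IP:203.0.113.10" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1 &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout pass:sample-pass -out "$1/mdm.pfx"
}

demo() {
    dir=$(mktemp -d) && make_sample_pfx "$dir" || return 3
    pfx_password_ok "$dir/mdm.pfx" sample-pass && echo "passphrase: accepted"
    pfx_password_ok "$dir/mdm.pfx" root-pass   || echo "other password: rejected"
    pfx_covers_host "$dir/mdm.pfx" sample-pass 203.0.113.10 &&
        echo "policy host 203.0.113.10: covered by certificate"
    pfx_covers_host "$dir/mdm.pfx" sample-pass era.internal.example ||
        echo "policy host era.internal.example: NOT covered by certificate"
    rm -rf "$dir"
}
demo
```

A rejected passphrase here corresponds to the "Could not verify password" condition in the thread, and a "NOT covered" result means the policy hostname and the certificate disagree.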

I tried to use the same password (ddb, webconsole) but it doesn't work anymore! I can't add the MDM certificate.

 

I'm not sure I understand the troubleshooting in hxxp://support.eset.com/kb6011/

As a reminder, I have one ERA server (in one network) and another ERA MDM server in another network (DMZ). All ports are open and NAT is OK.

So, what hostname do I need to add in the policy? I have added the public IP (of my MDM server). Is that OK?

If I change to the ERA hostname it doesn't work (because it's a private IP).

 

Do you have any other ideas?

Thanks.

Aladin.


Success! I created a new MDM certificate! Step by step ... :-)

I added the certificate to my policy, but it doesn't work anymore. I have another problem:

When I click to accept the profile, Safari goes into a loop! And the trace.log adds many lines!!!

Ideas?


  • ESET Staff

Hello,
can you please post the lines from the trace log loop?
Also, just to be on the same page: you are using the ERA CA?
 


2017-03-06 11:15:37 E [10] Uncaught exception: Net Exception, NodSsl returned an error 200. Peer [::ffff:MyPrivategateway]:39558, local [::ffff:ERAMDMPrivateIP]:9980

I am using the ERA Certification Authority (provided in the appliance).


  • ESET Staff
1 hour ago, Aladin said:

When I click to accept the profile, Safari goes into a loop! And the trace.log adds many lines!!!

Short story: restart the device.

Long story: devices/browsers usually cache previously accepted certificates. When this certificate changes on the website (you changed the HTTPS certificate), browsers try to validate against the previously accepted certificate and fail. I have noticed some browsers end up in an infinite loop of reconnection (unsure if it was Safari, but this was definitely reproduced in-house).

 


Oh yes! It's working better after a reboot!! Perfect, I have added the iOS phone to MDM. The profile is installed, and MDM can communicate with the phone (after activation).

Is it normal that there is no ESET application installed on the iOS phone? (On Android the application was installed.)

This topic is now closed to further replies.