MDMCore can't parse Apple APNS certificate


Hello,

 

Despite having followed the KB time and time again I keep hitting a hard stop whenever I try to enroll iPhones into the ERA MDM.

 

Basically, I get the error message I've attached to this message every time an iPhone (the one in the screenshot is a simulator but we've tried with real devices as well, same difference) connects to MDMCore for enrollment.

 

I have followed the KB, I've verified that the certificates match, I've obtained the right APNS cert from Apple yet I keep getting the same error.

 

This is the MDMCore trace (edited for IPs)

 

------- start log

2016-09-29 10:06:36 I [1] MDMCore version: 6.4.252.0
2016-09-29 10:06:36 I [1] Running MDMCore...
2016-09-29 10:06:36 I [1] Database type: MSSQL
2016-09-29 10:06:36 I [1] Loading ESET modules from C:\ProgramData\ESET\RemoteAdministrator\MDMCore\Modules\
2016-09-29 10:06:52 I [1] CE2 module initialization
2016-09-29 10:06:59 I [1] Config: server connection: "localhost", port 2222
2016-09-29 10:06:59 I [1] Config: host: "HOST.DOMAIN.local", port 9981, enrollment port 9980
2016-09-29 10:06:59 I [1] HTTPS certificate CN: HOST.DOMAIN.local      *** (yes, it matches the one on the line above)
2016-09-29 10:06:59 I [1] Setting log level from CE to warning
2016-09-29 10:06:59 W [1] Cannot parse APNS cert, iOS enrollment and push notifications will not work
2016-09-29 10:07:00 W [1] AdminConnector not added to Storage. EnrollmentTokenPoolLog for reenrollment not sent.
2016-09-29 10:07:04 W [8] Enrollment from iOS requested but no APNS certificate provided. Enrollment profile not sent.
2016-09-29 10:07:04 I [1] Logging to directory C:\ProgramData\ESET\RemoteAdministrator\MDMCore\Logs\Proxy/
2016-09-29 10:07:05 W [8] Enrollment from iOS requested but no APNS certificate provided. Enrollment profile not sent.
2016-09-29 10:07:05 W [8] Enrollment from iOS requested but no APNS certificate provided. Enrollment profile not sent.
2016-09-29 10:07:06 W [8] Enrollment from iOS requested but no APNS certificate provided. Enrollment profile not sent.
2016-09-29 10:07:10 W [8] Enrollment from iOS requested but no APNS certificate provided. Enrollment profile not sent.
2016-09-29 10:07:13 W [8] Enrollment from iOS requested but no APNS certificate provided. Enrollment profile not sent.
2016-09-29 10:07:18 E [8] Uncaught exception: Connection reset by peer,
2016-09-29 10:07:35 W [8] Enrollment from iOS requested but no APNS certificate provided. Enrollment profile not sent.
2016-09-29 10:11:01 W [8] Enrollment from iOS requested but no APNS certificate provided. Enrollment profile not sent.
2016-09-29 10:11:03 W [8] Enrollment from iOS requested but no APNS certificate provided. Enrollment profile not sent.
2016-09-29 10:11:04 W [8] Enrollment from iOS requested but no APNS certificate provided. Enrollment profile not sent.
2016-09-29 10:11:04 W [8] Enrollment from iOS requested but no APNS certificate provided. Enrollment profile not sent.
2016-09-29 10:12:04 E [5] Error while updating ConfEng: Perform Update: UpdPerformUpdate failed with error: 4122
2016-09-29 10:12:17 W [5] Exception in APNS feedback check: "Net Exception" (NodSsl returned an error 206. Peer 17.188.135.152:2196, local 192.168.X.Y:49427). Aborting feedback processing.
2016-09-29 10:12:17 E [5] Uncaught exception: Net Exception, NodSsl returned an error 206. Peer 17.188.135.152:2196, local 192.168.X.Y:49427
------- end log

 

Any clue as to why it does that? The certificate, CRL, private key, everything was done according to the manual and I've even requested a new APNS key but it does the same thing. I've contacted our reseller for support but it's been a few days and no answer so I thought I'd try here.

 

Thanks

Tony


  • 2 weeks later...
  • ESET Staff

Hello,

we've just updated the KB on the APNS certificate to clearly say which file goes where, have a look (step 9) and just make sure that it's what you've been doing - basically the file downloaded from the Apple portal needs to go into the APNS certificate field, and the private key downloaded from the webconsole goes to the APNS private key field.

hxxp://support.eset.com/kb5771/#MDMSignedAPNCert

 

I can see one additional problem in the log, not sure if it was due to your editing. The hostname given to MDM needs to be resolvable from the device. If you want your MDM to work on devices that leave your company network, that means the hostname needs to be publicly accessible. The one you're using, "xxx.yyy.local", is unlikely to be accessible from the outside internet.

 

Let me know if any of this helps.

Mattes

Edited by madmaxoft
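
A pre-flight check for the file mix-up described in the reply above, as an added example that is not ESET's code and not part of the original posts: it reads the PEM envelope of each file and reports when the certificate field or the private key field holds the wrong kind of object. It assumes both files are PEM text; `classify`, `check_fields` and the `fake_pem` sample data are hypothetical names constructed here, and the check does not verify that the key actually matches the certificate.

```python
import base64
import re

# Assumption: both files are PEM text.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def classify(data: bytes) -> str:
    """Name the kind of object a file holds, judging by its PEM envelope only."""
    if not data.strip():
        return "empty"
    m = PEM_RE.search(data.decode("latin-1"))
    if m is None:
        # 0x30 is the ASN.1 SEQUENCE tag that opens DER certificates and keys.
        return "binary-der" if data[:1] == b"\x30" else "unrecognized"
    label, body = m.group(1), m.group(2)
    # Legacy encrypted keys carry "Proc-Type:"/"DEK-Info:" header lines; skip them.
    b64 = "".join(ln.strip() for ln in body.splitlines() if ":" not in ln)
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError:
        return "corrupt-pem"
    if der[:1] != b"\x30":
        return "corrupt-pem"
    if label == "CERTIFICATE":
        return "certificate"
    if label.endswith("PRIVATE KEY"):
        return "private-key"
    return "other-pem:" + label


def check_fields(cert_field: bytes, key_field: bytes) -> list:
    """Return human-readable problems with the two uploaded files (empty list = OK)."""
    cert_kind, key_kind = classify(cert_field), classify(key_field)
    if cert_kind == "private-key" and key_kind == "certificate":
        return ["fields are swapped"]
    problems = []
    if cert_kind != "certificate":
        problems.append("certificate field holds " + cert_kind)
    if key_kind != "private-key":
        problems.append("private key field holds " + key_kind)
    return problems


def fake_pem(label: str) -> bytes:
    """Constructed sample: a PEM envelope around placeholder bytes, not a real cert or key."""
    body = base64.b64encode(b"\x30\x82\x01\x00" + bytes(32)).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode()
```
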

  • 2 weeks later...

Hello,

 

Thanks for your reply. The certificates are applied in the way you explained in your documents (it was like that even before but to be sure I reapplied the certificates making sure which is which) and the device is currently on the corporate network, DNS name resolution is OK, VPN is always on and in fact Android phones on the exact same network running ESET Mobile Security for Android work perfectly so it's not an infrastructural thing (at least not between the phone and the server).

 

Last log:

 

2016-10-17 14:31:41 I [1] MDMCore version: 6.4.252.0
2016-10-17 14:31:41 I [1] Running MDMCore...
2016-10-17 14:31:41 I [1] Database type: MSSQL
2016-10-17 14:31:41 I [1] Loading ESET modules from C:\ProgramData\ESET\RemoteAdministrator\MDMCore\Modules\
2016-10-17 14:31:56 I [1] CE2 module initialization
2016-10-17 14:31:56 I [1] Config: server connection: "localhost", port 2222
2016-10-17 14:31:56 I [1] Config: host: "HOST.domain.local", port 9981, enrollment port 9980
2016-10-17 14:31:56 I [1] HTTPS certificate CN: HOST.domain.local  /* edited out due to security policy */
2016-10-17 14:31:56 I [1] Setting log level from CE to warning
2016-10-17 14:31:56 W [1] Cannot parse APNS cert, iOS enrollment and push notifications will not work
2016-10-17 14:31:56 W [1] AdminConnector not added to Storage. EnrollmentTokenPoolLog for reenrollment not sent.
2016-10-17 14:31:56 I [1] Logging to directory C:\ProgramData\ESET\RemoteAdministrator\MDMCore\Logs\Proxy/
2016-10-17 14:31:58 W [8] Enrollment from iOS requested but no APNS certificate provided. Enrollment profile not sent.
2016-10-17 14:36:59 E [5] Error while updating ConfEng: Perform Update: UpdPerformUpdate failed with error: 4122
2016-10-17 14:37:13 W [5] Exception in APNS feedback check: "Net Exception" (NodSsl returned an error 206. Peer 17.188.161.14:2196, local 192.168.x.xxx:64379). Aborting feedback processing.
2016-10-17 14:37:13 E [5] Uncaught exception: Net Exception, NodSsl returned an error 206. Peer 17.188.161.14:2196, local 192.168.x.xxx:64379

 

It looks to me that right at startup the APNS certificate can't be parsed for some reason. I've tried 4 different certificates, all valid. I've opened a support case and provided logs, hope I'll get to the bottom of this.

 

Thanks

Edited by TonyatGTL