

Messages - Francesco DellaPorta

1
Device self-enrollment service unavailable with Server 4.0.3

Right after upgrading and updating my OS X Server to version 4.0.3 on Yosemite 10.10.1, an issue with the device management service of the Profile Manager feature arose. The process of enrolling additional devices, be it a Mac computer or an iOS device, was simply not "happening" any more.

Accessing the user profile page (https://host.example.com/mydevices) via the web browser went through. However, clicking on the ENROLL button did not produce the expected result: downloading the MDM profile and hence prompting to install it on the device. This message instead was what the OS X Server was sending back to the enrolling device:

Quote
Service Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
Apache Server at host.example.com Port 443

By looking into the system.log file it turned out to be a PHP (Hypertext Preprocessor) web service error message coded 503. Oops, the php-fpm (PHP FastCGI Process Manager) service was not running. That daemon is controlled by the system launchd via /Applications/Server.app/Contents/ServerRoot/System/Library/LaunchDaemons/com.apple.DeviceManagement.php-fpm.plist
Further investigation on the web, through the man pages, and inside the file system brought me to the following conclusion.

In order for the PHP service, and thereby the device self-enrollment procedure, to work, two configuration files needed to be edited inside the Server.app bundle: the com.apple.DeviceManagement.php-fpm.plist and the php-fpm.conf.

1. php-fpm.plist
/Applications/Server.app/Contents/ServerRoot/System/Library/LaunchDaemons/com.apple.DeviceManagement.php-fpm.plist
# Comment out:
<!--
        <key>UserName</key>
        <string>_devicemgr</string>
        <key>GroupName</key>
        <string>_devicemgr</string>
-->

2. php-fpm.conf
/Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/php/php-fpm.conf
# Remove comment (";") for:

        user = _devicemgr
        group = _devicemgr

The first modification is to launch the php-fpm command as the root user. The second is needed by php-fpm to define a user for the process to run as.
After changing the files, one needs to reload the php-fpm daemon. This command is made persistent by the system. Unload it first if the operation is already in progress.

# Unload the job first if it is already loaded, then load it again
sudo launchctl unload /Applications/Server.app/Contents/ServerRoot/System/Library/LaunchDaemons/com.apple.DeviceManagement.php-fpm.plist
sudo launchctl load /Applications/Server.app/Contents/ServerRoot/System/Library/LaunchDaemons/com.apple.DeviceManagement.php-fpm.plist

Hope it helps some admins not deploying the Device Enrollment Program (https://deploy.apple.com) but instead allowing anyone with a domain login to self-enroll devices.
 
-- Francesco Della Porta
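Added example, not part of the post above: a check, written for this page, that the two edits really produce the privilege split they aim for. Commenting UserName/GroupName out of the launchd plist makes launchd start the php-fpm master as root; the uncommented user/group lines in php-fpm.conf are then what makes the workers that serve the enrollment pages drop to _devicemgr (a php-fpm master started as root refuses to run a pool with no non-root user set, which is why the second edit is needed). The script reads the php-fpm.conf named in the post and the process table (`ps -axo user,pid,ppid,comm`) and reports whether the workers run unprivileged. The conf fragments and ps rows at the bottom are constructed; the pool section name and the php-fpm binary path in them are assumptions.

```python
"""Added example (not from the original post): check that php-fpm drops
privileges after the two edits described above.

The first edit makes launchd start the php-fpm master as root; the second
gives php-fpm a pool user so that the workers serving the enrollment pages
run as _devicemgr rather than inheriting root. This script verifies both
halves: the conf file and the running processes. Sample inputs at the
bottom are constructed (the php-fpm binary path in them is assumed).
"""
import os
import re
import subprocess

# Paths and names as given in the post above.
CONF_PATH = ("/Applications/Server.app/Contents/ServerRoot"
             "/usr/share/devicemgr/php/php-fpm.conf")
EXPECTED_USER = "_devicemgr"

# An uncommented "user = <name>" line; php-fpm.conf comments start with ';'.
_POOL_USER_RE = re.compile(r"^[ \t]*user[ \t]*=[ \t]*([^\s;]+)", re.MULTILINE)


def effective_pool_user(conf_text):
    """Return the pool user php-fpm will switch to, or None if every
    'user = ...' line is still commented out."""
    matches = _POOL_USER_RE.findall(conf_text)
    return matches[-1] if matches else None


def check_php_fpm_processes(ps_lines):
    """Split php-fpm processes into masters and workers.

    ps_lines are rows of `ps -axo user,pid,ppid,comm`. A php-fpm process
    whose parent is another php-fpm is a worker; the rest (normally one,
    spawned by launchd) are masters. Returns (master_users, worker_users).
    """
    procs = {}
    for line in ps_lines:
        parts = line.split(None, 3)
        if len(parts) < 4 or not parts[3].endswith("php-fpm"):
            continue
        user, pid, ppid, _comm = parts
        procs[pid] = (user, ppid)
    masters = sorted(u for u, ppid in procs.values() if ppid not in procs)
    workers = sorted(u for u, ppid in procs.values() if ppid in procs)
    return masters, workers


def workers_unprivileged(ps_lines, expected_user=EXPECTED_USER):
    """True only if at least one worker exists and all run as expected_user."""
    _masters, workers = check_php_fpm_processes(ps_lines)
    return bool(workers) and all(u == expected_user for u in workers)


# Constructed samples: conf fragment before and after the post's second edit
# (section name assumed), and ps rows for a correct and a root-only state.
SAMPLE_CONF_BEFORE = "[www]\n;user = _devicemgr\n;group = _devicemgr\n"
SAMPLE_CONF_AFTER = "[www]\nuser = _devicemgr\ngroup = _devicemgr\n"
_FPM = "/Applications/Server.app/Contents/ServerRoot/usr/sbin/php-fpm"  # assumed
SAMPLE_PS_OK = [
    "USER       PID  PPID COMM",
    f"root       101     1 {_FPM}",
    f"_devicemgr 102   101 {_FPM}",
    f"_devicemgr 103   101 {_FPM}",
]
SAMPLE_PS_BAD = [  # pool user still commented out: workers inherit root
    "USER       PID  PPID COMM",
    f"root       101     1 {_FPM}",
    f"root       102   101 {_FPM}",
]


def live_check():
    """Run both checks on the server itself (macOS with Server.app)."""
    with open(CONF_PATH) as fh:
        print("php-fpm.conf pool user:", effective_pool_user(fh.read()))
    rows = subprocess.run(["ps", "-axo", "user,pid,ppid,comm"],
                          capture_output=True, text=True, check=True).stdout.splitlines()
    masters, workers = check_php_fpm_processes(rows)
    print("master runs as:", masters, "| workers run as:", workers)
    print("OK" if workers_unprivileged(rows)
          else f"NOT OK: workers not running as {EXPECTED_USER}")


if __name__ == "__main__":
    if os.path.exists(CONF_PATH):
        live_check()
    else:
        print("no Server.app here; results on constructed samples:")
        print("before edit:", effective_pool_user(SAMPLE_CONF_BEFORE),
              "| after edit:", effective_pool_user(SAMPLE_CONF_AFTER))
        print("workers ok:", workers_unprivileged(SAMPLE_PS_OK),
              "| workers as root:", workers_unprivileged(SAMPLE_PS_BAD))
```

Run it on the server after the launchctl reload. Workers reported as root mean that any bug in the PHP enrollment pages would execute with root privileges, so recheck the conf before exposing /mydevices again. The script reads only the one php-fpm.conf the post names, not any pool files it might include.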

2
Mavericks Server - Foundation Services / Re: AirPrint Server?
« on: September 08, 2014, 02:57:48 PM »
Hi pixelpshr

I have tested printopia. It works very well. However, my favorite is handyPrint v3.1.5 by Netputing. It does exactly what it should. No more, no less. The app advertises AirPrint service for non-AirPrint printers on the local network. Check it out.

http://www.netputing.com/handyprint/

Franco

3
Thanks for replying, tcguru

So the SuSE Linux upgrade seems too cumbersome to deal with. It might be. Even though Apple strives for simplicity, an OS X Server upgrade may also show its hiccups. Anyway, it really looks like switching from a Linux box to a Mac mini fits your needs. Using the Linux box as the failover server implies that you keep it up to date. Although OS X Server is a perfect match for running Apache with PHP, it still requires some out-of-the-box thinking for MySQL databases. Moving from MAMP trials to a full-fledged OS X Server Websites deployment comes with some measures. Check this out: https://discussions.apple.com/thread/5579232

Here are my proposals for your case:
  • Use NAT on a router between the cable modem and the LAN
  • Keep your Linux box, but downgrade it to that router
  • Deploy Mac mini Server with minimal DNS configuration
  • Install MySQL for Mac OS X Server
  • Migrate your webpages to the Mac mini Server
  • Start Websites service on OS X Server
  • Cross your fingers and enjoy the Mavericks Server
Furthermore, rather than assuming/hoping that your configuration scripts for Apache, PHP and MySQL databases will work on OS X Server, test them thoroughly beforehand. Also try to keep the SuSE Linux software up to date in case of server failover.

4
Dear forumadmin, dear tcguru
Let me please add something to the discussion...

There is a third alternative to the two proposed by forumadmin, which are NAT on OS X (master of pfctl) or leaving the Linux box in place (NAT on Linux). The third alternative would be: NAT on a router between the cable modem and the LAN. Minimal changes and simple configuration are the goal here.

We work on the assumptions/requirements that imply:
  • removal of the Linux box (@tcguru, please describe why you would need to do that?)
  • adding a router, possibly a new AirPort Extreme manageable from the Server.app
  • OS X Server running with minimal DNS configuration (nslookup to the Server only would give an authoritative answer)
  • hosting the several (non-virtual) websites on OS X Server (@tcguru, please check if OS X Server fulfills your requirements)
  • starting additional services on OS X Server (Quoting forumadmin: "what role do you want the mini Server to play on your network?")
Keep your discussion going...

5
Apple released on Tuesday, May 20, 2014 the OS X Server v3.1.2 software update.

Quote
What’s New in Version 3.1.2
• Calendar Server improvements for imports, invites and group scheduling
• Improvements to Messages Server stability when using Chat Rooms
• Fixes for Profile Manager deploying profiles containing variables when code signing is enabled
• Improved Profile Manager reliability for sending Volume Purchase Program invitations
• Fixes to enable Profile Manager to manage Device Enrollment Program systems with long descriptive names
Source: Mac App Store Preview, https://itunes.apple.com/ch/app/os-x-server/id714547929

6
Dear Reid Bundonis, book author
Many thanks for the nice words. It is indeed my pleasure making a contribution to your endeavor.

Downloading version 1.3 — it looks great!
Apropos, to force refresh the latest version from iBooks on a Mac, one needs to delete and re-download the book from iCloud.

The warning message from iBooks.app says...
Quote
Are you sure you want to delete the copy of this book from your Mac?
A copy will remain in iCloud, and you can download it again later.
Once done, the latest version will be immediately available keeping bookmarks, notes and highlights from the previous version.

—Francesco Della Porta

7
Servus!
Oh, then migration is up for next week. Just for preparation check out this thread, if not done yet.
https://discussions.apple.com/thread/5472957

Looking for reading and learning next book on Control & Collaboration.

8
Mapping a backup and restore command-line procedure from OS X Server Mountain Lion leads to an archiver database error.

Below there is the set of commands which should be able to backup first and, if so required, to restore the Wiki (collab) database.

# Backup Wiki
sudo pg_dump -h /Library/Server/Wiki/PostgresSocket -Fc -Z9 -b -U _teamsserver collab -f /tmp/collab.pgdatabase

# Restore Wiki
sudo pg_restore -h /Library/Server/Wiki/PostgresSocket -1 -U _teamsserver -d collab /tmp/collab.pgdatabase

Both commands have been adapted to match the changes on OS X 10.9.2 and Server 3.1.1 (PostgreSQL 9.2.4). Before restoring the database, the Wiki service needs to be stopped, and hence later restarted. If successful, the backup command returns no standard output. The restore command instead gives an error output:

pg_restore: [archiver (db)] Error while PROCESSING TOC:
pg_restore: [archiver (db)] Error from TOC entry 762; 1247 16905 TYPE acl_action collab
pg_restore: [archiver (db)] could not execute query: ERROR:  type "acl_action" already exists
    Command was: CREATE TYPE acl_action AS ENUM (
    'read',
    'write',
    'delete',
    'own',
    '*'
);

Once cleared, this procedure may well be integrated in the second book "Mavericks Server - Control and Collaboration".

9
Apple released on Monday, Mar 24, 2014 the OS X Server v3.1.1 software update. It replaces and contains all improvements included in the Server 3.1 release.

Among other things, it fixes the issue described earlier in this post: 1. Server update, b. running Profile Manager causes "recurring set of system.log entries".
Other symptoms of the issue are:
  • extra cpu activity on the server
  • extra cpu activity on managed devices
  • quick battery drain on managed iDevices
Measures
  • Sending Update Info requests to all managed devices did not solve the issue. It just postponed (by about 24 hours) the unnecessary recurring process.
  • Removing and then enrolling again all managed devices did not solve the issue. It just caused unnecessary administrative work.
  • Wiping the database by means of the wipeDB command did not solve the issue. It just refreshed the Profile Manager settings and its database.
Solution
Update the Server.app with the latest OS X Server v3.1.1 software update.
 
Quote
Server v3.1.1 fixes an issue that could cause Profile Manager to be unresponsive or generate extra cpu activity after updating to Server 3.1.
Source: http://support.apple.com/kb/HT6172

10
Follow-up...

1. Server update
Yes, the Profile Manager did heal. However, it needed some manual intervention. Moreover, the deprecated group in DS Local is due to the new profile manager feature which allows device enrollment during Setup Assistant. Please let me detail.

a. During the server update all relevant data concerning Profile Manager have been successfully migrated. Check Logs under Profile Manager > Migration Log for confirmation. Server 3.1 brings in a new feature which introduces the possibility to "Allow device enrollment during Setup Assistant". These settings need to be broadcast to the managed devices, if so chosen. In the migration process a new profile for Everyone has been updated. Look for it under Profile Manager > Configuration Profiles > Default Configuration Profile with the name "Settings for Everyone". All of these changes are obviously almost invisible from the Server.app GUI.

At the risk of being proven wrong, I would say that, from the Profile Manager service's point of view, the new local group Deprecated Profile Manager Access Group is the old local group Everyone.

b. The recurring set of system.log entries posted herein are about and around the mdmclient (Mobile Device Management client) command/process. Opening Profile Manager and issuing an Update Info (gear menu) request to the devices stops the recursive logging. Eventually it also solves the problem, if any.

I would recommend to add this step in the server update procedure: if you are running a profile manager service, then send update info to all managed devices.   

2. Mail server access shutdown re: Question
Many thanks for your answer. That is more than appreciated. Very well detailed.

So, if the firewall in question is... please let me name it... an AirPort device, then external access may be temporarily shut down by removing Mail from the list of available Public Services. Once the Mail server is up and running, and ready to manage traffic, it is time to add Mail back to the list of AirPort services.

If anything else, then please see the attachment AirPort_Network_Mail_2014-03-20 for the exact port numbers and types deployed by the Mail server running on OS X Server 3.1.

11
One impression and one question to share.

1. Server update
Strictly following the eight steps, I turned all relevant services back on -- one by one with an eye on the system.log. All went smooth until the Profile Manager service, which nonetheless came up and running. However, with some symptoms:

a. A new local group account "appeared" in the group list. Its name, hold on...
"Deprecated Profile Manager Access Group"; Group ID: 1000; Account Name: deprecated_pm_access_61e93cd7. Its members are diradmin, localadmin, and all other network accounts. Weird!

b. A repeated set of log entries. Just like this... (server FQDN intentionally removed)
Mar 18 16:15:06 share kernel[0]: Sandbox: xscertd(339) deny file-read-metadata /private
Mar 18 16:15:06 --- last message repeated 69 times ---
Mar 18 16:15:06 mdmclient[81]: [Daemon:0] Processing server request: DeviceInformation  for: <Device>
Mar 18 16:15:06 mdmclient[81]: [Daemon:0] Processing server request: Restrictions  for: <Device>
Mar 18 16:15:06 mdmclient[81]: [Daemon:0] Processing server request: CertificateList  for: <Device>
Mar 18 16:15:06 mdmclient[81]: [Daemon:0] Processing server request: ProvisioningProfileList  for: <Device>
Mar 18 16:15:06 mdmclient[81]: [Daemon:0] Processing server request: ProfileList  for: <Device>
Mar 18 16:15:06 mdmclient[81]: [Daemon:0] Processing server request: InstalledApplicationList  for: <Device>
Mar 18 16:15:07 mdmclient[81]: === __40-[CKClientDispatch _xpcConnectionDirect]_block_invoke: An error was received (Connection invalid).
Mar 18 16:15:07 mdmclient[81]: [Daemon:0] Processing server request: SecurityInfo  for: <Device>

2. Question
Quote
Remember, if you are running a mail server, shutdown external access to ensure that the data stores are not altered.
Given that by external access is meant mail client users trying to access a temporarily unavailable mail server, what is intended by shutdown and how is that accomplished?
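Added example, not from the original post: a detector for the symptom quoted in 1.b above, written for this page. A managed device normally answers a full inventory (DeviceInformation, ProfileList, SecurityInfo, ...) only when the server asks for it, for instance on enrollment or after an explicit Update Info; the same request set cycling every few seconds is the runaway loop whose cost shows up as CPU load on the server and the clients. The script parses syslog-style lines, counts each request type inside a sliding window and flags the types that exceed a threshold. The sample lines are constructed after the ones quoted above (host name `share` and pid 81 as shown there; the year is assumed, since syslog lines carry none).

```python
"""Added example (not from the original post): flag a runaway MDM inventory
loop in system.log, the symptom quoted in the post above.

A healthy managed device answers a full inventory only when the server asks
for it (enrollment, explicit "Update Info"). The same request set recurring
every few seconds means the server keeps re-issuing it. The detector counts,
per request type, how many times it is seen inside a sliding window and
flags types at or above ``threshold``. Sample lines are constructed after
the ones quoted in the post.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_YEAR = 2014  # syslog lines carry no year; assumed for the sample

# "Mar 18 16:15:06 host mdmclient[81]: [Daemon:0] Processing server request: X  for: <Device>"
_REQUEST_RE = re.compile(
    r"^([A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+mdmclient\[(\d+)\]: "
    r"\[Daemon:\d+\] Processing server request: (\w+)\s+for: <(\w+)>"
)

# Constructed sample: three inventory cycles about 30 seconds apart, plus the
# kernel, "last message repeated" and CKClientDispatch lines seen in the post.
SAMPLE_LOG = """\
Mar 18 16:15:06 share kernel[0]: Sandbox: xscertd(339) deny file-read-metadata /private
Mar 18 16:15:06 --- last message repeated 69 times ---
Mar 18 16:15:06 share mdmclient[81]: [Daemon:0] Processing server request: DeviceInformation  for: <Device>
Mar 18 16:15:06 share mdmclient[81]: [Daemon:0] Processing server request: ProfileList  for: <Device>
Mar 18 16:15:06 share mdmclient[81]: [Daemon:0] Processing server request: ProvisioningProfileList  for: <Device>
Mar 18 16:15:07 share mdmclient[81]: === __40-[CKClientDispatch _xpcConnectionDirect]_block_invoke: An error was received (Connection invalid).
Mar 18 16:15:07 share mdmclient[81]: [Daemon:0] Processing server request: SecurityInfo  for: <Device>
Mar 18 16:15:37 share mdmclient[81]: [Daemon:0] Processing server request: DeviceInformation  for: <Device>
Mar 18 16:15:37 share mdmclient[81]: [Daemon:0] Processing server request: ProfileList  for: <Device>
Mar 18 16:15:38 share mdmclient[81]: [Daemon:0] Processing server request: SecurityInfo  for: <Device>
Mar 18 16:16:08 share mdmclient[81]: [Daemon:0] Processing server request: DeviceInformation  for: <Device>
Mar 18 16:16:08 share mdmclient[81]: [Daemon:0] Processing server request: ProfileList  for: <Device>
Mar 18 16:16:09 share mdmclient[81]: [Daemon:0] Processing server request: SecurityInfo  for: <Device>
"""


def parse_mdm_requests(log_text, year=LOG_YEAR):
    """Return [(timestamp, pid, request_type, target)] for every mdmclient
    'Processing server request' line; all other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = _REQUEST_RE.match(line)
        if not m:
            continue
        stamp, pid, request, target = m.groups()
        ts = datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y")
        events.append((ts, int(pid), request, target))
    return events


def find_request_storms(events, window_seconds=300, threshold=3):
    """Map request_type -> highest count seen inside any window_seconds span,
    listing only types that reach threshold. Empty dict means no storm."""
    stamps_by_type = defaultdict(list)
    for ts, _pid, request, _target in events:
        stamps_by_type[request].append(ts)
    storms = {}
    for request, stamps in stamps_by_type.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it fits within the span.
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            storms[request] = best
    return storms


if __name__ == "__main__":
    import sys
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    storms = find_request_storms(parse_mdm_requests(text))
    if storms:
        for request, count in sorted(storms.items()):
            print(f"STORM {request}: {count} requests inside 5 minutes")
    else:
        print("no MDM request storm found")
```

Feed it the log after an upgrade (`python3 mdm_storm.py < /var/log/system.log`); on a healthy server it prints nothing but the "no storm" line. Window and threshold are deliberately loose defaults, since a legitimate Update Info sent to many devices also produces one full cycle per device within a short time.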

12
Version 1.2 of Mavericks Server - Foundation Services by Reid Bundonis is now available for download on the iBooks Store.

https://itunes.apple.com/book/mavericks-server/id737392044

New topics include how to monitor the health of your RAIDs, expanded details on what impact the use of RAID has on other features, and how to enable port 311 for managing the server with a web browser.

Happy reading!

13
Hi everyone

Please let me try to add something more to this post (just renamed).

Server.app provides three Home Folder options when creating network accounts: none, local-only, user-folder. Let me detail.
 
None - Services Only: As perfectly explained by Reid, this option is intended for network accounts that wish to use services offered by the OS X Server. Those users need to authenticate with valid credentials (user, password) in order to be authorized to access the offered services (Calendar, Contacts, etc.). By choosing this option no user home folder will be created.

Local Only: This default option creates (and possibly shares) a home folder on the server. As misleading as it may seem, Local Only means local to the server, not to the Mac client. Authentication and authorization are given and mandatory.

User home folder: Provided that a shared folder has been enabled, this option allows assigning a user a home folder via the server. The user can log in to the Mac client using the credentials stored on the server. The user's home folder may be on the server as with the Local Only option; however, more often it is intended for another drive or network location.

Reference: Server.app > Help > Server Help > Choose a user’s home folder location

14
Hi everyone

Excellent book! Look forward to reading and learning the whole series.

Note: The cover of the book does show 10.9.1 on iPad, but it still shows 10.9.0 on the Mac. The content is updated on both devices, though. Weird! The book is not available for iPhone.
