Profile Manager - Resolving an issue with device enrollment

Francesco DellaPorta
« on: January 18, 2015, 06:01:04 PM »
Device self-enrollment service unavailable with Server 4.0.3

Right after upgrading and updating my OS X Server to version 4.0.3 on Yosemite 10.10.1, an issue with the device management service of the Profile Manager feature arose. The process of enrolling additional devices, be it a Mac computer or an iOS device, was simply not "happening" any more.

Accessing the user profile page (https://host.example.com/mydevices) via the web browser went through. However, clicking on the ENROLL button did not produce the expected result: downloading the MDM profile and then prompting to install it on the device. This message instead was what the OS X Server was sending back to the enrolling device:

Quote:
    Service Unavailable
    The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
    Apache Server at host.example.com Port 443

By looking into the system.log file it turned out to be a PHP (Hypertext Preprocessor) web service error message with code 503. Oops, the php-fpm (PHP FastCGI Process Manager) service was not running. Such a daemon service is controlled by the system launchd at /Applications/Server.app/Contents/ServerRoot/System/Library/LaunchDaemons/com.apple.DeviceManagement.php-fpm.plist.
Further investigation on the web, through the man pages, and inside the file system brought me to the following conclusion.

In order for the PHP service, and with it the device self-enrollment procedure, to work, two configuration files needed to be modified inside the Server.app bundle: com.apple.DeviceManagement.php-fpm.plist and php-fpm.conf.

1. php-fpm.plist
/Applications/Server.app/Contents/ServerRoot/System/Library/LaunchDaemons/com.apple.DeviceManagement.php-fpm.plist
# Comment out:
<!--
        <key>UserName</key>
        <string>_devicemgr</string>
        <key>GroupName</key>
        <string>_devicemgr</string>
-->

2. php-fpm.conf
/Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/php/php-fpm.conf
# Remove comment (";") for:

        user = _devicemgr
        group = _devicemgr

The first modification is to launch the php-fpm command as the root user. The second is needed by php-fpm to define a user for the process to run as.
After changing the files, one needs to reload the php-fpm daemon. This command is made persistent by the system; unload it first if it is already running.

Code:
sudo launchctl load /Applications/Server.app/Contents/ServerRoot/System/Library/LaunchDaemons/com.apple.DeviceManagement.php-fpm.plist
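The procedure above as a script, added here as an example and not the poster's own code: it applies both edits idempotently (keeping a .bak of each file), verifies the resulting state of both files before touching launchd, and only then does the unload/load. The check matters because the first edit alone makes the daemon run as root with nothing telling php-fpm which user to drop to. The paths are the post's; SERVER_ROOT and DRY_RUN are assumed knobs of this script, not of Server.app.

```shell
#!/bin/sh
# Assumed: SERVER_ROOT can be pointed at a copy of the files for a dry run.
SERVER_ROOT="${SERVER_ROOT:-/Applications/Server.app/Contents/ServerRoot}"
PLIST="$SERVER_ROOT/System/Library/LaunchDaemons/com.apple.DeviceManagement.php-fpm.plist"
FPM_CONF="$SERVER_ROOT/usr/share/devicemgr/php/php-fpm.conf"

# True when the plist's UserName key sits inside an XML comment,
# i.e. launchd no longer switches the php-fpm master away from root.
plist_user_commented() {
    awk '/<!--/{c=1} /-->/{c=0} c && index($0,"<key>UserName</key>"){f=1} END{exit !f}' "$1"
}

# True when php-fpm.conf has live user/group = _devicemgr lines (no ";"),
# so php-fpm has a user to run the process as.
fpm_conf_sets_devicemgr() {
    grep -q '^[[:space:]]*user[[:space:]]*=[[:space:]]*_devicemgr' "$1" &&
    grep -q '^[[:space:]]*group[[:space:]]*=[[:space:]]*_devicemgr' "$1"
}

# Step 1: wrap the UserName..GroupName block in <!-- -->. No-op if already done.
comment_out_launchd_user() {
    plist_user_commented "$1" && return 0
    cp "$1" "$1.bak"
    awk 'index($0,"<key>UserName</key>") { print "<!--"; blk=1 }
         { print }
         blk && index($0,"<key>GroupName</key>") { grp=1 }
         blk && grp && index($0,"</string>") { print "-->"; blk=0; grp=0 }' "$1.bak" > "$1"
}

# Step 2: strip the leading ";" from the two _devicemgr lines. No-op if already done.
uncomment_fpm_user() {
    fpm_conf_sets_devicemgr "$1" && return 0
    cp "$1" "$1.bak"
    sed -e 's/^[[:space:]]*;[[:space:]]*\(user[[:space:]]*=[[:space:]]*_devicemgr\)/\1/' \
        -e 's/^[[:space:]]*;[[:space:]]*\(group[[:space:]]*=[[:space:]]*_devicemgr\)/\1/' \
        "$1.bak" > "$1"
}

# Apply both edits, refuse to reload unless both files verify, then do the
# unload/load from the post. DRY_RUN=1 stops before launchctl.
apply_fix() {
    comment_out_launchd_user "$PLIST" && uncomment_fpm_user "$FPM_CONF" || return 1
    plist_user_commented "$PLIST" && fpm_conf_sets_devicemgr "$FPM_CONF" || return 1
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    sudo launchctl unload "$PLIST" 2>/dev/null || true
    sudo launchctl load "$PLIST"
}

case "${1:-}" in apply) apply_fix ;; esac
```

Run it as `sudo sh fix-php-fpm.sh apply`, or with `DRY_RUN=1` and `SERVER_ROOT` pointing at copies of the two files to see the edits without reloading anything.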

Hope it helps some admins who are not deploying the Device Enrollment Program (https://deploy.apple.com) but instead allow anyone with a domain login to self-enroll devices.
 
-- Francesco Della Porta