BryanSchmiedele

macrumors member
Original poster
Apr 25, 2010
43
0
Overland Park, KS
I am running Mac OS X 10.8.3 Server on a Mac mini. It is in a DMZ.

Recently I hooked my MBP up to it in order to get at it, as I had stupidly turned off remote administration. When I did so, many Server settings got changed. I changed them back as best I could, and someone else assisted me in this. We can access the server again and all LOOKS well, but...

When we email new Profiles to test users we are getting errors. On my iPhone I get the error:

"Profile Installation Failed"

"A connection to the server could not be established"

My co-worker gets an error about not being able to reach the server.

I am very new to Mac OS X Server Administration. I have used Google and found lots of posts, but nothing that seems to help me.

I am also having the error described in this post:

https://discussions.apple.com/message/22671146#22671146

Any assistance would be much appreciated!

Bryan
 

alexrmc92

macrumors regular
Feb 7, 2013
218
0
I want to try to help you the best that I can, but there are many things that can cause these types of problems. I've read your previous posts and I think I need to go over how everything as a whole works so you can have a better understanding of what to look for.


First off, you stated that the OS X server is in DMZ. If you didn't know, DMZ stands for demilitarized zone. To have your Mac server in DMZ means you must have some type of router that also functions as a firewall or has an external firewall. Knowing this, I am assuming your network is set up like this:

                                (DMZ)
Internet --> Router / Firewall ---------> Mac Server
                    |
                    |           (LAN)
                    +-------------------> Other Computers

DMZ and LAN cannot communicate with each other. The only way to communicate with the DMZ from LAN is through the public IP address of the router (which is provided by your ISP). All incoming traffic is forwarded directly to the DMZ.

Now let's look at the local computers. All of these computers are most likely assigned local IP addresses by the router via DHCP. DHCP also tells them which DNS server to use and can also forward other information if needed. Your Mac server can also function as a DNS server, but in order for its DNS server to work for you, each local computer needs to be configured to use it as a DNS server.

Think of DNS as a big phone book: it contains all of the records needed to know the IP numbers of domain names (such as google.com). By default your router usually functions as a DNS relay for your ISP's DNS server, and your ISP's DNS server doesn't have records for your Mac server in it. You need to configure your router to relay DNS requests to your Mac server.

Afterwards, make sure your Mac server is configured to forward external DNS requests (like google.com, apple.com, etc.) to another name server. You can use Google's DNS servers, which are 8.8.8.8 and 8.8.4.4, to do this. If this isn't done you won't be able to resolve domain names, which basically means no internet access.

Make sure the Mac server has DNS records pointed to itself and then profiles should work. If any of this is over your head you should see if anyone you know might be able to explain it better. Or with your permission I would consider remotely logging in and helping you, which can be discussed over PM.
 

BryanSchmiedele

macrumors member
Original poster
Apr 25, 2010
43
0
Overland Park, KS
Thank you very much for the assistance. I truly appreciate it.

I mostly follow everything that you wrote.

I think the DMZ issue is resolved. I can get to the server via the public address of the router - our network guy fixed that for me.

I understand DNS. What I am not sure about is if DNS must be running on the Mac OS X server? We are only using the server to push out apps and profiles. We have turned that off. We got the external forwarding working. We tested it by going to Apple's web site via IP, and then via domain name; and both worked.

What I don't understand is having DNS records pointing to itself. Can you elaborate on that a bit? Does DNS have to be running for that, or do we modify the host table?

My network guy is sniffing the firewall (just now) and he says that he is seeing that a server at Apple was trying to reach the Mac server and was denied. Perhaps we need to allow that in through the firewall in order to get the profiles to work?

Bryan
 

alexrmc92

macrumors regular
Feb 7, 2013
218
0
If the Mac Server is in DMZ then no firewall should block anything incoming to it. The whole point of DMZ is to bypass the firewall. Anyways, the answer is no, it is not required to let Apple contact your server for profiles, but it is required for push notifications.

To elaborate on DNS: all of your network clients (iPhones, iPads, Macs, etc.) are assigned an IP address by your router? Is this correct?

When your router assigns IP addresses to your clients it also assigns a list of DNS servers to use. These DNS servers are usually provided by your ISP. The problem is that your ISP does not know about your Mac server, so their DNS servers won't have a name for it.

You can either configure your router to use the Mac server as its DNS server, or you can go buy a domain on the internet (macserver.yourcompany.com) and set its IP to your public IP.

For the first option you will have to go into your router's settings and set its DNS server to the public IP address of your Mac server. Afterward you will have to go into the Mac server and start the DNS server. You will have to add an entry that uses your Mac's hostname and points it to its public IP address. Then you will need to set up forwarding.

For the second option you will have to create a domain on the internet and point it to your Mac server, then change your Mac server's host name to that domain name.




Make sure after all of this is done that you go into profile manager and have all of the hostnames correct.
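As an added example (not part of the original posts), the checks the thread discusses can be scripted: the server's hostname resolves to its own address, that address maps back to the hostname, and an outside name still resolves through the forwarder. The reverse-lookup check goes beyond what the posts state; the hostnames, addresses and function names below are constructed placeholders.

```python
import socket

def system_a(name):
    """Forward lookup through the OS resolver; returns a set of IPv4 strings."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:  # covers socket.gaierror / socket.herror
        return set()

def system_ptr(ip):
    """Reverse lookup through the OS resolver; returns lower-cased names."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return {n.rstrip(".").lower() for n in [name, *aliases]}
    except OSError:
        return set()

def table_lookup(table):
    """Build a lookup function from a dict, for offline testing."""
    return lambda key: table.get(key, set())

def check_server_dns(hostname, expected_ip, external_name,
                     lookup_a=system_a, lookup_ptr=system_ptr):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    host = hostname.rstrip(".").lower()
    addrs = lookup_a(host)
    if not addrs:
        problems.append(f"no A record for {host}")
    elif expected_ip not in addrs:
        problems.append(f"{host} resolves to {sorted(addrs)}, not {expected_ip}")
    names = lookup_ptr(expected_ip)
    if host not in names:
        problems.append(f"reverse lookup of {expected_ip} gives "
                        f"{sorted(names) or 'nothing'}, not {host}")
    if not lookup_a(external_name):
        problems.append(f"forwarding broken: {external_name} does not resolve")
    return problems

# Constructed sample records (documentation address ranges, example names).
SAMPLE_A = {"macserver.example.com": {"203.0.113.10"},
            "www.example.org": {"198.51.100.7"}}
SAMPLE_PTR = {"203.0.113.10": {"macserver.example.com"}}

if __name__ == "__main__":
    # Swap the table lookups for the defaults to query the live resolver.
    for line in check_server_dns("macserver.example.com", "203.0.113.10",
                                 "www.example.org", table_lookup(SAMPLE_A),
                                 table_lookup(SAMPLE_PTR)) or ["all checks passed"]:
        print(line)
```

Run it from a client on the LAN as well as on the server itself, since the two may be using different DNS servers.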
 