
Afaria device enrollment issue

Former Member
0 Kudos

Hi Community,

We have set up an Afaria 7 SP3 environment and installed the components below inside our firewall.

Afaria Server 7 SP3

Afaria API Service and Administrator

Enrollment Server

Certificate Authority

Package Server

Microsoft SQL Server as database

We configured the Relay Server for the Afaria Server, Enrollment Server and Package Server and opened relay server port 80 to the internet. We are not using the Self Service Portal for device enrollment.

To enroll an iOS device, in Afaria Admin I created a policy for iOS and generated an enrollment code.

On the iOS device, I installed the Afaria application, launched the Afaria client app and entered the enrollment code that I generated in Afaria Admin. But I am getting a warning message, "Enrollment is incomplete. Refresh page to try again.", and I do not see that device in the Afaria Admin device list.

Am I following the right procedure to enroll the device? What might be the cause of the enrollment failure?

Also, could you please advise on the queries below?

1. Is either SMTP server connectivity or an SMS gateway mandatory for device communication?

2. Does the device communicate directly with the CA server? We have all our Afaria components behind the firewall and, as mentioned, we configured the Relay Server for the Afaria Server, Enrollment and Package Servers so that devices can connect to those servers. Does the CA also need to be open to devices, or will devices connect to the CA only through the Afaria Server?

Thanks for your time.

Regards

Narasimha

Accepted Solutions (1)

Former Member
0 Kudos

Thanks Abhishek, Chetan and Prathik for your helpful responses.

The issue was with the server configurations in the rs.config file for the enrollment server and its RSOE. It is resolved. But I have a different issue now.

When I do iPad enrollment, during Profile Service installation I am getting a 'Profile Installation Failed' error. In the ICU log I see the error message below.

(Error) MC: Connection to https://<RelayServer>:443/ias_relay_server/client/rs_client.dll/EnrollmentPentair/aips2/aipService.svc/TokenCheckin failed with error: NSError:

Desc   : The server certificate for https://<RelayServer>:443:443/ias_relay_server/client/rs_client.dll/EnrollmentPentair/aips2/aipService.svc/TokenCheckin is invalid.

Domain : MCHTTPTransactionErrorDomain

Code   : 23002

Type   : MCFatalError

Params : (

"https://<RelayServer>:443:443/ias_relay_server/client/rs_client.dll/EnrollmentPentair/aips2/aipService.svc/TokenCheckin"

)

Port 443 on the Relay Server is open to the internet. I also imported the self-signed certificate created on the relay server into the Personal certificate store of the Enrollment Server.

Do I need to make any other configuration in Afaria Server Admin?

Thanks for your time.

Regards

Narasimha

Former Member
0 Kudos

Hi,

Steps to follow for certificate import:

1. An SSL certificate must be configured on the relay server. Try opening the https://relayserveraddress link from the internet; it should present the certificate. (Please test this URL on the device.)

Note: Please make sure that when you try to open the link it opens directly; it shouldn't show an error asking whether you want to continue to the site. Normally an SSL certificate created from an internal CA faces this kind of error, so it is better for the SSL certificate to be purchased from a third party.

2. Import the SSL certificate into the Personal certificate store of the enrollment server.

3. Reinstall the provisioning server component and select the SSL certificate at the time of installation.

4. Make sure port 443 is open from the relay server to external in both directions.

5. Configure the CA server setting properly in the Afaria console .. Setting .. CA authority

6. Make sure the outbound enabler is connected properly.

For the Token error which you are getting:

1. Open Server Manager .. Roles .. Web Server (IIS) .. roles

2. If the WebDAV Publishing service has been installed, remove it using Remove Role Services.

0 Kudos

Hi Narasimha,

When you install the enrollment server, you need to select the relay server certificate (the certificate of the machine to which your device will connect first, and here it's the relay server).

Also, your relay server certificate should be issued to the FQDN/IP (depending on what URL your device/enrollment code opens). If your enrollment code points to https://relayserver.abc.xyz.com:443 then your relay server cert should be issued to relayserver.abc.xyz.com, otherwise iOS devices are smart enough to reject/drop the connection due to an untrusted host certificate (certificate and host name don't match).

Regards,

Abhishek Joshi
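
The host name check described in the answer above, as an added example (not part of the thread and not Afaria or SAP code): it compares the host in an enrollment URL with the names in a certificate given in the dict layout of Python's `ssl.SSLSocket.getpeercert()`. The two certificates and the `Example Internal CA` name are constructed, and a certificate with no matching subjectAltName entry is treated as a mismatch, which assumes a strict client.

```python
import ipaddress
from urllib.parse import urlsplit

def _dns_match(pattern, host):
    """Wildcard may stand only for the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_enrollment_cert(url, cert):
    """List the reasons a client would reject `cert` for the host in `url`.

    `cert` uses the dict layout returned by ssl.SSLSocket.getpeercert().
    """
    host = urlsplit(url).hostname
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not an IP literal, so compare against DNS names
    if ip is not None:
        ok = any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    else:
        ok = any(k == "DNS" and _dns_match(v, host) for k, v in sans)
    problems = []
    if not ok:
        problems.append(f"name mismatch: {host} not in {[v for _, v in sans]}")
    # Heuristic: identical subject and issuer means the certificate is self-issued.
    if cert.get("subject") == cert.get("issuer"):
        problems.append("self-signed: must be explicitly trusted on the device")
    return problems

# Constructed sample data (hypothetical certificates, not from the thread).
URL = "https://relayserver.abc.xyz.com:443/ias_relay_server/client/rs_client.dll"
CA = ((("commonName", "Example Internal CA"),),)
FQDN_CERT = {"subject": ((("commonName", "relayserver.abc.xyz.com"),),),
             "issuer": CA,
             "subjectAltName": (("DNS", "relayserver.abc.xyz.com"),)}
SHORT_CERT = {"subject": ((("commonName", "relayserver"),),),
              "issuer": ((("commonName", "relayserver"),),),
              "subjectAltName": (("DNS", "relayserver"),)}

if __name__ == "__main__":
    for name, cert in (("FQDN_CERT", FQDN_CERT), ("SHORT_CERT", SHORT_CERT)):
        print(name, check_enrollment_cert(URL, cert) or "OK")
```

To check a live relay server, pass the dict from `getpeercert()` on a connected `ssl` socket instead of the constructed samples.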

Former Member
0 Kudos

Even I had this issue. Removing WebDAV public services resolved my problem.

Answers (5)

Former Member
0 Kudos

I installed Hotfix 6 before I applied Hotfix 7. I still had the issue after that.

Anyway, the error is resolved now after I updated the iPad to iOS 7.0.2. After this update the profile installed successfully.

Thanks for the support throughout.

Regards

Narasimha

Former Member
0 Kudos

Hi Chetan/Abhishek,

Now, to set up Afaria in the production environment, can I reuse the Apple certificates (AAICA, Root and APNS certificates) that I generated for the test environment, or should I generate new certificates for this?

Please clarify.

Regards

Narasimha

0 Kudos

Hi Narasimha,

You can reuse the AAICA and Root certs, but please create a new APNS certificate.

Regards,

Abhishek Joshi

Former Member
0 Kudos

Thanks Abhishek.

Is there any reason to create a new APNS cert? My understanding was that, since APNS is not linked to the Afaria Server while generating it, we can reuse it for another server setup. Am I wrong in this?

Also, can the Google API key be reused?

Thanks for your time.

Regards,

Narasimha

0 Kudos

Hi Narasimha,

As you know, Google API and APNS have a limitation on the number of messages per key, hence I would recommend using different ones in different setups.

You can definitely reuse them in both QA and Production if you don't have a lot of messages flowing, but for uninterrupted services in production, you should not make it dependent on the QA system.

Also, it helps you to debug both landscapes separately and isolate them.

Regards,

Abhishek Joshi

Former Member
0 Kudos

Thanks Chetan and Abhishek.

We made some progress on this. We are using an SSL certificate from an internal CA and it is issued to the Relay Server DNS name.

When I do enrollment on my iOS 6 devices (iPad and iPod), the profile is installed successfully.

But when I try to enroll an iOS 7 iPad, profile installation fails and I get the same error message as earlier, "Profile Failed to install".

I have already applied Afaria 7 SP 03 Hotfix 7 for iOS 7 compatibility.

Regards

Narasimha

0 Kudos

Hi Narasimha,

It looks like you do not have SP03 Hotfix 6 on your server. It seems that Hotfix 7 is on top of 6 to reflect some changes.

Could you please install SP03 Hotfix 6 and then Hotfix 7 and try once more? Also, I hope you are using the latest Afaria Client from the App Store, which has the iOS 7 client.

Regards,

Abhishek Joshi

Former Member
0 Kudos

Please install Hot Fix 6 for iOS 7.

Former Member
0 Kudos

Hi,

Please try the hot fix below.

1.  Afaria 7 Service Pack 3 Hot Fix 4 or Hot Fix 6 for Afaria 7 Service Pack 3

SMTP: Not required for iOS devices.

CA server:

1. You need to configure the CA server setting in the Afaria console Setting area.

2. Check the outbound enabler for the CA farm.

3. You can try opening the URL of the relay server: http://yourrelayserveraddress/ias_relay_server/server/rs_server.dll (it should show overall availability: FULL). FULL stands for all the farms being connected properly.

4. Or you can test the URL http://yourrelayserveraddress/ias_relay_server/server/rs_server.dll/yourIOS-FARM/aips/aipservice.svc... (this page should open all the services). Open this URL on the device so you can cross-check the URL connection between your server and the device.

5. You can view the logs for both RSOE.config on the relay server and the outbound logs for the farm (please keep the verbose level at 5).

prathik
Participant
0 Kudos

Hi Narsimha,

You can check the logs of your relay server by setting the verbose level while starting the relay server from the command prompt (i.e. by appending V -5 to the relay server startup statement in cmd).

- Please check if your policy is assigned to a group in the Afaria admin portal.

- SMS gateway is not mandatory for device communication.

- Are the server configuration details like farm ID etc. being captured in the Afaria client on your phone?

- Are the package server details being fetched in the Afaria client on your device?

- Make sure you kill the process of the Afaria client on your phone and reset the connection details in the settings of your Afaria client on your phone before you try enrolling your device each time.

Check if you have applied all the hotfixes available here:

http://frontline.sybase.com/support/downloads.aspx

Hope it helps,

Regards,

Prathik

0 Kudos

Hi Narasimha,

I don't think SMTP server connectivity is mandatory for device communication.

Please check the long URL for your tiny URL enrollment code. It should point to your relay server with the correct port, farm, etc.

If everything is fine, then please try to open the enrollment code long URL in a browser and collect the logs on the Afaria server, relay server and Afaria server RSOE processes so that we can check what the issue is.

Regards,

Abhishek Joshi

Former Member
0 Kudos

Thanks Abhishek for the response.

We are using the Google URL Service and yes, the long URL is pointing to the Relay Server and enrollment farm.

When I try to open the enrollment code long URL in a browser, it is not returning anything. Is it supposed to return anything?

Please guide me on where I can get the mentioned log files for the Afaria Server, Relay Server and RSOE. I couldn't find those files in the respective installation directories.

Thanks for your time.

Regards

Narasimha

0 Kudos

Hi Narasimha,

Are there any errors displayed in the Afaria server (in Afaria Server Admin, you will get a system log option to navigate)?

For the relay server log, you need to log in to the relay server and collect rs.log (the default name, but it could be anything as per your configuration while creating the relay server service).

For RSOE, I guess you might not be running RSOE as service separate then running it from Afaria Admin. The log file might be found in the Afaria Admin logs or under the <AfariaServer>\bin\RSOE* directory.

Can you also try to collect console logs for your device when you try to connect using the enrollment code? It might be a device connectivity issue as well.

Regards,

Abhishek Joshi