iPad cannot Enrol via URL or A.C Profile installation

MattT
New Contributor III

Prior to this issue we have successfully enrolled 400 odd iPads using either method.

On the iPad, go to the correct iOS enroll URL, enter AD credentials, install the trust certificate, after which the iPad is immediately redirected to the enrollment login page. The trust cert installs correctly but cannot go further.

I tried plugging into Apple Configurator (last resort -_-) v1.5, and tried to install a downloaded trust cert and enrollment profile manually, in that order. Again the trust cert installs fine, but I get the error "Profile Installation Failed - Invalid Profile".

Any ideas why this iPad is different? No restrictions or other settings on that I could see that would impact. Checked iPad date and time settings.

3 REPLIES

andyparkernz
New Contributor III

We've been seeing something similar - https://jamfnation.jamfsoftware.com/discussion.html?id=10633 and haven't been able to pin it down, but we tend to find that after restarting the Tomcat service the devices have a higher chance of enrolling.

justinrummel
Contributor III

During JumpStarts I get things like this a lot. This is what I usually check:

  1. Restart Tomcat - Why not, it's easy
  2. Verify you are using the FULL url to change any JSS settings and during enrollment! https://jss.domain.tld:8443/
  3. Check URL Setting - https://jss.domain.tld:8443/jssServerURL.html (they should be the FULL url)
  4. Recreate your CA - https://jss.domain.tld:8443/tomcat.html (the CN should be your FULL url)
  5. Recreate your PUSH cert - https://jss.domain.tld:8443/pushNotificationCertificate.html

Here is the WARNING, you already have devices! Recreating the CA may cause ALL of your devices to not communicate any longer and would require you to re-enroll all of your devices.

fabian_ulmrich
Contributor

We had the same problems since we upgraded to JSS version 9 and the solution for this was to remove the URL for "JSS URL for Enrollment Using Built-in SCEP and iPCU" under '/Settings/Global Settings/JSS URL'. Here you can point to a special URL if using iPCU or a Built-In SCEP Server which obviously is configured automatically when setting up the JSS URL for all other devices (OSX clients).

Removing this URL solved all my problems with iOS enrollment via Apple Configurator, User-initiated or OTA invitations whether it was an iPod/iPad or AppleTV. As mentioned by @justinrummel, be careful with removing or redoing the Mobile Device Enrollment Profile....really could end up in sh*** loads of work.

Hope that helps.

Cheers!
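The replies above point at URL mismatches (short versus FULL JSS URL, and a separate SCEP enrollment URL) as a cause of enrollment failing. The following is an added example, not part of the thread and not Jamf code: it reads an enrollment profile and lists any SCEP or MDM URL whose scheme, host or port differs from the expected JSS URL. It assumes an unsigned `.mobileconfig`; the host names and URL paths in the sample are constructed.

```python
import plistlib
from urllib.parse import urlsplit

# Payload keys that carry a server URL in an iOS enrollment profile.
URL_KEYS = {
    "com.apple.security.scep": ["URL"],
    "com.apple.mdm": ["ServerURL", "CheckInURL"],
}

def origin(url):
    """Return (scheme, host, port) with default ports made explicit."""
    p = urlsplit(url)
    port = p.port or {"https": 443, "http": 80}.get(p.scheme)
    return (p.scheme, (p.hostname or "").lower(), port)

def find_url_mismatches(profile_bytes, jss_url):
    """List (payload type, key, url) entries whose origin differs from jss_url."""
    expected = origin(jss_url)
    profile = plistlib.loads(profile_bytes)
    mismatches = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        # SCEP settings are nested one level down; MDM settings are not.
        inner = payload.get("PayloadContent")
        settings = inner if isinstance(inner, dict) else payload
        for key in URL_KEYS.get(ptype, []):
            url = settings.get(key)
            if url and origin(url) != expected:
                mismatches.append((ptype, key, url))
    return mismatches

# Constructed sample: the SCEP URL uses a short host name, the MDM URLs the full one.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.scep",
         "PayloadContent": {"URL": "https://jss:8443/scep", "Name": "JSS"}},
        {"PayloadType": "com.apple.mdm",
         "ServerURL": "https://jss.domain.tld:8443/mdm/ServerURL",
         "CheckInURL": "https://jss.domain.tld:8443/mdm/CheckInURL"},
    ],
})

if __name__ == "__main__":
    jss = "https://jss.domain.tld:8443/"
    for ptype, key, url in find_url_mismatches(SAMPLE_PROFILE, jss):
        print(f"{ptype}: {key} = {url} does not match the JSS URL")
```

A signed profile has to be unwrapped to its plain plist before it is passed to `find_url_mismatches`.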