Closed michalnicp closed 1 year ago
The NSOSStatusErrorDomain -67688 is "errSecInvalidSignature". I noticed that there is a certificate created on the device "MDM SCEP SIGNER
I still get this issue even with manual enrollment.
interesting... using the method you described above (thanks!) I get a different error (manual enrollment):
2022-11-23 15:26:01.265747-0300 0xc0ce Debug 0x0 1233 0 mdmclient: (Security) [com.apple.securityd:atomicfile] 0x137f2aad0 allocated /Library/Keychains/System.keychain buffer 0x128018000 size 45468
2022-11-23 15:26:01.265759-0300 0xc0ce Debug 0x0 1233 0 mdmclient: (Security) [com.apple.securityd:atomicfile] 0x137f2aad0 closed /Library/Keychains/System.keychain
2022-11-23 15:26:01.266960-0300 0xc0ce Debug 0x0 1233 0 mdmclient: (Security) [com.apple.securityd:atomicfile] 0x138814860 free /Library/Keychains/System.keychain buffer 0x128028000
2022-11-23 15:26:01.266992-0300 0xc0ce Debug 0x0 1233 0 mdmclient: (Security) [com.apple.securityd:handleobj] create 0x137f37843 for 0x137f37870
2022-11-23 15:26:01.267024-0300 0xc0ce Default 0x0 1233 0 mdmclient: (Security) [com.apple.securityd:security_exception] MacOS error: -25304
2022-11-23 15:26:01.267811-0300 0xc13f Error 0x139d4 1233 0 mdmclient: [com.apple.ManagedClient:CPDomainPlugIn] [ERROR] <<<<< PlugIn: InstallPayload [CertificateService] Error: Error Domain=NSOSStatusErrorDomain Code=-67688 "(null)" UserInfo={IsInternalError=true} <<<<<
MacOS error: -25304
description is "The specified item is no longer valid. It may have been deleted from the keychain." 🤔
Clouds in the sky, Making Fleet smoother and better, Fixing enrollment.
Fleet version: 4c0456be731dafcf0fff05585668230ca3457d4b
🧑‍💻  Expected behavior
Installing an enrollment profile should succeed.
💥  Actual behavior
Installing the profile fails with an "NSOSStatusErrorDomain". Retrying is successful, but it shouldn't fail on the 1st attempt.
This also fails with the same error when using DEP enrollment.
More info
Use the guide https://micromdm.io/blog/troubleshoot-dep/ to troubleshoot MDM issues on the device.
This seems to be related to issuing a device certificate from the SCEP server. Logs from the device show
Use https://www.osstatus.com to find the meaning of Apple API error codes.
Note that you should use a clean Fleet installation to reproduce the issue! Repeated attempts without using a clean database fail to reproduce.
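A triage sketch for the device logs quoted in this thread, added here as an example (it is not Fleet or micromdm code): it parses the mdmclient lines, pulls out the OSStatus codes, and pairs the failing InstallPayload event with the securityd exception logged just before it. The function names, the 5 ms correlation window, and the use of only the two code meanings quoted in the thread are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Meanings exactly as quoted in the thread; any other code needs a lookup.
MEANINGS = {-67688: "errSecInvalidSignature",
            -25304: "The specified item is no longer valid. It may have been deleted from the keychain."}
# Columns: timestamp, thread, type, activity, pid, ttl, then "process: message".
LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{6}[+-]\d{4}) +0x[0-9a-f]+ +"
                  r"(?P<level>\w+) +0x[0-9a-f]+ +(?P<pid>\d+) +\d+ +(?P<proc>[^:]+): (?P<msg>.*)$")
CODE = re.compile(r"(?:MacOS error: |Code=)(-?\d+)")
CATEGORY = re.compile(r"\[([\w.]+:\w+)\]")

# Three of the log lines posted above, copied as sample input.
SAMPLE = """\
2022-11-23 15:26:01.266992-0300 0xc0ce Debug 0x0 1233 0 mdmclient: (Security) [com.apple.securityd:handleobj] create 0x137f37843 for 0x137f37870
2022-11-23 15:26:01.267024-0300 0xc0ce Default 0x0 1233 0 mdmclient: (Security) [com.apple.securityd:security_exception] MacOS error: -25304
2022-11-23 15:26:01.267811-0300 0xc13f Error 0x139d4 1233 0 mdmclient: [com.apple.ManagedClient:CPDomainPlugIn] [ERROR] <<<<< PlugIn: InstallPayload [CertificateService] Error: Error Domain=NSOSStatusErrorDomain Code=-67688 "(null)" UserInfo={IsInternalError=true} <<<<<
"""

def parse(text, process="mdmclient"):
    """Return one event per log line of `process` that carries a status code."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        code = CODE.search(m["msg"]) if m and m["proc"] == process else None
        if not code:
            continue  # buffer/handle chatter has no status code
        cat = CATEGORY.search(m["msg"])
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f%z"),
                       "pid": int(m["pid"]), "level": m["level"],
                       "category": cat[1] if cat else None, "code": int(code[1]),
                       "meaning": MEANINGS.get(int(code[1]), "look up on osstatus.com")})
    return events

def correlate(events, window=timedelta(milliseconds=5)):
    """Pair each Error-level event with coded events the same pid logged just before it."""
    pairs = []
    for fail in (e for e in events if e["level"] == "Error"):
        before = [e for e in events if e is not fail and e["pid"] == fail["pid"]
                  and timedelta(0) <= fail["ts"] - e["ts"] <= window]
        pairs.append((fail, before))
    return pairs

if __name__ == "__main__":
    for fail, before in correlate(parse(SAMPLE)):
        print(fail["ts"], fail["category"], fail["code"], fail["meaning"])
        for e in before:
            print("  preceded by", e["category"], e["code"], e["meaning"])
```

On the sample lines this ties the keychain exception -25304 to the CertificateService failure -67688 reported by the same pid less than a millisecond later.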