Profile installation issues

[weiyong]

What version of micromdm are you using?

micromdm version v1.8.0

What micromdm command did you run?

/v1/commands request_type=InstallProfile

What did you expect to see?

The signing profile certificate generated on July 12th was able to install the provisioning profile, distribute single applications, and receive the quit command until July 17th. After the command was sent to the MicroMDM server, the server logged a message saying “queued event for device”, but the webhook callbacks were not triggered. Any requests with webhook URLs did not receive callbacks. However, manual installation and removal of the MDM certificate did trigger callbacks for mdm.Authenticate and mdm.TokenUpdate. Occasionally, the error message “no blueprints to apply” was encountered.

This is already in our enroll payload:

{"request_type":"InstallProfile","payload":"MIA...","udid":"00008103-001D3939..."}

What did you see instead?

All webhook are asynchronous without callback

[korylprince]

MDM commands are asynchronous. This comment has a basic description of how a device receives a command and responds.

It sounds like you're queueing commands successfully, but the device is not checking in to get the command(s) in a timely manner.

This could be because:

• MicroMDM is having trouble contacting Apple's APNS servers (which should be logged)
• The device is not receiving APNS notifications from Apple
• The device can't reach your MicroMDM server

Also, it would be useful to upgrade to MicroMDM 1.11, which should be completely backwards compatible and includes bug fixes related to logging some errors.

[weiyong]

MDM commands are asynchronous. This comment has a basic description of how a device receives a command and responds.

It sounds like you're queueing commands successfully, but the device is not checking in to get the command(s) in a timely manner.

This could be because:

• MicroMDM is having trouble contacting Apple's APNS servers (which should be logged)
• The device is not receiving APNS notifications from Apple
• The device can't reach the MDM server

Also, it would be useful to upgrade to MicroMDM 1.11, which should be completely backwards compatible and includes bug fixes related to logging some errors.

Thank you very much for your reply. The device can request the description file through mdm/enroll, so it can be sure that the device has been connected to the MDM server. I still have a few questions that need your guidance:

1. What is the APNS server? From the mobile device management of the description file, it can be seen that "use and develop APNS is No", and the issue of the certificate issued before is also No. Does it affect this?
2. Will the MicroMDM server be restricted and affect the webhook callback, such as a firewall; if so, what methods can I use to check or which domain names (addresses) may be restricted;
3. If you upgrade to MicroMDM 1.11, which startup parameters can troubleshoot this problem? Looking forward to your reply.

[korylprince]

1. APNS is the Apple Push Notification Service. APNS is an integral part of MDM. The quickstart guide covers adding the APNS certificate to MicroMDM. I'm not sure what document you're referencing.
   • Note: APNS is also the service apps use to send notifications, so most documentation you'll see on it is about that use case.
2. I'm not really sure what you're asking here. The webhook is a URL that you specify via the -command-webhook-url. MicroMDM POSTs events to the URL as described here. It's up to you to make sure the server running MicroMDM can access the URL you specify.
3. The -http-debug flag can be useful to see the actual requests/responses MicroMDM is receiving/sending. To be clear though, this is for incoming requests. Requests sent to the webhook by MicroMDM don't have extra logging when this flag is enabled. But v1.11 also fixes a bug that caused some errors to not be logged properly.

[weiyong]

1. APNS is the Apple Push Notification Service. APNS is an integral part of MDM. The quickstart guide covers adding the APNS certificate to MicroMDM. I'm not sure what document you're referencing.

   • Note: APNS is also the service apps use to send notifications, so most documentation you'll see on it is about that use case.
2. I'm not really sure what you're asking here. The webhook is a URL that you specify via the -command-webhook-url. MicroMDM POSTs events to the URL as described here. It's up to you to make sure the server running MicroMDM can access the URL you specify.
3. The -http-debug flag can be useful to see the actual requests/responses MicroMDM is receiving/sending. To be clear though, this is for incoming requests. Requests sent to the webhook by MicroMDM don't have extra logging when this flag is enabled. But v1.11 also fixes a bug that caused some errors to not be logged properly.

The enroll.mobileconfig file can be manually installed normally, or information can be obtained through the /v1/devices device. The device status is' enrollment_status': true, and manual installation can also receive mdm. Authenticate and mdm. TokenUpdate callbacks. But it cannot be installed by pushing files through /v1/commands InstallProfile. After seeing the 'queued event for device' in the MicroMDM log, there were no error reports and the device did not respond，callback webhook did not receive a request either. MicroMDM startup specifies parameters such as -http-debug, -api-key, -tls=false, -command-webhook-url. Then, on the MicroMDM server, the address in the curl -command-webhook-url can be used for normal communication. Open the browser on the device and access the /mdm/enroll address to see and download enrol.mobileconfig. I would like to ask why this situation occurs

The following is the push information seen from MicroMDM : ---BEGIN Request--- POST /v1/commands HTTP/1.1 {"request_type":"InstallProfile","payload":"MIA...","udid":"00008103..."} ---END Request--- ---BEGIN Response--- HTTP/1.1 201 Created Connection: close Content-Type: application/json; charset=utf-8

{ "payload": { "command_uuid": "fd59395c-9d23-4b8b-9990-9d47b8402417", "command": { "request_type": "InstallProfile", "payload": "MIA..." } } }

---END Response--- transport=http method=POST status=200 proto=HTTP/1.1 host=100.127.251... user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Hutool" path=/v1/commands level=info msg="queued event for device" device_udid=00008103... command_uuid=fd59395c-9d23-4b8b-9990-9d47b8402417 request_type=InstallProfile ---BEGIN Request---

[korylprince]

If the device is enrolled, and it's not checking in after queuing a command (and therefore sending the device an APNS notification), then it's almost certainly one of the issues I mentioned above.

Also, since I forgot to mention it before, the "no blueprints to apply" message can safely be ignored. It just means that you haven't set up a Blueprint, which is an optional feature of MicroMDM.

[weiyong]

If the device is enrolled, and it's not checking in after queuing a command (and therefore sending the device an APNS notification), then it's almost certainly one of the issues I mentioned above.

Also, since I forgot to mention it before, the "no blueprints to apply" message can safely be ignored. It just means that you haven't set up a Blueprint, which is an optional feature of MicroMDM.

micromdm upgraded to 1.11, see micromdm still no error message： [app@vm-centos mdmmicro]$ micromdm -version micromdm version v1.11.0 [app@vm-centos mdmmicro]$ cat mdmmicro.log | grep 'checkin'

https://push.url/mdm/checkin

                            <string>https://push.url/mdm/checkin</string>

PUT /mdm/checkin HTTP/1.1 Content-Type: application/x-apple-aspen-mdm-checkin transport=http method=PUT status=200 proto=HTTP/1.1 host=100.127.251.139 user_agent=MDM/1.0 path=/mdm/checkin

https://push.url/mdm/checkin

PUT /mdm/checkin HTTP/1.1 Content-Type: application/x-apple-aspen-mdm-checkin transport=http method=PUT status=200 proto=HTTP/1.1 host=100.127.251.205 user_agent=MDM/1.0 path=/mdm/checkin PUT /mdm/checkin HTTP/1.1 Content-Type: application/x-apple-aspen-mdm-checkin transport=http method=PUT status=200 proto=HTTP/1.1 host=100.127.251.215 user_agent=MDM/1.0 path=/mdm/checkin PUT /mdm/checkin HTTP/1.1 Content-Type: application/x-apple-aspen-mdm-checkin transport=http method=PUT status=200 proto=HTTP/1.1 host=100.127.251.244 user_agent=MDM/1.0 path=/mdm/checkin

[app@vm-centos mdmmicro]$ cat mdmmicro.log | grep 'component=scep' component=scep op=GetCACert error=null took=12.503µs component=scep method=GET status=200 proto=HTTP/1.1 host=100.127.251.180 user_agent="profiled/1.0 CFNetwork/1335.0.3 Darwin/21.6.0" path="/scep?operation=GetCACert&message=Device%20Management%20Identity%20Certificate" component=scep op=GetCACaps error=null took=18.429µs component=scep method=GET status=200 proto=HTTP/1.1 host=100.127.251.215 user_agent="profiled/1.0 CFNetwork/1335.0.3 Darwin/21.6.0" path="/scep?operation=GetCACaps&message=Device%20Management%20Identity%20Certificate" component=scep op=PKIOperation error=null took=9.647446ms component=scep method=POST status=200 proto=HTTP/1.1 host=100.127.251.217 user_agent="profiled/1.0 CFNetwork/1335.0.3 Darwin/21.6.0" path="/scep?operation=PKIOperation"

[app@vm-centos mdmmicro]$ cat mdmmicro.log | grep 'api.push.apple.com' [app@vm-centos mdmmicro]$ curl -X POST -H "Content-Type: application/json" https://api.push.apple.com/ @@,���Unexpected HTTP/1.x request: POST /

I did not find the api.push.apple.com request in the micromdm log, curl api.push.apple.com found that it was rejected, but the browser access is normal, does it have something to do with this

[korylprince]

It sounds like you're not having an issue with MicroMDM sending push notifications to Apple, then.

If devices aren't checking in after queuing a command, then the issue is likely:

• The device is not receiving APNS notifications from Apple
• The device can't reach your MicroMDM server

Neither of those issues would log any error messages in MicroMDM logs, as the issue doesn't really have anything to do with MicroMDM.

[korylprince]

There hasn't been any activity on this, so I'm going to go ahead and close this issue. If you have any further issues/questions, feel free to reopen.