MicroMDM Enrollment Certificate Chain Error

Hi,

I have MDS MicroMDM all configured with Push Cert, DEP Token and Self-Signed SSL Certificate created by MDS. All status indicators are green. My test MacBooks have DEP licenses and ABM is configured to redirect them to our MDS MicroMDM. And everything seems to work up until the Mac tries to enroll with this MDM on first boot. The error message reads “The server certificate chain for your organization’s MDM server was not properly set up.” I tried generating a certificate in keychain with a local CA, but I can’t get MicroMDM to start at all with those.

Any ideas what I can do to get this working?

Regards

https://twocanoes.com/knowledge-base/troubleshooting-deployment-enrollment-dep-for-macos-by-viewing-the-activation-record/

Hi, thanks for the link. It helped me figure out that I have an issue with the MDM DEP Profile not updating at all. I checked the mds-micromdm-err.log and realized my db files were messed up, was able to restore them from backup and it works fine now.

Thanks for this great tool!


I’m getting the same error message, but with a different background…
I created a certificate with certbot/let’s encrypt, copied the cert and key to a folder which MDS can access and renamed them as needed.
I then restarted the MDM service and updated the enrollment profile. Checking the enrollment site (https://mymdsservername.com:8443) now shows a lock and checking the certificate, everything seems to be in order including the certificate chain.
But when trying to enroll a device through a “regular” setup without MDS, I get stuck at the enrollment screen with the same error message concerning the cert chain…
After changing back to the self signed cert and key, restarting MDM and updating the enrollment profile I can enroll again.
Checking the logs has not yielded any useful information. Why does MDM seem to have a problem with the cert chain but the enrollment webpage does not?
regards

What settings do you use for “Include MDM Service Certificate for Anchor Certificate” and “Profile is removable” in your MDM profile? Try disabling both checkboxes.

Hi sakuld,
thanks a lot for your help! I have the checkbox for removing the profile checked, since this caused an error when updating the enrollment profile without it being checked. So I unchecked the “Include MDM Service Certificate for Anchor Certificate” and… the cert chain error is gone! Great! But as usual I got another problem after solving one… Now the device just sits there with the message “waiting for management server”… The device was able to connect to the server and installed the enrollment profile, I can see that. But nothing ever happens after that. Checking the logs I found an entry which is probably the cause.
transport=http method=DELETE status=500 proto=HTTP/1.1 host=127.0.0.1 user_agent=“MDS/36240 CFNetwork/1128.0.1 Darwin/19.6.0 (x86_64)” path=/v1/blueprints
Seems as if the server can’t update the blueprints and the device enrolling is waiting for that.
Any ideas what might be the problem now? :sweat_smile:

Hi, you’re right about the profile checkbox, I got confused cause the checkbox is the inverse of the actual value sent to the server.
Under microMDM preferences enable “MDM HTTP Debugging”. Then you can view the most recent messages with: tail -b 10 /Library/Logs/mds-micromdm.log
You could find more details there.
Don’t try to open or show the entire file, it gets big fast.
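The two posts above quote a request line from mds-micromdm.log and suggest tailing the file rather than opening it whole. The following is an added example, not part of this thread and not code from MDS or MicroMDM: a small parser for the key=value request-log format shown above (the sample lines are constructed, modelled on the status=500 line quoted in the thread), plus a block-wise tail that reads only the end of a large log. It groups responses by method and path so a 500 on /v1/blueprints stands out without scrolling.

```python
import re
import os
import tempfile
from collections import Counter, defaultdict

# Constructed sample in the key=value request-log format quoted in the thread.
# The DELETE /v1/blueprints line mirrors the status=500 entry posted above.
SAMPLE_LOG = """\
transport=http method=GET status=200 proto=HTTP/1.1 host=127.0.0.1 user_agent="MDS/36240 CFNetwork/1128.0.1 Darwin/19.6.0 (x86_64)" path=/v1/devices
transport=http method=DELETE status=500 proto=HTTP/1.1 host=127.0.0.1 user_agent="MDS/36240 CFNetwork/1128.0.1 Darwin/19.6.0 (x86_64)" path=/v1/blueprints
transport=http method=PUT status=500 proto=HTTP/1.1 host=127.0.0.1 user_agent="MDS/36240 CFNetwork/1128.0.1 Darwin/19.6.0 (x86_64)" path=/v1/blueprints
transport=http method=PUT status=200 proto=HTTP/1.1 host=127.0.0.1 user_agent="MDS/36240 CFNetwork/1128.0.1 Darwin/19.6.0 (x86_64)" path=/mdm/checkin
some unrelated line without key=value pairs
"""

# key=value pairs; values may be bare, in straight quotes, or in the curly
# quotes that forum software tends to substitute when a log line is pasted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|\u201c([^\u201d]*)\u201d|(\S+))')


def parse_line(line):
    """Turn one log line into a dict of its key=value fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        value = next(g for g in m.groups()[1:] if g is not None)
        fields[key] = value
    return fields


def summarize(log_text):
    """Map (method, path) -> Counter of status codes, ignoring non-request lines."""
    by_endpoint = defaultdict(Counter)
    for line in log_text.splitlines():
        f = parse_line(line)
        if "status" not in f or "path" not in f:
            continue
        by_endpoint[(f.get("method", "?"), f["path"])][f["status"]] += 1
    return by_endpoint


def failing_endpoints(log_text, threshold=500):
    """Return sorted (method, path, error_count) for endpoints with status >= threshold."""
    out = []
    for (method, path), statuses in summarize(log_text).items():
        errors = sum(n for s, n in statuses.items() if s.isdigit() and int(s) >= threshold)
        if errors:
            out.append((method, path, errors))
    return sorted(out)


def tail_lines(path, n=10, block=4096):
    """Return the last n lines of a file, reading backwards in blocks so a
    multi-gigabyte log is never loaded into memory."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        pos = fh.tell()
        buf = b""
        # Keep reading until we hold more than n newlines or reach the start.
        while pos > 0 and buf.count(b"\n") <= n:
            step = min(block, pos)
            pos -= step
            fh.seek(pos)
            buf = fh.read(step) + buf
    return buf.decode("utf-8", "replace").splitlines()[-n:]


if __name__ == "__main__":
    # Write the constructed sample to a temp file to show tail_lines on a real path.
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".log") as tmp:
        tmp.write(SAMPLE_LOG)
        tmp_path = tmp.name
    try:
        recent = "\n".join(tail_lines(tmp_path, n=3))
        for method, path, errors in failing_endpoints(recent):
            print(f"{errors} server error(s) on {method} {path}")
    finally:
        os.unlink(tmp_path)
```

Pointing tail_lines at /Library/Logs/mds-micromdm.log (after enabling “MDM HTTP Debugging” as described above) and feeding the result to failing_endpoints gives the same answer the poster found by eye: the only endpoint returning 5xx is /v1/blueprints.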

Hi sakuld,
I figured as much with the checkboxes and yeah it’s a bit confusing! I completely restarted MDS and the 500 error disappeared and I was able to update. Finally everything seems to be working! Thanks a lot for your help, much appreciated!
greez
