5 Replies Latest reply on Sep 4, 2017 1:48 AM by MKelle

    LANrev: Enrollment issue with iOS 10 devices requiring Authentication

    dherder Specialist

      We have discovered an issue where iOS 10 devices that require authentication during enrollment will fail with an error "The operation couldn't be completed. (NSURLErrorDomain error -1012.)". This issue impacts LANrev version 7.3, build *5641*.

       

      The root cause of this issue appears to be related to enabling the Windows Authentication method in the "Profile" directory of the "MDM2008Handler" site.

       

      For a workaround to this issue, please refer to KB 25569.

       

      We will be releasing a new build of the 7.3 version of LANrev to correct this problem.

       

      KB contents:

      Article Title: Enrolling an iOS 10 device to a Windows MDM server fails with the error "The operation couldn't be completed. (NSURLErrorDomain error -1012.)"

       

      Article Resolution:

      In some cases, your IIS server may have "Windows Authentication" enabled for the "Profile" directory of the MDM2008Handler. iOS 10 seems to reject this authentication method, and requires the Basic Authentication method.

       

      To work around this issue, follow the below procedure:

      1. Open IIS Manager
      2. Choose the "MDM2008Handler" site
      3. Choose the "Profile" directory
      4. Click on "Authentication" and re-configure IIS Authentication settings for the "Profile" directory
      5. Disable Windows Authentication
      6. Make sure only Anonymous is enabled.
      7. Restart IIS by opening a cmd prompt (with Admin credentials) and issuing the command "iisreset".
      8. Try an iOS 10 DEP enrollment.
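The steps above can be scripted so that the change is audited first and touches only the "Profile" directory. This is an added example, not part of the KB article or of LANrev; it assumes the IIS WebAdministration PowerShell module and an elevated session, and it keeps Basic Authentication off as the update in the first reply advises.

```powershell
# Added example: audit and correct IIS authentication for MDM2008Handler/Profile.
# Site and directory names come from the KB steps; everything else is illustrative.
Import-Module WebAdministration

$location = 'MDM2008Handler/Profile'
$base     = 'system.webServer/security/authentication'

# Desired state: Anonymous on, Windows off (KB steps 5 and 6).
# Basic off follows the update in the first reply of this thread.
$desired = [ordered]@{
    anonymousAuthentication = $true
    windowsAuthentication   = $false
    basicAuthentication     = $false
}

function Get-ProfileAuthState {
    foreach ($method in $desired.Keys) {
        # Read the setting as it applies to the Profile directory.
        $current = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
                        -Filter "$base/$method" -Name enabled).Value
        [pscustomobject]@{
            Method  = $method
            Enabled = [bool]$current
            Desired = $desired[$method]
        }
    }
}

# Record the state before changing anything.
$before = Get-ProfileAuthState
$before | Format-Table -AutoSize

# Change only the methods that deviate, and only at this location, so the
# rest of the site keeps whatever authentication it already has.
$drift = $before | Where-Object { $_.Enabled -ne $_.Desired }
foreach ($row in $drift) {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter "$base/$($row.Method)" -Name enabled -Value $row.Desired
}

if ($drift) {
    Get-ProfileAuthState | Format-Table -AutoSize
    iisreset   # step 7 of the procedure
}
```

Running it a second time should print the table once and change nothing, which confirms the directory is in the state the KB describes.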
        • 1. Re: LANrev: Enrollment issue with iOS 10 devices requiring Authentication
          dherder Specialist

          Update: Some users have found that by enabling Basic Authentication, there is a negative effect on iOS 9 enrollments. If you run into this issue, please ensure Basic Auth. is disabled. The key here seems to be ensuring that Windows Authentication is disabled.

          • 2. Re: LANrev: Enrollment issue with iOS 10 devices requiring Authentication
            timelost Rookie

            Has the updated build been released yet?

            • 3. Re: LANrev: Enrollment issue with iOS 10 devices requiring Authentication
              dherder Specialist

              Yes, this is a build increment only on the MDM server, 7.3 build 5642.

              • 4. Re: LANrev: Enrollment issue with iOS 10 devices requiring Authentication
                dirwin Rookie

                I am having similar issues, but I am running my MDM Server on a MacMini server.  What would be the equivalent steps to resolving the issue?

                • 5. Re: LANrev: Enrollment issue with iOS 10 devices requiring Authentication
                  MKelle Rookie

                  We still have trouble in LANrev version 7.4 v5906 on macOS 10.12.6 enrolling iOS devices with either DEP or Apple Configurator 2.

                   

                  The SSL certificate is located at /etc/lighttpd/certs/lighttpd.pem including the intermediate certificate and private key. The intermediate certificate is issued by a trusted CA supported by Apple in iOS 10 (COMODO RSA Certification Authority -> List of available trusted root certificates in iOS 10 - Apple Support). Moreover the actual domain used for MDM enrollment matches the domain in the certificate, no wildcard certificate is used.

                   

                  The certificate of the LANrev server is self-signed and is generated automatically during initial setup. We copied the certificate from

                  /Library/Application Support/LANrev Server/Server Certificate.pem

                  to

                  /etc/lighttpd/certs/TrustedCertificates.pem

                   

                  Ports 443 and 8443 are open via NAT for external access from the internet.

                   

                  On the following screenshots you can see our configuration of LANrev:

                  [Screenshots: Screenshot 2017-08-31 at 05.09.41 PM.png, Screenshot 2017-08-31 at 05.13.14 PM.png, Screenshot 2017-08-31 at 05.14.42 PM.png]

                  Enrollment Process

                   

                  When trying to enroll an iOS 10 device (iPhone SE) with Apple Configurator 2, the following configurations are used (screenshot). The trust chain is received automatically when adding an MDM server to Apple Configurator 2. The enrollment profile (Registrierungsprofil) used is the one provided by LANrev, located at /Library/Application Support/LANrev Server/MDMEnrollmentBootstrap.mobileconfig

                  The Trust-Profile contains all signing CAs used by us.

                  Enrollment.png

                   

                  In both cases, whether DEP is used or no DEP profile is assigned to the iPhone, the enrollment fails with the error "NSURLErrorDomain error -1012."

                  The only way to enroll devices is to skip the enrollment with DEP or Apple Configurator 2 and use the manual enrollment by visiting the enrollment website with the iPhone's Safari browser. HTTPS works fine for the website.

                   

                   

                  [...]
                  Sep  1 11:45:30 iPhone Setup[369] <Notice>: Retrieving enterprise configuration...
                  Sep  1 11:45:30 iPhone securityd[99] <Notice>: cert[0]: AnchorTrusted =(leaf)[force]> 0
                  Sep  1 11:45:30 iPhone profiled(Security)[349] <Notice>:  [leaf AnchorTrusted]
                  Sep  1 11:45:30 iPhone Setup(CFNetwork)[369] <Notice>: TIC TCP Conn Start [2:0x170189580]
                  Sep  1 11:45:30 iPhone Setup(CFNetwork)[369] <Notice>: TIC TCP Conn Event [2:0x170189580]: 1 Err(0)
                  Sep  1 11:45:30 iPhone Setup(CFNetwork)[369] <Notice>: TIC TCP Conn Connected [2:0x170189580]: Err(0)
                  Sep  1 11:45:30 iPhone Setup(CFNetwork)[369] <Notice>: TIC Enabling TLS [2:0x170189580]
                  Sep  1 11:45:30 iPhone Setup(CFNetwork)[369] <Notice>: TIC TLS Event [2:0x170189580]: 2, Pending(0)
                  Sep  1 11:45:30 iPhone Setup(CFNetwork)[369] <Notice>: TIC TLS Event [2:0x170189580]: 11, Pending(0)
                  Sep  1 11:45:30 iPhone Setup(CFNetwork)[369] <Notice>: TIC TLS Event [2:0x170189580]: 13, Pending(0)
                  Sep  1 11:45:30 iPhone Setup(CFNetwork)[369] <Notice>: <MCHTTPRequestor: 0x17409fb30> cannot accept the authentication method NSURLAuthenticationMethodClientCertificate
                  Sep  1 11:45:30 iPhone Setup(CFNetwork)[369] <Notice>: <MCHTTPRequestor: 0x17409fb30> failed to communicate to the server. Error: NSError:Desc   : The operation couldn\M-b\M^@\M^Yt be completed. (NSURLErrorDomain error -1012.)
                  Domain : NSURLErrorDomain
                  Code   : -1012
                  Extra info:
                  {
                  NSErrorFailingURLKey = "https://mdm.lan.XXXXXXXX.de/Profile/adepenrollment.mdm?auth=0&vsc=1";
                  NSErrorFailingURLStringKey = "https://mdm.lan.XXXXXXXX.de/Profile/adepenrollment.mdm?auth=0&vsc=1";
                  }
                  Sep  1 11:45:30 iPhone Setup(CFNetwork)[369] <Notice>: TIC TCP Conn Cancel [2:0x170189580]
                  Sep  1 11:45:30 iPhone Setup[369] <Notice>: Error retrieving cloud config: <private>
                  Sep  1 11:45:30 iPhone Setup[369] <Notice>: Unbalanced nav bar spinner animation for "Disclosure"!
                  Sep  1 11:45:30 iPhone Setup(CFNetwork)[369] <Error>: HTTP load failed (error code: -999 [1:89])
                  [...]