Resolve issues with Profile Manager in macOS Server

Learn how to find and fix issues if Profile Manager doesn't work the way you expect.

If you can't access the administration page

Profile Manager's basic setup is in Server app. You must use Safari to access Profile Manager's /mydevices webpage and the administration webpage.

Only server administrators can access your administration page. The URL format for your administration page is:

  • https://your_server's_fully_qualified_domain_name/profilemanager
    Example: https://www.example.com/profilemanager

To enroll an iPhone, iPad, iPod touch, or a Mac, go to:

  • https://your_server's_fully_qualified_domain_name/mydevices
    Example: https://www.example.com/mydevices

If you can't access the administration page with a web browser other than Safari, try with Safari. If you can't access it with Safari, try other steps.

Check your DNS server

Profile Manager requires Open Directory or Active Directory, which can be used locally or from another server. DNS settings are important when you set up these services. If Profile Manager doesn't open, make sure your server points to a reliable DNS server. You can also use Server app to set up DNS so that your server can resolve itself.

If you can't push profiles or apps to clients

If you experience issue when you push profiles or apps to client systems, check the system log file in Console. If it reports that your server can't reach Apple's APNS servers, check your network's configuration. Make sure that all needed ports are open.

For more information, turn on APNS debug logging with these Terminal commands:

sudo defaults write /Library/Preferences/com.apple.apsd APSWriteLogs -bool TRUE
sudo defaults write /Library/Preferences/com.apple.apsd APSLogLevel -int 7
sudo killall apsd

You can find the log file at /Library/Logs/apsd.log. 

After your APNS transactions are logged, use these Terminal commands to turn off debug logging:

sudo defaults write /Library/Preferences/com.apple.apsd APSWriteLogs -bool FALSE
sudo defaults delete /Library/Preferences/com.apple.apsd APSLogLevel
sudo killall apsd

If you get other issues with Profile Manager

Profile Manager logs can help you fix issues with Profile Manager. You can find a symbolic link named "devicemgr" at /var/log. This file points to /Library/Logs/ProfileManager, where you can find these logs:

devicemgrd.log
  • Provides the status of querying and syncing Open Directory and Active Directory users and groups.
  • Reports errors that occur from queries executed by devicemgrd.
  • Displays entries related to sending push notifications.
  • Displays entries related to DEP and VPP transactions.
dm_helper.log
  • Logs information related to MDM related user authentication from macOS network users.
dmrunnerd.log
  • Displays the status of starting and stopping the managed ruby processes that support the Profile Manager webpage (/profilemanager and /mydevices). This log is sometimes empty.
migration_tool.log
  • Shows the status and details of migration from a previous Server.app version. 

php.log

  • Lists the IP addresses of devices that Profile Manager manages. If your devices are behind Network Address Translation (NAT), IP addresses listed here might not match.
  • Shows the interaction of MDM commands sent to devices and their responses.
  • Lists profile installation attempts and all commands sent to devices.

php-fpm.log

  • Displays the status of starting and stopping the individual php-fpm helper processes.

php-fpm.devicemgr.log

  • Issues with PHP are logged to this file.
PostgreSQL-<yyyy-mm-dd>.log
  • Logs any queries with Profile Manager's PostgreSQL database that result in an error.
  • This also logs commands that change the database schema.
profilemanager.log
  • Logs all user interactions performed in the Profile Manager administration page.
  • Lists error messages related to the Profile Manager webpage (/profilemanager and /mydevices).
  • Managed ruby process transaction issues are logged here.
servermgr_devicemgr.log
  • Logs the starting and stopping of the Profile Manager service.

These logs can also provide helpful information:

  • /var/log/apache2/service_proxy_error.log
  • /var/log/opendirectory.log
  • /var/log/system.log

In macOS Sierra and later, some information is stored via Unified logging. The following terminal command can provide you with some additional helpful information:

sudo log show --info --debug --predicate "(eventMessage contains[cd] 'devicemgr') or (category contains[cd] 'HTTPServer')"

About transaction "failures"

Some of these logs might list transaction "failures" or retries. Most of these entries are expected and don't indicate an issue. These logged events are conflicts between attempts to modify the underlying PostgreSQL database at the same time. These kinds of failures retry until they succeed.

You can identify transaction conflicts when you see any of these notes in your log files:

  • Canceled on conflict out to pivot
  • could not serialize access due to concurrent update
  • @@@ Retry #X
  • @@@ Retry X

Use verbose logging to find more info

More information on how to fix an issue is sometimes available if you increase the log level. To gather the information you need, reproduce the issue after you increase the logging level.

When you're finished, revert to the original logging level. If you leave the logging level at a higher setting, it decreases the available space on your startup drive.

Turn on verbose logging

To increase the level of logging, use this Terminal command:

sudo debugDeviceMgr 4

This automatically restarts Profile Manager Service.

Turn off verbose logging

To revert the logging level back to its original setting, use this Terminal command:

sudo debugDeviceMgr 1

This automatically restarts Profile Manager Service.

Published Date: