OS X Server: Resolving issues with Profile Manager

Use the steps in this article to help you isolate issues if Profile Manager doesn't work the way you expect.

If you can't access the administration page

Profile Manager's basic setup is within Server app. Using this service requires using Safari to access Profile Manager's mydevices webpage and the administration webpage.

Only server administrators are allowed to access your administration page. The URL format for your administration page is:

  • https://your_server's_fully_qualified_domain name/profilemanager
    Example: http://www.example.com/profilemanager

Mac computers and iOS devices can enroll by visiting:

  • https://your_server's_fully_qualified_domain_name/mydevices
    Example: https://www.example.com/mydevices

If you have difficulty accessing your server's administration page using a web browser other than Safari, try using Safari before trying other steps.

Check DNS

Profile Manager requires Open Directory or Active Directory. These directory services can be used locally, or from another server. An important part of setting up these services is related to DNS. If Profile Manager doesn't open, make sure your server is pointed to a reliable DNS server. You can also use Server app to set up DNS so that your server can resolve itself.

If your server migration wasn't successful

If Profile Manager isn't properly set up after migrating from an earlier version of OS X server, you can use this Terminal command to try migrating again:

sudo /Applications/Server.app/Contents/ServerRoot/System/Library/ServerSetup/CommonExtras/80-devicemgrcommon.sh

Check SACLs when users can't access Profile Manager

In OS X Server version 2.2 and earlier, Service Access Control Lists (SACLs) are an "allow or deny" list of directory users who are able to use the Profile Manager service. Any users that are part of the Open Directory group "Workgroup" are allowed to access this service. If a user is not able to access this service, check the group's membership.

If you can't push profiles or apps to clients

If you are experiencing issues pushing profiles or apps to client systems, check the system log file in Console. If this log reports that your server cannot reach Apple's APNS servers, check your network's configuration to ensure all ports needed are open.

You can also enable APNS debug logging for more information using these Terminal commands in OS X Mountain Lion and Mavericks:

sudo defaults write /Library/Preferences/com.apple.apsd APSWriteLogs -bool TRUE
sudo defaults write /Library/Preferences/com.apple.apsd APSLogLevel -int 7
sudo killall apsd

The resulting log file can be found at /Library/Logs/apsd.log. 

When you're finished logging your APNS transactions, use these Terminal commands to disable debug logging:

sudo defaults write /Library/Preferences/com.apple.apsd APSWriteLogs -bool FALSE
sudo defaults delete /Library/Preferences/com.apple.apsd APSLogLevel
sudo killall apsd

If you're experiencing other issues with Profile Manager

Examining Profile Manager logs can help you resolve issues related to Profile Manager. There is a symbolic link named “devicemgr” located at /var/log. This file points to /Library/Logs/ProfileManager, where you can find these items:

devicemgrd.log
  • Provides the status of querying and syncing Open Directory and Active Directory users and groups (includes device_id, mdm_target_id, last_push_time, token, and device name).
  • Reports PostgreSQL errors. Refer to the PostgreSQL log for more detailed information on errors listed in this log file.
  • Displays entries related to sending push notifications.
  • Provides general logging for the Profile Manager service.
dmrunnerd.log
  • Displays the status of starting and stopping the processes that support the Profile Manager administration page and mydevices page. This log is sometimes empty.
migration_tool.log
  • Shows the status and details of migration from a previous OS version. 

php.log

  • Lists the IP addresses of devices managed by Profile Manager. IP addresses listed here may not match if your devices are behind Network Address Translation (NAT).
  • Shows the interaction of MDM commands sent to devices and their responses.
  • Lists profile installation attempts and all commands send to devices.

php-fpm.log

  • Issues with PHP are logged to this file. If nothing is logged in php.log (or the log entries are truncated), this file might contain helpful information for diagnosing your issue.

php-fpm.devicemgr.log

  • Displays which URLs devices have requested with success or failure status.
PostgreSQL-<yyyy-mm-dd>.log
  • Logs any transactions with Profile Manager's PostgreSQL database that resulted in an error.
profilemanager.log
  • Logs all user interactions performed in the Profile Manager administration page (i.e. http://<server hostname>/profilemanager).
  • Lists error messages related to the Profile Manager administration page.
  • In OS X Server version 2.2 and earlier, this log shows profiles being created that are intended to be pushed to devices. In later versions of OS X  Server, these items are logged in devicemgrd.log.
  • Rails process transaction issues are logged here.
scep_helper.log
  • Includes messages related to devices acquiring certificates from the system keychain during profile signing and device enrollmente
servermgr_devicemgr.log
  • Logs the starting and stopping of the Profile Manager service.

The system logs located in /var/log/ can also provide helpful information.

About transaction "failures"

You might see transaction "failures" or retries listed in some of these logs. Most of these entries are expected and don't generally indicate an issue. These logged events are simply conflicts between concurrent attempts to modify the underlying PostgreSQL database. These kinds of transactions are automatically retried if they aren't successful the first time.

Transaction conflicts can be identified by any of the following notes in your log files:

  • Canceled on conflict out to pivot
  • could not serialize access due to concurrent update
  • @@@ Retry #X
  • @@@ Retry X

Use verbose logging to find more info

Sometimes there might be more information available for troubleshooting an issue if you increase the log level. To gather the information you need, reproduce the issue after increasing the logging level.

When you're finished troubleshooting, revert to the original logging level. Leaving the logging level at a higher setting decreases free space on your startup drive. Be sure to revert to the original logging level when you are done troubleshooting.

Turn on verbose logging

To increase the level of logging in OS X Server v3.0 or later, use this Terminal command:

sudo defaults write /Library/Preferences/com.apple.ProfileManager debugOutput 3

Restart the Profile Manager service to begin verbose logging. Use this command to restart Profile Manager rather than turning it off and back on in Server app:

sudo killall -u _devicemgr

Turn off verbose logging

To revert the logging level back to its original setting, use this Terminal command:

sudo defaults delete /Library/Preferences/com.apple.ProfileManager debugOutput

Restart the Profile Manager service to return to the original logging level:

sudo killall -u _devicemgr

Learn more

You can learn more about Profile Manager from these pages.

Last Modified: