VMware Workspace ONE Community
GuyMSP
Contributor

Can't upload Apple APNs Certificate on workspace one console

Is it a bug or something wrong with my setup? My console version is 9.7.0.3. On my console, in Settings/Devices & Users/Apple/APNs For MDM,
I create my MDM_APNsRequest.plist, download it from my console, upload it on the Apple push certificates portal to create my APNs certificate, download it from Apple and finally try to upload the MDM_AirWatch_Certificate.pem on the console, click Save and nothing happens. A loading logo appears for 2 seconds and then nothing. The loading bar is stuck at 0%. I can only close the dialog box or click Cancel. Did someone else experience this problem?

Accepted Solutions
BDBos
Enthusiast

I assume an on-premise deployment. Do you use a load balancer or proxy for your installation? Then try opening the AirWatch console directly from the device / admin services server (http(s)://localhost/AirWatch). Try to upload the certificate there; does that work?


GuyMSP
Contributor

Yep, that solved my problem. On-premise behind a reverse proxy. Works much better from the inside.
ThomasCheng
Enthusiast

ministere, how is your setup better with reverse proxy?
BDBos
Enthusiast

ministere, nice that it works in any case. But of course it is not a solution. You will experience this problem with all possible places where you can upload certificates within Workspace ONE. We also use a reverse proxy (HAProxy). We do this because we have several device / admin / api services behind it. For each endpoint (ConsoleUrl, SOAPApiUrl, AWCMUrl, AdminPanelUrl, etc.) we can route the traffic to the server where we want it to be handled. In addition, we apply load balancing and we do SSL offloading, which saves capacity on the web servers.

I do not know exactly what the solution was for us. But you will have to look at this. It has to do with the fact that the certificate does not pass through the proxy. The solution will vary per proxy application. I'm not sure anymore, but we have added the following code to HAProxy on the 'frontend' under 'Advanced pass thru'. This could have been the solution at the time.

---code--- (for all frontends)
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

---code--- (for all device services servers)
http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
http-response set-header X-Frame-Options SAMEORIGIN
http-response set-header X-Content-Type-Options nosniff

I expect that adding the 1st section will solve the problem for you.
GuyMSP
Contributor

Right now enrollment with Android devices works flawlessly through my reverse proxy, but with an iPhone or iPad, during the enrollment with the Workspace ONE Hub app, I enter my external server address, Group ID, user and password, it works and then loads and installs the MDM profile and certificate, then I get stuck on my server webpage "Enrolling Device" saying "Process will begin shortly....".


Checking the log on my reverse proxy, /var/log/nginx/[external address_access.log]:
xx.xx.xx.xx - - [16/Nov/2018:14:49:45 -0500] ' GET /DeviceManagement/Enrollment/check-enrollmentStatus?sid=9f684002-c26c-435b-bc6e-52187d2694bb HTTP/2.0'  200 5 ' https:// [external server address]/DeviceManagement/Enrollment/view-enrollmentPending?sid=9f684002-c26c-435b-bc6e-52187d2694bb'  ' Mozilla/5.0 (iPad; CPU OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1' 
This happens several times until I quit the Enrolling Device web page on the iPhone or iPad. It's like my server doesn't respond to my iOS device. Am I missing something? The iOS device is visible on my Workspace ONE console but I can't manage it.

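One way to confirm the polling loop described in the post above from the proxy side, as an added example (not code from the thread or from VMware): it groups `check-enrollmentStatus` requests by `sid` and reports the sessions that keep polling. It assumes nginx's default `combined` log format; the sample lines, the 192.0.2.10 address, the second `sid` and the `min_polls` threshold are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumption: the reverse proxy writes nginx's default "combined" log format.
LINE_RE = re.compile(
    r'\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
# Enrollment status poll as it appears in the access log quoted in the thread.
POLL_RE = re.compile(
    r'/DeviceManagement/Enrollment/check-enrollmentStatus\?(?:[^ ]*&)?'
    r'sid=(?P<sid>[0-9a-fA-F-]{36})')

# Constructed sample lines (not real traffic).
POLL = ('192.0.2.10 - - [16/Nov/2018:14:49:{sec} -0500] "GET /DeviceManagement/'
        'Enrollment/check-enrollmentStatus?sid={sid} HTTP/2.0" 200 5 "-" "Mozilla/5.0 (iPad)"')
SID_STUCK = "9f684002-c26c-435b-bc6e-52187d2694bb"
SID_OK = "11111111-2222-3333-4444-555555555555"
SAMPLE = [POLL.format(sec=s, sid=SID_STUCK) for s in ("45", "50", "55")]
SAMPLE += [
    POLL.format(sec="47", sid=SID_OK),  # polled once, then moved on
    '192.0.2.10 - - [16/Nov/2018:14:49:58 -0500] "GET /favicon.ico HTTP/2.0" 404 0 "-" "-"',
    "truncated line that does not parse",
    '192.0.2.10 - - [16/Nov/2018:14:50:00 -0500] "GET /DeviceManagement/Enrollment/'
    'check-enrollmentStatus?sid=' + SID_STUCK + ' HTTP/2.0" 200 5 "-" "Mozilla/5.0 (iPad)"',
]

def stuck_sessions(lines, min_polls=3):
    """Return {sid: summary} for sessions that polled at least min_polls times."""
    sessions = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        p = POLL_RE.search(m["target"]) if m else None
        if not p:
            continue  # unparseable line or unrelated request
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        sessions[p["sid"]].append((ts, int(m["status"]), m["size"]))
    report = {}
    for sid, hits in sessions.items():
        if len(hits) >= min_polls:
            hits.sort()
            report[sid] = {
                "polls": len(hits),
                "seconds": int((hits[-1][0] - hits[0][0]).total_seconds()),
                # Distinct (status, body size) pairs: a single pair means the
                # answer to the device never changed while it was polling.
                "responses": sorted({(s, b) for _, s, b in hits}),
            }
    return report

if __name__ == "__main__":
    for sid, info in stuck_sessions(SAMPLE).items():
        print(sid, info)
```

Run against the real access log with `stuck_sessions(open(path))`; a session with many polls and only one distinct response is the one to trace on the device services server.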
BDBos
Enthusiast

Do you have firewalling on your outgoing traffic / ports? Do you have port 2001 open? Are all services running on your devices server? It is difficult to provide concrete advice here as this probably has something to do with the proxy.
