VMware Workspace ONE Community
jeremyking
Contributor

The configuration for your iPad/iPod/iPhone could not be downloaded....

Hi all,

A couple of weeks ago we started seeing the message, 'The configuration for your iPad/iPod/iPhone could not be downloaded. Invalid profile.' when enrolling iOS devices. This happened on DEP devices assigned to the AirWatch server, DEP devices not assigned to the AirWatch server, and non-DEP devices. At the time we were on version 9.6.0.8 and support suggested installing a patch to version 9.6.0.25. I did the patch and it installed successfully but the error still persisted. Today I upgraded to version 1907 and the issue still remains. I've had a support ticket open since Aug. 9th for this issue and I'm lucky if I can get support to respond to an email once a day, so I'm coming here for help. I've tried renewing the APNS cert as well as the DEP cert, even though neither were expired. I've verified that the firewall is open and allowing all Apple traffic. It isn't affecting iOS devices that are already enrolled, just new enrollments. Does anybody have any suggestions that might be helpful?
9 Replies
RicardoPachecoR
Enthusiast

APNs, good. DEP, good. Devices listed under Enrollment status, Yes, OK.

If the serial numbers are NOT listed, do this:

1) Groups and Settings
2) All Settings
3) Devices & Users
4) Apple
5) Device Enrollment Program
6) Under Token section, 'Sync Devices'

Once you can see the serial numbers under the Enrollment Status page, continue:

Then try this:

1) Connect the iPad to a macOS client running Apple Configurator.
2) When the device is connected, what is the activation status?

--> Anything other than 'Unactivated' will make it fail.

What to do? In Apple Configurator 2, Version 2.9 (3J40)

1) Actions
2) Advanced
3) Erase All Content and Settings

These steps work for me and this is the reason I believe why...

A device enrollment was attempted, however it failed because the device was not yet discovered by AirWatch. When you try to provision again without a full device wipe (Erase All Content And Settings), the serial number check has already been done and therefore the device activation record is already set.

Erasing all Content and Settings reset the activation record, forcing the iPad to go back to the Apple servers.

This is what I think happens.


jeremyking
Contributor

Hi,

I can see them under Lifecycle and I can sync and see new devices that are being added by our resellers so I know that's working. Even after erase all content and settings with configurator and going through activation again I still get the same error message.
0 Kudos
RicardoPachecoR
Enthusiast

How many MDM servers do you have? For my organization, I create one for each department/deployment. In DEP, go to Manage Devices and enter the serial number of one iPad at the top. After you press enter, do you see it assigned to the correct MDM server?
0 Kudos
jeremyking
Contributor

Yeah, they're all assigned to the correct MDM server. I don't think it's a DEP issue because I'm getting the same message on devices that aren't in DEP and are attempting to enroll by downloading the Intelligent Hub and going through enrollment in the app.
0 Kudos
RicardoPachecoR
Enthusiast

I have a new deployment that will be taking place tomorrow. On Monday, everything worked as expected. DEP, AirWatch then Automator. A few iPads I provisioned worked as expected. I don't have any devices right now to test. I can let you know tomorrow morning. We are a SaaS, running 10.9.0.5 (1907). The devices for the new deployment will be running iOS 12.4. I will keep you posted.
0 Kudos
BendikSygnestve
Contributor

Having the exact same issue.
Tried wiping the iPad through iTunes, as well as through Apple Configurator on a Mac. Tried connecting to several different networks to see if it updated and synced devices under DEP settings in AW.

Nothing has worked so far. Interesting that you are having the same issue with iPads that aren't in DEP as well.

Jeremy, have you solved this in any way or did you create a support ticket?
0 Kudos
jeremyking
Contributor

Bendik,

I haven't gotten iOS enrollment working yet. I've had a support ticket open since the 9th of this month but all they'll say is that they are looking at logs with the 'backend team.'
0 Kudos
Stansfield
Enthusiast

Are all of your certs valid for Apple, both not expired and meeting the new requirements for certificate transparency? Especially the cert used for profile encryption in the console under all settings>devices>Apple>profile, since a cert that Apple does not like there will cause the behavior you are describing (expired/no longer allowed certificates are still valid when on an existing device but will not work to install on a new one).
0 Kudos
RicardoPachecoR
Enthusiast

Jeremy, et al. -- this is what I just tried.

Recreate AirWatch DEP Configuration:

AW: Groups & Settings -> All Settings -> Devices & Users -> Apple -> Device Enrollment Program
AW: Configure
AW: Generated and Downloaded Public Key
DEP: Logged in to DEP
DEP: --> Manage Servers
DEP: --> Add MDM Server
DEP: Name: Psychology Service
DEP: Uploaded AW generated pub key
DEP: Downloaded DEP Server Token

AW: Uploaded Server Token and Completed AW configuration as usual.

In DEP, I assigned device to the correct MDM Server.
Device is assigned.
In AW, sync devices.
Noticed 1 device sync'd.
All good.

Started Automator workflow process to enroll devices.
1) Get Connected Devices
2) Erase Device
3) Prepare Devices Using Automated Enrollment. (Using company SSID for device provisioning, been using it for 2 years.)

Automator error:
The Action: 'Prepare Devices Using Automated Enrollment' encountered an error: 'cfgutil: error: The Configuration is not available. (Domain: MCCloudConfigErrorDomain Code: 33001). cfgutil: error: The configuration is not available. (Domain: MCCloudConfigErrorDomain Code: 33001)

Tried new cable, same failure. In the past, a brand new cable worked. I know how it sounds, but it worked.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Next, try manual process, as opposed to Automator. Using same company SSID used for device provisioning.

+ Showed Data Privacy (my AirWatch DEP Profile is set to bypass it)
+ Touch ID  (my AirWatch DEP Profile is set to bypass it)
+ Passcode  (my AirWatch DEP Profile is set to bypass it)
+ Apps & Data (for Migration) (my AirWatch DEP Profile is set to bypass it)

Then I get Remote Management, followed by an error: The Configuration for your iPad could not be downloaded. The Configuration is not available.

I went a few screens back to Wi-Fi and changed it to use my HotSpot.
Joined HotSpot.
Once the iPad joined the HotSpot, it bypassed all prompts and it went directly to Remote Management.
Received message: Awaiting final configuration (as usual)
Received Location services prompt (as usual)
Tapped on Get Started (as usual)
Device is now enrolled and process worked as expected.

Tried with HotSpot alone and it worked as expected. No prompt for Data Privacy, Touch ID, Passcode or Apps & Data.

Tried Automator with iPad using HotSpot instead of the company provisioning SSID and it worked as expected.

Suggestion: Look at your firewall rules and whitelisted addresses for Apple and all of their services.

When they recently changed the URL name for iTunes:
from: https://itunes.apple.com/us/app/epic-rover/id583359867?mt=8
to: https://apps.apple.com/us/app/epic-rover/id583359867

The web content filter had to be updated to allow apps.apple.com. Firewall did have *.apple.com. However, content filter did not. Now, I have to do this for DEP.

Do traces for the device and sites to determine what has changed. Somewhere along your firewall or web content filter, the request/response from Apple is being blocked. Good luck.
0 Kudos
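
Added example, not part of any post in this thread: a small probe that can be run once on the provisioning SSID and once on a known-good network (the hotspot in the post above) to see which Apple hosts stop at DNS, TCP or TLS on the filtered path. Only `apps.apple.com` and `itunes.apple.com` appear in the thread; the other host names are Apple's documented activation and enrollment endpoints and are an assumption here, as are all function names.

```python
import socket
import ssl

# apps.apple.com and itunes.apple.com come from the thread; the other four are
# Apple's documented activation/enrollment hosts (an assumption of this example).
HOSTS = [
    "albert.apple.com", "iprofiles.apple.com", "deviceenrollment.apple.com",
    "mdmenrollment.apple.com", "apps.apple.com", "itunes.apple.com",
]

def tls_handshake(host, port, timeout):
    """Open a TCP connection and complete a certificate-verified TLS handshake."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()

def probe(host, port=443, timeout=5.0,
          resolve=socket.getaddrinfo, handshake=tls_handshake):
    """Classify how far a connection to host gets from the current network."""
    try:
        resolve(host, port)
    except socket.gaierror:
        return "dns-failed"      # name does not resolve on this network
    try:
        handshake(host, port, timeout)
    except ssl.SSLCertVerificationError:
        return "tls-untrusted"   # presented certificate did not validate
    except ssl.SSLError:
        return "tls-failed"      # handshake broke for another TLS reason
    except OSError:
        return "tcp-blocked"     # connect timed out, was refused or reset
    return "ok"

def survey(hosts=HOSTS, **probe_args):
    """Probe every host and return {host: status}."""
    return {h: probe(h, **probe_args) for h in hosts}

def regressions(baseline, suspect):
    """Hosts that are 'ok' on the baseline network but not on the suspect one."""
    return {h: suspect.get(h, "not-tested")
            for h, status in baseline.items()
            if status == "ok" and suspect.get(h) != "ok"}

if __name__ == "__main__":
    # Run once per network (provisioning SSID, then hotspot) and compare.
    for host, status in survey().items():
        print(f"{status:14} {host}")
```

Feeding the two saved result dictionaries to `regressions()` lists only the hosts that the filtered network breaks, which is the set to take to the firewall or content-filter rules.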