Private key of MDM Service certificate permissions issue


Symptoms

MDM profile can't be installed on Macs.

pma_agent.log:
11-18 15:57:52.130 I /MacAgentUtils:69:322f/ Installing MDM profile from 'https://xxx.yyy.zzz:8762/profile'
11-18 15:57:52.132 D /AppPolicyManager:69:307/ Evaluating application assignments
11-18 15:57:52.133 D /AppPolicyManager:69:307/ Have 0 active application assignments
11-18 15:57:52.135 D /LocalIpc:69:307/ LocalIpcConnectionImpl::onError() : 1 (QLocalSocket: Remote closed)
11-18 15:57:52.135 D /LocalIpc:69:307/ LocalIpcConnectionImpl::onDisconnected()
11-18 15:57:52.135 D /LocalIpc:69:307/ Connection 0x0x7f8a9bead7b0 was removed
11-18 15:57:52.135 D /MacAgentIpcServer:69:307/ Client '$pmmctl-admin-5403' disconnected
11-18 15:57:54.217 W /MacAgentUtils:69:322f/ /usr/bin/profiles failed:
profiles install for file:'/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/com.parallels.pmm.mdmenroller.yyuxUj/profile.mobileconfig' and user:'root' returned 1 (The operation couldn’t be completed. (InternalError error 1.))

11-18 15:57:54.217 W /MacAgentUtils:69:322f/ Exception: impl/MdmEnroller.cpp(231): Throw in function void (anonymous namespace)::install_profile(QByteArray)
Dynamic exception type: boost::exception_detail::clone_impl<boost::exception_detail::error_info_injector<std::runtime_error> >
std::exception::what: /usr/bin/profiles failed

pmm_mdm_service.log:
11-18 14:58:47.886 I /MdmCore:69412:dbc0/ POST request to /profile
11-18 14:58:47.887 I /MdmCore:69412:dbc0/ Client certificate: null
11-18 14:58:47.887 I /MdmCore:69412:dbc0/ Received MDM profile request from '10.5.129.16'
11-18 14:58:47.888 D /Certs:69412:dbc0/ Signers stack size: 1
11-18 14:58:47.888 D /MdmCore:69412:dbc0/ Signer: C764139A-728E-4E98-A547-4946A727CAA6
11-18 14:58:47.888 D /MdmCore:69412:dbc0/ Issuer: Apple iPhone Device CA
11-18 14:58:47.889 I /MdmCore:69412:e29c/ [C07JD0ANDJD3:AA763B08-60B5-5DD9-8C8B-891E4731D27B] Processing profile request...
11-18 14:58:47.889 D /MdmCore:69412:e29c/ Starting MDM profile request...
11-18 14:58:47.889 D /MdmIpc:69412:e29c/ Sending request 'type=EnrollmentConfig id={680715dc-9268-9448-9c81-3249ea811bb8}'...
11-18 14:58:47.889 D /MdmIpc:69412:12adc/ Sent request {680715dc-9268-9448-9c81-3249ea811bb8}: success
11-18 14:58:48.001 D /MdmIpc:69412:12adc/ Received reply for 'id={680715dc-9268-9448-9c81-3249ea811bb8}'
11-18 14:58:48.002 I /MdmCore:69412:e29c/ [C07JD0ANDJD3:AA763B08-60B5-5DD9-8C8B-891E4731D27B] Customizing profile...
11-18 14:58:48.296 W /Certs:69412:e29c/ CryptError: 0x80090014 (Invalid provider type specified.)
11-18 14:58:48.299 W /Certs:69412:e29c/ OpenSSL error
11-18 14:58:48.299 W /Certs:69412:e29c/ Error getting private key
11-18 14:58:48.314 I /MdmCore:69412:e29c/ [C07JD0ANDJD3:AA763B08-60B5-5DD9-8C8B-891E4731D27B] Completed successfully

Cause

Permissions issue with the private key of the Parallels MDM Service certificate.
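
To check a pmm_mdm_service.log for this symptom, the following added example (not Parallels code) pairs each "Customizing profile..." request with any "Error getting private key" warning logged on the same thread before the request completes. The function name, the assumed line layout and the second device id in the sample are assumptions made for illustration.

```python
import re

# Header layout in the excerpt: "MM-DD HH:MM:SS.mmm L /Component:pid:tid/ message"
LINE = re.compile(r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) ([A-Z]) /(\w+):(\w+):(\w+)/ (.*)$")
CRYPT = re.compile(r"CryptError: (0x[0-9A-Fa-f]{8})")
REQUEST = re.compile(r"^\[([^\]]+)\] (.+)$")   # "[device id] step" lines from MdmCore

def find_key_failures(text):
    """Return one finding per profile request that logged 'Error getting private key'."""
    open_reqs, findings = {}, []               # open_reqs: (pid, tid) -> request state
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                           # continuation lines carry no header
        ts, level, comp, pid, tid, msg = m.groups()
        key, req = (pid, tid), REQUEST.match(msg)
        step = req.group(2) if comp == "MdmCore" and req else ""
        if step.startswith("Customizing profile"):
            open_reqs[key] = {"device": req.group(1), "start": ts,
                              "code": None, "key_error": False}
        state = open_reqs.get(key)
        if state is None:
            continue
        if comp == "Certs" and level == "W":
            code = CRYPT.search(msg)
            if code:
                state["code"] = code.group(1)
            if "Error getting private key" in msg:
                state["key_error"] = True
        elif step.startswith("Completed"):
            if state["key_error"]:
                # Still logged as completed, so only the W lines reveal the failure.
                findings.append({**state, "end": ts, "status": step})
            del open_reqs[key]
    return findings

# Constructed sample: four lines from the excerpt plus one invented healthy request.
SAMPLE = """\
11-18 14:58:48.002 I /MdmCore:69412:e29c/ [C07JD0ANDJD3:AA763B08-60B5-5DD9-8C8B-891E4731D27B] Customizing profile...
11-18 14:58:48.296 W /Certs:69412:e29c/ CryptError: 0x80090014 (Invalid provider type specified.)
11-18 14:58:48.299 W /Certs:69412:e29c/ Error getting private key
11-18 14:58:48.314 I /MdmCore:69412:e29c/ [C07JD0ANDJD3:AA763B08-60B5-5DD9-8C8B-891E4731D27B] Completed successfully
11-18 15:10:02.100 I /MdmCore:69412:f00d/ [EXAMPLE-DEVICE:00000000-0000-0000-0000-000000000000] Customizing profile...
11-18 15:10:02.400 I /MdmCore:69412:f00d/ [EXAMPLE-DEVICE:00000000-0000-0000-0000-000000000000] Completed successfully
"""

if __name__ == "__main__":
    for f in find_key_failures(SAMPLE):
        print(f"{f['start']} {f['device']}: {f['code']}, logged as '{f['status']}'")
```

Filtering on the final status alone misses this condition, because the affected request still ends with "Completed successfully".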

Resolution

  1. Stop the Parallels MDM Service;
  2. Export the "Parallels MDM Service" certificate in .pfx format with the options "Yes, export the public key" and "Delete the private key if the export is successful";
  3. Start cmd.exe under the MDM service account: runas /user:domain\user cmd.exe
  4. Start mmc.exe in the cmd window launched above and add the Certificates snap-in there, selecting "Manage certificates for: Computer account";
  5. Import the certificate from step 2 with the option "Mark this key as exportable";
  6. Explicitly grant the MDM service account (the account that actually runs the service, as configured in the Configuration utility) permissions on the private key;
  7. Start the Parallels MDM Service.
