Category Archives: Tips

Two mdm errors and how to resolve them

First one is kind of shaky, the second one is definite.  I will update this post and make note of it if my information changes.  Last month I was receiving “the configuration for your iPad could not be downloaded from [my client’s server] NSURLErrorDomain -999.”  I found all kinds of solutions online relating to management suites, but I’m not even going to mention them because they were irrelevant to the solution in my case.  The only difference in my setup between functioning and non-functioning was the devices I was deploying started coming with iOS 11 instead of iOS 10.

This particular setup is just preparing the devices with Configurator 2, no DEP, then going through the iOS initial configuration of which the major steps are joining the wifi network, accepting enrollment, and logging in with the user’s account.  On initial setup of this system around the middle of 2017 I was receiving errors about SCEP enrollment, which was not being used.  That was fixed by enabling all the setup steps instead of trying to customize them.  (Also, see “4/17/18 note,” below.)

The change I made which fixed this problem was editing the enrollment url from:

https://serverfqdn/devicemanagement/api/device/dep_mdm_enroll

to

https://serverfqdn/devicemanagement/api/device/auto_join_ota_service


This month on trying to deploy another device I started receiving a new error, “the configuration for your iPad could not be downloaded from [my client’s server] “Invalid Profile.” To fix this open Configurator 2 -> Preferences -> Servers -> + -> [enter a name like mdm Jan 2018] -> [for “host name or url” use only the fqdn and no path info so it autodiscovers the full path, i.e. https://fqdn/]. This will fetch the most current cert/info via built-in autoconfig.

After receiving the “Invalid Profile” message I needed to manually erase the device to begin again, but after erasing and re-preparing it the steps went back to working perfectly.

1/25/18 note: My employee was testing this, and it failed even with a newly autodiscovered server entry.  However, prior to use, instead of the device being brand new (as in my case), he had used Configurator 2 to erase it.  Using the built-in “Erase All Content and Settings” did allow the process to proceed.  Next new iPad I get I’ll try erasing it prior to preparing it using Configurator 2 and leaving the existing server entry in place.  If that works I’ll update this post.

4/17/18 note: SCEP errors can also occur if port 80 is not open to the profile manager server.

If I’ve made an error or helped you out, I’d love to hear about it. Please email me at mdm@ this domain name (without the www.) Thanks!

Deleting Time Machine .inProgress backups

[Disclaimer: there are some very powerful commands mentioned casually here.  BE CAREFUL, I assume no liability for you recursively deleting or removing all permissions from your data.  Or for that matter, anything else as a result of a lack of caution or expertise!]

This was an interesting one.  Had a machine that kept having issues during Time Machine (TM) backups.  It completed the first backup successfully and then stalled on one of the next few backups.  In this particular case it’s multiple terabytes over a fairly slow connection so the first backup takes days.

Then it sits “preparing” for as long as you’d care to watch it.  First time this happened I monitored TM activity using Console.app and a backupd search string, nothing was really happening.  So then I stopped TM and tried to cleanup the .inProgress folder so TM could start over.  I was trying to force its recovery after (not completely covered) basic methods didn’t work.

This .inProgress folder completely refused to be deleted.  Nothing worked: I started with rm -R and when it complained I thought it was the usual system immutable flag, i.e. that the file was locked.  Tried chflags -R nouchg and had no luck.  Tried some advanced variations of that, still nothing.

(Side note: this is my second round with this exact issue, the first time through I made sure the data was backed up elsewhere and formatted the drive, just for the sake of time efficiency.  Since the issue is back I have to address it head on.)

“ls -lahe” revealed files with ACLs set to deny access to everyone.  So I used chmod -RN to recursively remove all permissions.  I kept getting “chmod: Failed to clear ACL on file” and “Operation not permitted” despite being root.

So.  Hmmm.  I can’t remove ACLs prohibiting deletion on files which also have system immutable flags set, meaning I can’t change ACLs via any method.  I should mention that yes, I did check directory structure integrity way earlier in the process.  Taking a step back I realized this was a TM-created issue, so maybe tmutil can come to the rescue again.

Sure enough: Use tmutil listbackups just for verifications and then use tmutil delete snapshot_path [use actual path here sans brackets, e.g. /Volumes/ExternalBackup6TB/Backups.backupdb/ComputerName/2016-09-12-000400.inProgress/]

This returned the error “snapshot_path: No such file or directory (error 2)” AND YET in a separate session escalated appropriately “fs_usage | grep tmutil” showed the truth, that tmutil was furiously cleaning up all those untouchable files.  I later verified that the .inProgress folder had actually been removed.

Problem solved!  Hope this helps someone.  I love to hear when it does (tmutil@ this domain name) but if you’re too busy, no worries!

Firefox Profiles

So you might know that /Applications/Firefox.app/Contents/MacOS/firefox-bin --ProfileManager will launch Firefox’s profile manager. Ran into a bit of a surprise when I couldn’t get the profile manager to open, even by deleting profiles/prefs and caches (using Maintenance.app) plus doing other normal fixes.

Despite Terminal reporting “Error: Access was denied while trying to open files in your profile directory.” the actual problem was the Caches directory in ~/Library/Caches – instead of the client’s short username, root owned the Caches folder. Really surprised this guy wasn’t having more issues.

Thought I’d post this here in case someone else runs into what seems to be a profile folder problem but can’t fix it through the usual Firefox-specific methods. In case that doesn’t tell you all you need to know, check this link for more details, specifically the part surrounding the command you’ll use to fix it which I’ll quote here in case it helps:
sudo chown -R `id -un`:`id -gn` ~/Library/Caches
Please note I haven’t tested that on Yosemite 10.10.5 but the code doesn’t look tricky so it should work fine. It’s just a basic chown command with a couple nested commands that insert your specific username and groupname into the main command. Email me at firefoxprofiles at this domain name if you have questions!

Server-side Mail Rules in OS X Server

Recently transitioned from 10.7.5 Server to 10.9.4 Server.  Apple dumped webmail in Mountain Lion Server so of course it’s gone in Mavericks Server too.  With webmail gone there’s no way to implement filtering with a GUI at the server level anymore.

With the combination of push email and loads of scripts emailing me at all hours, I found even configuring the rules in Mail.app on the server itself wasn’t fast enough to prevent my phone from buzzing before the message was filed away (in the next second or two.)

I found tidbits all over the place but no comprehensive guide to configuring sieve in OS X Server (on Mavericks or ML.)  I don’t know that this is comprehensive, but it’s more than I found.  This is written assuming you’re at least a little comfortable on the command line.

Find your unique mail ID.
I just headed to /Library/Server/Mail/Data/mail/ and looked for the most recently modified folder since I’m by far the most active user on my server.  You can also check the folder hierarchy within it to see if those folders look like yours.

The safer way is to head to Server.app, open Directory Utility, switch to Directory Editor, make sure you’re in the right node (either /Local/Default for local users or /LDAPv3/127.0.0.1 for Open Directory users) and then select the user.  The GeneratedUID is the value you’re looking for and looks like this: 704751C3-6F9D-4A10-8CA9-04E34CBA5B3C.  I’m going to call this $USER_GUID.

Create Rules folder and sieve file

Fire up TextEdit.app, grab this text below, customize with your GUID value, then copy and paste the lines beginning with sudo into Terminal, one by one.  Make sure there are no line breaks for the four lines that begin with “sudo” or the commands will not work.  Here is a text version of it.
sudo mkdir -p /Library/Server/Mail/Data/rules/$USER_GUID
sudo chmod 775 /Library/Server/Mail/Data/rules/$USER_GUID
sudo nano /Library/Server/Mail/Data/rules/$USER_GUID/dovecot.sieve
(just type #replaceme for now, control+x, y, then return)
sudo chown -R _dovecot /Library/Server/Mail/Data/rules/$USER_GUID

Now comes the fun part, creating the rules. 

The link below contains several examples in a format that will work directly in dovecot.sieve, with modifications for your rules and mailboxes of course.

There are far more advanced ways to edit the dovecot.sieve file, but for really basic usage you can use the line beginning with “sudo nano …” above and then either edit directly, or edit in something with a friendly GUI like TextWrangler and then copy and paste into dovecot.sieve.  Just hold down control+K to delete the file line by line then paste from your editor.  Yes this will make your average command line geek cringe, but it’s quite straightforward.

Click on this text for dovecot sieve examples.

I provide all of these rules as examples of what you can do.  For what it’s worth I use one domain with a catch-all address, that way I can give companyname@mydomain.com email addresses out.  If/when the address gets compromised I can block that exact email address (which is sometimes buried in the headers instead of in the To field.)  This has happened at several small companies, and more recently Adobe, XM, and Toyota.

More examples can be found on the Dovecot LDA/Sieve page here: http://wiki1.dovecot.org/LDA/Sieve

As soon as you save the dovecot.sieve file the rules are in effect.  If you run a test and it’s not working (and I do recommend testing with just one rule before implementing everything!) you’ll see dovecot.sieve.log right next to dovecot.sieve in /Library/Server/Mail/Data/rules/$USER_GUID/ telling you in fairly plain English (at least for a program) what you did wrong.  Probably the easiest error to make would be leaving out a comma in one of the multiple rules, or adding an extra one on the last/only one.
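The four sudo lines above plus a starter rule set, as one script.  This is an added example and not the post’s own text: it writes the rules directory and dovecot.sieve from the post, with the mail data path taken as a parameter so it can be tried in a scratch directory before running it as root on the server.  The Sieve rules inside the heredoc are constructed examples (a “Scripts” folder and a hypothetical companyname@example.com catch-all address) covering the two cases discussed: filing script noise away before it reaches the phone, and blocking a leaked address wherever it appears in the headers, not just in To.  The GUID check is there because the value ends up in a filesystem path.

```shell
#!/bin/sh
# Added example (not from the original post). Creates a user's Sieve rules
# directory for Dovecot on OS X Server and writes a starter dovecot.sieve.
# On the server run it as root with MAIL_DATA=/Library/Server/Mail/Data;
# the path is a parameter so the logic can be exercised in a scratch directory.

install_sieve_rules() {
    mail_data=$1      # normally /Library/Server/Mail/Data
    user_guid=$2      # the user's GeneratedUID from Directory Editor
    rules_dir="$mail_data/rules/$user_guid"

    # A GeneratedUID is hex digits and hyphens only. Anything else (an empty
    # string, "../..", a shell-expanded $USER_GUID placeholder) is refused so
    # it cannot turn into an unexpected path.
    case "$user_guid" in
        ""|*[!0-9A-Fa-f-]*) echo "bad GUID: '$user_guid'" >&2; return 1 ;;
    esac

    mkdir -p "$rules_dir" || return 1
    chmod 775 "$rules_dir" || return 1

    # Constructed example rules. Note the commas between list members and none
    # after the last one: that is the mistake the post says dovecot.sieve.log
    # will most often report.
    cat > "$rules_dir/dovecot.sieve" <<'EOF'
require ["fileinto"];

# File automated mail from scripts into a folder, so push does not fire on it.
if header :contains "subject" ["cron", "logwatch", "backup report"] {
    fileinto "Scripts";
    stop;
}

# A catch-all address that leaked (constructed example address): drop it
# whether it appears in To or is buried in Cc / Received / X-Original-To.
if anyof (address :is "to" "companyname@example.com",
          header :contains ["cc", "received", "x-original-to"]
                           "companyname@example.com") {
    discard;
    stop;
}
EOF

    # Dovecot's delivery agent runs as _dovecot on OS X Server. On a scratch
    # machine that user does not exist, so only chown when it does.
    if id _dovecot >/dev/null 2>&1; then
        chown -R _dovecot "$rules_dir" || return 1
    fi
    return 0
}
```

On the server: `sudo sh -c '. ./install_sieve_rules.sh; install_sieve_rules /Library/Server/Mail/Data 704751C3-6F9D-4A10-8CA9-04E34CBA5B3C'`, substituting your own GeneratedUID.  Then send yourself one test message and check for a dovecot.sieve.log beside the file before adding more rules.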

If I’ve made an error or helped you out, I’d love to hear about it.  Please email me at dovecot@ this domain name (without the www.)  Thanks!

Security Update 2014-001 and CalDAV errors

Applied Security Update 2014-001 recently to 10.7.5 Server (on this server I’m behind on purpose.)  First time through it stalled on reboot and killed the network user database.  Thought it wasn’t the update’s fault since I had a failing external backup drive I was replacing.  Restored from secondary backup and ran the update again.  This time it appeared to work – mail was coming in, sharepoints working, etc.

I found it actually had trashed the postgres db dealing with calendar and contacts.  The error messages received on the client side were “the server is not responding” and the old “CalDAVAccountRefreshQueueableOperation” error.  The port wasn’t open, which was because the service wasn’t starting.  Errors in the server logs were varied.  For example /Library/Logs/PostgreSQL/PostgreSQL.log was showing (date & time removed since it won’t match any search terms anyway):

LOG:  connection received: host=[local]
LOG:  connection authorized: user=caldav database=caldav
FATAL:  role "caldav" does not exist

In case you run into these errors first verify you have the same issue by checking for the caldav database in postgres:

sudo -u calendar psql -U _postgres caldav

If you receive

psql: FATAL:  database "caldav" does not exist

then you have the same problem.  If you are dropped into a caldav prompt after it lists the psql version, then this is not your exact problem.

– Verify there is a /var/pgsql.pre-restore-[something] folder in /var/.  Without it this guide is worthless.
– Open Server.app and shut down all services.
– Perform the following steps:
sudo serveradmin stop postgres
sudo mv /var/pgsql /var/pgsql.broken
—Use tab to autocomplete the part in brackets below.—
sudo cp -Rp /var/pgsql.pre-restore-[my .pre-restore file] /var/pgsql
sudo serveradmin start postgres

– Check permissions to make sure _postgres is both the user and group.  If not, run this:
sudo chown -R _postgres:_postgres /var/pgsql

– Verify it works by running:
sudo -u _postgres psql -U caldav

– Open Server.app and start all previously running services.
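The mv/cp/chown steps above as a script, with the checks the list relies on you doing by eye.  This is an added example, not part of the original post: it looks for exactly one /var/pgsql.pre-restore-* directory (the post’s “without it this guide is worthless” condition, and the part you would otherwise tab-complete), refuses to run if a pgsql.broken from an earlier attempt is already there, and reports anything under the restored tree not owned by _postgres.  The base directory is a parameter so the logic can be tried in a scratch directory; on a real server it is /var, and you still stop and start postgres with serveradmin around it as the post says.

```shell
#!/bin/sh
# Added example (not from the original post): the /var/pgsql swap from the
# post with sanity checks. PG_VAR is /var on a 10.7.5 Server; it is passed in
# so the functions can be exercised in a scratch directory first. Run
# "sudo serveradmin stop postgres" before and "... start postgres" after.

# Print the one pgsql.pre-restore-* directory under PG_VAR, or fail. With
# none there is nothing to restore from; with several a human must choose.
find_pre_restore() {
    pg_var=$1
    set -- "$pg_var"/pgsql.pre-restore-*
    if [ ! -d "$1" ]; then
        echo "no $pg_var/pgsql.pre-restore-* directory: nothing to restore from" >&2
        return 1
    fi
    if [ $# -ne 1 ]; then
        echo "more than one pre-restore directory, pick one by hand:" >&2
        printf '  %s\n' "$@" >&2
        return 1
    fi
    printf '%s\n' "$1"
}

# Move the broken cluster aside, copy the pre-restore copy into place
# (cp -Rp keeps modes and ownership) and fix ownership for _postgres.
restore_pgsql() {
    pg_var=$1
    src=$(find_pre_restore "$pg_var") || return 1
    if [ -e "$pg_var/pgsql.broken" ]; then
        echo "$pg_var/pgsql.broken already exists: an earlier attempt was made," \
             "inspect it before trying again" >&2
        return 1
    fi
    if [ -d "$pg_var/pgsql" ]; then
        mv "$pg_var/pgsql" "$pg_var/pgsql.broken" || return 1
    fi
    cp -Rp "$src" "$pg_var/pgsql" || return 1
    # _postgres exists only on OS X Server; skip the chown on a scratch box.
    if id _postgres >/dev/null 2>&1; then
        chown -R _postgres:_postgres "$pg_var/pgsql" || return 1
    fi
    return 0
}

# List entries under DIR not owned by OWNER. Empty output means the
# permission check in the post passes; non-empty means run the chown.
find_not_owned() {
    owner=$1
    dir=$2
    find "$dir" ! -user "$owner"
}
```

On the server, between the two serveradmin commands: `sudo sh -c '. ./restore_pgsql.sh; restore_pgsql /var && find_not_owned _postgres /var/pgsql'`.  No output from the second command means ownership is already right.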

I manage a healthy number of servers, and this does not happen on all of them.  However it does happen to other people as targeted searches indicate, so I’m inclined to believe certain OS versions shipped with a bug that causes this.  I’ve run into something similar with the 10.7.3 combo update, but none of the rest of my 10.7.x servers have this issue.  They also came with different versions of OS X, though that’s a guess based on timing and not hard data.  If you’ve had this bug occur, it will probably occur again and I urge you to make a bootable clone after shutting down services prior to running security updates (there will be no more combo updates for 10.7.5, obviously.)

When it’s time to upgrade I will be starting from scratch in order to avoid migrating this bug, and I suggest you do the same!

clamd error on Mountain Lion Server

On an install of OS X Server 10.8.5 Mountain Lion where mail services had not been used, I received the error from clamd “can’t open file or directory.”  There was no more information available in the /Library/Logs/Mail/clamav.log.

After a bunch of dead ends I was looking at the setup script (/Applications/Server.app/Contents/ServerRoot/System/Library/ServerSetup/CommonExtras/63-setup_clamav.sh) to find permissions for all items and stumbled across this:

# Set _clamav home to /var/clamav
`/usr/bin/dscl . -create /Users/_clamav NFSHomeDirectory /var/clamav`
`/usr/bin/dscl . -append /Groups/_amavisd GroupMembership _clamav`

Turns out /var/clamav didn’t exist!  Turned off Mail services and created the directory, set permissions, and fired it back up – no error.

I was root and already in /var so these commands are different from what I used, but they’re more universal and can be run directly after opening Terminal.

sudo mkdir /var/clamav

sudo chown _clamav:_clamav /var/clamav

iCal error

If iCal gives the error “iCal can’t read this calendar file.  No events have been added to your iCal calendar.” and you’re trying to import an ics file, try using TextWrangler (or some other method) to convert the line breaks to Unix (LF).  This is near the text encoding value (e.g. UTF-8) and also present in the Save dialog box.  I ran into this error when trying to import to iCal 5.0.3 from Thunderbird 12.0.1.

Neither Windows (CRLF) nor classic Mac (CR) line breaks worked, the former was the default as exported by Thunderbird.

Retrospect 8.2

If you’re unlucky enough to be using Retrospect 8.2 in OS X and run into “This disk is already a member of this media set” even though it is clearly not (freshly formatted, not listed in the members section of a backup media set, different names, etc,) I had some success reformatting the volume using Apple Partition Map instead of GUID.

Lion Server tips

Recently set up Lion Server and it’s very different from previous OS X Server incarnations.  Mostly things went well, some things went amazingly well, but of course there were a couple of stupid hiccups too.

The main one that gets me is that I turned on a number of services and always enabled SSL, using a self-signed certificate because in this case I’m only providing service to a couple of people where it’s trivial to accept the cert permanently.  When trying to access iCal Server either via the web or iCal itself I received varying messages.

From iCal on a Snow Leopard client I got “The account information was not found. The server has not specified a calendar home for the account at [blah blah blah].”  Via a web connection I got “Calendar service is turned off” when it was clearly turned on (and rebooted, etc.)

The fix is to use the Server application, go to Hardware, then Settings.  Click Edit next to SSL Certificate.  Even though I had never edited this setting before, by default both Mail and Web had my self-signed cert selected and iChat, iCal, and Address Book did not.  After selecting the certificate I was able to access all services normally.

I do not know why Lion Server had those boxes unselected.  In future 10.7 server setups I will be interested to see whether this was a recurring issue or a one-time failure.

Lion Server feels unfinished.  I very much agree with “macshome”’s take on afp548.com.  They are trying to make a server OS iOS-simple and in many ways they’ve succeeded.  However, all those settings have to be accessible somewhere.  I hate that Server Admin Tools do not come on the server by default – what were they thinking?  Further, the lack of MySQL and relegation of so many functions to the command line borders on silly.  If I wanted command line I’d be running CentOS or Debian or RHEL.  You know, sources with good package management, backports of security patches, and the knowledge Apple won’t unceremoniously overwrite your configs out of the blue.

It’s a love/hate relationship, what can I say?

ABS braking

This is the perfect time of year to test your antilock braking system. Wet all the time, and packed leaves can be nearly as bad as snow (not ice; and yes, that’s an opinion and not something I’ve researched). Test ’em before you need them!!

Just find an empty area, preferably one with nothing whatsoever in it, get up to about 25mph and slam on the brakes. When I’d read about ABS I heard it was kind of a gentle clicking. Which is crap. In my car it feels like an odd conglomeration of rapid popping and harsh grinding, the pedal even moves side to side a tiny bit. The effect is a damned quick stop in a straight line.

As long as you check your interior for objects that may fly around and truly are in a huge vacant space, I cannot imagine anything bad happening. Personally, I’ve picked opportune moments for seeing how ABS works in a variety of conditions, but I understand if that’s beyond most people’s comfort zones.

Chances are if you’re reading this you mean something to me, so please make time to try this out.