The Management Extender for iOS manages Apple iOS devices by using the Apple MDM APIs that are triggered by communicating with the Apple Push Notification Servers.

Troubleshooting Management Extender Installation

The Management Extender for iOS installation is performed by a Fixlet available in the Mobile Device Management domain. Common installation issue include:

• If the Management Extender for iOS Fixlet is not relevant on a computer, make sure the BigFix Agent is installed on that computer and that the BigFix Relay version 8.2 or higher is installed (the relay is a prerequisite for Management Extenders).
• The Management Extender for iOS must be installed on a Windows computer that doesn't have other Management Extenders installed
• Apple requires an MDM certificate signed by both IBM and Apple to manage your Apple iOS devices. Make sure to follow the installation instructions to get a signed license before installing the Management Extender for iOS.
• After the Fixlet installs the Management Extender for iOS, make sure you follow the installation instructions to manually complete the final steps that include placing the MDM certificate in the appropriate location (the files must be named push_key.pem and push.cer) and starting the BES Proxy Agent service and TEM Apple iOS Server service.
• When prompted during the installation for a DNS/IP name for the Management Extender, use a fully qualified name or IP that the Apple iOS devices can reach (the name will be put into an HTTPS certificate).

Troubleshooting Connectivity

The Management Extender for iOS requires has several specific connectivity requirements:

• The Apple iOS devices can reach the Management Extender on the network on the specified port (default is HTTPS port 443) at the DNS name/IP specified during installation (if using a DNS name, it must be fully qualified since iOS devices will not resolve non-qualified DNS names). If the device is connected via WiFi on the LAN and can resolve the name, it should be able to connect directly. If the device is communicating over an external network (WiFi, 3G, etc.) then you will need to open a port in the firewall to route traffic to the Management Extender. See the guidelines for an Internet Relay for more information on setting up a server in the DMZ.
• The Management Extender for iOS must be able to communicate directly with the Apple Push Notification Servers at *.push.apple.com using TCP port 2195 and 2196. This connection cannot be proxied through typical proxy servers. If the Management Extender cannot reach the APNS servers, then the devices will never check-in to your Management Extender and won't appear in the console.
• The Apple iOS devices themselves must be able to talk to the APNS servers on TCP port 5223 to *.push.apple.com. This is typically not a problem for devices outside the company network, but if your firewall blocks devices from connecting to the APNS servers, the devices will not be able to receive the Apple push notifications and will not be manageable.

Troubleshooting Apple iOS Device Enrollment

Enrolling the Apple iOS devices should be a simple and quick process. Common issues might include:

• The default installation creates a self-signed HTTPS certificate. This will allow you to easily set up the Management Extender, but it requires that each device first install the self-signed certificate before enrolling to be managed. Replace the self-signed HTTPS certificate with a certificate signed by a trusted party to skip the initial certificate installation step.
• Enrollment can be done through the IBM Endpoint Manager for Mobile Device app on the Apple App Store. After installation the app will prompt the user to enter the dns/IP of the Management Extender. The app will give additionally functionality (like Jailbreak detection and a list of recommended apps), but if you are experiencing issues with the app enrollment, try visiting the Management Extender url in Safari (e.g., https://ios.companyname.com) to see if the device can communicate with the Management Extender. Enrollment can also be performed through this method.
• If the device doesn't appear in the Console within a few minutes after successful enrollment, the Management Extender or Apple device might be a connectivity issue with the APNS servers. See the Troubleshooting Connectivity section above.
  • There is a known issue in some cases where some devices do not report back to the Management Extender upon initial profile installation. In the case that this occurs, try restarting the BESProxyAgent service. If the device still does not report in, try restarting the TEM_IOS service, waiting a minute, then restarting the BESProxyAgent service again.
• If the device gives an error "The Server Certificate for <DNS name> is invalid", it means that either:
  • You haven't installed the self-signed certificate (this is "step 1" in the instructions if you browse to the Management Extender enrollment web page).
  • Your self-signed certificate name (that you typed in when you installed the Management Extender) doesn't match the enrollment server name (make sure to use just the dns name/IP at install time and don't put in "http://" or "https://").
  • If you are using an HTTPS certificate from a trusted party, the certificate is invalid or the name doesn't match.

Troubleshooting Device Actions / Updates

• If devices are not responding to actions or reporting properly, verify that the device and the Management Extender connectivity (information above).
• The Proxy Agent logs at in the __Logs folder of the Management Extender folder will give information about actions run by the proxy agent and how often the "list" command is run (which prompts the devices to send in their latest information).
• The MDM Provider logs in the "MDM Provider\log" folder of the Management Extender folder will give information about the devices connecting to the Management Extender. The log files with "stdout" in the name will show the history of connectivity.