
ZippyDan

Original poster
I have set up a working Open Directory Master on Mac-Server-1 running macOS Sierra and macOS Server 5.2 (latest as of today). I have also successfully started the Device Manager and enrolled a client computer with no problem.

I have now also set up a working Open Directory Replica on Mac-Server-2 (at a different site) running macOS Sierra and macOS Server 5.2. However, when I try to activate the Device Manager on the Replica, it stays Disabled.

Is this by design that Device Manager can only be active on the Master? Or is this a bug?

Steps:
  1. In macOS Server -> Profile Manager -> Device Manager, status is Disabled
  2. In macOS Server -> Profile Manager -> Device Manager, I click "Setup..." button
  3. New window appears telling me I can manage devices. I click "Next"
  4. The window now changes and asks me for a Name, E-mail, Telephone, and Address (presumably to generate a certificate?)
  5. I enter the info, and click "Next"
  6. The next window appears, telling me to click "Finish". I do.
  7. The window disappears, returning me to the macOS Server -> Profile Manager window, where the status of Device Manager still shows as Disabled.
Ideas?

Note 1: I tried uninstalling Server.app and deleting /Library/Server/* and reinstalling the Replica from scratch. Same behavior.

Note 2: I tried reinstalling the entire server from scratch. Same behavior.
 

chrfr

> Is this by design that Device Manager can only be active on the Master?

Not a bug. Profile Manager (which is what I assume you mean when you say "Device Manager") can't run on your Open Directory replica. (edit: actually, you may be able to run it on your replica if it is not already running on the master, but this isn't something I've tried or heard of people doing.) Profile Manager doesn't replicate from the Master to replicas either; you can only have one instance of Profile Manager managing your devices.
 

ZippyDan

Original poster
Profile Manager does indeed run without any complaints even on my Replica.

It is only specifically when attempting to start Device Manager (via the Setup button) that it seems to go through some process and then... nothing.

If what you say is true, then it explains why my situation is not working, but it then results in several complaints:

1. macOS Server should notify me when attempting to start the Profile Manager or attempting to start the Device Manager, that it is unable to run on a Replica - only on a Master. Accepting the Setup process, showing me progress bars like it is configuring itself, and then just dumping me back to the status screen while showing that the Device Manager is still `Disabled` is incredibly obtuse and unhelpful. Industry standard graceful failure should be especially expected from the "it just works" / "user friendly" macOS ecosystem.

2. It seems then that macOS Server is completely unsuited to a multi-site environment? If I want to manage Mac computers profiles or user/group profiles that exist at different sites, but reside within the same company (i.e. same Domain or Directory), then all computers must be dependent on a single macOS Server that resides at a single location? If that site's VPN connection to the satellite branches goes down for whatever reason or whatever length of time, then my satellite Macs and users become unconfigurable for the outage? That seems like a rather elementary design flaw.

3. I'm not even sure I understand the purpose of a Replica. The description given by macOS Server is "Replicas provide failover and load balancing for Open Directory clients", which makes it sound like the Replica takes an active role in the management of computers. But if Profile Management occurs at only a single site, then what is the Replica doing?
 

DJLC

> Profile Manager does indeed run without any complaints even on my Replica.
>
> It is only specifically when attempting to start Device Manager (via the Setup button) that it seems to go through some process and then... nothing.
>
> If what you say is true, then it explains why my situation is not working, but it then results in several complaints:
>
> 1. macOS Server should notify me when attempting to start the Profile Manager or attempting to start the Device Manager, that it is unable to run on a Replica - only on a Master. Accepting the Setup process, showing me progress bars like it is configuring itself, and then just dumping me back to the status screen while showing that the Device Manager is still `Disabled` is incredibly obtuse and unhelpful. Industry standard graceful failure should be especially expected from the "it just works" / "user friendly" macOS ecosystem.
>
> 2. It seems then that macOS Server is completely unsuited to a multi-site environment? If I want to manage Mac computers profiles or user/group profiles that exist at different sites, but reside within the same company (i.e. same Domain or Directory), then all computers must be dependent on a single macOS Server that resides at a single location? If that site's VPN connection to the satellite branches goes down for whatever reason or whatever length of time, then my satellite Macs and users become unconfigurable for the outage? That seems like a rather elementary design flaw.
>
> 3. I'm not even sure I understand the purpose of a Replica. The description given by macOS Server is "Replicas provide failover and load balancing for Open Directory clients", which makes it sound like the Replica takes an active role in the management of computers. But if Profile Management occurs at only a single site, then what is the Replica doing?

Profile Manager itself is a very elementary implementation of MDM. I've had multiple Apple employees tell me straight-up that Profile Manager isn't meant to be used in production. It was created as a proof-of-concept for third parties to run with.

An OD replica is providing a failsafe for authentication; much like an AD replica would. OD itself does nothing in regards to management.

I would advise implementing AD for authentication and something like FileWave for management. macOS Server is trash.
 

chrfr

> 2. It seems then that macOS Server is completely unsuited to a multi-site environment? If I want to manage Mac computers profiles or user/group profiles that exist at different sites, but reside within the same company (i.e. same Domain or Directory), then all computers must be dependent on a single macOS Server that resides at a single location? If that site's VPN connection to the satellite branches goes down for whatever reason or whatever length of time, then my satellite Macs and users become unconfigurable for the outage? That seems like a rather elementary design flaw.
>
> 3. I'm not even sure I understand the purpose of a Replica. The description given by macOS Server is "Replicas provide failover and load balancing for Open Directory clients", which makes it sound like the Replica takes an active role in the management of computers. But if Profile Management occurs at only a single site, then what is the Replica doing?

Profile Manager's device management uses both Open Directory and its own, independent, database which does not replicate from a master to a replica. Only a single server can manage your devices. If you have a site of this scale, you probably should not be managing your devices with Profile Manager. It's not stable and it isn't at all suitable if you're concerned about having a single point of failure without downtime.
Open Directory used to be able to replicate configurations with the app called Workgroup Manager, but that's long since out of support.
As I mentioned in a separate post to you, I generate profiles using Profile Manager on a computer which does not have any client computers bound to it, and deploy those profiles to client computers, along with other software, using Munki. It works very well, and I can generate profiles with any computer and deploy them without the client computers caring about the source.
 