This article is intended to assist in basic to intermediate troubleshooting of common Systems Manager issues, as well as expose the tools needed to troubleshoot more advanced issues/cases.
When experiencing an issue with Systems Manager, the first step is usually to take a look at an example client which is exhibiting the behavior. Once you have identified an example device, its logging will describe the issue and provide suggestions on how to fix it.
The primary logging location in SM is the Client Details page, and is always the first/easiest place to look. Here you can find three primary banks of data:
If Dashboard-side logging isn't getting you anywhere, each OS includes logs that are local to the client devices.
It's important to remember that the majority of this logging is only temporarily available, so it's recommended to start capturing logs prior to triggering the broken behavior. Make sure to save/export these logs as soon as they're captured.
It is recommended to analyze logs related to the following processes:
Specific processes vary by OS/Device Manufacturer, but it's recommended to search for the phrase "fatal exception."
Agent logs are found in the /var/log/m_agent.log files.
System logs (similar to the iOS console logs) are found in /var/log/system.log
The primary process whose messages may assist from the system.log file is:
Agent logs are found in the C:\Windows\temp\m_agent_service.log files.
System logs are found in the Event Viewer in Windows Logs/Application and Services/Microsoft/Windows/DeviceManagement-Enterprise-Diagnostics-Provider/Admin
The following table describes common error messages organized by OS/Type:
|OS(s)||Error Code||Error Text||Reason||Fix||Notes|
|iOS/OSX||Profile Installation Failed: An SSL Error has occurred and a secure connection to the server cannot be made.||Proxy or MITM device is manipulating the payload/traffic containing the payload||Whitelist the client|
|iOS||1006||Profile could not be decrypted||Device has received an encrypted payload but is incapable of decrypting it||Remove DEP settings, set up the device, upgrade iOS, re-add DEP settings, factory reset client|
|iOS||2003||Domain: MCPayloadErrorDomain The field “UserName” is invalid.||EAP authentication information is incomplete for a WiFi Profile||Include a password with the Username in the EAP configuration in the WiFi Profile||This will only effect iOS 9+ Supervised devices|
|iOS||12021||Domain:* MCMDMErrorDomain“ScheduleOSUpdate” is not a valid request type.||Device needs to be DEP Supervised to execute an OS Update command||DEP Supervise the client|
|iOS||12023||Domain:* MCMDMErrorDomain“ The iTunes Store ID of the application could not be validated.|| |
Generic 'App License Unavailable' Error message
|iOS||12026||Domain:* MCMDMErrorDomain“ The app “com.generic.app” is already scheduled for management.||The app is already in the client's installation queue. Generally speaking, this error is safe to ignore||Wait||If the app never installs, look for messages from the installd process|
|iOS||12064||Domain: MCMDMErrorDomain License for app "X” could not be found.||License for the app is not available on the client||Unscope and rescope the client for this app||This message will only occur with the App configured to use Device License Assignment|
|iOS, OSX||'Error - Activation Lock Bypass code not found with Apple. Is activation lock already disabled?'||Activation Lock Bypass command was already acknowledged by Apple's servers||Attempt to restart the client device, associate it to wifi, wait 10, restart setup assistant (home button), try again||This doesn't always work, but if these steps fail contact Apple for Activation Lock Bypass assistance|
|iOS||Error - License for app "com.generic.app" could not be found|| |
|OSX/Windows Agent||curl error 5|| |
Couldn't resolve proxy. The given proxy host could not be resolved.
Typically this means that something upstream is firewalling the connection
|Open TCP993 Outbound to Dashboard||This error may also mean that there are no remaining licenses on dashboard, so be sure to check to see if the dashboard has hit its license limit.|
|OSX/Windows Agent||curl error 6|| |
Couldn't resolve host. The given remote host was not resolved.Typically this indicates that something is attempting to manipulate the traffic (SSL Intercept Proxy)
|Whitelist the client/traffic (not in dashboard, on that device whatever it is)||It's important to remember that TCP993 is also the IMAPS port, so when you are looking for what device is manipulating our datastream, also look at any Email Filtering systems or local Anti-Virus systems|
|OSX/Windows Agent||curl error 7||Typically this occurs on config fetch when the client is attempting to contact https://cf.meraki.com||Unblock/enable HTTPS traffic to this url|