- Universal Device Service
- iOS device
The iOS device may encounter the following error when attempting to enroll on the Universal Device Service through the device app:
Your device cannot be activated at this time. Please try again later or contact your administrator.
The most common cause of this error is related to the certificate the iOS device receives from Universal Device Service, specifically from the Communication Server.
If any one of the following points is not satisfied, then the error described above will be encountered:
- One of the pre-installation tasks is Requesting an SSL certificate for the Communication Module. This certificate must be signed by a certification authority. Self-Signed certificates are not supported by the Universal Device Service. Refer to the Installation and Configuration Guide for instructions on how to Submit the certificate signing request to a certification authority for signing.
- The Root CA Certificate or Certificate Chain for the CA that issued the SSL Certificate for the UDS Communication Module must be trusted by the iOS device before the activation is attempted, otherwise the enrollment process will fail as per the topic of this KB Article. To trust the Root CA Certificate, simply utilize the Safari Browser on the iOS device to navigate to the URL for the CA that issued the certificate. For an internal Microsoft CA the default URL would look something like: http://<CAServername>/certsrv. Once on this page, simply install the CA.
- Once the administrator has created the certificate signing request for the Communication Module, it will need to be submitted to a certification authority for signing. Please ensure that the Certificate Template that is selected is Web Server otherwise the enrollment process will fail as per the topic of this KB Article. To validate the Certificate Template that was used an administrator can check the Certificate Authority application under the view of Issued Certificates and see the type of template that was used.
- The URL that the user enters into the Universal Device Service application must match the Certificate Subject, this includes upper and lowercase characters. This can be validated under IIS Manager by selecting the UDS.CommunicationModule Site > Bindings > Edit > Select the SSL Certificate > View > Details Tab > Subject . As an example if the Subject of the Certificate is CN = servername.domain.com this is exactly how the user must enter the URL into the device application.
Alternatively, SSL certificate using wildcard can be used for UDS.CommunicationModule Site. If wildcard Certificate is used for the Communication Module, the URL that the user enters into the Universal Device Service application doesn't match exactly the Certificate Subject, however, the common part of the URL must match and is case sensitive.
Wildcard certificates only support a single level of sub-domain matching by standard RFC 2818. Names may contain the wildcard character * which is considered to match any single domain name component.
e.g., *.a.com matches foo.a.com but not bar.foo.a.com.
- The certificate issued to the Communication Module may be expired.
- If a multi-server install of Universal Device Service was performed whereby the Communication Module was installed in the DMZ, there may be an authentication issue between the Communication and Core Module components. Please refer to KB31152 to determine if the symptoms are similar to your environment.
By downloading, accessing or otherwise using the Knowledge Base documents you agree:
(b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.
Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.