Skip to main content

Hello,

I've been changing our live JAMF system over from using a self-signed certificate to a proper public certificate. I finally got it all working Thursday afternoon. (Definition of "working": I was able to get a new Apple push certificate using it; communication between my JAMF server and Apple School Manager is working; I was able to reinstall a client and it picked up NDM and carried on happily.)

On Friday, I was off, which means that nobody was doing anything with the JAMF system or that client.

Today, I found that that client can't communicate with the JAMF server. And it lost the ability to communicate between 10:09 and 10:28 *Friday* morning. When I wasn't even there.

Log entries go from this:

Fri Jul 21 09:50:34 LISA-065 jamf[38385]: Checking for policies triggered by "recurring check-in"...
Fri Jul 21 09:50:38 LISA-065 jamf[38385]: Checking for patches...
Fri Jul 21 09:50:38 LISA-065 jamf[38385]: No patch policies were found.
Fri Jul 21 10:08:57 LISA-065 jamf[39031]: Checking for policies triggered by "recurring check-in"...
Fri Jul 21 10:09:01 LISA-065 jamf[39031]: Checking for patches...
Fri Jul 21 10:09:01 LISA-065 jamf[39031]: No patch policies were found.

...To this:

Fri Jul 21 10:28:52 LISA-065 jamf[39649]: Checking for policies triggered by "recurring check-in"...
Fri Jul 21 10:31:29 LISA-065 jamf[39649]: Could not connect to the JSS. Looking for cached policies...
Fri Jul 21 10:49:46 LISA-065 jamf[40390]: Checking for policies triggered by "recurring check-in"...
Fri Jul 21 10:49:47 LISA-065 jamf[40390]: Could not connect to the JSS. Looking for cached policies...

...With an occasional variant like this:

Mon Jul 24 12:52:09 LISA-065 jamf[106]:
There was an error.

Connection failure: "An SSL error has occurred and a secure connection to the server cannot be made."

But those are few and far between. In fact I don't think I get any of those unless I'm trying to get it to do things, i.e. it never did any of those over the weekend, it only started on them this morning. It may be that they only happen when I log onto the client.

Meanwhile, in the server logs, there is...not much happening; I can't find anything in the log that doesn't occur elsewhere in the log when there was nothing bad going on. Connection with Apple School Manager is still working (I have just been able to move another client onto this MDM, it appeared, I was able to check its box in a pre-stage enrollment, and later it became "Assigned").

So: anyone have any ideas why a client that was happy enough to go through MDM enrollment and installation, and receive all its configuration profiles and all of that stuff, should, just under 24 hours later, suddenly become unable to do so?

Thanks,
Lisa.

You mentioned getting a new Apple push certificate. Did you renew the one that was already installed, or did you install a completely new one? A completely new one will break the MDM communication between the managed devices and Jamf Pro since the MDM profile that they have installed is no longer associated with the current in use push certificate. I too used to use Jamf Pro with a self signed SSL certificate. In 2015, I changed that. I started using a third party SSL certificate. I had no issues with that change. All of the enrolled devices continued talking to Jamf Pro. In fact, they probably worked better with the Jamf Pro server. Have you tried re-enrolling the affected computers? That would fix the APNS issue, and it would likely also fix issues with receiving policies.

You mentioned getting a new Apple push certificate. Did you renew the one that was already installed, or did you install a completely new one? A completely new one will break the MDM communication between the managed devices and Jamf Pro since the MDM profile that they have installed is no longer associated with the current in use push certificate. I too used to use Jamf Pro with a self signed SSL certificate. In 2015, I changed that. I started using a third party SSL certificate. I had no issues with that change. All of the enrolled devices continued talking to Jamf Pro. In fact, they probably worked better with the Jamf Pro server. Have you tried re-enrolling the affected computers? That would fix the APNS issue, and it would likely also fix issues with receiving policies.


Hello,

We couldn't renew the one that was already installed; it was issued by our self-signed certificate. This all came at the end of about a week of certificate-related problems. Our built-in CA needed to be renewed (the system has existed for 10 years), and as part of that process, although clients survived that, a week later they did not survive the expiration of the signing certificate that had previously been issued by that CA, so the clients are already all orphaned. These are student walk-up computers and we are in summer, so it's not the end of the world. In a couple of weeks we'll be doing next year's configuration and reinstalling them from scratch anyway.

In any event, after giving up and allowing the clients to become orphaned, I transitioned to a public certificate. I thought everything was fine.

Bear in mind that this problem happened after the client had been successfully reinstalled from scratch via MDM, which happened AFTER all our certificate changes. So: the new certificate arrangements were working well enough to get a client all the way through the installation process. Then, suddenly, while I was on holiday and nobody was changing anything, that client stopped working. "An SSL error has occurred" isn't hugely helpful in figuring out just what, exactly, it doesn't like. I can't even tell whether it's the client that is unhappy with the server, or the server that is unhappy with the client. Or both!

To add insult to injury, I have just moved another test station onto this same JAMF instance, and I'm in the process of reinstalling it. It has just hooked MDM perfectly happily! Of course for all I know, 24 hours from now, it might also die.

Thanks,
Lisa.

I have this same error.  Are you an On-Premise instance as well?

I have this same error.  Are you an On-Premise instance as well?


Yes, we are. But my other, test instance (also on-premise) is not having this problem.

Terms & ConditionsCookie settings