
As we got JSS updated to 9.73, Casper Imaging stopped working.
After choosing the Configuration and providing my JSS account credentials I get the error message:
"Unable to create the invitation. Check to make sure you have permission to create an invitation"
I have an administrator-privilege account with everything checked on JSS User Accounts & Groups side.



Please help. Thanks!



@Eigger Correct, in our environment, our security team won't allow us to create a shared account with shared credentials.


Bumping this thread to add that I'm in the same boat... +1 for unsolved. I too discovered this issue last week in testing a v10 upgrade:
In my environment techs make API calls via script with their credentials. Valid passwords may contain "special characters" and Unicode. Most usually do since the techs are located globally and their international keyboards make this quite easy and valid! I cannot (and should not) control valid password character ranges...



Unicode (multi-byte characters) and punctuation have always needed to be URI Escaped (see my reply for some pointers) for them to work with the v9 API but this is no longer working in v10.



The web console for Jamf Pro web and the auth screens of the Apps work in accepting non-alphanumeric characters, but anything in those apps that leverage the API are affected. Besides the invitation creation of this thread, in the Recon app if you attempt to create a QuickAdd with an account that contains a Unicode character it will fail.



Fun troubleshooting fact: if you run Wireshark/packet capture on your JSS and connect over http (port 9006) you can grab the API calls and compare the Authorization: Basic headers. Recon v9 and v10 QuickAdd creation creates the same headers when Unicode is used, so the breakdown is not encoding or the App but the API character decoding/handling.



My Product issue is: PI-005738 up 78 since April 3rd... hmm... Looking forward to 10.13.2 and this being fixed.
Jamf: have a bug-a-thon this weekend before the weather gets too nice, it'll make for a better summer! :]


We are seeing this as well. Since updating to 10.3 I think...


This issue has just been introduced for us since upgrading from v10.1.1 to v10.3.1.
Tested on a Jamf local admin account. When imaging I get the message "Unable to create an invitation"


We also experience this issue with JAMF 10.3.1 - hope that it is solved soon.



Did someone already issue a ticket to JAMF regarding this issue in 10.3.1?


JAMF says "Currently there is a known product issue (PI-005660). That is if a password contains special characters we are not able to log in to Jamf Imaging. Currently, the only workaround is to create an account with only numbers and letters. This will allow you to log in and image machines. This product is considered critical and we are working on a resolution, but we still are not aware of an ETA when it will be fixed. "


Thanks @agerson... this was doing my head in. Guess we'll just stick to no complexity and local accounts until the next update.


It worked for us.
Local account with admin rights and 4 letter pw got it done.
Jamf Pro 10.3.1



Other threads with the same issue:
https://www.jamf.com/jamf-nation/discussions/8133/anyone-seen-unable-to-create-an-invitation
https://www.jamf.com/jamf-nation/discussions/27794/unable-to-create-invitation#responseChild165045


JAMF confirmed this in a support ticket as well. I just tried again, turns out the username can't have special characters either. For a work-around, create a group with custom (or enrollment if you don't use imaging) and assign the following permissions to enroll and image.



Enrollment:
Computer enrollment invitations CRUD
mobile device enrollment invitations CRUD
Computers CR
Mobile Devices CR
Users CRU
Allow User to Enroll - Checked
Enroll Computers and Mobile Devices - Checked
Add Computers Remotely - Checked



Imaging:
Customize a Configuration - Checked
Use Jamf Imaging - Checked
Use PreStage Imaging and Autorun Imaging - Checked


Confirmed I had to remove special characters for my imaging to work.
Can we have this patched please, thank you..lol


Ugh, receiving this as well since upgrading from 10.2.2 to 10.3.1. +1 for the PI-005660 issue here as well. Thanks for publishing the permission sets, @epomelow!


I had this too, with JSS 10.3.0.



I spent 2 hours rebuilding the Netboot server.. and it was because I had a hyphen in my password.



The issue was my password! No special characters allowed.


Anyone know if there is a fix for this yet?


WOW - Just discovered this issue for the first time (had Jamf for 2 years). Running JSS 10.3.1. Never saw this bug before.



I just wasted an entire day troubleshooting this with my desktop support team. It was a freaking ! character in my password! I was hung up thinking it was a DEP error because of the word "invitation" in the error string.



This is a sloppy bug. No excuse for this. Ouch!



Fixed in 10.4?


@dstranathan From the 10.4 changelog here:



[PI-005660] Fixed an issue that caused an error to display when imaging computers using Jamf Pro administrator passwords containing special characters.


You should be good after upgrading!


We ran into this issue yesterday and fixed it:



We were running Jamf 9.101.0 and had no issues.
We then upgraded the Jamf server to 10.4 and this introduced the bug for us. Our usernames all have a hyphen in the middle so we would get the error when trying to re-image a Mac over NetBoot "Unable to create an invitation. Check to make sure you have permission to create an invitation". These accounts were all AD accounts and full administrators in Jamf. A work around was to add an AD account as a full administrator in Jamf without any special characters in the username.



The Fix:
Our NetBoot Image (Created with AutoCasperNBI) was created on a Mac that had the Jamf Suite 9.101.0 installed. You could see the version number in the Casper Imaging application when attempting a Netboot re-image.



We then installed the Jamf Pro suite 10.4 and the latest version of AutoCasperNBI on a Mac and created a new NetBoot Image and uploaded it to the NetSUS server.



This fixed the issue for us. Update the NBI with version 10.4 and you should be fine.


The password issue (in Jamf 10.3) has been resolved by updating to Jamf Pro 10.4.


So for people who are saying this is fixed as of 10.4, has everyone had to update both their JSS and the version of Jamf Imaging.app on their NBI's? (Assuming you are using NetBoot, of course.) That seems to be my experience as well.


So we just upgraded from Casper 9.100.0 to Jamf Pro 10.3.1 a week ago and are getting hit by this issue. We use Active Directory groups and accounts to grant rights and sign into Jamf Pro.



So far in testing and reports from site admins I have found that the following characters DON'T work:



hashtags (#), exclamations (!), spaces ( ), at signs (@), ampersand (&)


The following characters DO work:



numbers, lowercase letters, uppercase letters, underscores ( _ )


When a password has any of the characters that don't work we see the following errors:
Jamf Imaging: We can log into the application fine, but when attempting to image we get



Unable to create an invitation. Check to make sure you have permissions to create an invitation.


Recon: We can log into the application fine, but when creating a QuickAdd package or using Remote Enrollment we get



Enrollment failed. Make sure you have the Create privilege for Computer Enrollment Invitations. Also, make sure you have access to at least one site. Connection failure: "The operation couldn't be completed. (NSURLErrorDomain error -1012.)"


The product issue is reported as the following in the 10.4.0 Release Notes with just the Jamf Imaging application:



[PI-005660] Fixed an issue that caused an error to display when imaging computers using Jamf Pro administrator passwords containing special characters.
Note: When interacting with the Jamf API, the encoding for credentials must be UTF-8. Failure to use this encoding may cause authentication issues with the Jamf API when the username or password contain certain international characters.


For some reason they don't include Recon as being fixed in the 10.4.0 release notes even though we have tested Recon 10.3.1 and found it also has the issue.



Due to the fact that we just upgraded to 10.3.1, it would be several weeks of testing before we would upgrade to 10.4.x (or 10.5.x if it drops soon).



Since it is only an issue with the applications themselves and not the JSS, would it be safe to use the 10.4.1 versions of the applications with the JSS still running 10.3.1? And is this scenario supported by Jamf? I thought I had come across documentation that stated which scenarios you could/couldn't use the apps (new apps/older server, older apps/newer server, etc.) but can't find it on Jamf Nation. For example, Composer doesn't matter since it doesn't talk to the JSS.



We have done some brief testing of the 10.4.1 apps against the 10.3.1 JSS and the only one that displays a version mismatch is Jamf Admin. Obviously we can temporarily change our AD passwords to something simpler or set up temp accounts, but just wanted to see if anybody has tried this scenario as an alternative to reducing password strength.
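An added example, not part of any post in this thread and not Jamf code: the UTF-8 requirement quoted from the release notes, and the header comparison described earlier in the thread, as a Python helper that builds a Basic `Authorization` value and inspects a captured one. The function names and the sample credentials are constructed for illustration.

```python
import base64
import string

# Characters this thread reports as working: letters, digits, underscore.
SAFE = set(string.ascii_letters + string.digits + "_")

def basic_auth_header(username, password, charset="utf-8"):
    """Return the Authorization header value for HTTP Basic auth (RFC 7617)."""
    if ":" in username:
        raise ValueError("a Basic auth user-id cannot contain ':'")
    raw = f"{username}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")

def inspect_basic_header(value):
    """Decode a captured header value and report the charset the client
    used plus the characters outside SAFE, without echoing the password."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    raw = base64.b64decode(token.strip(), validate=True)
    if raw.isascii():
        charset, text = "ascii", raw.decode("ascii")
    else:
        try:
            charset, text = "utf-8", raw.decode("utf-8")
        except UnicodeDecodeError:
            # Assumption: fall back to Latin-1 only so the bytes can be shown.
            charset, text = "not-utf-8", raw.decode("latin-1")
    # Split on the first ':' only; the password itself may contain colons.
    user, _, password = text.partition(":")
    return {
        "charset": charset,
        "username": user,
        "username_flagged": "".join(sorted(set(user) - SAFE)),
        "password_flagged": "".join(sorted(set(password) - SAFE)),
    }

if __name__ == "__main__":
    # Constructed sample credentials, not taken from the thread.
    user, pw = "tech-01", "Pä55!wörd#"
    for cs in ("utf-8", "latin-1"):
        header = basic_auth_header(user, pw, cs)
        print(cs, header, inspect_basic_header(header))
```

Two clients that send the same credentials in different encodings produce different header values, so a mismatch in a capture points at the client's encoding rather than at the server.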


I can't speak for Recon because we rarely ever use it and I don't have the same historical data in my head, but I would suspect running mismatched versions of Jamf Imaging.app and JSS should be fine. Before this issue occurred, I hadn't upgraded my NetBoot image in years and it was still using Casper Imaging.app 9.82 with JSS 10.2.1. I think if it wouldn't work, you'd know immediately, like with Jamf Admin.app. But, this is just from experience. Someone else here could completely contradict me.


Thank you anickless for succinctly highlighting the issue and its solution. My user account was LDAP (john.smith) and password had a 1 on the end. Creating a local JAMF Pro admin user account and password, without numbers or a full stop (period), solved this for me.



At first I thought it was the fact I had upgraded JAMF Pro Server, and the JAMF Pro app suite, but not the version of Casper Imaging running on the netboot, but the new local JAMF Pro username and password fixed it for me.



Thanks.


Just had this come up in Jamf Pro version 10.5.0
So it's not fixed?


We haven't had a reoccurrence of the issue and we're running 10.5. Has anything else changed in your environment, like new users or new groups being added? And, are you upgrading Jamf Imaging.app at the same time?


Thanks for your response @bmarks
Nothing significant has changed in the environment, no. I mean, we add new people/users every month because we hire into Security and IT - but that has never caused an issue before. There are only 2 groups and we clone others when we get new hires. I am not upgrading Jamf Imaging now, we upgrade it when we upgrade Jamf. We've been on 10.5 for a bit now. More strangely, it locks out my user when this happens. Seems a LOT like it's my password...that's why I question whether or not it's fixed. My password does have one of the "no no" characters in it, but I had not seen this issue until Friday, late afternoon, after doing TONS of test images throughout the day.


We just started running into this issue today on 10.5. Odd thing is we have been running 10.5 for a good while with no issue.