@amityaccounts if you mean your JSS is on a mac os server setup, look in the Tomcat directory.
You may have some luck within terminal finding it, try using the following command
sudo mdfind -name setenv.sh
if that doesn't work, try
sudo find / -name setenv.sh
it will bring that file up located in the backups as well, but ultimately you will find the direct path if you don't know where to look.
+1 only needed to add TLSv1.2 to the Java Options in the Tomcat Properties, restarted and everything seems fine.
Thank you!
@Hugonaut thanks for the info, but neither command brings up any results
Any luck with this issue for those of us with JAMF residing on a MAC server? I've tried several variations of this fix and now can't start my Tomcat at all... :-(
Is this the com.jamfsoftware.tomcat.plist?
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Disabled</key>
<false/>
<key>Label</key>
<string>com.jamfsoftware.tomcat</string>
<key>OnDemand</key>
<false/>
<key>ProgramArguments</key>
<array>
<string>/Library/Java/JavaVirtualMachines/amazon-corretto-11.jdk/Contents/Home/bin/java</string>
<string>-Xms256m</string>
<string>-Xmx49152m</string>
<string>-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager</string>
<string>-Djava.util.logging.config.file=/Library/JSS/Tomcat/conf/logging.properties</string>
<string>-Djava.awt.headless=true</string>
<string>-classpath</string>
<string>/Library/JSS/Tomcat/bin/bootstrap.jar:/Library/JSS/Tomcat/bin/tomcat-juli.jar</string>
<string>-Dcatalina.base=/Library/JSS/Tomcat</string>
<string>-Dcatalina.home=/Library/JSS/Tomcat</string>
<string>-Djava.io.tmpdir=/Library/JSS/Tomcat/temp</string>
<string>org.apache.catalina.startup.Bootstrap</string>
<string>start</string>
</array>
<key>ServiceIPC</key>
<false/>
<key>UserName</key>
<string>_appserver</string>
</dict>
</plist>
Gabe Shackney
Princeton Public School
On macOS try your jss/tomcat/bin folder for the setenv.sh file. That is where I found it on Ubuntu. On Ubuntu, you want to make sure to add the -Djdk.tls.client.protocols="TLSv1.1,TLSv1.2" to the JAVA_OPTS. I was able to upload my new token at that point but DEP is still not syncing. I'm running Jamf Pro 10.16.1
Editing the above plist worked for me using this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Disabled</key>
<false/>
<key>Label</key>
<string>com.jamfsoftware.tomcat</string>
<key>OnDemand</key>
<false/>
<key>ProgramArguments</key>
<array>
<string>/Library/Java/JavaVirtualMachines/amazon-corretto-11.jdk/Contents/Home/bin/java</string>
<string>-Xms256m</string>
<string>-Xmx49152m</string>
<string>-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager</string>
<string>-Djava.util.logging.config.file=/Library/JSS/Tomcat/conf/logging.properties</string>
<string>-Djava.awt.headless=true</string>
<string>-Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2"</string>
<string>-classpath</string>
<string>/Library/JSS/Tomcat/bin/bootstrap.jar:/Library/JSS/Tomcat/bin/tomcat-juli.jar</string>
<string>-Dcatalina.base=/Library/JSS/Tomcat</string>
<string>-Dcatalina.home=/Library/JSS/Tomcat</string>
<string>-Djava.io.tmpdir=/Library/JSS/Tomcat/temp</string>
<string>org.apache.catalina.startup.Bootstrap</string>
<string>start</string>
</array>
<key>ServiceIPC</key>
<false/>
<key>UserName</key>
<string>_appserver</string>
</dict>
</plist>
Basically putting the TLS line after the headless line (make sure you don't leave a space) and it came back and synced right away
Gabe Shackney
Princeton Public Schools
Not that this helps: https://www.apple.com/support/systemstatus/ since I checked earlier and nothing was up, now ASM shows resolved issue from only 3:05 to 3:30 - super cheeky, something's up.
We had the same problem: Sync Problems since 3 days.
We tried everything described above (we use RHEL 7 and JDK 11.0.5) but nothing helped.
Only after we renewed the Server token file (which was due in 22 days) the syncing works again.
@gshackney THANK YOU!!! That worked perfectly. I had to recreate our plist, somehow it got a bit garbled [located /Library/LaunchDaemons/com.jamfsoftware.tomcat.plist], after that, a reboot of the server, and a refresh of the key and token between JAMF and Apple, everything is back to normal.
Thank you all in assisting in patching this issue!!
@m.donovan Thanks!
I have added the TLS 1.2 only as well, as my previous post was a disaster.
After a while the JSS was reachable again and the sync was pretty instant.
I recommend doing this if you are on Windows Server and have this issue as well.
+another1 for @hfike - adding export JAVA_OPTS="$JAVA_OPTS -Xmx1024M -Djava.awt.headless=true -Djdk.tls.client.protocols="TLSv1.2"" to /usr/local/jss/tomcat/bin/setenv.sh on all JSS's and restarting tomcat fixed it for us too (we trimmed out the TLS 1 and 1.1 bits as they don't appear to be needed?)
Confirmed - this worked for me in Windows too. Syncing is back up.
I can confirm that this worked for me, only needed TLS1.2 thankfully.
I was still having the issue until I renewed the DEP token. I was able to successfully do so after entering in the -Djdk.tls.client.protocols="TLSv1.2" entry. Before adding the entry, I kept getting "cannot connect to Apple Services" error. But all is well now, thank you!
Anyone have the path for Windows Server? Having trouble locating where to tweak the JAVA_OPTS
@cbBCC
C:Program Files>JSS>Tomcat>Bin>Tomcat8w
Yep! Added TLS1.2 which worked.
Hi,
jp 10.17, Windows 2019
I added this line to Tomcat8w Java options:
-Djdk.tls.client.protocols="TLSv1.2"
Restarted tomcat.
Edit: working now!
If anyone finds any other angles to this, please post here. I've added the TLSv1.2 line to our Tomcat (10.17.1 on Win 2016 Server) and I still can't sync or upload a new token.
I had literally just gotten this configured and working the week before, so this is a huge bummer. Last sync was on the 8th. We are using Oracle's Java 11, so maybe I have to switch to a free option like most of you have already?
Edit: Looks like it might be Oracle's Java 11, I checked another instance I'd set up for another team on their Windows build with the same version of Java, and it stopped syncing on the morning of the 9th. Mine stopped on the evening of the 8th. I cannot install Corretto because Windows Server 2016 insists it can't run it, even though it is supported. I'm worried I'm completely hosed here.
My Java edit did not work until I pasted it into Notepad++ and then into the Java settings.... Not a Windows person so learning some stuff :)
Also experienced what @janselmi3953 did. Adding the Java settings to setenv.sh didn't solve for us right away, even after the Tomcat restarts. Once I uploaded a new ABM server token to our JSS, we were in business. We're Ubuntu and on JSS v10.17.0.
export JAVA_OPTS="$JAVA_OPTS -Xmx4096M -Xms512M -Djava.awt.headless=true -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2"
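An added example, not part of any post in this thread and not Jamf's own tooling: a small shell audit for the setting discussed above. It reads a setenv.sh or a launchd plist, reports the jdk.tls.client.protocols list it finds, and flags TLSv1 and TLSv1.1, which several replies found unnecessary. The function names and sample file contents are constructed for illustration, and it assumes the last occurrence in the file is the one that takes effect.

```sh
#!/bin/sh
# Added example: audit jdk.tls.client.protocols in a Tomcat setenv.sh or launchd plist.

# tls_protocols FILE -> prints the comma-separated protocol list (empty if unset).
tls_protocols() {
    # Skip shell comment lines, keep the last occurrence, then drop the key and
    # any double quotes. The value ends at whitespace or '<', so a list written
    # with a space after a comma is cut short at that space.
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        grep -o 'jdk\.tls\.client\.protocols=[^[:space:]<]*' |
        tail -n 1 |
        sed -e 's/^jdk\.tls\.client\.protocols=//' -e 's/"//g'
}

# audit_tls FILE -> prints a verdict; returns 0 = TLSv1.2+ only, 1 = legacy, 2 = unset.
audit_tls() {
    protos=$(tls_protocols "$1")
    if [ -z "$protos" ]; then
        echo "UNSET: $1 does not set jdk.tls.client.protocols (JDK default applies)"
        return 2
    fi
    legacy=""
    old_ifs=$IFS
    IFS=,
    for p in $protos; do
        case "$p" in
            SSLv2Hello|SSLv3|TLSv1|TLSv1.1) legacy="$legacy $p" ;;
        esac
    done
    IFS=$old_ifs
    if [ -n "$legacy" ]; then
        echo "LEGACY: $1 enables$legacy (full list: $protos)"
        return 1
    fi
    echo "OK: $1 enables $protos"
    return 0
}

# Constructed sample files (not copied from a real server).
tmp=$(mktemp -d)
printf '%s\n' 'export JAVA_OPTS="$JAVA_OPTS -Djava.awt.headless=true -Djdk.tls.client.protocols=TLSv1.2"' > "$tmp/setenv.sh"
printf '%s\n' '<string>-Djava.awt.headless=true</string>' \
    '<string>-Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2"</string>' > "$tmp/tomcat.plist"
for f in "$tmp/setenv.sh" "$tmp/tomcat.plist"; do
    audit_tls "$f" || true
done
rm -rf "$tmp"
```

Point `audit_tls` at the real setenv.sh or /Library/LaunchDaemons/com.jamfsoftware.tomcat.plist after editing, before restarting Tomcat.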
Upgraded to 10.17.1 last Friday (12/13). Noticed the issue after upgrading. I made the changes this morning and things remain the same:
"Sync failed. Awaiting next sync"
Uploaded a fresh token, still a no go. :(
@mhegge You aren't alone. I experienced this back earlier in the month, a few Tomcat bounces and the TLS settings fixed it, though every other sync would fail.
Now it's OAuth errors all the way down. TLS1.1, 1.2, both, none specified, nothing is working. I can't even update the token, all communications with Apple seem to be completely broken. 10.17, Corretto 11.0.5 (which was supposed to have fixed the TLS bug in 11.0.4 that was supposedly causing all this). Not a single one of my Jamf tokens (one for each Site) have successfully connected to ASM since the morning of Dec 9th. I have a single AirWatch server in my ASM instance too, hasn't communicated with ASM since yesterday.
Sync has been intermittent for me since upgrading to 10.17.0 (and OpenJDK 11.0.5 which was supposed to have the TLS1.3 issue fixed). I'm not seeing any new assignments since the morning of 12/6 either, so something is definitely broken. I've reached out to Jamf Support to see if there's any point enabling TLS1.2 (which I'm hesitant to do).
The fact that it's not just our environment makes me feel a bit better, but given that we're so far into DEP it's strange that Apple's status page says everything is working when it clearly isn't.