Enrolling with Management Server Failed error

Hi JPost,

The "Enrolling with Management Server Failed" error with the message "Your enrollment Profile MAY have expired" can be caused by several factors. Here's a systematic approach to troubleshoot this issue:

Step 1: Check Certificates and Tokens in Jamf Pro

First, verify that all your certificates and tokens are valid:

1. MDM Push Certificate: Go to Settings > Global > Push Certificates and check if the MDM Push Notification Certificate is expired. If expired or expiring soon, renew it immediately.
2. Automated Device Enrollment Token: Go to Settings > Global > Automated Device Enrollment and verify the token isn't expired. If there's an error or it's expired, download a new token from Apple Business Manager/Apple School Manager and upload it to Jamf Pro.

Step 2: Verify Device Assignment

• In Apple Business Manager/Apple School Manager, confirm the device is assigned to your Jamf Pro MDM server
• In Jamf Pro, verify the device is assigned to a PreStage Enrollment (check Computers > PreStage Enrollments > Scope)

Step 3: Check the APSD Keychain (Common Fix)

If the device has been sitting for a while or the image is older, the local APNS certificate may have expired. Run this command to check:

/usr/bin/security find-certificate -a -p -Z /Library/Keychains/apsd.keychain | /usr/bin/openssl x509 -noout -enddate | cut -f2 -d=

If the date is in the past, delete the keychain and reboot:

sudo rm /Library/Keychains/apsd.keychain
sudo reboot

Step 4: Re-sync with ABM/ASM

Try unassigning and reassigning the device in Apple Business Manager:

1. Go to ABM/ASM and unassign the device from your MDM server
2. Wait 10 minutes
3. Reassign the device to your Jamf Pro MDM server
4. In Jamf Pro, verify the device appears in Automated Device Enrollment

Step 5: Force Enrollment Renewal

If the device is already past Setup Assistant, try:

sudo profiles renew -type enrollment

Step 6: Last Resort - Erase and Re-enroll

If none of the above works:

• For Macs with Apple Silicon or T2 chip: Go to System Settings > General > Transfer or Reset > Erase All Content and Settings
• Then go through Setup Assistant again

Additional Checks:

• Verify all required network ports are open for Apple services
• Test enrollment on an unfiltered network (mobile hotspot) to rule out firewall issues
• Check if any Enrollment Customization in your PreStage is causing issues (try creating a simple PreStage without customization)

References:

• Troubleshooting Automated Device Enrollment
• Push Certificates - Jamf Pro Administrator's Guide

Let me know what you find and we can troubleshoot further!

Those things all check out from what I see. I do see how unassigning and reassigning a device in ABM would help in this situation. The device was auto enrolling fine previously

This seems to be an automated response.

Not an automated response – apologies if it read that way.

Since the device was enrolling fine before the reset, the ABM reassignment steps don't apply here. You're right to question that.

This sounds like the apsd.keychain got corrupted during the reset. Can you check the certificate date on the affected Mac?

/usr/bin/security find-certificate -a -p -Z /Library/Keychains/apsd.keychain | /usr/bin/openssl x509 -noout -enddate | cut -f2 -d=

If it's expired or the command fails, delete it and reboot:

sudo rm /Library/Keychains/apsd.keychain
sudo reboot

Then retry enrollment. Let me know what you find.

Keychain shows Jan 13 19:30:58 2027 GMT

Thanks for checking – the keychain is valid, so that's not the issue.

A few follow-up questions:

• What type of reset was done? (Erase All Content and Settings, or just a jamf removeFramework?)
• Is there an existing MDM profile still on the device? Check System Settings > General > Device Management
• What's the exact error message you see during enrollment?
• Are you on a corporate network with any SSL inspection or firewall filtering?

If there's a stuck MDM profile, that's likely blocking the new enrollment.

• Reset - Erase All Content and Settings
• No Existing MDM profile is on the device as I ran a sudo profile renew -type enrollment and got: Error: DEP enrollment failed: No Device Enrollment Configuration was found for this computer.
• Error Message while in the MAC Setup screen when it determines the device is a managed SN. 
  Enrolling with Management Server Failed. Your enrollment Profile may have expired. Try downloading a new enrollment profile. 
• No I work from Home and have imaged here before. In fact I do most all my testing at my residence for Mac. 

Should I need to be on a hardwired connection? I have recently moved my desk and using wifi for this Device. However I am connecting to a 5G (wifi) gb router. 

When I hit this error in the setup. My Mac still shows up in Jamf Pro but at DEP - SN
It also does show up with a Jamf Pro Computer ID and Management ID but shows as not Managed. It does show my Enrollment Method as PreStage Enrollment and the config that it is assigned to.

Also created a new vanilla Pre-stage enrollment with just the General details but no Enrollment Customization and got the same error.

Also tried off my network using a Hotspot on my phone.

Thanks for the detailed info – that rules out a lot of the usual suspects.

The fact that profiles renew -type enrollment says "No Device Enrollment Configuration was found" after an Erase is strange. The device should be pulling its ADE config from Apple's servers at that point.

Since you've already ruled out network (hotspot test) and PreStage customization issues, I'd check:

1. In Jamf Pro, go to Settings > Global > Automated Device Enrollment and verify your token shows no errors or warnings
2. Under your PreStage, check the Certificates section – if there's an anchor certificate listed and you're on Jamf Cloud, try removing it
3. Look at the device record in Jamf Pro – under Management, what does "MDM Capable Users" show?

Also, what Jamf Pro version are you on? And is this happening on just this one Mac or multiple devices?

At this point this may warrant a Jamf Support ticket if the above checks out fine.

1. Automation Token generated 12-9-2025. No error showing in the Global/Automation Device Enrollment section
2. Non of my PreStage Enrollments have Certs in the Cert section.
3. MDM Capability: No  (No MDM Capable Users row)

Version of Jamf Pro: 

Version

11.23.2-t1767621885710

All checks look good on the Jamf Pro side. At this point, I'd recommend opening a Jamf Support ticket – they can review the server-side logs to see exactly where the enrollment handshake is failing.

The "enrollment profile may have expired" error with everything else checking out is unusual and likely needs Jamf to investigate from their end.