
I keep getting this error using the new 9.3 stable.



Unable to contact https://mdmenrollment.apple.com to add a device to a PreStage enrollment



I see this under PreStage Enrollments when I create a new one and save it.



My iPads are erroring out:



The configuration for your iPad could not be downloaded from ****
The operation couldn't be completed. (NSURLErrorDomain error -1012.)



Please help. Thanks



EDIT: When I go to this site https://mdmenrollment.apple.com
I see this:



The requested URL was not found on this server.



Thanks

@qsodji We found those 2 defects, and 3 more causes as well. In addition to yours, there was:




  1. Unidentified JAMF issue. We had 3 servers go down at once. They came back up randomly a few days later. Nothing changed on them, the JSS just suddenly couldn't talk to MDM.


  2. Time on the JSS server gets out of sync. One of our servers had the time wrong (auto-time stopped refreshing), so Apple's servers were rejecting the connection. As soon as we fixed time, it fixed the issue.


  3. Info on DEP-side changed. Our phone number in the DEP changed. We had the error until we generated a new token that contained up-to-date DEP info.



Per a conversation with JAMF, it has been identified that the issue is a defect in the current version of Casper.
2 scenarios:
iOS: "Make MDM Profile Mandatory" check box is selected
OSX: when "Make MDM Profile Mandatory" is selected but "Allow MDM Profile Removal" is deselected.


I have neither of these selected on the OSX side and am still seeing the error.


We're experiencing the same issue. Our admin will try updating our DEP tokens and see if that fixes it.


This fixed my problem. https://jamfnation.jamfsoftware.com/featureRequest.html?id=2270


Turns out, our time server on our JSS was off by 9 minutes. Updated it via command line and it resolved it immediately. (face palm)


Everything went fine for me on the iOS side, but I get the same error for OSX (with "Make MDM Profile Mandatory" selected and "Allow MDM Profile Removal" deselected). We are cloud hosting the JSS; is there any way to update the time server? We're on Pacific time but all of our time stamps are in Eastern time. I'm not sure if that would make a difference or not.


We are running JSS 9.3 and started receiving this error when attempting to create a new Pre-Stage Enrollment for iOS devices:



Unable to contact https://mdmenrollment.apple.com about a new PreStage enrollment or changes to an existing PreStage enrollment



We have created iOS Pre-Stage enrollments in the past without any trouble.



We like to make the MDM profile mandatory and not allow it to be deleted, but I can confirm that in our case, unchecking "Make MDM Profile Mandatory" and checking "Allow MDM Profile Removal" fixes the above error. That is unfortunate considering that we like to make the MDM profile mandatory.


@dboeshart



The behavior you described is certainly not intended, and is the result of a currently open defect.



For reference, the defect ID is D-007032.



The workaround to the defect is exactly what you've described in your post.



If you haven't already contacted your Technical Account Manager to open up a case on the issue, please do so when you get a chance so we can get the case attached to D-007032 for tracking purposes.



Thanks!



Amanda Wulff
JAMF Software Support


I had this issue when I was testing 9.40 back on 8/19. I contacted Support, and used the workaround of the non-Mandatory and Removable PreStage enrollment.



I could not find the details in my notes today, so I made this the last thing I tested again before going live. It works. Both my test box running 9.40, and after I upgraded live to 9.40.



Perhaps it turned out not to be an issue in the JSS code but in communicating with Apple?



I'm happy. 🙂



chris


I am seeing "Unable to contact https://mdmenrollment.apple.com" again in 9.51. Is the issue back?


@Nick_Gooch we saw this this morning on both our servers. I think it happened last week when we accepted the new DEP terms. We renewed the key and the token and all is good again.


Thank you! We had to accept the new terms and conditions but didn't need to renew the keys and tokens. All is working again.


+1 for accepting new terms. Log in to http://deploy.apple.com and accept the new terms and conditions. Then go back to the JSS. I tried editing a PreStage Enrollment and the error went away.



Thanks!
~Joe


We just started seeing this message two days ago. iPads are not enrolling successfully (getting an "Invalid Profile" error) and the JSS is showing "Unable to contact https://mdmenrollment.apple.com to get the list of devices" when I look at the DEP status and "The DEP service reported an error. (https://mdmenrollment.apple.com [403])
Unable to contact https://mdmenrollment.apple.com to add a device to a PreStage enrollment" when I go to the PreStage Enrollment page.



I did log into deploy.apple.com to make sure there weren't new terms to accept (I remember having to do that back in Sept), but no new terms.



Any new ideas about this? Oh, and we are running JSS 9.6


@musat, please log into your DEP, look at your server list, and look for the "last connected" date. I'd bet that date is the last time your enrollment worked. I had the same problem, exactly as you described. I set up new tokens (uploaded a new token from the JSS to the DEP, and uploaded a new token from the DEP to the JSS). It was fixed within minutes. I have no idea why it happened, but somehow the tokens stopped allowing communication and that "last connected" date reflected it.


You are correct about the "Last Connected" date. I tried refreshing the token, but got a "Problem contacting Apple services" when uploading the new server token to the JSS. Looking at the date, I realized that this was the date that I moved the JSS VM to a different host server. I moved the VM back to the original host and it connected with the DEP server right away.



So the question now is, what difference would a different VM host make when everything else about the JSS server was working without any issues? Because the VM host server is scheduled to be replaced, which is why we moved the JSS server off of it.


Hmm that's a stumper. Do you have a backup of the VM you could restore onto the "new" host server and test with?



If you do, I'd try running these commands from the VM.



telnet 35-courier.push.apple.com 5223
telnet albert.apple.com 443
telnet gateway.push.apple.com 2195
telnet gateway.push.apple.com 2196



If any of those fail, you've got a communication issue. There could be a ton of other stuff, but those are the 4 commands I have from JAMF that helped me troubleshoot a past communication issue.



Similarly, when the VM was on the new host, you confirmed the system time was correct? I've had issues before where time was wrong, so the tokens failed. Maybe daylight savings time is involved... maybe??
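
The four reachability checks and the system-time check suggested in the post above, combined into one script. This is an added example, not part of the original thread and not JAMF's own tooling. The function names are hypothetical, and using the HTTP Date header returned by https://mdmenrollment.apple.com as the time reference is an assumption.

```python
import socket
import urllib.error
import urllib.request
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Hosts and ports taken from the telnet checks in the post above.
ENDPOINTS = [("35-courier.push.apple.com", 5223), ("albert.apple.com", 443),
             ("gateway.push.apple.com", 2195), ("gateway.push.apple.com", 2196)]

def check_port(host, port, timeout=5.0):
    """Try every resolved address, as telnet does; report the overall result."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"
    seen = set()
    for family, socktype, proto, _, addr in infos:
        with socket.socket(family, socktype, proto) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect(addr)
                return "open"
            except ConnectionRefusedError:
                seen.add("refused")      # connection was actively rejected
            except socket.timeout:
                seen.add("timeout")      # no answer at all: silently dropped
            except OSError:
                seen.add("unreachable")  # no route, network down, etc.
    return next((r for r in ("refused", "timeout") if r in seen), "unreachable")

def clock_skew_seconds(date_header, now=None):
    """Local clock minus the server's HTTP Date header, compared in UTC,
    so the time zone the server displays does not affect the result."""
    server = parsedate_to_datetime(date_header)
    now = now or datetime.now(timezone.utc)
    return (now - server).total_seconds()

def server_date(url, timeout=10.0):
    """Fetch the Date header; an HTTP error response (403, 404) still has one."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.headers["Date"]
    except urllib.error.HTTPError as err:
        return err.headers["Date"]

if __name__ == "__main__":
    for host, port in ENDPOINTS:
        print(f"{host}:{port} -> {check_port(host, port)}")
    skew = clock_skew_seconds(server_date("https://mdmenrollment.apple.com"))
    print(f"local clock differs from server by {skew:+.0f} s")
```

Run it on the JSS host itself, once on each VM host if the server has been moved, and compare the two outputs.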


Thanks for the links. I'll give them a try. There are also two other new VM hosts that I am going to try moving the JSS server to, but now that I know that this could be an issue I'll be waiting to test off hours.


Checking on an issue with the error: "Unable to contact https://mdmenrollment.apple.com about a new PreStage enrollment or changes to..." and running chlaird's telnet check, all but one worked.



Error as follows with "telnet 35-courier.push.apple.com 5223":



System:~ user$ telnet 35-courier.push.apple.com 5223
Trying 17.172.232.51...
telnet: connect to address 17.172.232.51: Connection refused
Trying 17.172.232.53...
telnet: connect to address 17.172.232.53: Connection refused
Trying 17.172.232.59...
telnet: connect to address 17.172.232.59: Connection refused
Trying 17.172.232.83...
telnet: connect to address 17.172.232.83: Connection refused
Trying 17.172.232.90...
telnet: connect to address 17.172.232.90: Connection refused
Trying 17.172.232.57...
telnet: connect to address 17.172.232.57: Connection refused
Trying 17.172.232.70...
telnet: connect to address 17.172.232.70: Connection refused
Trying 17.172.232.64...
telnet: connect to address 17.172.232.64: Connection refused
telnet: Unable to connect to remote host



Would this be an internal networking issue if the other 3 telnet checks worked?


Checking into 30-courier.push.apple.com, there is an issue inside and outside our network. May not be our network, does this still exist or is the domain incorrect?



Any other thoughts out there?


Checking into 35-courier.push.apple.com, there is an issue inside and outside our network. May not be our network, does this still exist or is the domain incorrect?



Any other thoughts out there?


As of two minutes ago, I can reach all 4:





Starting Tests.....



APNs tests beginning #info #network
Feedbackhost (gateway.sandbox.push.apple.com): Resolving DNS Name
Pushhost (gateway.sandbox.push.apple.com): Resolving DNS Name
Courierhost (5-courier.sandbox.push.apple.com): Resolving DNS Name
Altcourierhost (5-courier.sandbox.push.apple.com): Resolving DNS Name
Altcourierhost (5-courier.sandbox.push.apple.com): 17.172.232.9
Courierhost (5-courier.sandbox.push.apple.com): 17.172.232.9
Altcourierhost (5-courier.sandbox.push.apple.com): Checking for proxy
Courierhost (5-courier.sandbox.push.apple.com): Checking for proxy
Altcourierhost (5-courier.sandbox.push.apple.com): No proxy found. Attempting to connect
Courierhost (5-courier.sandbox.push.apple.com): No proxy found. Attempting to connect
Registered for APNs with token XXXXX
Connected to Courierhost (5-courier.sandbox.push.apple.com) at IP address 17.172.232.9 on port 5223
Connected to Altcourierhost (5-courier.sandbox.push.apple.com) at IP address 17.172.232.9 on port 443
Pushhost (gateway.sandbox.push.apple.com): 17.172.232.18
Feedbackhost (gateway.sandbox.push.apple.com): 17.172.232.18
Pushhost (gateway.sandbox.push.apple.com): Checking for proxy
Feedbackhost (gateway.sandbox.push.apple.com): Checking for proxy
Pushhost (gateway.sandbox.push.apple.com): No proxy found. Attempting to connect
Feedbackhost (gateway.sandbox.push.apple.com): No proxy found. Attempting to connect
Connected to Pushhost (gateway.sandbox.push.apple.com) at IP address 17.172.232.18 on port 2195
Connected to Feedbackhost (gateway.sandbox.push.apple.com) at IP address 17.172.232.18 on port 2196
Trying to sending ourselves a push notification
Sent Push....Waiting for a response
Received Push Notification
APNs tests completed with 4 passed and 0 failed. #info #network


Ok, if I still get the error for "telnet 35-courier.push.apple.com 5223", then it has to be our network as others are able to connect. Am I right in the assumption? Curious.


I believe so. I don't believe anything changed on the Apple side, so the directions from JAMF should still be current, and that's what they told me. "connect to all 4. if you can't hit any of them, that's a problem"

