Unable to decrypt encrypted profile - Configuration Profiles

@rhoward

It sounds like you’re running into the behavior described in D-007135, in which we’d see that error happen on computers that are already in the JSS or were re-imaged while already in the JSS.

It’s caused by a timing issue between when the profile tried to install and the token update being pushed; when working normally, the profile will wait for the token update to go out before it attempts to install itself. With the defect, it fails to wait, goes first, and gets rejected because there is a mismatch.

D-007135 was fixed in 9.4.

Thanks!
Amanda Wulff
JAMF Software Support

FYI I'm seeing 'unable to decrypt profile' issue again in 9.62, similar to above only on reimaged computers. Working with support on it.

Still seeing this in 9.62 as well.

@jacom_salmela - are you seeing unable to decrypt issue with all OS's on reimage? So far I consistently see it with 10.9.4 base image, but not 10.10.1

We are not on Yosemite yet, but I see it very often with 10.9.5 and 10.9.4

@rhoward @CasperSally @jacob_salmela are you still seeing this behavior?

@david.kittle Affirmative. However, it is inconsistent. I have a test machine that I have imaged about a dozen time and it happened ~40% of the time.

@david.kittle][/url - yes. you have my base OS image and are working with me on it through support I believe. It's 100% reproducible in our environment with machines that exist in JSS.

Edit: works with 10.10 fine, but consistently gets error with 10.9

Add 10.8.5 to the list.

@jacob_salmela and @casper_ghost - is your JSS windows by chance? Looking for a common thread. Support hasn't been able to replicate the issue but it's 95% consistent for me on 10.9 with 9.62.

@CasperSally negative. Ours is on Ubuntu. I still see this with 9.63.

@jacom_salmela are you working with support too? thanks for letting me know it happens on 9.63 too.

FYI for anyone else who may see this issue, my issue was filed with defect D-007135.

We are still seeing this with 9.65 on 10.9.5 clients

Same here.

Glad I'm not alone. There's misery in company... I guess.

@marktaylor @jacob_salmela

Just to update you all, the defect mentioned earlier in this thread, and by @CasperSally on 2/6 has been re-opened, so if you’re seeing this behavior it may be due to D-007135.

If you have not already opened up a case with your Technical Account Manager, please do so so they can assist with further troubleshooting to either verify that you are experiencing the behavior described in D-007135 or to find out what the underlying cause is if it appears that that is not what you’re seeing in your environment.

You can get in touch with your Technical Account Manager either by giving Support a call, sending an e-mail to support@jamfsoftware.com (it will route directly to their case queue), or by using the My Support section of JAMF Nation.

Thanks for your patience!

Amanda Wulff
JAMF Software Support

Hello Seems I am getting this on JSS 9.96

I was experiencing similar issues with same scenario. Newly imaged machine already in JSS. with 9.96. What I ended up doing to fix this issue was to: sudo jamf removeFramework command. I restarted machined and then went to the website to enroll it to jss. After that it got the configuration profile within a minute or so. Hope this helps you.

Hi I am having this issue on one mac on 10.11.6 and JSS 9.97. It was previously managed by Profile manager but the old profiles were successfully removed and then enrolled in JSS and added to a configuration profile. I have tried various attempts to resolve but still returns the "unable to decrypt" fail. The mac enrols ok and has the verified MDM Profile in Sys Prefs. I can re enrol it with Profile Manager and it works perfectly again using that system. I have done numerous changeovers from Profile Manager but its just one stubborn iMac that gets this fail.

Is anyone still seeing this on 10.13 with JAMF Pro? I am attempting to setup a plist for Chrome settings via configuration profile and it gives me this error.

I have it as well... computer was initially enrolled and encrypted. I reformatted the hard drive HFS+ and still I get the error "Unable to decrypt encrypted profile."

Tried the terminal command listed above: sudo jamf removeFramework

Still cannot decrypt encrypted profile...

Any suggestions? Sigh... I'm going to try and reformat using APFS Encryption and see what Jamf Pro does after enrollment then...

We're seeing this issue as well running Jamf Pro JSS 9.101.0. Has there been any solution found as yet?