Question

9.3 quirks

  • March 24, 2014
  • 49 replies
  • 120 views

  • Contributor
  • March 31, 2014

Hey all,

I should have updated this Friday of last week, but what actually ended up being the issue in my case was the presence of a comma in our Organization Name under System Settings > Activation Code.

Once I removed that comma, systems could enroll again. Not sure why that caused it to break this version where it worked in previous versions - but it cleared up immediately.


emily
  • Hall of Fame
  • March 31, 2014

@jardoin1 That was something we did during my support session with JAMF Support, but that didn't fix the issue for us. Definitely worth a shot for others, but not a guaranteed fix.


  • Contributor
  • March 31, 2014

Not sure what changed for us over the weekend but I can now enroll machines using the following command:

sudo jamf enroll -prompt -verbose

Haven't tried yet with a quick add package but I'll report back when that happens.


emily
  • Hall of Fame
  • March 31, 2014

@johnnasset we've been trying that too, but we still get an MDM profile error:

verbose: Attempting to install the mdm profile at the computer level.
Problem installing MDM profile.
Problem detecting MDM profile after installation.

Obviously the best case scenario would be it would start working correctly. But the thing that gets me is when you run the QuickAdd package and it says installation failed, even though it worked with the exception of the MDM profile. I'm hesitating to roll this out to users if they are going to get a failure message.

If we keep certificate-based authentication turned off while we enroll machines, will turning it on later (in the event that this issue is resolved) update the agent and include push notifications? Or will it just always be busted?


  • Contributor
  • March 31, 2014

@emilykausalik

The Quick Add is now working this morning. Other than renewing our built-in CA and APNs certificate (which didn't fix it last week), not sure why it started working this morning. The only other change I made was I removed the url from Settings-Global Management-JSS URL-JSS URL for Enrollment Using Built-in SCEP and iPCU. Not sure if this helped or not.


emily
  • Hall of Fame
  • March 31, 2014

@johnnasset

Hot damn, that worked! I removed that URL from the Settings > Global Management > JSS URL > JSS Url for Enrollment Using Built-in SCEP and iPCU and it worked.

verbose: Attempting to install the mdm profile at the computer level.
The computer was successfully enrolled in MDM with the JSS.

Weird! We're not enrolling mobile devices anyway, really, we just want the push notification system to work. I wonder what was going on with that URL field? I'll pass this along to my JAMF Support helper on this issue to help them narrow their scope to see what's going on.

Thanks!


  • Contributor
  • March 31, 2014

@emilykausalik

Good to hear. Yeah, seems like a weird fix. Hopefully this will help some other folks as well.


  • Contributor
  • March 31, 2014

So to be clear enrolling a Mac into 9.3 works for everyone? We've always had random MDM issues so not a key requirement for us at this stage, but basic enrolment I hope hasn't broken in 9.3! :)


  • Contributor
  • March 31, 2014

Not until I removed the URL from Settings > Global Management > JSS URL > JSS Url for Enrollment Using Built-in SCEP and iPCU


emily
  • Hall of Fame
  • March 31, 2014

Hm, something I've found (even with MDM finally working) is that when I try to remote install a package Casper Remote is unable to open the SSH connection. When I have "Enable certificate-based authentication" turned OFF, it works fine.


  • Contributor
  • March 31, 2014

Hmm, not having the same issue.


  • Contributor
  • March 31, 2014

Hmm, did 9.24 have these issues? The more I read this forum the more I'm having 2nd thoughts about 9.3. I'm migrating from 8.73 in a few days so I have enough issues to deal with as it is...


  • Valued Contributor
  • March 31, 2014

We are running 9.25 and it's pretty good. After seeing some of this stuff I have held back on going to 9.3. I'll probably wait till 9.31 or 9.32. We first moved from 8.73 to 9.21 at the end of November. We haven't had any major issues. Each update got a little better. 9.25 is running well for us right now. You might want to go with that and then wait until the 9.3 stuff gets ironed out.


  • Contributor
  • March 31, 2014

Ah yes @rcorbin I forgot about 9.25, I'll continue my migration testing on that version going forward as 9.3 seems a tad risky post migration from 8 at this stage.


bentoms
  • Hall of Fame
  • March 31, 2014

9.3 seems ok to me.

Issues we have are all 9.x related.


jhbush
  • Esteemed Contributor
  • March 31, 2014

@jardoin1 I used your suggestion about removing the comma between the company name and that seems to resolve at least the MDM enrollment at imaging time for my machines. I disabled the MDM settings over the weekend and just turned them back on after I made that minor change. I ran a jamf manage on the machines and they seem to be grabbing the MDM profiles just fine. I did notice that the override building locations was also acting strange. The log shows two checkins for the same time. One grabs the building and assigns it according to IP range, the other removes it.


  • Contributor
  • April 1, 2014

Looks like 9.3 should have never made it out of QA. I have everything working again EXCEPT JDS Cert Auth. I am however still getting some errors about generating a certificate when debug is turned on in /logging.html that JAMF appears to have no idea how to fix. It doesn't seem like it's affecting anything as far as I can tell.

@jhbush1973 We seem to have had the same exact problems with our upgrades. I also turned back on MDM after removing a "," in our company name and it appears to have fixed the issue. jamf manage also got the rest of the computers back on to MDM. Is your JDS cert auth turned on and working? I can't get it to work on computers already enrolled and with fresh new computers enrolling.


  • Contributor
  • April 7, 2014

We upgraded to 9.3, and now our new MacBooks won't bind to the directory. When I go to check the logs, the JSS locks up and fails. It's not been fun.


dvasquez
  • Valued Contributor
  • April 10, 2014

To add to this discussion, I am seeing clients move in and out of smart groups all by themselves. These smart groups are mainly based on Building and Department criteria. They just move in and out all the time. This is over and above the normal activity usually seen. Clients that belong to locations are disappearing. I am also seeing crashes regularly with Casper Admin, and I am having a tough time getting OS upgrades to work out of Self Service; I am using createdOSXInstall. I am seeing issues after packages install or policies run with recon. The error is "Running Recon... Error running recon: Connection failure: "The host MYSERVER.com is not accessible.""
Nothing is unreachable either; my server is totally up and available.

I am seeing some issues with enrollments. I agree with @oneloveamaru QA was not done right on this release.


  • Valued Contributor
  • April 15, 2014

Hi dvasquez,

The Smart Groups issue you are experiencing is one we have had problems with for over a year. JAMF Support acknowledged that this was a defect (D-002920) where smart groups based on fields from Location Information have computers leave unexpectedly and rejoin. At the time I contacted them (Feb 2013) there were no workarounds listed other than to base the smart groups on another variable (other than Location Info). Here's an old post on this issue:

https://jamfnation.jamfsoftware.com/discussion.html?id=5227

Looks like it is still an issue with v9. We haven't been able to rely on Smart Groups based on Location for over a year now. Things would be much more efficient if we could count on Location Smart Groups to be accurate. I really hope this can be fixed soon.

~Joe


  • Contributor
  • April 16, 2014

Hi dvasquez and nsdjoe,

I am having the same problems with iPads leaving smart groups and reappearing. Mine seems to be caused by the inventory disappearing during an update. I watched it happen this afternoon - I clicked the "Update Inventory" button on the management tab, then reasonably quickly had a look at the device in question.

The inventory page listed 0 Apps, 0 certificates and 0 profiles. After a few seconds these values were once again correctly displayed.

Cheers,
Chris.


  • Hall of Fame
  • April 16, 2014

The "Failed to enforce the management framework: Unknown Error - An unknown error has occurred." error showed up for me as well in my test environment. What appears to have fixed it is adding my Casper URL to the previously blank JSS Url for Enrollment Using Built-in SCEP and iPCU, saving the change, then removing the URL and saving the change.


  • Hall of Fame
  • April 16, 2014

I also had a comma in my organization's name for the Activation Code section which I removed for good measure, but things started working again before I made that change.


  • New Contributor
  • June 9, 2014

Just want to add another comment that the tip from @johnnasset to remove the JSS URL for Enrollment Using Built-in SCEP and iPCU worked for me.

After doing that, I did a jamf removeMdmProfile and a jamf manage, and MDM enrolled fine.