Jamf Nation Community

The localization (at least the german translation) is still a mess.

When I saw the release this morning I thought I'll wait till 9.31. But then looking through the release notes it does seem to have a ton of bug fixes from 9.2x. I may wait a couple of days but I am thinking of upgrading this week if no major quirks are found.

doesn't seem to be addressing of the netboot/JDS imaging issue.

I'm seeing issue with Self Service on freshly imaged machines. It doesn't show any links in the sidebar and fails to run policies. Enrollment also seems to be broken on freshly imaged machines. Removing the framework and doing either quick add or -prompt enroll fails.

error displayed is: Failed to enforce management framework.... There was an error...unknown error has occurred.

Weird error in Casper Remote:

Write Failed: Broken Pipe

The actions never showed as completed but seemed to be on the clients.

@jhbush1973, we're on 9.23 and new enrollments don't show any of our URLs on the sidebar in Self Service either. Systems that have upgraded their binaries from older versions retain the URLs. Not sure that is a new 9.3 issue.

@alexjdale][/url I'm seeing the same behavior here as well. The problems seem to effect only newly imaged machines. Self Enrollment fails as well. The MDM profile does not get installed, and I'm not sure where you grab that to install it via Profiles cli. I'm also seeing very slow imaging with 9.3 as well.

I have a new iMac I can't get to take on mdm capability for the life of me. It's erroring with "unknown error". I've put up the -verbose flag on the jamf -enroll command, and everything seems to be fine up to this point:

verbose: Creating launchd item for startup item...
Failed to enforce the management framework: Unknown Error - An unknown error has occurred.

This happens in enrolling as well as if I try to force it afterwards with -manage.

Not sure what to do. Removing framework and attempting to reinstall does nothing to fix this. I even wiped it disk utility and reinstalled from recovery. Using a quickadd.pkg I just created with the 9.3 casper remote flat out fails (post flight errors), wiping and running recon on it does no good either. This is a brand new out of the box (literally out of the box this morning) OSX with no tampering whatsoever. I'm about out of ideas here.

@jardoin1 I would say file a bug report because that's exactly the same behavior I'm seeing here as well.

After reading this thread I did. I was thinking I was somehow messing this up somewhere, but not sure where because there's nothing to mess up. It was driving me nuts.

@jpellet2- I believe that the VPP Accounts button in Global Management only becomes available once you perform the users migration under the Users tab. Here's a kbase article explaining the process: https://jamfnation.jamfsoftware.com/article.html?id=362

Hope that helps!
-Kitzy

@johnkitzmiller][/url I just did the User Migration and I still don't have a VPP button, only DEP right now.

-Nevermind, I have it now.

I checked the logs and I'm seeing this show up in my logs about every minute.

014-03-26 09:37:26,156 [ERROR] [Tomcat-4 ] [lientCommunicationServlet] - Error processing communication content

This error shows up when I try and enroll a machine into the JSS.

[WARN ] [Tomcat-179 ] [MdmApnsConnectionHelper ] - Unable to send check-in notification to COMPUTER ID: 100 with token: ""

Looks like I'm not alone. I can no longer enroll any computers either. Same errors that jhbush1973 posted. I put in a support ticket... I hope there is a fix soon.

Haven't heard back from JAMF yet but I can confirm that it is the cert auth that is broken. I disabled it in JSS and JDS and the errors are now gone and computers are checking in and enrolling just fine. I hope 9.31 comes out soon to fix this.

@oneloveamaru did disabling certificate based clear up both sets of errors?

@jhbush1973 it cleared up the Error processing communication content BUT apparently the upgrade also broke the APN Cert. Go into Computer Management - Management Framework and then open up Security. If the Enable Push Notifications isn't there, your APN Cert is also hosed. They told me to try renewing it but I'm holding off for an unrelated issue that I want to resolve(changing the server in the MDM Enrollment profile).

Apparently the client cert fix is coming though and it is a known issue. I want to turn it back on ASAP.

Add me to the list with issues enrolling in MDM with 9.3. Brand new MacBook Air won't install the MDM certs. Recreated the JSS CA cert, restarted Tomcat, tried with wi-fi turned off. Quick add wouldn't work either to get the machine in the JSS, I had to use Recon with Remote Computer enrollment. Existing devices are working fine with profiles, etc, just not this new machine.

@johnnasset][/url Having the same issue enrolling machines into a brand new JSS 9.3 (we did JumpStart this week). MDM profile won't install during enrollment, Macbook Air or 15" Macbook Pro. I'm working with JAMF Support right now on the issue.

@emilykausalik I disabled the certificate based authentication and MDM as mentioned above. That seems to resolve adding machines to the JSS. It seems like this is a known issue. JAMF really needs a RADAR like clearing house for issues.

@jhbush1973][/url

Yes, but disabling the certificate based authentication also disables push notifications. No go for us. Hopefully a fix will come soon.

EDIT: Just discovered that machines that were previously enrolled with MDM are dropping their certs. Bad stuff.

Definitely seems to be a certificate issue, though based on the DEBUG logs we captured to send in for analysis the certs in the database are fine. Not sure where the disconnect is happening. Hopefully they'll be able to resolve it soon.

Hi everyone, I will be upgrading our JSS from 8.73 to Casper 9.x at the end of this week. Should I stick with 9.24 as a stable release seeing the mentioned above issues or does 9.24 it's own bag of hurt?

Thanks

@frank whichever one tests better in your test environment is the one I'd go with. Seems like they both have some pretty significant bugs, though

Hey all,

I should have updated this Friday of last week, but what actually ended up being the issue in my case was the presence of a comma in our Organization Name under System Settings > Activation Code

Once I removed that comma, systems could enroll again. Not sure why that caused it to break this version where it worked in previous versions - but it cleared up immediately.

@jardoin1 That was something we did during my support session with JAMF Support, but that didn't fix the issue for us. Definitely worth a shot for others, but not a guaranteed fix.

Not sure what changed for us over the weekend but I can now enroll machines using the following command:

sudo jamf enroll -prompt -verbose

Haven't tried yet with a quick add package but I'll report back when that happens.

@johnnasset we've been trying that too, but we still get an MDM profile error:

verbose: Attempting to install the mdm profile at the computer level.
Problem installing MDM profile.
Problem detecting MDM profile after installation.

Obviously the best case scenario would be it would start working correctly. But the thing that gets me is when you run the QuickAdd package and it says installation failed, even though it worked with the exception of the MDM profile. I'm hesitating to roll this out to users if they are going to get a failure message.

If we keep certificate-based authentication turned off while we enroll machines, will turning it on later (in the event that this issue is resolved) update the agent and include push notifications? Or will it just always be busted?

@emilykausalik

The Quick Add is now working this morning. Other than renewing our built-in CA and APNs certificate (which didn't fix it last week), not sure why it started working this morning. The only other change I made was I removed the url from Settings-Global Management-JSS URL-JSS URL for Enrollment Using Built-in SCEP and iPCU. Not sure if this helped or not.

@johnnasset

Hot damn, that worked! I removed that URL from the Settings > Global Management > JSS URL > JSS Url for Enrollment Using Built-in SCEP and iPCU and it worked.

verbose: Attempting to install the mdm profile at the computer level.
The computer was successfully enrolled in MDM with the JSS.

Weird! We're not enrolling mobile devices anyway, really, we just want the push notification system to work. I wonder what was going on with that URL field? I'll pass this along to my JAMF Support helper on this issue to help them narrow their scope to see what's going on.

Thanks!

@emilykausalik

Good to hear. Yeah, seems like a weird fix. Hopefully this will help some other folks as well.

So to be clear enrolling a Mac into 9.3 works for everyone? We've always had random MDM issues so not a key requirement for us at this stage, but basic enrolment I hope hasn't broken in 9.3! :)

Not until I removed the URL from Settings > Global Management > JSS URL > JSS Url for Enrollment Using Built-in SCEP and iPCU

Hm, something I've found (even with MDM finally working) is that when I try to remote install a package Casper Remote is unable to open the SSH connection. When I have "Enable certificate-based authentication" turned OFF, it works fine.

Hmm, not having the same issue.

hmm, did 9.24 have these issues? The more I read this forum the more i'm having 2nd thoughts about 9.3. I'm migrating from 8.73 in a few days so I have enough issues to deal with as it is...

We are running 9.25 and it's pretty good. After seeing some of this stuff I have held back on going to 9.3. I'll probably wait till 9.31 or 9.32. We first moved from 8.73 to 9.21 at the end of November. We haven't had any major issues. Each update got a little better. 9.25 is running well for us right now. You might want to go with that and then wait until the 9.3 stuff gets ironed out.

Ah yes @rcorbin I forgot about 9.25, i'll continue my migration testing on that version going forward as 9.3 seems a tad risky post migration from 8 at this stage.