Posted on 06-03-2017 10:01 AM
Hello
We upgraded our JSS from 9.96 to 9.99 the other day. Now our Mountain Lion machines stopped checking in. The error we receive is "An SSL error has occurred and a secure connection to the server cannot be made." syslog confirms this same error. However the cert looks OK when using a browser, and SSL Certificate Validation is not turned on in Settings.
We suspect the problem may be with tomcat and the ciphers used (judging from server.xml and its backup)
Attempting to re-enroll with an updated quickadd fails but this may be expected due to deprecations.
I tried searching but found zip. Anyone seen this before?
Posted on 06-05-2017 05:08 AM
It appears mine are not either.
Posted on 06-05-2017 07:10 AM
Don't have many left, but the few 10.8's we have appear to be checking in fine. I can see that they upgraded their binary to 9.99.0-t1494340586+LEG.
Posted on 06-05-2017 07:27 AM
We don't have many left either, but they are checking in just fine.
Posted on 06-05-2017 07:29 AM
I think mine broke from a different jamf upgrade, my jamf binary file was 0 bytes.
Removed /usr/local/jamf and then reloaded the 9.99 quick add and it started working again.
Posted on 06-05-2017 07:48 AM
Our binaries never upgraded at all. It seems like all the 10.8 machines lost communication due to the SSL error after upgrading to 9.99.
FWIW we're running RHEL 6.8.
Posted on 06-05-2017 08:17 AM
Might want to take a peek at this article:
https://www.jamf.com/jamf-nation/articles/222/preventing-the-jamf-binary-from-updating
Which now has this info at the top of the window:
Important: This process is only applicable to the JSS v9.73 or earlier. As of the JSS v9.8, policies will no longer run on a computer that has an older version of the jamf binary installed. The JSS will only run policies on a computer if the version of the jamf binary is the same version as the JSS. If you followed the workflow highlighted in this article to prevent the jamf binary from updating on a computer and you plan to upgrade the JSS to v9.8 or later, you will need to manually remove the do_not_upgrade_jamf preference to re-enable policies on that computer.
Posted on 06-05-2017 08:38 AM
I have, but you know that already. The issue lies with TLS 1.0 and 10.8 and earlier clients.
With TLS 1 disabled in /usr/local/jss/tomcat/conf/server.xml, the 10.8 and older systems cannot establish a secure ssl connection. With TLS 1.0 enabled, they can.
What's really odd about this is that I'm 99.9% certain we had disabled TLS 1.0 a year ago, and we disabled all the remaining 64-bit ciphers in April, in response to the SWEET32 birthday attack vulnerabilities. Through all of that, the pre-10.9 systems were still able to connect. After the 9.99.0 upgrade that seems to have changed. Tomcat was upgraded to 8.0.43 as part of the 9.99.0 upgrade.
It's very possible I'm crazy, and I hadn't disabled TLS 1.0 previously, or that I changed the configuration but never restarted tomcat. That seems super unlikely, since I'm sure we've restarted tomcat on the JSS a dozen times in the last year.
This puts us in the position of either needing a solution to allow 10.8 and earlier systems to communicate with the JSS over TLS 1.1 or 1.2 or a very short timeline for EOLing all the older systems.
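An added audit script, not from this thread or from Jamf, that reads a Tomcat server.xml of the kind discussed above and reports, per SSL-enabled Connector, whether TLSv1 and any SWEET32-affected 64-bit ciphers are still enabled; the embedded server.xml is a constructed sample, and the cipher names and weak-cipher markers are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a Tomcat 8 server.xml HTTPS connector such as the
# one in /usr/local/jss/tomcat/conf/server.xml; values are made up for the demo.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
  </Service>
</Server>
"""

# Substrings identifying ciphers a practitioner would normally disable: 64-bit block
# ciphers hit by SWEET32 (3DES, DES, RC2, IDEA) plus RC4, NULL, export and anonymous suites.
WEAK_CIPHER_MARKERS = ("3DES", "DES_", "RC2", "IDEA", "RC4", "NULL", "EXPORT", "anon")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}


def _split_attr(value: str) -> list:
    """Split a comma-separated Tomcat attribute into a list of trimmed names."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_connectors(server_xml: str) -> list:
    """Return one finding per SSLEnabled="true" Connector found in the server.xml text."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        # If sslEnabledProtocols is absent, Tomcat falls back to the JVM defaults, which
        # cannot be judged from the file alone; report that explicitly.
        protocols = _split_attr(conn.get("sslEnabledProtocols", ""))
        ciphers = _split_attr(conn.get("ciphers", ""))
        findings.append({
            "port": conn.get("port"),
            "protocols_explicit": bool(protocols),
            "legacy_protocols": sorted(set(protocols) & LEGACY_PROTOCOLS),
            "tls10_enabled": bool({"TLSv1", "TLSv1.0"} & set(protocols)),
            "weak_ciphers": [c for c in ciphers if any(m in c for m in WEAK_CIPHER_MARKERS)],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

To check the live file instead of the sample, pass `open("/usr/local/jss/tomcat/conf/server.xml").read()` to `audit_connectors`; a connector with `tls10_enabled` true is the one that pre-10.9 clients depend on, and the `weak_ciphers` list shows what SWEET32 cleanup still has to remove.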
Posted on 06-05-2017 08:41 AM
NB: the issue we are experiencing is not a binary-specific issue. The binary is unable to establish a secure SSL connection to the JSS without TLS 1.0 enabled. Attempting to enroll one of these systems with a 9.99.0 QuickAdd results in a failure as well, and the log indicates the same issue: SSL connection cannot be established.
Posted on 06-05-2017 09:25 AM
@Sandy Thanks but that isn't the root cause. We get the message "An SSL error has occurred and a secure connection to the server cannot be made." (The do_not_upgrade flag was a cause of some problems about a year ago with a prior upgrade, despite us not setting it.)
Posted on 06-05-2017 10:26 AM
Just looked through a few of our 10.8 machines and many seem to be checking in and have upgraded to 9.99.0-t1494340586+LEG.
I do have a number that are not checking in but I think those were lost during a different upgrade.
Posted on 06-06-2017 05:38 AM
It's possible that the TLS1 ciphers were in use before due to JDS & that is why 10.8 works for some & not others (see this)
Posted on 06-06-2017 05:50 AM
@bentoms Thanks. FWIW, we disabled TLS1 a while back but everything was working, even older OSes. The 9.99 upgrade is when we had the problems, but re-enabling TLS1 yesterday allowed the 10.8 machines to communicate and upgrade the binary. So, work in progress, as I don't want to keep TLS1 enabled, and need to eliminate these 10.8 machines...
Posted on 06-06-2017 06:38 AM
@seann ah cool.. just a thought :)
Posted on 06-06-2017 12:50 PM
Support confirmed that TLS1 is needed for 10.8 machines. Not sure why they were working prior to the 9.99 update with TLS1.0 turned off, but that's the official word.