Adding Macs to new JSS; not enrolled in MDM

RobertHammen
Valued Contributor II

Client was having issues with some machines being enrolled and being MDM-capable, others not.

We spun up a new 9.23 JSS, using the self-signed JSS CA. Everything there looks fine.

Took a client with no profiles, made sure no jamf binary on it.

Ran through the web-based enroll... downloaded the QuickAdd package, which runs but complains it failed. The computer does show up in the JSS, but it has no profiles and is not mdm capable. Log below. Any thoughts?

Feb 7 15:44:47 testclient.local installd[2871]: ./postinstall: Downloading the JSS CA Certificate...
Feb 7 15:44:48 testclient.local installd[2871]: ./postinstall: Error creating user: An account with the user name ladmin already exists.
Feb 7 15:44:48 testclient.local installd[2871]: ./postinstall: This computer was successfully enrolled to the JSS with the following device certificate: "18EFDA11-64F4-57E3-B53F-A22E0FF92635"
Feb 7 15:44:49 testclient.local installd[2871]: ./postinstall: Retrieving inventory preferences from https://jss.organization.org:8443/...
Feb 7 15:44:49 testclient.local installd[2871]: ./postinstall: Locating accounts...
Feb 7 15:44:49 testclient.local installd[2871]: ./postinstall: Locating applications...
Feb 7 15:44:49 testclient.local installd[2871]: ./postinstall: Locating hard drive information...
Feb 7 15:44:49 testclient.local installd[2871]: ./postinstall: Searching path: /Applications
Feb 7 15:44:49 testclient.local installd[2871]: ./postinstall: Locating package receipts...
Feb 7 15:44:49 testclient.local installd[2871]: ./postinstall: Locating printers...
Feb 7 15:44:51 testclient.local installd[2871]: ./postinstall: Locating hardware information (Mac OS X 10.9.0)...
Feb 7 15:45:13 testclient.local installd[2871]: ./postinstall: Submitting data to https://jss.organization.org:8443/...
Feb 7 15:45:14 testclient.local installd[2871]: ./postinstall: <computer_id>2</computer_id>
Feb 7 15:45:14 testclient.local installd[2871]: ./postinstall: Getting management framework from the JSS...
Feb 7 15:45:14 testclient.local installd[2871]: ./postinstall: Enforcing management framework...
Feb 7 15:45:14 testclient.local installd[2871]: ./postinstall: Checking availability of https://jss.organization.org:8443/...
Feb 7 15:45:14 testclient.local installd[2871]: ./postinstall: The JSS is available.
Feb 7 15:45:15 testclient.local installd[2871]: ./postinstall: Enforcing login/logout hooks...
Feb 7 15:45:16 testclient.local installd[2871]: ./postinstall: The computer was not enrolled in MDM with the JSS. The device certificate did not install.
Feb 7 15:45:16 testclient.local installd[2871]: ./postinstall: Enforcing scheduled tasks...
Feb 7 15:45:16 testclient.local installd[2871]: ./postinstall: Creating launch daemon...
Feb 7 15:45:17 testclient.local installd[2871]: ./postinstall: Creating launch agent...
Feb 7 15:45:17 testclient.local installd[2871]: ./postinstall: Checking for policies triggered by enrollmentComplete
Feb 7 15:45:20 testclient.local installd[2871]: ./postinstall: Enrollment Failed. This PKG may be used already.
Feb 7 15:45:20 testclient.local install_monitor[3657]: Re-included: /Applications, /Library, /System, /bin, /private, /sbin, /usr
Feb 7 15:45:20 testclient.local installd[2871]: PackageKit: releasing backupd
Feb 7 15:45:20 testclient.local installd[2871]: PackageKit: allow user idle system sleep
Feb 7 15:45:20 testclient.local installd[2871]: PackageKit: Install Failed: Error Domain=PKInstallErrorDomain Code=112 "An error occurred while running scripts from the package “QuickAdd.pkg”." UserInfo=0x7fda83597400 {NSFilePath=./postinstall, NSURL=file://localhost/Users/ladmin/Downloads/QuickAdd.pkg, PKInstallPackageIdentifier=com.jamfsoftware.osxenrollment, NSLocalizedDescription=An error occurred while running scripts from the package “QuickAdd.pkg”.} { NSFilePath = "./postinstall"; NSLocalizedDescription = "An error occurred while running scripts from the package U201cQuickAdd.pkgU201d."; NSURL = "file://localhost/Users/ladmin/Downloads/QuickAdd.pkg"; PKInstallPackageIdentifier = "com.jamfsoftware.osxenrollment"; }
Feb 7 15:45:20 testclient.local Installer[3647]: install:didFailWithError:Error Domain=PKInstallErrorDomain Code=112 "An error occurred while running scripts from the package “QuickAdd.pkg”." UserInfo=0x7ff889f3ff90 {NSFilePath=./postinstall, NSURL=file://localhost/Users/ladmin/Downloads/QuickAdd.pkg, PKInstallPackageIdentifier=com.jamfsoftware.osxenrollment, NSLocalizedDescription=An error occurred while running scripts from the package “QuickAdd.pkg”.}

41 REPLIES

RobertHammen
Valued Contributor II

Wiped the machine and loaded a fresh 10.9.1 on it. Still failed. Anyone have any thoughts? Brand new JSS with the built-in JSS CA.

chlaird
New Contributor III

Having the same issue. 9.23 installed in a sandbox, fresh machine enrolled with Recon. Shows successful, but is not MDM enabled and can't pull down any profiles.

chlaird
New Contributor III

sorry, double posted.

ericjboyd
Contributor

Saw this too earlier today. Enrolled two computers into 9.23 and both were listed as Not Enrolled.

Just went to check, and they have both enrolled. Looks like the MDM enrollment during check in is working.

mvught
Contributor

Is there a solution or workaround to this problem?

Edit: Fixed. It was the certificate in Tomcat; we had only changed the "Push Certificates" certificate.

AKuzenkov
New Contributor III

Sounds similar to https://jamfnation.jamfsoftware.com/discussion.html?id=7359

Rebuilding the SSL cert resolved it for me last time.

rcorbin
Contributor II

Did you get it working, @RobertHammen?
Now that I'm reading this I'm kind of holding off on upgrading to 9.23.

RobertHammen
Valued Contributor II

Nope. I did try recreating the Tomcat/SSL cert, made no difference. Also wiped the client I was trying to enroll, no difference. Going to email support and see what they say.

chlaird
New Contributor III

Did a webex with jamf support today. We couldn't find the cause of the problem, everything looks how it should. We're gonna keep working until we figure it out; they said they've heard of a bunch of cases of this happening on 9.23.

appledes
New Contributor III

Yes, we are seeing this as well. It started for us in 8.52 and has carried over into our 9.21 environment. The only machines affected are Mountain Lion, any 10.8.x machines. We are trying to determine if an upgrade to Mavericks will fix it. The hardware is all over the board. We have about 60 that are affected. We as well have tried reimaging (last resort) but often that has no effect. We created a new cert and restarted Tomcat, wiped a machine from JSS and reimaged, but still the problem persists. We have opened a case with JAMF on this.

mvught
Contributor

@appledes
Did you re-enroll the machine and are you sure the "Apache Tomcat Settings" is filled in?

SSL Certificate
Subject Name CN=servername.domain.nl, OU=JSS, O=JAMF Software, L=Minneapolis, ST=MN, C=US

appledes
New Contributor III

Hi mvught. Yes. We re-enrolled manually about 300 machines, and the Apache Tomcat Settings are set. We have about 60 10.8.x machines that enroll successfully and 60 10.8.x that simply refuse. We are about to get our hands on one of the units that won't enroll. Despite my sincerest efforts, I cannot duplicate this in the lab environment. Again, we have several hundred Lion and Mavericks machines, but each of them re-enrolled fine. It is only ML that is affected. Each of these machines was originally enrolled in the 8.52 environment.

mvught
Contributor

And if you delete the machine with jamf removeFramework, then remove the computer from the JSS and then re-enroll?

appledes
New Contributor III

Yes, we tried that sequence but it was not successful.

rcorbin
Contributor II

Will be interested to know if the Casper 9.24 update that just came out fixes this for you. I held off on upgrading to 9.23.

mvught
Contributor

Can you post the log of your error?
And run the following command: sudo jamf enroll -prompt -verbose

RobertHammen
Valued Contributor II

There looked to be 2 changes to the JSS in 9.24; neither seemed directly applicable to the situation.

I have the client trying this now, and I'm trying it in another client environment where I just updated to 9.24.

appledes
New Contributor III

OK. We finally were able to pull one of the affected machines out of the environment and play with it. We found a solution to this. And again.. it's only Mountain Lion and all versions 10.8.1 - 10.8.5.
If WIFI is configured and connected to our network, AND the Ethernet port is in use, the MDM will not enroll. If we turn off Wi-Fi, reboot the machine, log back in with a local admin account and run sudo jamf manage, the MDM profile will now be installed. This scenario is EASILY duplicated on any of the Macs in our lab. Hopefully this will work for others experiencing this problem.

rcorbin
Contributor II

@appledes It does sound a little like the fix in 9.24

[D-006321] Fixed an issue that prevented the JSS from installing OS X configuration profiles with a Network payload and a Wi-Fi network interface.

appledes
New Contributor III

@rcorbin. That's what led us to look in that direction.

chlaird
New Contributor III

Has anyone tested this or had any success with Mavericks? I've been trying every suggestion I've gotten, including reenrolling with Wifi off as local admin, and it's still failing. QuickAdd fails, and jamf -manage just reports that the MDM could not be installed.

appledes
New Contributor III

I have had no problem enrolling Mavericks machines with JSS 9.21 or 9.23.

rcorbin
Contributor II

So is this issue all resolved now? I've been kind of holding off on upgrading to 9.23 or 9.24 since reading this.

james_ridsdale
New Contributor III

I am seeing this issue - iOS seems to work without a hitch. When you say disable AirPort, is the AirPort connected to an SSID or just powered on?

Bartoo
New Contributor III

We're seeing this post 9.3 update.
Any newly imaged Macs show up as not MDM capable - we struck a new QuickAdd .pkg from the 9.3 Recon, removed the framework on any non-MDM capable Mac, installed the QuickAdd, and get:

jamf manage -verbose
Password:
Getting management framework from the JSS...
Enforcing management framework...
 verbose: Timeout: 60
Checking availability of https://ourjssserver.com:8443/...
The JSS is available.
Enforcing login/logout hooks...
 verbose: Creating login hook...
 verbose: Enabling login hook...
 verbose: Creating logout hook...
 verbose: Enabling logout hook...
 verbose: Writing preferences for Login window...
 verbose: Creating startup item script...
 verbose: Created startup item script
 verbose: Creating launchd item for startup item...
** verbose: Attempting to install the mdm profile at the computer level.
Problem installing MDM profile.
Problem detecting MDM profile after installation.**
Enforcing scheduled tasks...
 verbose: Removing existing launchd task /Library/LaunchDaemons/com.jamfsoftware.task.1.plist...
 verbose: Creating task Every 60 Minutes...
 verbose: Adding launchd task com.jamfsoftware.task.1...
Creating launch daemon...
Creating launch agent...
 verbose: Existing plug-in, 2.plist, is up to date.
 verbose: Existing plug-in, 3.plist, is up to date.
 verbose: Existing plug-in, 4.plist, is up to date.

jennifer
Contributor

@Bartoo I am seeing the same thing.

I started up a completely new lab JSS running 9.3 yesterday, new certs and everything. I enrolled a single 10.9.2 machine and I am getting these same results.

This is from the console log from the enrollment:

Checking for policies triggered by "enrollmentComplete"...
Tue Apr 22 12:13:32 jamf[1540]: The management framework will be enforced as soon as all policies are done executing.
Tue Apr 22 12:13:33 jamf[1540]: Removing existing launchd task /Library/LaunchDaemons/com.jamfsoftware.task.checkForTasks.plist...
Tue Apr 22 12:13:33 jamf[1540]: Adding launchd task com.jamfsoftware.task.checkForTasks...
Tue Apr 22 12:13:34 jamf[1611]: Enforcing management framework...
Tue Apr 22 12:13:38 jamf[1611]: Problem installing MDM profile.
Tue Apr 22 12:13:38 jamf[1611]: Problem detecting MDM profile after installation.
Tue Apr 22 12:13:38 jamf[1611]: Enforcing scheduled tasks...

And the same when running 'jamf manage':

Enforcing management framework...
Checking availability of https://jss.jssaddress:8443/...
The JSS is available.
Problem installing MDM profile.
Problem detecting MDM profile after installation.
Enforcing scheduled tasks...
Creating launch daemon...
Creating launch agent...

I tried the things mentioned above, unenroll/re-enroll, I turned off the Wifi as one poster suggested, etc... I'm open to suggestions if anyone has any others.

Bartoo
New Contributor III

JAMF suggested this- and it did resolve the issue, though you may want to run this by JAMF Support first to see if it's applicable.

Make a backup of the DB

Go to the JSS Global Management>>JSS URL

find the field marked:

JSS URL for Enrollment Using Built-in SCEP and iPCU
URL for enrolling mobile devices using the built-in SCEP server and Apple's iPhone Configuration Utility (e.g. "http://jss.mycompany.com:9006/")

We had a value in that field - we removed it and restarted Tomcat and it resolved the issue.

dpertschi
Valued Contributor

I was recently having trouble getting profiles to install in a new lab environment:

jamf[6182]: Problem installing MDM profile.
jamf[6182]: Problem detecting MDM profile after installation.

Renewing the SSL cert. solved it for me straight away. (which was super bizarro because it's all brand new)

emily
Valued Contributor III

We had the same issue, and did what @Bartoo recommended to get it to work.

jennifer
Contributor

Checked for the field @Bartoo mentioned, but mine's already empty.

Renewed the cert, no luck. Ditched the cert and got a new one, same results.

I guess going back to 9.24 or .25 is next.

Update: Put the same computer on my production server and MDM was on immediately. It's running 9.22.

james_ridsdale
New Contributor III

This may or may not be linked, but I encountered a similar issue at a client site a while back and came up with this workaround - try it and see if it works.

https://datajar.zendesk.com/hc/en-us/articles/200366911-JSS-MDM-Enrollment-Fails

rtrouton
Valued Contributor III

@jennifer_unger,

I had a different issue involving the JSS URL for Enrollment Using Built-in SCEP and iPCU blank (see https://jamfnation.jamfsoftware.com/discussion.html?id=10080), but I was able to fix mine by adding my Casper URL to the previously blank JSS URL for Enrollment Using Built-in SCEP and iPCU, saving the change, then removing the URL and saving the change. That might work for you as well.

chlaird
New Contributor III

@jennifer_unger, are these machines enrolled in the DEP? I know 9.3 has some bugs with enrolling DEP devices that will be fixed in 9.31. I've had to use a few workarounds for 9.3 DEP.

Edit: to be more specific, one workaround was to follow these directions: https://jamfnation.jamfsoftware.com/article.html?id=365

That page did not even mention the error I was having, but it worked anyway.

jennifer
Contributor

Thanks for all the ideas everyone!
@james_ridsdale I tried running the command before running the quick add, but had the same result. Do you know if it matters to have the script wrapped with the quick add? (I just don't have the right software on the test machine at the moment to do that).
@rtrouton unfortunately, no luck there.
@chlaird Nope, not enrolled in the program.

I'm starting to wonder if there is a bigger problem somewhere. The quick add failed this time, with fabulously unhelpful log notes:

11:42:03 installd[368]: PackageKit: Running idle tasks
11:42:03 Installer[6306]: install:didFailWithError:Error Domain=PKInstallErrorDomain Code=112 "An error occurred while running scripts from the package “QuickAdd-6.pkg”." UserInfo=0x7fe663673380 {NSFilePath=postinstall, NSURL=file://localhost/Users/username/Downloads/QuickAdd-6.pkg, PKInstallPackageIdentifier=com.jamfsoftware.osxenrollment, NSLocalizedDescription=An error occurred while running scripts from the package “QuickAdd-6.pkg”.}
11:42:03 installd[368]: PackageKit: Removing client PKInstallDaemonClient pid=6306, uid=501 (/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer)
11:42:03 installd[368]: PackageKit: Done with sandbox removals
11:42:03 Installer[6306]: Install failed: The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.
11:42:03 Installer[6306]: IFDInstallController 6343E5C0 state = 8
11:42:03 Installer[6306]: Displaying 'Install Failed' UI.
11:42:03 Installer[6306]: 'Install Failed' UI displayed message:'The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.'.

jamf log is unhelpful as well, it just stops until the next policy ran, which gave the same error as always:
11:42:08 jamf[7047]: Creating launch daemon...
11:42:08 jamf[7047]: Creating launch agent...
11:44:41 jamf[7115]: Enforcing management framework...
11:44:45 amf[7115]: Problem installing MDM profile.
11:44:45 jamf[7115]: Problem detecting MDM profile after installation.
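
Added example, not part of any post in this thread: a small shell triage function that classifies pasted jamf/installd log text using the message strings quoted in the posts above, separating "enrolled in the JSS but no MDM" from a plain MDM profile failure. The function names, state labels and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Message strings are the ones quoted in this thread; the
# function names and state labels are made up for this illustration.

# Reads jamf/installd log text on stdin and prints a one-line verdict.
triage_enrollment_log() {
    awk '
        /successfully enrolled to the JSS/                { enrolled = 1 }
        /The JSS is available/                            { reachable = 1 }
        /The device certificate did not install/          { mdm = "device-certificate-not-installed" }
        /Problem installing MDM profile/                  { mdm = "mdm-profile-install-failed" }
        /Enrollment Failed|PKInstallErrorDomain Code=112/ { pkg = 1 }
        END {
            # An inventory record can exist even though MDM enrollment failed.
            if (mdm != "" && enrolled)  state = "ENROLLED_WITHOUT_MDM"
            else if (mdm != "")         state = "MDM_FAILED"
            else if (enrolled)          state = "ENROLLED_MDM_NOT_REPORTED"
            else                        state = "NO_ENROLLMENT_SEEN"
            printf "state=%s reason=%s jss_reachable=%s pkg_error=%s\n",
                state, (mdm == "" ? "none" : mdm),
                (reachable ? "yes" : "no"), (pkg ? "yes" : "no")
        }
    '
}

# Constructed sample modelled on the QuickAdd log in the first post
# (host name and certificate ID are placeholders).
sample_quickadd_log() {
    cat <<'EOF'
Feb 7 15:44:48 host.example installd[100]: ./postinstall: This computer was successfully enrolled to the JSS with the following device certificate: "PLACEHOLDER-ID"
Feb 7 15:45:14 host.example installd[100]: ./postinstall: The JSS is available.
Feb 7 15:45:16 host.example installd[100]: ./postinstall: The computer was not enrolled in MDM with the JSS. The device certificate did not install.
Feb 7 15:45:20 host.example installd[100]: ./postinstall: Enrollment Failed. This PKG may be used already.
EOF
}

# Constructed sample modelled on the `jamf manage` output quoted in the thread.
sample_manage_log() {
    cat <<'EOF'
Enforcing management framework...
The JSS is available.
Problem installing MDM profile.
Problem detecting MDM profile after installation.
EOF
}

sample_quickadd_log | triage_enrollment_log
sample_manage_log   | triage_enrollment_log
```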

james_ridsdale
New Contributor III

@jennifer_unger

If it was the same issue, that should have worked.

rtrouton
Valued Contributor III

@jennifer_unger,

This may be a dumb question, but are you using different Push Notification Certificates for your production and test environments? You should have one APN certificate for your production box and a second separate APN certificate generated for your test box.

jennifer
Contributor

@rtrouton yes. I also tried deleting it and creating another new one outside of my network (maybe the port was blocked?) but the same results.
I'm going to leave it alone for a bit and set up a different 9.3 environment on a VM, see if I can duplicate the results.

jennifer
Contributor

Update:

The short version, I've run through a bunch of different tests with only one success, JSS 9.31 installed on a 10.8.5 machine, with proxy settings (if applicable) turned off.

The long version.

Since my new install wasn't working I went back to a replica of my production JSS. This machine has been upgraded to Mavericks, 10.9.2. I updated the JSS to 9.3 and had all the same errors listed in previous posts. I tried rolling back this JSS to 9.25 and enrolling machines. The MDM still didn't work, though it produced a different error message. "The computer was not enrolled in the MDM with the JSS. The device certificate did not install."

I moved to a 10.8.5 machine to test 9.3, but since 9.3.1 was released this morning, I went ahead with that one. This was once again a new, empty JSS, with a new push certificate. The first try had the same results, no MDM. I went back, renewed the SSL cert, removed the machine, turned off the proxy login and reenrolled. Success! MDM appears to be working here.

So I went back to the 10.9.2 machine that I started with last week on 9.3 and updated to 9.3.1. Unfortunately, I could not get the MDM going on here, even following the same steps that worked on the 10.8.5 machine.

Conclusion: my personal results suggest that the combination of 9.3.x and 10.9.x is causing the MDM to fail to enroll (at least in my environment). I'll be curious to see if others are seeing anything similar. For now, I'm sticking with 10.8.5.

rcorbin
Contributor II

I'm hoping that 9.31 solves these issues for some of you. I had been sticking to 9.25 after seeing some of these issues being talked about. I was hoping to move to 9.31 if all was good. I'm about to do a large deployment of 10.9.2 MacBooks. Maybe I'll wait until after.