Adding Macs to new JSS; not enrolled in MDM

@Bartoo I am seeing the same thing.

I started up a completely new lab JSS running 9.3 yesterday, new certs and everything. I enrolled a single 10.9.2 machine and I am getting these same results.

This is from the console log from the enrollment:

Checking for policies triggered by "enrollmentComplete"...
Tue Apr 22 12:13:32 jamf[1540]: The management framework will be enforced as soon as all policies are done executing.
Tue Apr 22 12:13:33 jamf[1540]: Removing existing launchd task /Library/LaunchDaemons/com.jamfsoftware.task.checkForTasks.plist...
Tue Apr 22 12:13:33 jamf[1540]: Adding launchd task com.jamfsoftware.task.checkForTasks...
Tue Apr 22 12:13:34 jamf[1611]: Enforcing management framework...
Tue Apr 22 12:13:38 jamf[1611]: Problem installing MDM profile.
Tue Apr 22 12:13:38 jamf[1611]: Problem detecting MDM profile after installation.
Tue Apr 22 12:13:38 jamf[1611]: Enforcing scheduled tasks...

And the same when running 'jamf manage':

Enforcing management framework...
Checking availability of https://jss.jssaddress:8443/...
The JSS is available.
Problem installing MDM profile.
Problem detecting MDM profile after installation.
Enforcing scheduled tasks...
Creating launch daemon...
Creating launch agent...

I tried the things mentioned above, unenroll/re-enroll, I turned off the Wifi as one poster suggested, etc... I'm open to suggestions if anyone has any others.

JAMF suggested this- and it did resolve the issue, though you may want to run this by JAMF Support first to see if it's applicable.

Make a backup of the DB

Go to the JSS Global Management>>JSS URL

find the field marked:

JSS URL for Enrollment Using Built-in SCEP and iPCU
URL for enrolling mobile devices using the built-in SCEP server and Apple's iPhone Configuration Utility (e.g. "http://jss.mycompany.com:9006/")

We had a value in that field - we removed it and restarted TomCat and it resolved the issue.

I was recently having trouble getting profiles to install in a new lab environment:

jamf[6182]: Problem installing MDM profile.
jamf[6182]: Problem detecting MDM profile after installation.

Renewing the SSL cert. solved it for me straight away. (which was super bizarro because it's all brand new)

We had the same issue, and did what @Bartoo recommended to get it to work.

Checked for the field @Bartoo][/url mentioned, but mine's already empty.

Renewed the cert, no luck. Ditched the cert and got a new one, same results.

I guess going back to 9.24 or .25 is next.

Update: Put the same computer on my production server and MDM was on immediately. Its running 9.22.

This may or may not be linked but I encountered similar issue at a client site a while back and came up with this workaround - try it and see it it works.

https://datajar.zendesk.com/hc/en-us/articles/200366911-JSS-MDM-Enrollment-Fails

@jennifer_unger,

I had a different issue involving the JSS URL for Enrollment Using Built-in SCEP and iPCU blank (see https://jamfnation.jamfsoftware.com/discussion.html?id=10080), but I was able to fix mine by adding my Casper URL to the previously blank JSS URL for Enrollment Using Built-in SCEP and iPCU, saving the change, then removing the URL and saving the change. That might work for you as well.

@jennifer_unger][/url , are these machines enrolled in the DEP? I know 9.3 has some bugs with enrolling DEP devices that will be fixed in 9.31. I've had to use a few workarounds for 9.3 DEP.

Edit:: to be more specific, one workaround was to follow these directions: https://jamfnation.jamfsoftware.com/article.html?id=365

That page did not even mention the error I was having, but it worked anyway.

Thanks for all the ideas everyone!
@james_ridsdale I tried running the command before running the quick add, but had the same result. Do you know if it matters to have the script wrapped with the quick add? (I just don't have the right software on the test machine at the moment to do that).
@rtrouton unfortunately, no luck there.
@chlaird Nope, not enrolled in the program.

I'm starting to wonder if there is a bigger problem somewhere. The quick add failed this time, with fabulously unhelpful log notes:

11:42:03 installd[368]: PackageKit: Running idle tasks
11:42:03 Installer[6306]: install:didFailWithError:Error Domain=PKInstallErrorDomain Code=112 "An error occurred while running scripts from the package “QuickAdd-6.pkg”." UserInfo=0x7fe663673380 {NSFilePath=postinstall, NSURL=file://localhost/Users/username/Downloads/QuickAdd-6.pkg, PKInstallPackageIdentifier=com.jamfsoftware.osxenrollment, NSLocalizedDescription=An error occurred while running scripts from the package “QuickAdd-6.pkg”.}
11:42:03 installd[368]: PackageKit: Removing client PKInstallDaemonClient pid=6306, uid=501 (/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer)
11:42:03 installd[368]: PackageKit: Done with sandbox removals
11:42:03 Installer[6306]: Install failed: The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.
11:42:03 Installer[6306]: IFDInstallController 6343E5C0 state = 8
11:42:03 Installer[6306]: Displaying 'Install Failed' UI.
11:42:03 Installer[6306]: 'Install Failed' UI displayed message:'The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.'.

jamf log is unhelpful as well, it just stops until the next policy ran, which gave the same error as always
11:42:08 jamf[7047]: Creating launch daemon...
11:42:08 jamf[7047]: Creating launch agent...
11:44:41 jamf[7115]: Enforcing management framework...
11:44:45 amf[7115]: Problem installing MDM profile.
11:44:45 jamf[7115]: Problem detecting MDM profile after installation.

@jennifer_unger

If it was the same issue, that should of worked.

@jennifer_unger,

This may be a dumb question, but are you using different Push Notification Certificates for your production and test environments? You should have one APN certificate for your production box and a second separate APN certificate generated for your test box.

@rtrouton][/url yes. I also tried deleting it and creating another new one outside of my network (maybe the port was blocked?) but the same results.
I'm going to leave it alone for a bit and setup a different 9.3 environment on a VM, see if I can duplicate the results.

Update:

The short version, I've run through a bunch of different tests with only one success, JSS 9.31 installed on a 10.8.5 machine, with proxy settings (if applicable) turned off.

The long version.

Since my new install wasn't working I went back to a replica of my production JSS. This machine has been upgraded to Mavericks, 10.9.2. I updated the JSS to 9.3 and had all the same errors listed in previous posts. I tried rolling back this JSS to 9.25 and enrolling machines. The MDM still didn't work, though it produced a different error message. "The computer was not enrolled in the MDM with the JSS. The device certificate did not install."

I moved to a 10.8.5 machine to test 9.3, but since 9.3.1 was released this morning, I went ahead with that one. This was once again a new, empty JSS, with a new push certificate. The first try had the same results, no MDM. I went back, renewed the SSL cert, removed the machine, turned off the proxy login and reenrolled. Success! MDM appears to be working here.

So I went back to the 10.9.2 machine that I started with last week on 9.3 and updated to 9.3.1. Unfortunately, I could not get the MDM going on here, even following the same steps that worked on the 10.8.5 machine.

Conclusion, my personal results suggest that the combination of 9.3.x and 10.9.x are causing the MDM to fail to enroll (at least in my environment). I'll be curious to see if others are seeing anything similar. For now, I'm sticking with 10.8.5.

I'm hoping that 9.31 solves these issues for some of you. I had been sticking to 9.25 after seeing some of these issues being talked about. I was hoping to move to 9.31 if all was good. I'm about to do a large deployment of 10.9.2 MacBooks. Maybe I'll wait until after.

<0.02>

I was seeing this in 9.31 as well with a fresh QuickAdd_9.31.pkg

Clearing out the SCEP URL per @Bartoo resolved the issue for me.

</0.02>

I am seeing the same thing with my JAMF Cloud environment...