Apple DEP - Failed to contact Mobile Device Management server

jbarnes
New Contributor

We've signed up with Apple DEP and successfully put a token into the JSS. Inside the JSS, we can see the two test OS X machines we've added to DEP and their requisite serial numbers.

When we go to re-image one, the DEP dialog saying that our institution has been detected shows up, but when you hit Continue, the computer cannot contact the MDM server, with the error "Failed to contact Mobile Device Management server. Your Mac will not be configured with default settings from Institution Name. To apply these settings later, click Continue." Which seems odd, because inside the JSS, the MDM server is clearly contacting DEP to show us the machines that have been added.

We do not currently have port 8443 open incoming outside our intranet for this server, as it is in development. I was wondering if that could be the issue -- and perhaps the JSS can contact DEP when I'm logged into it because it's establishing an outgoing connection, not an incoming one? Basically, I'd like to understand what's happening after the computer knows it is associated with our institution (which it does, as it has our DEP e-mail and phone number) without just opening the required ports in the documentation.

Does anyone know?


RobertHammen
Valued Contributor II

What network is your Mac on?

If your JSS isn't open on the Internet on port 8443, you will likely have issues.

davidacland
Honored Contributor II

I've only tried it on a fairly "open" setup but my understanding is the communication would be similar to an MDM workflow. Device starts the setup process, contacts Apple, Apple instructs it to contact the JSS.

Does everything work correctly if you manually enrol the Mac? (just to rule out a separate communication issue between the client and the JSS)

jbarnes
New Contributor

Since the computer never got to do DEP, you get a notification on login in the top right corner after the first-time computer setup.

"Device Enrollment - Institution can automatically configure your Mac"

If you click "Details" you are brought to a System Preferences window called "Profiles" and prompted with "Institution can automatically configure your Mac based on settings provided by your System Administrator."

Then, if you click "Allow" you get "The Device Enrollment server certificate chain was not properly set up"

Curiously, after I installed the QuickAdd package and successfully enrolled to the JSS manually, I was able to use the Apple DEP Notification -> Details and successfully enroll the computer through DEP, which has no knowledge of what I was doing on the JSS side.

I am not sure why that would be? Do you think the Quickadd process adds the certificate to the keychain which DEP then uses? I am stumped what I should do next. After a re-image and an attempt to redo the DEP -> MDM process, the same errors occur.

jbarnes
New Contributor

It ended up being that when the management interface set up DEP, the anchor cert wasn't added. I removed the DEP configuration and the MDM server from deploy.apple.com and reinstalled everything, and that fixed the issue.

ftiff
Contributor

Same for me, I did renew the Built-in CA and that broke DEP. I removed DEP config and put it back, and it's now working fine.

harperwr
New Contributor II

I have deleted the PreStage enrollment, the DEP config within the JSS, and the MDM server on deploy.apple. Set them both up again and I'm still getting the same error.

What is also strange is that the pre-stage is showing that the computer is completing the enrollment even though I can get past this message in the setup assistant screen?

My JSS is set up on the 8443 port as well, and we have an externally facing JSS. I have tried on both the internal and external network. We also just upgraded to JSS 9.92 from 9.81 to try and resolve this issue.

Any ideas?

noah
New Contributor II

@harperwr I'm having the exact same issue. I've reset everything up multiple times; everything is accessible from outside the network; we're running the current version of JSS. I can manually enroll the machines and run policies no problem, including jamf manage to install the MDM profile, but I still get the notification about Device Enrollment and the ultimate error:

"Device Enrollment" installation failed. The server certificate chain for your organization’s MDM server was not properly set up.

chriscollins
Valued Contributor

@noah You might have an SSL certificate issue (as your error message seems to indicate). We would get the same errors, but SSL seemed to be fine for everything else. In our case the problem was that our load balancer was running the SSL cert while Tomcat was also running the cert. We had the network team turn off the cert termination on our load balancer and it fixed this particular error. But even if you are not using a load balancer or in this exact same situation, if you are seeing this error I would go through and re-do your SSL certs for Tomcat on your JSS. The cert check when DEP is enrolling seems to be much more sensitive to SSL misconfiguration than enrollment and regular JSS communication; for us everything else, including enrollment and regular use, seemed to work fine, and only DEP would raise the SSL errors.

We had also seen random issues before even the load balancer issue was uncovered when one of our JSS servers had had a certificate in the cert chain not be added. Fixing THAT issue also fixed similar issues.
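Added example, not from any poster in this thread and not Jamf's or Apple's tooling: the failure chriscollins describes (a server certificate that works for ordinary enrollment but fails the stricter DEP check because the served chain is incomplete) can be reproduced offline with a throwaway three-tier PKI and plain OpenSSL. The CA names, the host jss.example.org, the port and the file names are all assumptions made for the demo. The `verify_chain` function checks the leaf the way a strict client would: it trusts only the root CA and relies on the server to have sent every intermediate.

```shell
# Added example (not from this thread or from Jamf): reproduce an incomplete
# server chain offline with a throwaway three-tier PKI, then verify the leaf
# the way a strict client would, i.e. trusting only the root CA and relying
# on the server to supply every intermediate. All names below are assumptions.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Extension files: a CA profile for root and intermediate, a server profile for the leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:jss.example.org\n' > leaf.ext

# Root CA (self-signed).
openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root CA" >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 \
  -extfile ca.ext >/dev/null 2>&1

# Intermediate CA, issued by the root. This is the piece a misconfigured
# Tomcat keystore or load balancer typically fails to serve.
openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 30 -extfile ca.ext >/dev/null 2>&1

# Leaf: the JSS/Tomcat server certificate, issued by the intermediate.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=jss.example.org" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 30 -extfile leaf.ext >/dev/null 2>&1

# verify_chain ROOT LEAF [SERVED_INTERMEDIATES]
# Exit 0 only if LEAF chains to ROOT using nothing but the intermediates the
# server would have sent; a client that trusts only the root sees exactly this.
verify_chain() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Leaf alone (intermediate missing from the served chain): fails, which is the
# "certificate chain was not properly set up" situation.
if verify_chain root.pem leaf.pem; then
  echo "unexpected: leaf verified without the intermediate"
else
  echo "leaf alone: chain incomplete (expected)"
fi

# Leaf plus the intermediate the server should send: verifies.
if verify_chain root.pem leaf.pem int.pem; then
  echo "leaf + intermediate: chain OK"
fi

# Against a live JSS (not run here; host and port are assumptions), dump what
# the server actually sends and feed the intermediates back into the same check:
#   openssl s_client -connect jss.example.org:8443 -servername jss.example.org \
#     -showcerts </dev/null 2>/dev/null
# If only one certificate is printed, or verify reports "unable to get local
# issuer certificate", the intermediate is missing from the keystore or from
# the load balancer's TLS termination.
```

The point of the two checks is that a browser or a regular enrollment may still succeed against the leaf alone (many clients fetch or cache intermediates), so "SSL works everywhere else" is not evidence that the served chain is complete; run the `s_client -showcerts` check against the exact host and port the device contacts, through the load balancer if there is one.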

swapple
Contributor III

When you rebuild the DEP config, did you put back the anchor cert?

aaronkerrgfs
New Contributor

We're currently troubleshooting this same issue and haven't yet found a solution. Manual enrollments work fine through the load balancer, but DEP fails. We see the same error in the Mac log:

"Device Enrollment" installation failed. The server certificate chain for your organization’s MDM server was not properly set up.

We've tried multiple steps, including essentially starting from scratch on the DEP setup. I'll post an update if we find a solution.

sgoetz
Contributor

Hey Guys,

What logs are you guys looking at to troubleshoot DEP stuff on OS X?

Thanks

Shawn

swapple
Contributor III

We rolled back from our 3rd party SSL to the self signed one and DEP works again. So we still can't get the cert to work.
On our DEP test machine, there is some good info in /var/log/system.log showing the URL to cloudenroll that DEP uses.

I also found it interesting that Apple released a security patch 7/18 to fix 3rd party SSL certs not working with DEP in Profile Manager.

cclements
New Contributor

Adding to the other fixes on this thread, we received this error message because we had not yet accepted the new Sierra agreements on Apple's DEP website. Visiting deploy.apple.com, logging in and accepting the agreements cleared this all up!

Hope this helps someone else down the road!

chris_miller
Contributor

I'm having this issue. 3rd party cert, ssl decrypting on web apps, all behind a load balancer. DEP broke when I installed the cert.

jcwoll
New Contributor III

I have this issue every time I upload an SSL cert for use with Tomcat. It breaks DEP.

I renewed the PublicKey and server token, but I'm not sure why uploading an SSL cert is breaking communication with DEP. Any ideas?

Normal self-initiated enrollment works just fine.

chendricks
New Contributor

We are experiencing this issue. Anyone have a working solution?

We added a 3rd party certificate to our JSS and suddenly DEP stopped working. We purchased new macOS devices that work fine with DEP but our existing devices that were refreshed for the new school year do not work with DEP.

guidotti
Contributor II

I just did the same thing. I went from a self-signed JSS cert to one generated from our internal PKI.
The same cert is on the internal and DMZ JSS servers. Now I get: "Unable to Connect to the MDM server for your organization" when the devices are inside the firewall or outside the firewall. For iOS, I get a similar problem: "The configuration for your iPad could not be downloaded from xxxxx. The operation couldn't be completed. (NSURLErrorDomain error -1012.)"

Does anyone have any insight?
Our internal certificate has subject alternative names for the internal and external servers and their actual hostnames.
That way, during the migration to a new DNS name, the clients would still recognize the server no matter if they had changed URLs or not.
Should I be including the certificate chain in the anchor certs part of the DEP configuration?

Thanks.
-Bruce

stevevalle
Contributor III

Have a look at your DEP PreStage. If you have the default Built-In Anchor certificate, remove it.

I had the same issue today. Uploaded a 3rd party cert and DEP enrolment stopped working!

Our JAMF buddy suggested to remove the Anchor certificate.

DEP is working again :)

psd_martinb
New Contributor III

I've tried all the suggestions here, still getting the same issues after adding my public trusted 3rd party (COMODO) cert to Tomcat. Which was no walk in the park. Previously self signed, DEP worked, but some Macs were losing the trust anchor and were losing connection with MDM. Would much rather use our 3rd party cert, without going behind our load balancer. Which I may end up trying as I'm running out of options.

iOS receives (NSURLErrorDomain error -1012)
macOS receives "The server chain for your organization's MDM server was not properly set up"

  • Checked my chain here: https://www.digicert.com/help/ no issues.
  • Removed the self signed anchor from the prestage
  • Attempted to add my chain and anchor to the prestage
  • Changed security setting to always check ssl, never, or only during enrollment
  • Added original csr to keystore, ensured key was present and all anchoring certificates
  • Deleted JSS from deploy.apple.com, readded, reassigned.

The only thing I haven't been able to try is to delete the DEP configuration and prestage enrollments from JAMF all together. Would like to avoid this as there have been many prestages created for managing iPad carts.

psd_martinb
New Contributor III

Removing the DEP configuration from the JSS seemed to do the trick. I realised in the prestage enrollments, you can select which DEP configuration to use. So without deleting my old DEP configuration, I renewed the DEP token from apple, then uploaded it as a new configuration.

lashomb
Contributor II

Seeing this too when trying to DEP enroll while inside our LAN, although without the option to manage later. On public wifi or external networks we don't see this issue. We're using a load balanced setup like many others here.

Sacred_Heart_Co
New Contributor

Got this error due to not accepting Apple's new terms and conditions in Apple School Manager

tylalonde
New Contributor

@lashomb did you ever get a fix for this? I'm having the same issue right now. Enrollment working over LTE/external but all failing on internal network.

krausec
New Contributor II

@tylalonde Call or get a Support ticket going. I just spent 2.5 hours on the phone with John and he helped upgrade my server and make several other adjustments, but I am again getting my DEP updates.

tylalonde
New Contributor

@krausec I have a ticket open but no luck so far. Figured I'd try here while I'm awaiting a response on my ticket.

lidiya_dergache
New Contributor

Same issue here. Have a ticket open and awaiting response.

dbradprice
Release Candidate Programs Tester

Having this issue intermittently. Some computers do enroll anyway (after clicking "OK" at the "Enrolling with management server failed" message). Some never enroll. Tried both on institution network, and external (open) network.

dbradprice
Release Candidate Programs Tester

Seeing different sub-texts below the "Enrolling with management server failed". E.g. "Unable to connect to the MDM server for your organization" (ok... maybe a basic network issue), but also "Unexpected error (NSOSStatusErrorDomain:-67846)" not sure what this means. Also in another instance got the "your institution has MDM" gear screen but "null" where the institution name should be.

BCPeteo
Contributor III

Was getting "The server chain for your organization's MDM server was not properly set up" when trying to enroll using ADE when going from the built-in CA cert to a 3rd party cert. The fix was to add the 3rd party cert to the certificates in the PreStage enrollment. That cert then gets added to the MDM profile that gets pushed down.

dstranathan
Valued Contributor II

I had a similar issue on my on-prem JSS servers (10.29.2) after replacing the built-in SSL cert with a third-party cert, I was seeing this error when enrolling Big Sur Macs into our Jamf MDM:

"Enrolling with management server failed. The server certificate chain for your organization's MDM was not properly set up" (See screenshot).

I called Jamf Support and I was told to delete my current PreStage (that had an existing built-in anchor cert) and create a new, clean PreStage WITHOUT an anchor certificate payload. I was also told that on-prem Jamf servers that use an external third-party SSL cert should NOT use an anchor certificate in PreStages.

Is this the MDM cert or web cert? I am using self signed for MDM and 3RD party web cert. In this config I needed to have both in prestage in order for ADE to work. Seems Apple requires it in order for a MacOS or iOS device to initially talk to Jamf. If you enroll using the jamf URL you do not need the web cert.