Posted on 02-19-2018 12:46 PM
Hey all,
Ok so I just finished Jumpstart for my company and we ran into an issue that we originally thought was our port settings. But after checking, they look correct.
Issue: DEP machine not pulling complete PreStage Enrollment settings during setup. After clicking continue in the "Remote Management" window, we get taken to the Configure new or restore window in the Apple Setup process. After following through the steps and logging in, I do a quick test in Terminal searching for "jamf"; I do not get a syntax error but "command not found". I also do not see any plists in the respective locations. I also check the machine in JSS and it shows as unmanaged even though the 3 profiles are in Profiles in SysPrefs. Running out of ideas, especially as this is so new to me.
Steps for Prestage:
General: Device Enrollment Program Instance has our DEP selected, new devices are auto assigned, MDM profile is mandatory, Setup assistant Items not to be displayed is everything but Location Services and FileVault.
Account Settings: Management account is the one that was created in User-Initiated Enrollment Settings. Local user account type is set to admin account
User Location only has Building set
Certificates: CN=our company JSS Built-in Certificate Authority (checking PKI in Settings shows this cert as Jamf Pro Built-in CA for the CA configuration)
Passcode, Purchasing, and Directory are not configured.
Let me know if I should format this question differently as well. Thanks everyone!
Posted on 02-19-2018 12:57 PM
Which version are you currently running? It looks like version 10.2.0's release notes state something similar to what you're experiencing has been resolved.
[PI-003771] Fixed an issue that prevented the jamf binary from installing due to a timeout when the Account Settings payload was configured for a computer PreStage enrollment.
Posted on 02-19-2018 01:01 PM
Oh snap I was planning on reading the release notes today as well. We are in 10.1.0.
Posted on 02-19-2018 01:07 PM
Took a look at that [PI-003771] and that sounds like what is happening. I will update our system and follow up here with what I find.
Posted on 02-19-2018 03:06 PM
So I updated to 10.2.0 but same issue. I am going to go over my PreStage setup and start simple. Friend of mine said I might have a conflicting setting.
Posted on 02-20-2018 12:00 PM
I had an issue the other day with devices not showing in the prestage. To correct this, I had to reload my DEP token and I found that the time on my server had drifted just enough that it was not communicating with Apple. After that, all went well and prestage started to work again.
Posted on 02-20-2018 01:31 PM
Thanks for that. I am investigating the time difference on my EC2 instance now. It's off by 12 hours so that could be it. Once I figure that out I'll try again, then try reloading my DEP.
Edit: the time is correct.
Posted on 02-20-2018 01:38 PM
@ericccccccwhyyyy hopefully that's all it is! I'd like to hear how it works out for you.
Posted on 02-20-2018 02:02 PM
I'll def keep updating. This has been a great learning experience since the get-go.
Posted on 02-20-2018 04:30 PM
Started poking around some logs and came across this one:
com.apple.message.domain: com.apple.MacAppStore.download_done_2
com.apple.message.was_pre_downloaded: false
com.apple.message.result: fail
com.apple.message.install_elapsed_actual: 2.12
com.apple.message.bundle_id: com.jamfsoftware.enrollment.dep.quickadd
com.apple.message.downloads_installing: 1
com.apple.message.error_description: n/a
com.apple.message.asset_size: 63422
com.apple.message.is_streamable: 1
com.apple.message.local_caching: not available
com.apple.message.cancelled: false
com.apple.message.was_staged: false
com.apple.message.error_code: 112
com.apple.message.queued_elapsed_actual: 1.14
com.apple.message.asset_download_elapsed_actual: 0.36
com.apple.message.staging_elapsed_actual: 0.00
com.apple.message.asset_download_elapsed_normalized: 56.35
com.apple.message.install_elapsed_normalized: 334.01
com.apple.message.downloads_active: 0
com.apple.message.power_state: on
com.apple.message.staging_elapsed_normalized: 0.00
com.apple.message.start_reason: purchase
com.apple.message.downloads_waiting: 0
com.apple.message.error_domain: PKInstallErrorDomain
com.apple.message.delta: not an update
com.apple.message.queued_elapsed_normalized: 180.45
SenderMachUUID: 6C79F664-3013-3800-AA53-91F19200E125
I'm getting closer to the source of the issue and I think it's a cert issue or something with a load balancer my colleague set up. Will continue tomorrow.
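For triaging records like the one quoted in the post above, a small parser can pull out just the failing Jamf package installs. This is an added example, not code from any poster or from Jamf; the function names and the second sample record are assumptions made for illustration.

```python
import re

# Constructed input: the first block reuses fields from the record quoted in the
# post above; the second block is a made-up non-failing record for contrast.
SAMPLE = """\
com.apple.message.domain: com.apple.MacAppStore.download_done_2
com.apple.message.result: fail
com.apple.message.bundle_id: com.jamfsoftware.enrollment.dep.quickadd
com.apple.message.error_code: 112
com.apple.message.error_domain: PKInstallErrorDomain
SenderMachUUID: 6C79F664-3013-3800-AA53-91F19200E125

com.apple.message.domain: com.apple.MacAppStore.download_done_2
com.apple.message.result: ok
com.apple.message.bundle_id: com.example.app
"""

PREFIX = "com.apple.message."
KV = re.compile(r"^\s*([A-Za-z0-9_.]+):\s*(.*?)\s*$")

def parse_records(text):
    # Turn blank-line-separated "key: value" blocks into dicts (prefix stripped).
    records, current = [], {}
    for line in text.splitlines():
        m = KV.match(line)
        if m is None:  # a blank or non key/value line closes the current record
            if current:
                records.append(current)
                current = {}
            continue
        key, value = m.groups()
        current[key[len(PREFIX):] if key.startswith(PREFIX) else key] = value
    if current:
        records.append(current)
    return records

def failed_installs(records, bundle_prefix="com.jamfsoftware."):
    # Summarise each record that failed for a bundle id with the given prefix.
    hits = []
    for r in records:
        if r.get("result") != "fail" or not r.get("bundle_id", "").startswith(bundle_prefix):
            continue
        code = r.get("error_code", "")
        hits.append({
            "bundle_id": r["bundle_id"],
            "error_domain": r.get("error_domain", "n/a"),
            "error_code": int(code) if code.lstrip("-").isdigit() else None,
        })
    return hits
```

Calling `failed_installs(parse_records(text))` on a saved log excerpt lists every failed install of a `com.jamfsoftware.` bundle with its error domain and code, which is the detail to hand to support.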
Posted on 02-20-2018 04:36 PM
I am done for the day so I guess at this point I should point out my setup.
Locally hosted JSS 10.2.0 on an EC2 Ubuntu instance
S3 storage for cloud distribution
Load balancer in aws
Suspicion: I think the load balancer was installed after the fact so I think this is causing the issue.
Some articles I found that led me to where I am currently:
https://www.johnkitzmiller.com/blog/dep-fails-in-casper-when-using-a-publicly-trusted-ssl-certificate/
https://www.jamf.com/jamf-nation/feature-requests/4544/don-t-automatically-add-jss-built-in-ca-to-anchor-certificates-in-dep-pre-stage-enrollments-when-using-a-3rd-party-ssl-cert
https://www.johnkitzmiller.com/blog/setting-up-the-jss-behind-an-elastic-load-balancer-in-amazon-web-services/
Posted on 02-21-2018 10:05 AM
Hmmm... is support working with you on this? I think you might be on to the right track!
Posted on 02-21-2018 01:12 PM
So apparently I wasn't on the right track. Wasn't even close to the rails lol. Fix for my issue: added our FQDN to our service. We hadn't added our URL to our service when I did the initial installation (FQDN wasn't ready yet, and couldn't resched our Jumpstart) and was waiting for support to confirm there'd be no issues. I added it this morning and poof. No Touch Deployment happiness.
Posted on 02-21-2018 02:22 PM
Doh! That would do it! Nice find and welcome to the JAMF family! If you can swing it, come to JNUC. I was amazed how much information is there. So much so, I asked work to send me for a 2nd year in a row :)
Posted on 02-22-2018 08:56 AM
Haha for sure. Super stoked. JNUC will be a tough sell but at least they sprang for the Training Pass!
Posted on 02-22-2018 10:19 AM
@ericccccccwhyyyy I hope it works out for you! They do on-site training/certification at JNUC, poke poke.