CA Certificate

sebastian_santo
New Contributor III

I need someone's help. I noticed today that my CA Certificate in the certificate Details section is giving me the description but also gives me an error saying "Not found in keychain".


whiteb
Contributor II

I know this is an old thread, but I'm seeing this issue as well on our MDM Profile, but only for computers that aren't talking to Jamf anymore / throwing a 'Device Signature Error' when trying to run Jamf commands like policy or recon through Terminal. Tried a sudo profiles renew -type enrollment, but that didn't fix it.

If the machine is not talking to Jamf, you can try to remove the framework (sudo jamf removeFramework). Keep in mind that sudo profiles renew -type enrollment only works on DEP/ABM-enrolled computers.

Thanks for the response. Did you ever figure out that keychain error for the config profile? I've found there can be multiple reasons for a computer to stop talking to Jamf. Migration Assistant can cause it, hardware changes can cause it. Heck, I had one recently that fell off Jamf management and would throw a 'Device Signature Error' when trying to run Jamf commands on it manually (just recon and policy update) - it turned out to be an old Garage Band Instruments.dmg policy we still had. Not sure how it was hosing Jamf on the computer, but I was able to recreate it elsewhere. The sudo jamf removeFramework has actually kinda screwed me in the past because it pulled the CA cert but not the MDM profile, and it wouldn't let me re-enroll it properly via any method. My preferred method of fixing is a sudo jamf enroll -prompt. Or, using the Jamf API to issue a reinstall of the Jamf binary / 'self heal' - https://www.modtitan.com/2022/02/jamf-binary-self-heal-with-jamf-api.html

I had to resort to sudo jamf enroll -prompt to fix one computer, and even though that got it to check in again and be properly managed again, the MDM profile still says keychain not found at the bottom under the 'SCEP Enrollment' section. So a little different than yours, but I just thought it was somewhat similar. I'm probably going to call Jamf support. The computer seems totally fixed, I just don't like how it shows that keychain error. Our web filtering certificate config profile (Securly is the company) also throws an 'Error: Not found in keychain' on this computer. There weren't that many Google results for that error in a Jamf context (this was one of the few), so I just figured I'd ask.

Cheers.

encie
New Contributor

@whiteb did you happen to find a solution to 'Error: Not found in keychain'?

whiteb
Contributor II

I've found there isn't always a one-size-fits-all fix for that.

What I would generally start with is running a sudo jamf enroll -prompt on the affected computer. This will re-enroll the computer with Jamf, and re-establish the trust relationship between the Jamf binary and the server (I believe).

Before you try that re-enroll, if you can run a recon on the computer, manually through terminal without getting the 'Device Signature' error, you can try using the Jamf API (I just use their web API for this) - to redeploy the jamf-management-framework (is what the API call is named).

A third option that sometimes works when all others don't is running a

sudo profiles renew -type enrollment

If successful, you will get the little popup that there are config profiles to install, and then it will re-install the MDM Profile. You're technically not supposed to run that one over top of an existing MDM Profile, but I have a computer or two with an existing MDM Profile, fell off from being managed by Jamf, and was only fixed by doing that.

But generally speaking, the sudo jamf enroll -prompt will usually fix it.

encie
New Contributor

Interesting... This happens on our machines immediately after setup. Not only that, the device certificate actually IS in the keychain. ¯\_(ツ)_/¯

whiteb
Contributor II

That is curious. I wonder if you have an expired cert in Jamf somewhere. What does your MDM Profile look like? I was seeing 'Not found in keychain', which was a clue to the issue.

Is it all devices, or just some of them? If it's happening after enrollment, it almost sounds like a possible configuration issue somewhere, or maybe a cert.

I've seen MDM connection get hosed for various reasons. I even had an old 'Garage Band Sounds.dmg' that I discovered was causing the issue.

Try posting on the #MacAdmins Slack. It's the best resource out there.

I'm noticing this on some Macs when they stop getting profiles/management commands (checking in fine, inventory working, policies working).

Not sure how the MDM profile gets the 'Error: Not found in keychain'. When it's initially enrolled, the MDM profile is fine and the Mac is getting profiles.