Jamf Nation Community

jimderlatka · 9 hours ago

I'm working a customer setting up macOS Onboarding and we had it going, then at the end of the for some reason they started getting this message: " Cannot reach a Jamf MDM Server" after Device Enrolment, when the desktop came up, and SelfService Opens to start installing policies as per onboarding setup.

At this point the onboarding froze of course as it cannot connect to mdm...

-Jamf Pro is On PRem in this installation:

- Only change the local tech made was in the prestage, setup assistant. Originally they left unchecked the location services, so on enrolment the user would select their location... He remove this in setup assistant and then all of sudden this message started coming up.

-Server Reboot was done - no change
-Ticket has been logged with Jamf - still waiting on resolution

-We were able to get it going again by once again removing the check on the setup assistant skip, so no again the user selects the location services.
- we also saw once the checkbox was removed, that the onboarding starting installing other policies that were not in the onboarding... almost feels like the onboarding is corrupted.
to me this doesn't make sense....

anyone have this experience

any thoughts.???

AJPinto · 8 hours ago

My brain goes to a VPN client, or Network Security tunnel doing things.

Three things come to mind.

Can you Ping your Jamf Server?
Can you navigate to your Jamf Servers web portal?
Are any other network services impacted? (sharedrives, internal homepage, etc)

jimderlatka · 8 hours ago

Can yo ping the jamf server
Yes we opened a terminal and were able to ping ip and dns host name of the server

Can you navigate to your jamf server web portal
yes we were able to reach the jamf portal
any other network services impacted
no, other prestiges were still able to continue to device enrolled with no issues,
only one that was impacted with this new prestage

we could not see anything else not working. as it was ethernet hardwire connected ...

AJPinto · 7 hours ago

Hrm. I trust this issue is isolated to the one customer in question, well I hope at least :).

Seems like the Jamf Binary may be borked from a failed enrollment. Without a direct slam dunk answer, I would start checking logs and make sure the MDM Profile has the correct server URL and the certificates are good. Logs would be anything related to com.jamfsoftware.* in console. However, a reenroll will likely be the fastest path to resolution.

I have never found this command useful but sudo jamf checkJSSConnection will tell you if the Jamf binary can see Jamf.

jimderlatka · 7 hours ago

1) when we look in settings under the profiles we can see all the profiles from jamf installed

2) we looked at the /Library/Preferences/com.jamfsoftware.com. for the jss_url variable, and it was set correctly.
3) jamf checkJSSCOnnection - reported connection successful.. no issues there.

4) we have wiped and re-enrolled a number of times and keep having this issue....
- logs have been collected now and sent to jamf for the ticket that has been opened...
yes to certificates also appear to be good and valid, no issues...

yes isolated to this customer

Shyamsundar · 7 hours ago

What happens if you try to run jamf recon/policy. did you try running

sudo profiles renew -type enrollment

jimderlatka · 7 hours ago

yes to the sudo profiles renew - it failed
recon failed also.

which points to the jamf binary enrolment did not complete.... which we believe is the cause of the message... but the fault that is causing this to happen is the mystery...

again the other pre-stages the customer has setup are all working just fine.. only this new one, that seems to have a problem.

AJPinto · 3 hours ago

Have you tried deleting the Jamf device record? Sometimes there is something screwed up in the database for a specific record and deleting it may help. Of course you would have to enroll again after deleting it.

jimderlatka · 3 hours ago

yes we always recommend and do delete the device object before a re-enrollment...

Shyamsundar · 7 hours ago

Could you please check User initiated enrollment is set to disabled?

jimderlatka · 6 hours ago

so it is currently enabled. the jamf documentation says you have to enable launch self service after enrolment under the user enrolment section.. you can only do that if you enable user enrolment....

https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/macOS_Onboarding.html

Jamf Nation Community

Cannot reach a Jamf MDM Server after macOS Onboarding