Posted on 08-17-2015 01:41 PM
As we got JSS updated to 9.73, Casper Imaging stopped working.
After choosing the Configuration and providing my JSS account credentials I get the error message:
"Unable to create the invitation. Check to make sure you have permission to create an invitation"
I have an administrator-privilege account with everything checked on the JSS User Accounts & Groups side.
Please help. Thanks!
Posted on 08-17-2015 05:51 PM
Check the privileges for the account you're logging in with. In JSS Objects, I think you need Create privs for Policies.
Posted on 08-18-2015 07:47 AM
@mhasman I had the same issue when I was imaging a machine that already existed in the JSS. I don't believe I got that error on a machine that was not in JSS. Like you, my ID has full admin privileges.
As a test, I turned off the setting "Restrict re-enrollment to authorized users only" in Global Management --> User-Initiated Enrollment. Even though, as an admin, this restriction should not apply to you, I have not had the error repeat on me.
Give that step a try and see if it helps.
Posted on 08-18-2015 08:25 AM
@dpertschi Yes, as Administrator I have full privileges, and everything is checked in JSS Objects
@bkramps I checked, mac is not in the JSS. Checked with another mac which is 100% not in the JSS - the same error message...
Checked Global Management --> User-Initiated Enrollment, "Restrict re-enrollment to authorized users only" is off. Turned it on, tested, turned it off, tested - the same issue...
Thanks for helping! I wonder if there is anything else I may try to play with...
Posted on 08-18-2015 09:36 AM
@mhasman It looks from your screenshot that you are doing Netboot Imaging. Do you get the same error if you do Target Mode Imaging? I don't think I got the error doing TMI? Try a TMI and see if it repeats.
What tool, if any, did you use to create the NetInstall? I had previously been using Casper NetInstall Creator but stopped using it after going to 9.73 since I had so many issues. I created my own NetInstall but the AutoCasperNBI tool works well. If you used Casper NetInstall Creator, I would try making a NetInstall with AutoCasperNBI as a test.
It is possible that switching to my own NBI fixed my issue and not turning off the setting I mentioned in my last post. I did both at the same time.
Posted on 08-18-2015 09:44 AM
@bkramps Sorry, I forgot to mention that issue comes from Target Mode Imaging. Yes, I got 10.10.5 NetBoot image built via AutoPkgr and AutoCasperNBI yesterday, but did not have a chance to try the imaging process yet.
Posted on 08-18-2015 10:50 AM
Garrett Schmidt brings the idea: "Close down Casper Imaging completely and then re-open it while holding down the Option key. This will let us refresh the credentials for Imaging"
After that Casper Imaging is working in Target Mode as well.
Thanks, Garrett! Thanks, Darrin, Brian!
Posted on 09-10-2015 02:07 PM
@mhasman Your solution doesn't work for us if we're netbooting the device in question. Full admin rights on Casper? No problem. Partial admin rights? Not so good. Despite granting full rights to Casper Imaging for one of our tech bench staff (who does not have full admin rights), he gets the same "Needs an invitation" error even after we option-launch Casper Imaging.
Our 10.10.4 netboot image was built -- like you -- with AutoCasperNBI.
Posted on 11-02-2015 12:54 PM
Was anyone able to figure this out? The above didn't work.
Posted on 11-05-2015 12:44 AM
@pgh I thought this was an issue with having full rights to computer objects but what @themacdweeb said has me doubting myself.
@themacdweeb Did the tech have full rights to computer objects within the JSS?
Posted on 11-05-2015 04:07 AM
@bentoms Thanks for the reply
@themacdweeb Were you able to figure it out?
The tech has Create, Read, Update; however, Delete is not checked for computer objects. (Should I check it?) The user was able to image and then one day was not able to. The tech was in a group and he was the only one that was having the issue. I took him out of the group and gave him custom privileges. The user is the following: LDAP User, Full Access, Custom.
We also deleted and added the account back and added him back to the group, however no success, and like I said, other users in that group are not having the issue, just him.
Posted on 11-05-2015 05:11 AM
@erin.miska This KB article could use an update, "add hardware" doesn't appear to exist anymore: Imaging Computer Permission Requirements
From trial and error I wound up with these settings for techs to image (TDM and NetBoot) and use Casper Remote successfully with limited rights.....please note these are likely not exactly what are required, but they are working for me on 9.63:
JSS Objects
Computer Enrollment Invitations -CRUD (Create, Read, Update, Delete)
Computers - CRUD
Enrollment Profiles - CRUD
Policies - CR (I think Create was needed to use Casper Remote to push software...this really needs to be a separate permission)
Users - CR (I think this was for imaging too....not sure)
Some other settings - Read only to share information, I don't think any were required for functionality.
JSS Settings
All - Read only
JSS Actions
Everything except change password and send emails to users
Recon - access to both
Add Computers Remotely
Create QuickAdd Packages (this was necessary for something....probably imaging? I don't actually want them creating quick add packages)
Casper Admin - none
Casper Remote - All
Casper Imaging - just not autorun data
Posted on 11-05-2015 05:20 AM
OK, the only thing that was not checked was computer -> delete permissions, and JSS settings had to be marked read.
I will have him try it and report back the status.
Posted on 11-05-2015 08:01 PM
Maybe try changing the password?
We've seen a password with special characters cause this for a full admin, changed password and hey presto. The characters were not that special, either. It only manifested during imaging, same error.
Posted on 11-06-2015 09:01 AM
Here is what I did to get the issue fixed (JSS 9.81):
Boot up mac with Casper Imaging external drive
Re-enroll with JSS
Reboot
Posted on 11-09-2015 05:26 AM
Explain how to re-enroll with jss?
Thanks
Posted on 11-09-2015 02:44 PM
we don't, as a general rule, provide edit or delete capabilities to ANY L1 or L2 helpdesk staff, so our solution looked differently than yours but i think you nailed it. we edited:
JSS Objects, JSS Settings, JSS Actions to allow more create/read rights and now our staff IS able to log into via netbooted image and run casper imaging on the local device.
note: we didn't give ANY recon rights.
thank you for the suggestions, everyone and, especially, @Josh.Smith
Posted on 04-03-2018 03:08 PM
So if anyone hits this in 10.3, Support says there is an error in JSS where special characters make this error show. If you change the account password to just numbers and letters then the issue goes away.
Posted on 04-03-2018 03:24 PM
We just encountered this like minutes ago. PI is PI-005660. This means also Jamf Admin LDAP users/groups with a period or any special characters on their UN/PW will not work. So you need to create a special user for Casper/JamfPro Imaging. But this affects JamfPro Imaging only. LDAP accounts still work on JamfPro Admin.
Posted on 04-04-2018 08:59 AM
Thank you, @Eigger. Changing my user password fixed the problem for me.
Posted on 04-04-2018 05:31 PM
yep super simple un and pw fixed this. JAMF 10.3.0
no bueno.....
Posted on 04-05-2018 12:23 PM
Yep. @Eigger 's fix worked for me as well:
Created a new local admin with no special characters in the password. Recon made the package.
Thanks!
Posted on 04-09-2018 06:51 AM
What's even worse, I have special characters in my LDAP account (password policy requirement), and not only does it fail to image, it locks my LDAP account out as well!
I'll be making an enrollment-only account now.
Posted on 04-16-2018 12:37 PM
Changing my LDAP password fixed the issue here. I'm going to have to create an enrollment-only account.
Posted on 04-16-2018 01:08 PM
Unfortunately, changing passwords doesn't work in an environment like mine that enforces a minimum complexity for the passwords our provisioning technicians use. In my experience in the past, sometimes these issues can be triggered by new features that are added in an upgrade but not enabled by default, but that doesn't appear to be the case here either. Or, I can't find a smoking gun if there is one.
Posted on 04-16-2018 05:41 PM
@bmarks So you have no permission yourself in your JamfPro to create a "Local User" non LDAP, with simple UN like Admin and simple Password like 4dm1n with Imaging and Enrollment only permission that your Provisioning Technicians can share?
Posted on 04-16-2018 06:02 PM
@Eigger Correct, in our environment, our security team won't allow us to create a shared account with shared credentials.
Posted on 04-20-2018 11:21 AM
Bumping this thread to add that I'm in the same boat... +1 for unsolved. I too discovered this issue last week in testing a v10 upgrade:
In my environment techs make API calls via script with their credentials. Valid passwords may contain "special characters" and Unicode. Most usually do since the techs are located globally and their international keyboards make this quite easy and valid! I cannot (and should not) control valid password character ranges...
Unicode (multi-byte characters) and punctuation have always needed to be URI Escaped (see my reply for some pointers) for them to work with the v9 API but this is no longer working in v10.
The web console for Jamf Pro web and the auth screens of the Apps work in accepting non-alphanumeric characters, but anything in those apps that leverage the API are affected. Besides the invitation creation of this thread, in the Recon app if you attempt to create a QuickAdd with an account that contains a Unicode character it will fail.
Fun troubleshooting fact: if you run Wireshark/packet capture on your JSS and connect over http (port 9006) you can grab the API calls and compare the Authorization: Basic headers. Recon v9 and v10 QuickAdd creation creates the same headers when Unicode is used, so the breakdown is not encoding or the App but the API character decoding/handling.
My Product issue is: PI-005738 up 78 since April 3rd... hmm.., Looking forward to 10.13.2 and this being fixed. Jamf: have a bug-a-thon this weekend before the weather gets too nice, it'll make for a better summer! :]
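The header comparison described in the post above, as an added example that is not part of the original thread and is not Jamf code: it builds and decodes `Authorization: Basic` values per RFC 7617 and reports whether an account still matches when the receiving side decodes the bytes with a different charset. The account names, passwords and the charset-mismatch scenario are constructed assumptions, not the confirmed cause of PI-005660 or PI-005738.

```python
import base64

def basic_header(username, password, charset="utf-8"):
    """Build the Authorization header value for HTTP Basic auth (RFC 7617)."""
    if ":" in username:
        raise ValueError("a Basic auth user-id cannot contain ':'")
    token = f"{username}:{password}".encode(charset)
    return "Basic " + base64.b64encode(token).decode("ascii")

def decode_basic(header, charset="utf-8"):
    """Recover (username, password) from a captured header value."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "basic" or not b64.strip():
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(b64.strip(), validate=True)
    # Split at the first colon only: the password may itself contain ':'.
    user, sep, password = raw.decode(charset).partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password

def same_credentials(header_a, header_b):
    """True when two captured headers carry byte-identical credentials."""
    return (base64.b64decode(header_a.split()[1])
            == base64.b64decode(header_b.split()[1]))

def charset_report(header, username, password, charsets=("utf-8", "latin-1")):
    """For each charset a server might decode with: does the account match?"""
    report = {}
    for cs in charsets:
        try:
            report[cs] = decode_basic(header, cs) == (username, password)
        except ValueError:  # also covers UnicodeDecodeError and bad base64
            report[cs] = False
    return report

# Constructed sample accounts (assumptions, not taken from the thread).
UNICODE_ACCOUNT = ("tech01", "Grüße:2018!")
ASCII_ACCOUNT = ("tech02", "pass-word!")

if __name__ == "__main__":
    for user, pw in (UNICODE_ACCOUNT, ASCII_ACCOUNT):
        hdr = basic_header(user, pw)
        print(user, hdr, charset_report(hdr, user, pw))
```

Byte-identical headers from two client versions place the difference on the receiving side; ASCII punctuation such as `-` or `!` decodes the same under both charsets, so a charset mismatch alone would not account for those cases.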
Posted on 04-20-2018 12:39 PM
We are seeing this as well. Since updating to 10.3 I think...
Posted on 04-23-2018 05:12 AM
This issue has just been introduced for us since upgrading from v10.1.1 to v10.3.1.
Tested on a Jamf local admin account. When imaging I get the message "Unable to create an invitation"
Posted on 04-23-2018 05:15 AM
We also experience this issue with JAMF 10.3.1 - hope that it is solved soon.
Did someone already issue a ticket to JAMF regarding this issue in 10.3.1?
Posted on 04-23-2018 06:57 AM
JAMF says "Currently there is a known product issue (PI-005660). That is if a password contains special characters we are not able to log in to Jamf Imaging. Currently, the only workaround is to create an account with only numbers and letters. This will allow you to log in and image machines. This product is considered critical and we are working on a resolution, but we still are not aware of an ETA when it will be fixed. "
Posted on 04-23-2018 06:10 PM
Thanks @agerson... this was doing my head in. Guess we'll just stick to no complexity and local accounts until the next update.
Posted on 04-24-2018 05:36 AM
It worked for us.
Local account with admin rights and 4 letter pw got it done.
Jamf Pro 10.3.1
Other threads with the same issue:
https://www.jamf.com/jamf-nation/discussions/8133/anyone-seen-unable-to-create-an-invitation
https://www.jamf.com/jamf-nation/discussions/27794/unable-to-create-invitation#responseChild165045
Posted on 04-24-2018 11:38 AM
JAMF confirmed this in a support ticket as well. I just tried again, turns out the username can't have special characters either. For a work-around, create a group with custom (or enrollment if you don't use imaging) and assign the following permissions to enroll and image.
Enrollment:
Computer enrollment invitations CRUD
mobile device enrollment invitations CRUD
Computers CR
Mobile Devices CR
Users CRU
Allow User to Enroll - Checked
Enroll Computers and Mobile Devices - Checked
Add Computers Remotely - Checked
Imaging:
Customize a Configuration - Checked
Use Jamf Imaging - Checked
Use PreStage Imaging and Autorun Imaging - Checked
Posted on 04-25-2018 04:42 AM
Confirmed I had to remove special characters for my imaging to work.
Can we have this patched please, thank you..lol
Posted on 04-25-2018 09:01 AM
Ugh, receiving this as well since upgrading from 10.2.2 to 10.3.1. +1 for the PI-005660 issue here as well. Thanks for publishing the permission sets, @epomelow!
Posted on 04-27-2018 09:41 AM
I had this too, with JSS 10.3.0.
I spent 2 hours rebuilding the Netboot server.. and it was because I had a hyphen in my password.
The issue was my password! No special characters allowed.
Posted on 04-27-2018 12:24 PM
Anyone know if there is a fix for this yet?
Posted on 05-01-2018 08:30 AM
WOW - Just discovered this issue for the first time (had Jamf for 2 years). Running JSS 10.3.1. Never saw this bug before.
I just wasted an entire day troubleshooting this with my desktop support team. It was a freaking ! character in my password! I was hung up thinking it was a DEP error because of the word "invitation" in the error string.
This is a sloppy bug. No excuse for this. Ouch!
Fixed in 10.4?