Jamf Nation Community

We ran into this issue yesterday and fixed it:

We were running Jamf 9.101.0 and had no issues.
We then upgraded the Jamf server to 10.4 and this introduced the bug for us. Our usernames all have a hyphen in the middle so we would get the error when trying to re-image a Mac over NetBoot "Unable to create an invitation. Check to make sure you have permission to create an invitation". These accounts were all AD accounts and full administrators in Jamf. A work around was to add an AD account as a full administrator in Jamf without any special characters in the username.

The Fix:
Our NetBoot Image (Created with AutoCasperNBI) was created on a Mac that had the Jamf Suite 9.101.0 installed. You could see the version number in the Casper Imaging application when attempting a Netboot re-image.

We then installed the Jamf Pro suite 10.4 and the latest version of AutoCasperNBI on a Mac and created a new NetBoot Image and uploaded it to the NetSUS server.

This fixed the issue for us. Update the NBI with version 10.4 and you should be fine.

The password issue (in Jamf 10.3) has been resolved by updating to Jamf Pro 10.4.

So for people who are saying this is fixed as of 10.4, has everyone had to update both their JSS and the version of Jamf Imaging.app on their NBI's? (Assuming you are using NetBoot, of course.) That seems to be my experience as well.

So we just upgraded from Casper 9.100.0 to Jamf Pro 10.3.1 a week ago and are getting hit by this issue. We use Active Directory groups and accounts to grant rights and sign into Jamf Pro.

So far in testing and reports from site admins I have found that the following characters DON'T work:

hashtags (#), exclamations (!), spaces ( ), at signs (@), ampersand (&)

The following characters DO work:

numbers, lowercase letters, uppercase letters, underscores ( _ )

When a password has any of the characters that don't work we see the following errors:
Jamf Imaging: We can log into the application fine, but when attempting to image we get

Unable to create an invitation. Check to make sure you have permissions to create an invitation.

Recon: We can log into the application fine, but when creating a QuickAdd package or using Remote Enrollment we get

Enrollment failed. Make sure you have the Create privilege for Computer Enrollment Invitations. Also, make sure you have access to at least one site. Connection failure: "The operation couldn't be completed. (NSURLErrorDomain error -1012.)"

The product issue is reported as the following in the 10.4.0 Release Notes with just the Jamf Imaging application:

[PI-005660] Fixed an issue that caused an error to display when imaging computers using Jamf Pro administrator passwords containing special characters. Note: When interacting with the Jamf API, the encoding for credentials must be UTF-8. Failure to use this encoding may cause authentication issues with the Jamf API when the username or password contain certain international characters.

For some reason they don't include Recon as being fixed in the 10.4.0 release notes even though we have tested Recon 10.3.1 and found it also has the issue.

Due to the fact that we just upgraded to 10.3.1, it would be several weeks of testing before we would upgrade to 10.4.x (or 10.5.x if it drops soon).

Since it is only an issue with the applications themselves and not the JSS, would it be safe to use the 10.4.1 versions of the applications with the JSS still running 10.3.1? And is this scenario is supported by Jamf? I thought had come across documentation that stated which scenarios you could/couldn't use the apps (new apps/older server older apps/newer server, etc.) but can't find it on Jamf Nation. For example, Composer doesn't matter since it doesn't talk to the JSS.

We have done some brief testing of the 10.4.1 apps against the 10.3.1 JSS and the only one that displays a version mismatch is Jamf Admin. Obviously we can temporarily change our AD passwords to something simpler or set up temp accounts, but just wanted to see if anybody has tried this scenario as an alternative to reducing password strength.

I can't speak for Recon because we rarely ever use it and I don't have the same historical data in my head, but I would suspect running mismatched versions of Jamf Imaging.app and JSS should be fine. Before this issue occurred, I hadn't upgrade my NetBoot image in years and it was still using Casper Imaging.app 9.82 with JSS 10.2.1. I think it if wouldn't work, you'd know immediately, like with Jamf Admin.app. But, this is just from experience. Someone else here could completely contradict me.

Thanks you anickless for succinctly highlighting the issue and its solution. My user account was LDAP (john.smith) and password had a 1 on the end. Creating a local JAMF Pro admin user account and password, without numbers or a full stop (period), solved this for me.

At first I thought it was the fact I had upgraded JAMP Pro Server, and the JAMF Pro app suite, but not the version of Casper Imaging running on the netboot, but the new local JAMF Pro username and password fixed it for me.

Thanks.

Just had this come up in Jamf Pro version 10.5.0
So it's not fixed?

We haven't had a reoccurrence of the issue and we're running 10.5. Has anything else changed in your environment, like new users or new groups being added? And, are you upgrading Jamf Imaging.app at the same time?

Thanks for your response @bmarks Nothing significant has changed in the environment, no. I mean, we add new people/users every month because we hire into Security and IT - but that has never caused an issue before. There are only 2 groups and we clone others when we get new hires. I am not upgrading Jamf Imaging now, we upgrade it when we upgrade Jamf. We've been on 10.5 for a bit now. More strangely, it locks out my user when this happens. Seems a LOT like it's my password...that's why I question whether or not it's fixed. My password does have one of the "no no" characters in it, but I had not seen this issue until Friday, late afternoon, after doing TONS of test images throughout the day.

We just started running into this issue today on 10.5. odd thing is we have running 10.5 for a good while with no issue.

@evan684 Whew...glad I'm not the only one. It is a password thing. I had to remove all of my special characters. Underscores used to be "okay" last time this happened...not the case this time. My password is now only alphanumeric and I'm not happy about it. Many companies require a special character...so hopefully this gets fixed quickly.

@danapeters I ended up figuring out the problem. A handful of new flash drives were made for imaging with an older version of the imaging app 10.1.1. Once we swapped these with our current version of jamf imaging we were good to go with symbols in the password.

Thanks everybody!