Computers unmanaged after initial enrollment?

homerbartlett
New Contributor

Lately when we self-enroll computers, the QuickAdd.pkg install says it failed. Self Service app is installed, but shows no content. On the JSS, the computers are there but with no name, OS info, etc. Issuing a "sudo jamf recon" on the machine resolves the issue, but would really like to resolve the underlying issue.

Once one of the computers in question goes from unmanaged to managed, we can see this error in the Management tab of that computer's profile

external image link

Anyone have any clues here?

13 REPLIES

davidacland
Honored Contributor II

That sounds normal for the first part of the enrollment. When a computer first starts enrolling, a blank computer record is created with no info. Then, as the recon progresses, the inventory record is completed. So I would guess there is some kind of interruption halfway through.

homerbartlett
New Contributor

Thanks David, sounds about right. Any thoughts on where to look next?

Simmo
Contributor II

Check your /var/logs/install.log while you run the QuickAdd.pkg to see if you get any errors.

homerbartlett
New Contributor

install.log shows this:

Feb 26 15:52:00 <computername>.local installd[17904]: postinstall: There was an error.
Feb 26 15:52:00 <computername>.local installd[17904]: postinstall:      Error enrolling computer: Permission Error - The user specified does not have permission to perform the action.
Feb 26 15:52:00 <computername>.local installd[17904]: postinstall: Enrollment Failed. This PKG may be used already.

jamf.log shows this:

There was an error.

     Error enrolling computer: Permission Error - The user specified does not have permission to perform the action.

homerbartlett
New Contributor

To clarify our setup, we're using LDAP. We authenticate as the computer user on the enroll page (via LDAP) and download and run the QuickAdd.pkg.

Fveja
New Contributor III

The Permission Error you are receiving is in regards to the user that was used to authenticate when creating the QuickAdd.pkg. Make sure the user has the right privileges in Casper. If all else fails, recreate the QuickAdd.pkg using Recon.

homerbartlett
New Contributor

Thanks Fveja. We're authenticating via LDAP when enrolling. I don't see a way to manipulate the permissions of LDAP users in JSS. Can you point me in the right direction?

RobertHammen
Valued Contributor II

Settings->System Settings->JSS User Accounts & Groups->

You may need to Add Group from LDAP and give it enrollment privileges. This would be a group, either pre-existing or one you create in AD, for the users that will be enrolling their own machines.

homerbartlett
New Contributor

Thanks Robert. We have Global Management>User-Initiated Enrollment configured to enable user-initiated enrollment for OS X and under the Access tab of that setting we have the group "All LDAP Users" set to Yes for Institutional Enrollment. Shouldn't that cover it?

Also just for the record we are using a variant of OpenLDAP, not AD.

Thanks!

RobertHammen
Valued Contributor II

Yes, that should. Wonder if there is something awry with your directory mapping or the JSS' traversal of your LDAP. I would contact JAMF Support.

homerbartlett
New Contributor

Cool, thanks Robert. We are working with our JAMF rep now.

dontmakememac
New Contributor III

I hate to revive a years-old thread... @homerbartlett did you find the root cause of this issue? I'm experiencing almost the same exact situation. Looking for leads before contacting Jamf Tech.

curullij
Contributor

@crehorewp Did you find a solution? I am seeing the same thing in my setup.