Posted on 12-09-2019 06:13 AM
I've noticed lately that ASM is not syncing with JSS intermittently, it will come up with the error:
Sync failed. Awaiting next sync.
I've already placed public token in ASM and have uploaded the ASM token to JSS. No changes have been made to our firewall or filtering system.
We are on version 10.17.1
Is there anything I'm overlooking?
Posted on 12-09-2019 07:01 AM
We are on JP 10.15.1 and we are seeing the same thing.
Posted on 12-09-2019 09:49 AM
Same here, and we were on 10.8 then upgraded to 10.13 and are still having the issue.
Posted on 12-09-2019 09:49 AM
Had to replace our DEP token today for that same issue. Nothing on our end changed. Once we redid the DEP token it died again. I keep wondering why this would just fail randomly. We are on 10.16.1
Gabe Shackney
Princeton Public Schools
Posted on 12-09-2019 09:52 AM
We're seeing this as well in our Stage lane (Jamf Pro 10.17.1) and our Production lane (Jamf Pro 10.16.1).
Case #: JAMF-0841146
AppleCare Case No.: 100971412807
Posted on 12-09-2019 09:56 AM
Apple seems to keep having issues either provisioning new nodes for ABM or in a maintenance script, as certain ABM nodes lose the ability to accept TLS1.3 from time to time.
Posted on 12-09-2019 10:00 AM
I'd see this pop up the odd time, but after waiting 15-20 mins and rechecking all seems to be ok.
Posted on 12-09-2019 10:11 AM
Yes, I am running into this today as well. Seems like an issue with Apple side.
Posted on 12-09-2019 10:13 AM
We've seen this a couple times in the past month. Only really matters if you're moving stuff from prestage to prestage and want to reprovision right away. Annoying.
Posted on 12-09-2019 12:59 PM
I've seen it since 10.14.0 forward on and off. Especially after the legacy vpp/dep portals have gone away. Check back in on it an hour or so later and it seems to be fine.
Posted on 12-09-2019 02:12 PM
Echoing that we've seen it in 10.15.1 and 10.17.0, thanks for sharing the ticket numbers @dan-snelson.
Posted on 12-09-2019 02:50 PM
Sounds a lot like: https://macmule.com/2019/10/01/more-dep-sync-errors/
Posted on 12-09-2019 04:28 PM
Can confirm that @bentoms fix worked. Added -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" to the Java Options in the Tomcat Properties, restarted the JSS, and ASM sync'd right away. Thanks!
Posted on 12-09-2019 04:48 PM
I modified the JAVA_OPTS in my setenv.sh file on my jss master node to this and it resolved the issue:
export JAVA_OPTS="$JAVA_OPTS -Xmx8192M -Xms256M -Djava.awt.headless=true -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2"
Posted on 12-09-2019 05:31 PM
Just had this on an instance and Ben's fix worked for me as well.
A little concerned about enabling TLS 1.0 and 1.1....
Posted on 12-09-2019 09:54 PM
No issues until today, modified my JAVA_OPTS as mentioned above, working now. RHEL 7 with RHEL OpenJDK 11.0.3
Posted on 12-10-2019 01:38 AM
I also added the line -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" which resolved the issue. Thanks!
Posted on 12-10-2019 05:25 AM
That fix worked for us, thanks! I still can't enroll iPads via DEP but that's another issue.
Posted on 12-10-2019 01:18 PM
We have been getting the sync errors on and off for a couple of months, but they would always resolve themselves after a few sync attempts. Today was the longest run where the syncs had consistently failed for over a day.
Modified the setenv.sh on my Ubuntu master as mentioned above and all errors went away immediately after restarting the servers.
Posted on 12-10-2019 01:36 PM
This fixed ours as well. I only need to add TLSv1.2 and everything seems fine.
Posted on 12-10-2019 11:57 PM
@m.donovan ditto, just re-applied the fix with only TLSv1.2 and sync is still good. That made my Security brain much happier.
Posted on 12-11-2019 01:06 AM
Tested successfully with -Djdk.tls.client.protocols="TLSv1.2" on Jamf Pro 10.17.1. Thanks a lot for the tips
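Several posts above raise the concern about enabling TLS 1.0 and 1.1 and report that TLSv1.2 alone is enough. The script below is an added example, not part of any post in this thread: it reads JVM option text (setenv.sh, the launchd plist, or pasted Java Options) and flags any jdk.tls.client.protocols list that still contains a protocol older than TLSv1.2. The function names and the sample strings are hypothetical, constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit jdk.tls.client.protocols in JVM options.
# Reads option text on stdin: setenv.sh, a launchd plist, or pasted Java Options.

# Print the value of every -Djdk.tls.client.protocols=... occurrence, one per line,
# dropping the optional opening double quote seen in the thread's variants.
extract_tls_protocols() {
    grep -o -e '-Djdk\.tls\.client\.protocols="\{0,1\}[A-Za-z0-9.,]\{1,\}' |
        sed -e 's/^[^=]*=//' -e 's/^"//'
}

# Classify one comma-separated list: "ok" only if every entry is TLSv1.2 or TLSv1.3;
# anything else (TLSv1, TLSv1.1, SSLv3, typos) is reported as "legacy".
classify_protocols() {
    verdict=ok
    old_ifs=$IFS; IFS=,
    for proto in $1; do
        case $proto in
            TLSv1.2|TLSv1.3) ;;
            *) verdict=legacy ;;
        esac
    done
    IFS=$old_ifs
    echo "$verdict"
}

# Prints "<verdict> <list>" per occurrence, ignoring shell comment lines.
# Returns 0 if all lists are ok, 1 if any is legacy, 2 if the property is absent.
audit_tls_options() {
    lists=$(grep -v '^[[:space:]]*#' | extract_tls_protocols)
    [ -n "$lists" ] || { echo "absent"; return 2; }
    result=0
    for list in $lists; do
        verdict=$(classify_protocols "$list")
        echo "$verdict $list"
        [ "$verdict" = ok ] || result=1
    done
    return "$result"
}

# Constructed sample input modelled on the option strings quoted in the thread.
SAMPLE_SETENV='export JAVA_OPTS="$JAVA_OPTS -Xmx1024M -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2"'
SAMPLE_PLIST='<string>-Djdk.tls.client.protocols="TLSv1.2"</string>'

printf '%s\n' "$SAMPLE_SETENV" | audit_tls_options || true   # legacy TLSv1.1,TLSv1.2
printf '%s\n' "$SAMPLE_PLIST"  | audit_tls_options || true   # ok TLSv1.2
```

To check a real file, pipe it in, for example `audit_tls_options < setenv.sh`, and treat a non-zero exit status as a finding.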
Posted on 12-11-2019 01:12 AM
If you are editing the setenv.sh file manually, it's required that the addition is added thus: export JAVA_OPTS="$JAVA_OPTS -Xmx4096M -Xms512M -Djava.awt.headless=true -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2"
Otherwise, Tomcat will not start up.
As soon as I added it, bingo! We're back communicating again...
Posted on 12-11-2019 06:38 AM
Followed the above, added -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" and it's just started syncing for me again. I also managed to update the token whilst I was at it (although we had till July 20). Thanks.
Posted on 12-11-2019 06:46 AM
Any assistance as to where to add that to a macOS instance?
Posted on 12-11-2019 07:39 AM
I applied the above solution by HVIKE. After I restarted our JSS I came to the wonderful screen of Unable to connect to the Database...
I have followed this KB to solve this. https://www.jamf.com/jamf-nation/articles/135/title
All was correct and it did not solve the issue.
Only after I removed the line -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" and rebooted our whole JSS environment did it start working again.
Please be careful when performing the provided solution, as it did our JSS environment no good.
If people have other solutions on how to perform this, I would be glad to hear them.
Because our DEP does not sync at the moment and we need to enroll our devices manually.
We use Server 2016 for our JSS, and the version is 10.17
Posted on 12-11-2019 07:44 AM
@amityaccounts if you mean your JSS is on a macOS server setup, look in the Tomcat directory.
You may have some luck within terminal finding it, try using the following command
sudo mdfind -name setenv.sh
If that doesn't work, try
sudo find / -name setenv.sh
It will bring that file up located in the backups as well, but ultimately you will find the direct path if you don't know where to look.
Posted on 12-11-2019 07:44 AM
+1 only needed to add TLSv1.2 to the Java Options in the Tomcat Properties, restarted and everything seems fine.
Thank you!
Posted on 12-11-2019 09:08 AM
@Hugonaut thanks for the info, but neither command brings up any results
Posted on 12-11-2019 12:28 PM
Any luck with this issue for those of us with JAMF residing on a MAC server? I've tried several variations of this fix and now can't start my Tomcat at all... :-(
Posted on 12-11-2019 12:38 PM
Is this the com.jamfsoftware.tomcat.plist?
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Disabled</key>
<false/>
<key>Label</key>
<string>com.jamfsoftware.tomcat</string>
<key>OnDemand</key>
<false/>
<key>ProgramArguments</key>
<array>
<string>/Library/Java/JavaVirtualMachines/amazon-corretto-11.jdk/Contents/Home/bin/java</string>
<string>-Xms256m</string>
<string>-Xmx49152m</string>
<string>-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager</string>
<string>-Djava.util.logging.config.file=/Library/JSS/Tomcat/conf/logging.properties</string>
<string>-Djava.awt.headless=true</string>
<string>-classpath</string>
<string>/Library/JSS/Tomcat/bin/bootstrap.jar:/Library/JSS/Tomcat/bin/tomcat-juli.jar</string>
<string>-Dcatalina.base=/Library/JSS/Tomcat</string>
<string>-Dcatalina.home=/Library/JSS/Tomcat</string>
<string>-Djava.io.tmpdir=/Library/JSS/Tomcat/temp</string>
<string>org.apache.catalina.startup.Bootstrap</string>
<string>start</string>
</array>
<key>ServiceIPC</key>
<false/>
<key>UserName</key>
<string>_appserver</string>
</dict>
</plist>
Gabe Shackney
Princeton Public School
Posted on 12-11-2019 12:44 PM
On macOS try your jss/tomcat/bin folder for the setenv.sh file. That is where I found it on Ubuntu. On Ubuntu, you want to make sure to add the -Djdk.tls.client.protocols="TLSv1.1,TLSv1.2" to the JAVA_OPTS. I was able to upload my new token at that point but DEP is still not syncing. I'm running Jamf Pro 10.16.1
Posted on 12-11-2019 12:48 PM
Editing the above plist worked for me using this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Disabled</key>
<false/>
<key>Label</key>
<string>com.jamfsoftware.tomcat</string>
<key>OnDemand</key>
<false/>
<key>ProgramArguments</key>
<array>
<string>/Library/Java/JavaVirtualMachines/amazon-corretto-11.jdk/Contents/Home/bin/java</string>
<string>-Xms256m</string>
<string>-Xmx49152m</string>
<string>-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager</string>
<string>-Djava.util.logging.config.file=/Library/JSS/Tomcat/conf/logging.properties</string>
<string>-Djava.awt.headless=true</string>
<string>-Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2"</string>
<string>-classpath</string>
<string>/Library/JSS/Tomcat/bin/bootstrap.jar:/Library/JSS/Tomcat/bin/tomcat-juli.jar</string>
<string>-Dcatalina.base=/Library/JSS/Tomcat</string>
<string>-Dcatalina.home=/Library/JSS/Tomcat</string>
<string>-Djava.io.tmpdir=/Library/JSS/Tomcat/temp</string>
<string>org.apache.catalina.startup.Bootstrap</string>
<string>start</string>
</array>
<key>ServiceIPC</key>
<false/>
<key>UserName</key>
<string>_appserver</string>
</dict>
</plist>
Basically putting the TLS line after the headless line (make sure you don't leave a space) and it came back and synced right away
Gabe Shackney
Princeton Public Schools
Posted on 12-11-2019 01:39 PM
Not that this helps: https://www.apple.com/support/systemstatus/ since I checked earlier and nothing was up, now ASM shows resolved issue from only 3:05 to 3:30 - super cheeky, something's up.
Posted on 12-11-2019 11:06 PM
We had the same problem: Sync Problems since 3 days.
We tried everything described above (we use RHEL 7 and JDK 11.0.5) but nothing helped.
Only after we renewed the Server token file (which was due in 22 days) the syncing works again.
Posted on 12-12-2019 05:21 AM
@gshackney THANK YOU!!! That worked perfectly. I had to recreate our plist, somehow it got a bit garbled [located /Library/LaunchDaemons/com.jamfsoftware.tomcat.plist], after that, a reboot of the server, and a refresh of the key and token between JAMF and Apple, everything is back to normal.
Thank you all in assisting in patching this issue!!
Posted on 12-12-2019 07:26 AM
@m.donovan Thanks!
I have added TLS 1.2 only as well, as my previous post was a disaster.
After a while the JSS was reachable again and the sync was pretty instant.
I recommend doing this if you are on Windows Server and have this issue as well.
Posted on 12-12-2019 07:40 AM
Posted on 12-12-2019 08:18 AM
+another1 for @hfike - adding export JAVA_OPTS="$JAVA_OPTS -Xmx1024M -Djava.awt.headless=true -Djdk.tls.client.protocols=TLSv1.2" to /usr/local/jss/tomcat/bin/setenv.sh on all JSS's and restarting tomcat fixed it for us too (we trimmed out the TLS 1 and 1.1 bits as they don't appear to be needed?)
Posted on 12-12-2019 08:51 AM
Confirmed - this worked for me in Windows too. Syncing is back up.