DEP Sync Failing

sirsir
Contributor

I've noticed lately that ASM is not syncing with JSS intermittently, it will come up with the error:

Sync failed. Awaiting next sync.

I've already placed public token in ASM and have uploaded the ASM token to JSS. No changes have been made to our firewall or filtering system.

We are on version 10.17.1

Is there anything I'm overlooking?

2 ACCEPTED SOLUTIONS

bentoms
Release Candidate Programs Tester

hfike
New Contributor

Can confirm that @bentoms fix worked. Added -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" to the Java Options in the Tomcat Properties, restarted the JSS, and ASM sync'd right away. Thanks!

71 REPLIES

m_donovan
Contributor III

We are on JP 10.15.1 and we are seeing the same thing.

ronhunter212
New Contributor III

Same here, and we were on 10.8 then upgraded to 10.13 and are still having the issue.

GabeShack
Valued Contributor III

Had to replace our DEP token today for that same issue. Nothing on our end changed. Once we redid the DEP token it died again. I keep wondering why this would just fail randomly. We are on 10.16.1

Gabe Shackney
Princeton Public Schools

dan-snelson
Valued Contributor II

We're seeing this as well in our Stage lane (Jamf Pro 10.17.1) and our Production lane (Jamf Pro 10.16.1).

Case #: JAMF-0841146
AppleCare Case No.: 100971412807

dgreening
Valued Contributor II

Apple seems to keep having issues either provisioning new nodes for ABM or in a maintenance script, as certain ABM nodes lose the ability to accept TLS1.3 from time to time.

Dylan_YYC
Contributor III

I'd see this pop up the odd time, but after waiting 15-20 mins and rechecking, all seems to be OK.

Person
New Contributor III

Yes, I am running into this today as well. Seems like an issue with Apple side.

larry_barrett
Valued Contributor

We've seen this a couple times in the past month. Only really matters if you're moving stuff from prestage to prestage and want to reprovision right away. Annoying.

gcarmichael
New Contributor III

I've seen it since 10.14.0 forward on and off. Especially after the legacy VPP/DEP portals have gone away. Check back in on it an hour or so later and it seems to be fine.

tyra_robertson
New Contributor II

Echoing that we've seen it in 10.15.1 and 10.17.0, thanks for sharing the ticket numbers @dan-snelson.

zinkotheclown
Contributor II

I modified the JAVA_OPTS in my setenv.sh file on my jss master node to this and it resolved the issue:
export JAVA_OPTS="$JAVA_OPTS -Xmx8192M -Xms256M -Djava.awt.headless=true -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2""

aaronpolley
Contributor

Just had this on an instance and Ben's fix worked for me as well.

A little concerned about enabling TLS 1.0 and 1.1....

davidhiggs
Contributor III

No issues until today; modified my JAVA_OPTS as mentioned above, working now. RHEL 7 with RHEL OpenJDK 11.0.3

Noret
New Contributor

I also added the line -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" which resolved the issue. Thanks!

sirsir
Contributor

That fix worked for us, thanks! I still can't enroll iPads via DEP but that's another issue.

jbisgett
Contributor II

We have been getting the sync errors on and off for a couple of months, but they would always resolve themselves after a few sync attempts. Today was the longest run where the syncs had consistently failed for over a day.

Modified the setenv.sh on my Ubuntu master as mentioned above and all errors went away immediately after restarting the servers.

m_donovan
Contributor III

This fixed ours as well. I only need to add TLSv1.2 and everything seems fine.

aaronpolley
Contributor

@m.donovan ditto, just re-applied the fix with only TLSv1.2 and sync is still good. That made my Security brain much happier.

Not applicable

Tested successfully with -Djdk.tls.client.protocols="TLSv1.2" on Jamf Pro 10.17.1. Thanks a lot for the tips

kerouak
Valued Contributor

If you are editing the setenv.sh file manually, it's required that the addition is added thus: export JAVA_OPTS="$JAVA_OPTS -Xmx4096M -Xms512M -Djava.awt.headless=true -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2"

Otherwise, Tomcat will not start up.

As soon as I added it, bingo! We're back communicating again...

conitsupport
Contributor

Followed the above, added -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" and it's just started syncing for me again. I also managed to update the token whilst I was at it (although we had till July 20). Thanks.

amityaccounts
New Contributor II

Any assistance as to where to add that to a macOS instance?

dprins
New Contributor II

I applied the above solution by hfike. After I restarted our JSS I came to the wonderful screen of Unable to connect to the Database...
I have followed this KB to solve this. https://www.jamf.com/jamf-nation/articles/135/title
All was correct and it did not solve the issue.

Only after I removed the line "-Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" and rebooted our whole JSS environment did it start working again.

Please be careful when performing the provided solution, as it did our JSS environment no good.

If people have other solutions on how to perform this, I would be glad to hear them.
Because our DEP does not sync at the moment and we need to enroll our devices manually.
We use Server 2016 for our JSS, and the version is 10.17

Hugonaut
Valued Contributor II

@amityaccounts if you mean your JSS is on a macOS server setup, look in the Tomcat directory.

You may have some luck within Terminal finding it; try using the following command

sudo mdfind -name setenv.sh

If that doesn't work, try

sudo find / -name setenv.sh

It will bring up that file located in the backups as well, but ultimately you will find the direct path if you don't know where to look.

carlo_anselmi
Contributor III

+1 only needed to add TLSv1.2 to the Java Options in the Tomcat Properties, restarted and everything seems fine.
Thank you!

amityaccounts
New Contributor II

@Hugonaut thanks for the info, but neither command brings up any results

cscsit
New Contributor III

Any luck with this issue for those of us with JAMF residing on a MAC server? I've tried several variations of this fix and now can't start my Tomcat at all... :-(

GabeShack
Valued Contributor III

Is this the com.jamfsoftware.tomcat.plist?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Disabled</key>
    <false/>
    <key>Label</key>
    <string>com.jamfsoftware.tomcat</string>
    <key>OnDemand</key>
    <false/>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Java/JavaVirtualMachines/amazon-corretto-11.jdk/Contents/Home/bin/java</string>
        <string>-Xms256m</string>
        <string>-Xmx49152m</string>
        <string>-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager</string>
        <string>-Djava.util.logging.config.file=/Library/JSS/Tomcat/conf/logging.properties</string>
        <string>-Djava.awt.headless=true</string>
        <string>-classpath</string>
        <string>/Library/JSS/Tomcat/bin/bootstrap.jar:/Library/JSS/Tomcat/bin/tomcat-juli.jar</string>
        <string>-Dcatalina.base=/Library/JSS/Tomcat</string>
        <string>-Dcatalina.home=/Library/JSS/Tomcat</string>
        <string>-Djava.io.tmpdir=/Library/JSS/Tomcat/temp</string>
        <string>org.apache.catalina.startup.Bootstrap</string>
        <string>start</string>
    </array>
    <key>ServiceIPC</key>
    <false/>
    <key>UserName</key>
    <string>_appserver</string>
</dict>
</plist>

Gabe Shackney
Princeton Public School

Anonymous
Not applicable

On macOS try your jss/tomcat/bin folder for the setenv.sh file. That is where I found it on Ubuntu. On Ubuntu, you want to make sure to add the -Djdk.tls.client.protocols="TLSv1.1,TLSv1.2" to the JAVA_OPTS. I was able to upload my new token at that point but DEP is still not syncing. I'm running Jamf Pro 10.16.1

GabeShack
Valued Contributor III

Editing the above plist worked for me using this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Disabled</key>
    <false/>
    <key>Label</key>
    <string>com.jamfsoftware.tomcat</string>
    <key>OnDemand</key>
    <false/>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Java/JavaVirtualMachines/amazon-corretto-11.jdk/Contents/Home/bin/java</string>
        <string>-Xms256m</string>
        <string>-Xmx49152m</string>
        <string>-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager</string>
        <string>-Djava.util.logging.config.file=/Library/JSS/Tomcat/conf/logging.properties</string>
        <string>-Djava.awt.headless=true</string>
        <string>-Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2"</string>
        <string>-classpath</string>
        <string>/Library/JSS/Tomcat/bin/bootstrap.jar:/Library/JSS/Tomcat/bin/tomcat-juli.jar</string>
        <string>-Dcatalina.base=/Library/JSS/Tomcat</string>
        <string>-Dcatalina.home=/Library/JSS/Tomcat</string>
        <string>-Djava.io.tmpdir=/Library/JSS/Tomcat/temp</string>
        <string>org.apache.catalina.startup.Bootstrap</string>
        <string>start</string>
    </array>
    <key>ServiceIPC</key>
    <false/>
    <key>UserName</key>
    <string>_appserver</string>
</dict>
</plist>

Basically putting the TLS line after the headless line (make sure you don't leave a space) and it came back and synced right away.

Gabe Shackney
Princeton Public Schools

Hugonaut
Valued Contributor II

Not that this helps: https://www.apple.com/support/systemstatus/ since I checked earlier and nothing was up, now ASM shows a resolved issue from only 3:05 to 3:30 - super cheeky, something's up.

LeidenUniv
New Contributor III

We had the same problem: sync problems for 3 days. We tried everything described above (we use RHEL 7 and JDK 11.0.5) but nothing helped.
Only after we renewed the Server token file (which was due in 22 days) did the syncing work again.

amityaccounts
New Contributor II

@gshackney THANK YOU!!! That worked perfectly. I had to recreate our plist, somehow it got a bit garbled [located /Library/LaunchDaemons/com.jamfsoftware.tomcat.plist], after that, a reboot of the server, and a refresh of the key and token between JAMF and Apple, everything is back to normal.

Thank you all in assisting in patching this issue!!

dprins
New Contributor II

@m.donovan Thanks!

I have added TLS 1.2 only as well, as my previous post was a disaster. After a while the JSS was reachable again and the sync was pretty instant.
I recommend doing this if you are on Windows Server and have this issue as well.

lee_smith
Contributor

+1 for @hfike and @bentoms

UoS_iSolutions
New Contributor

+another1 for @hfike - adding export JAVA_OPTS="$JAVA_OPTS -Xmx1024M -Djava.awt.headless=true -Djdk.tls.client.protocols="TLSv1.2"" to /usr/local/jss/tomcat/bin/setenv.sh on all JSS's and restarting tomcat fixed it for us too (we trimmed out the TLS 1 and 1.1 bits as they don't appear to be needed?)
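
Several replies above report that TLSv1.2 alone is enough, so the TLS 1.0 and 1.1 entries from the original fix can be dropped. The following is an added example, not part of any post in this thread and not Jamf's own tooling: a small shell audit that reads a setenv.sh or plist option line, reports whether the legacy protocols are still enabled, and rewrites the option to TLSv1.2 only. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Tomcat JVM option line for the
# jdk.tls.client.protocols list. Function names are hypothetical.

# Print the protocol list found in line $1, without surrounding quotes.
tls_client_protocols() {
    printf '%s\n' "$1" |
        sed -n 's/.*-Djdk\.tls\.client\.protocols="\{0,1\}\([A-Za-z0-9.,]*\).*/\1/p'
}

# Print "unset", "ok", or "legacy:<entries>"; return 1 when TLS 1.0/1.1 is enabled.
audit_tls_protocols() {
    protos=$(tls_client_protocols "$1")
    [ -n "$protos" ] || { echo "unset"; return 0; }
    legacy=""
    old_ifs=$IFS; IFS=,
    for p in $protos; do
        case "$p" in
            TLSv1|TLSv1.1) legacy="${legacy:+$legacy,}$p" ;;
        esac
    done
    IFS=$old_ifs
    [ -z "$legacy" ] || { echo "legacy:$legacy"; return 1; }
    echo "ok"
}

# Rewrite the option to TLSv1.2 only. The quoted form is handled first so the
# closing quote of an enclosing JAVA_OPTS="..." string is never consumed.
pin_tls12() {
    printf '%s\n' "$1" | sed \
        -e 's/\(-Djdk\.tls\.client\.protocols=\)"[A-Za-z0-9.,]*"/\1TLSv1.2/' \
        -e 's/\(-Djdk\.tls\.client\.protocols=\)[A-Za-z0-9.,]*/\1TLSv1.2/'
}

# Constructed sample lines in the shapes quoted in this thread.
while IFS= read -r line; do
    printf '%-22s %s\n' "$(audit_tls_protocols "$line" || true)" "$(pin_tls12 "$line")"
done <<'EOF'
export JAVA_OPTS="$JAVA_OPTS -Xmx8192M -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2""
export JAVA_OPTS="$JAVA_OPTS -Xmx4096M -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2"
<string>-Djdk.tls.client.protocols="TLSv1.2"</string>
<string>-Djava.awt.headless=true</string>
EOF
```

Back up the file before applying a rewritten line, and restart Tomcat afterwards as described in the replies above.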

caseyj3350
New Contributor

Confirmed - this worked for me in Windows too. Syncing is back up.