DEP Sync Failing


I've noticed lately that ASM is not syncing with JSS intermittently, it will come up with the error:

Sync failed. Awaiting next sync.

I've already placed public token in ASM and have uploaded the ASM token to JSS. No changes have been made to our firewall or filtering system.

We are on version 10.17.1

Is there anything I'm overlooking?


Release Candidate Programs Tester

New Contributor

Can confirm that @bentoms fix worked. Added -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" to the Java Options in the Tomcat Properties, restarted the JSS, and ASM sync'd right away. Thanks!

View solution in original post


Contributor III

We are on JP 10.15.1 and we are seeing the same thing.

New Contributor III

same here and we were on 10.8 then upgraded to 10.13 and still having the issue

Valued Contributor III

Had to replace our DEP token today for that same issue. Nothing on our end changed. Once we redid the DEP token it died again. I keep wondering why this would just fail randomly. We are on 10.16.1

Gabe Shackney
Princeton Public Schools

Princeton Public Schools

Valued Contributor II

We're seeing this as well in our Stage lane (Jamf Pro 10.17.1) and our Production lane (Jamf Pro 10.16.1).

Case #: JAMF-0841146
AppleCare Case No.: 100971412807

Valued Contributor II

Apple seems to keep having issues either provisioning new nodes for ABM or in a maintenance script, as certain ABM nodes lose the ability to accept TLS1.3 from time to time.

Contributor III

Id see this pop up the odd time, but after waiting 15-20 mins and rechecking all seems to be ok.

New Contributor III

Yes, I am running into this today as well. Seems like an issue with Apple side.

Valued Contributor

We've seen this a couple times in the past month. Only really matters if you're moving stuff from prestage to prestage and want to reprovision right away. Annoying.

New Contributor III

Ive seen it since 10.14.0 forward on and off. Especially after the legacy vpp/dep portals have gone away. Check back in on it an hour or so later and it seems to be fine.

New Contributor II

Echoing that we've seen it in 10.15.1 ans 10.17.0, thanks for sharing the ticket numbers @dan-snelson.

Release Candidate Programs Tester

New Contributor

Can confirm that @bentoms fix worked. Added -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" to the Java Options in the Tomcat Properties, restarted the JSS, and ASM sync'd right away. Thanks!

Contributor II

I modified the JAVA_OPTS in my file on my jss master node to this and it resolved the issue:
export JAVA_OPTS="$JAVA_OPTS -Xmx8192M -Xms256M -Djava.awt.headless=true -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2""


Just had this on an instance and Ben's fix worked for me as well.

A little concerned about enabling TLS 1.0 and 1.1....

Contributor III

no issues until today, modified my JAVA_OPTS as mentioned above, working now. RHEL 7 with RHEL OpenJDK 11.0.3

New Contributor

I also added the line -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" which resolved the issue. Thanks!


That fix worked for us, thanks! I still can't enroll iPads via DEP but thats another issue.

Contributor II

We have been getting the sync errors on and off for a couple of months, but they would always resolve themselves after a few sync attempts. Today was the longest run where the syncs had consistently failed for over a day.

Modified the on my Ubuntu master as mentioned above and all errors went away immediately after restarting the servers.

Contributor III

This fixed ours as well. I only need to add TLSv1.2 and everything seems fine.


@m.donovan ditto, just re-applied the fix with only TLSv1.2 and sync is still good. That made my Security brain much happier.

Not applicable

Tested successfully with -Djdk.tls.client.protocols="TLSv1.2" on Jamf Pro 10.17.1. Thanks a lot for the tips

Valued Contributor

if you are editing the file manually, it's required that the addition is added thus: export JAVA_OPTS="$JAVA_OPTS -Xmx4096M -Xms512M -Djava.awt.headless=true -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2"

otherwise, Tomcat will not startup.

as soon as I added it, bingo! We're back communicating again...


Followed the above added -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" and its just started syncing for me again, i also managed to update token whilst i was at it (although we had till July 20. Thanks.

New Contributor II

any assistance as to where to add that to a macOS instance

New Contributor II

I applied the above solution by HVIKE. After I restarted our JSS I came to the wonferful screen of Unable to connect to the Database...
I have followed this KB to solve this.
All was correct and it did not solve the issue.

Only after I removed the line "-Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" and rebooted our whole JSS environment it started working again.

Please be carefull by performing the provided solution as it did our JSS environment not good.

If people have a other solutions on how to perform this, I would be glad to hear it.
Because our DEP does not sync at the moment en we need to enroll our Devices manual.
We use Server 2016 for our JSS, and the version is 10.17

Valued Contributor II

@amityaccounts if you mean you're jss is on a mac os server setup, look in the Tomcat directory.

You may have some luck within terminal finding it, try using the following command

sudo mdfind -name

if that doesnt work, try

sudo find / -name

it will bring that file up located in the backups as well, but ultimately you will find the direct path if you don't know where to look.

Looking for a Jamf Managed Service Provider? Look no further than Rocketman

Virtual MacAdmins Monthly Meetup - First Friday, Every Month

Contributor III

+1 only needed to add TLSv1.2 to the Java Options in the Tomcat Properties, restarted and everything seems fine.
Thank you!

New Contributor II

@Hugonaut thanks for the info, but neither command brings up any results

New Contributor III

Any luck with this issue for those of us with JAMF residing on a MAC server? I've tried several variations of this fix and now can't start my Tomcat at all... :-(

Valued Contributor III

Is this the com.jamfsoftware.tomcat.plist?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">

Gabe Shackney
Princeton Public School

Princeton Public Schools

Not applicable

on macOS try your jss/tomcat/bin folder for the file. That is where I found it on Ubuntu. on Ubuntu, you want to make sure to add the -Djdk.tls.client.protocols="TLSv1.1,TLSv1.2" to the JAVA_OPTS. I was able to upload my new token at that point but DEP is still not syncing. I'm running Jamf Pro 10.16.1

Valued Contributor III

Editing the above plist worked for me using this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">

Basically putting the TLS line after the headless line (make sure you dont leave a space) and it came back and synced right away

Gabe Shackney
Princeton Public Schools

Princeton Public Schools

Valued Contributor II

not that this helps : since i checked earlier and nothing was up, now ASM shows resolved issue from only 3:05 to 3:30 - super cheeky, somethings up.

Looking for a Jamf Managed Service Provider? Look no further than Rocketman

Virtual MacAdmins Monthly Meetup - First Friday, Every Month

New Contributor III

We had the same problem: Sync Problems since 3 days. We tried everything described above (we use RHEL 7 and JDK 11.0.5) but nothing helped.
Only after we renewed the Server token file (which was due in 22 days) the syncing works again.

New Contributor II

@gshackney THANK YOU!!! That worked perfectly. I had to recreate our plist, somehow it got a bit garbled [located /Library/LaunchDaemons/com.jamfsoftware.tomcat.plist], after that, a reboot of the server, and a refresh of the key and token between JAMF and Apple, everything is back to normal.

Thank you all in assisting in patching this issue!!

New Contributor II

@m.donovan Thanks!

I have added the TLS 1.2. only as well as my previous post was a disaster. After a while the JSS was reachable again and the sync was pretty instant.
I recommend to do this if you are on Windows Server and has this issue as well.


+1 for @hfike and @bentoms

New Contributor

+another1 for @hfike - adding export JAVA_OPTS="$JAVA_OPTS -Xmx1024M -Djava.awt.headless=true -Djdk.tls.client.protocols="TLSv1.2"" to /usr/local/jss/tomcat/bin/ on all JSS's and restarting tomcat fixed it for us too (we trimmed out the TLS 1 and 1.1 bits as they don't appear to be needed?)

New Contributor

Confirmed - this worked for me in Windows too. Syncing is back up.