DEP Sync Failing

sirsir
Contributor

I've noticed lately that ASM is not syncing with JSS intermittently, it will come up with the error:

Sync failed. Awaiting next sync.

I've already placed public token in ASM and have uploaded the ASM token to JSS. No changes have been made to our firewall or filtering system.

We are on version 10.17.1

Is there anything I'm overlooking?

2 ACCEPTED SOLUTIONS

bentoms
Release Candidate Programs Tester

hfike
New Contributor

Can confirm that @bentoms fix worked. Added -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" to the Java Options in the Tomcat Properties, restarted the JSS, and ASM sync'd right away. Thanks!
e7fd0f2bd68444349e0ecabf10743aac

View solution in original post

71 REPLIES 71

janselmi3953
New Contributor III

I can confirm that this worked for me, only needed TLS1.2 thankfully.
I was still having the issue until I renewed the DEP token. I was able to successfully do so after entering in the -Djdk.tls.client.protocols="TLSv1.2" entry. Before adding the entry, I kept getting "cannot connect to Apple Services" error. But all is well now, thank you!

cbBCC
New Contributor

Anyone have the path for Windows Server? Having trouble locating where to tweak the JAVA_OPTS

Sandy
Valued Contributor II

@cbBCC C:Program Files>JSS>Tomcat>Bin>Tomcat8w

CairoJXP
Contributor

Yep! Addd TLS1.2 which worked.

Sandy
Valued Contributor II

Hi,
jp 10.17, Windows 2019
I added this line to Tomcat8w Java options:
Djdk.tls.client.protocols="TLSv1.2"
Restarted tomcat. Edit: working now!

alexjdale
Valued Contributor III

If anyone finds any other angles to this, please post here. I've added the TLSv1.2 line to our Tomcat (10.17.1 on Win 2016 Server) and I still can't sync or upload a new token.

I had literally just gotten this configured and working the week before, so this is a huge bummer. Last sync was on the 8th. We are using Oracle's Java 11, so maybe I have to switch to a free option like most of you have already?

Edit: Looks like it might be Oracle's Java 11, I checked another instance I'd set up for another team on their Windows build with the same version of Java, and it stopped syncing on the morning of the 9th. Mine stopped on the evening of the 8th. I cannot install Corretto because Windows Server 2016 insists it can't run it, even though it is supported. I'm worried I'm completely hosed here.

Sandy
Valued Contributor II

My Java edit did not work until I pasted it into NotePad+++ and then into the Java settings.... Not a Windows person so learning some stuff :)

tyra_robertson
New Contributor II

Also experienced what @janselmi3953 did. Adding the Java settings to setenv.sh didn't solve for us right away, even after the Tomcat restarts. Once I uploaded a new ABM server token to our JSS, we were in business. We're Ubuntu and on JSS v10.17.0.

export JAVA_OPTS="$JAVA_OPTS -Xmx4096M -Xms512M -Djava.awt.headless=true
-Djdk.tls.client.protocols=TLSv1.1,TLSv1.2"

mhegge
Contributor III

Upgraded to 10.17.1 last Friday (12/13). Noticed the issue after upgrading. I made the changes this morning and things remain the same:

"Sync failed. Awaiting next sync

Uploaded a fresh token, still a no go. :(

wmehilos
Contributor

@mhegge You aren't alone. I experienced this back earlier in the month, a few Tomcat bounces and the TLS settings fixed it, though every other sync would fail.

Now it's OAuth errors all the way down. TLS1.1, 1.2, both, none specified, nothing is working. I can't even update the token, all communications with Apple seem to be completely broken. 10.17, Coretto 11.0.5 (which was supposed to have fixed the TLS bug in 11.0.4 that was supposedly causing all this). Not a single one of my Jamf tokens (one for each Site) have successfully connected to ASM since the morning of Dec 9th. I have a single AirWatch server in my ASM instance too, hasn't communicated with ASM since yesterday.

jtrant
Valued Contributor

Sync has been intermittent for me since upgrading to 10.17.0 (and OpenJDK 11.0.5 which was supposed to have the TLS1.3 issue fixed). I'm not seeing any new assignments since the morning of 12/6 either, so something is definitely broken. I've reached out to Jamf Support to see if there's any point enabling TLS1.2 (which I'm hesitant to do).

The fact that it's not just our environment makes me feel a bit better, but given that we're so far into DEP it's strange that Apple's status page says everything is working when it clearly isn't.

Dylan_YYC
Contributor III

Hey guys, just a bit of and update from me on this. I was running into the issue where none of my pre-stages were running. I contacted support and they are aware of this issue. Enabling the above SSL is what we did to get it working, support helped me get that issue sorted.

Person
New Contributor III

Hello, I updated following @bentoms link. I just like to leave a followup. The plist that @gshackney posted is pretty much all that I added to our server. I also renewed my token and all was clear. I wish I posted this sooner but have had other projects come up.

Caleb_Anderson
New Contributor III

Another +1 here for the @gshackney fix being the one that helped us on a Mac server. Restarted Tomcat after editing the plist and DEP synced immediately.

aaronpolley
Contributor

For those following this, the official PI for this appears to be PI-007522

Log into your account and check under My Assets > Product Issues

alexjdale
Valued Contributor III

Still having issues with this, after switching to Amazon Corretto 11.0.5 and forcing TLSv1.2. I ran some packet captures and it appears that Apple is rejecting the initial TLS handshake. Right after our JSS sends the Client Hello, Apple's mdmenrollment.apple.com server sends back a TCP reset packet. TLSv1.2 is being used, the ciphers offered look good, so I opened a case with Apple Enterprise Support.

JCMBowman
New Contributor III

Had the same issue. Applied the fix detailed in PI-007522, I then had to download a new token from Apple School Manager and upload it to JAMF, but the issue is now resolved.

jyoakum
New Contributor III

For those of you who also have SCCM managing your servers. My JSS is hosted on a windows server (which is running the coretto), and I manage it with sccm, after we applied the tls option to java, I still had issues with the web app starting. The solution was to disable or at least stop the SMS Agent Host service and restarting tomcat. It looks they are both trying to use the same port when starting up... port 8005. Once shut down service, the JSS web app started right up. I disabled the service and haven’t tried to restart it yet to see if they can both run but have a set startup order. Hope this helps some.

wkelly1
New Contributor III

@alexjdale Did you ever get this resolved?

mhegge
Contributor III

After resolving this issue, we are seeing some residual affects to macOS devices.

7e531556e7fb4481b1f665a1fd628cf6

4f9e502692aa412f9c38d5af9adc12a5
18e884bce51c48ffac3dc794c668b222

alexjdale
Valued Contributor III

@wkelly1 Yes we were, to a degree. I had to go back to our firewall team since it turned out the connections were being reset by our firewall appliance, but I don't know why this happened at the same time. It was either related or a coincidence, but they were able to whitelist the traffic (again) and it started working. We haven't seen any DEP setup/sync issues since.

Gascolator
Contributor

Adding TLS 1.2 and a reboot worked for me. Server 2016/Caretto.

mpoteet
New Contributor II

@gshackney The fix you posted worked for us. @amityaccounts We also rebooted and refreshed the token.

We are running MacOS 10.14.5, Jamf Pro 10.18.0, MySQL 8.0.16, and Amazon Corretto (OpenJDK) 11.

lpierce
New Contributor III

For folks running the JSS (we are on JSS 10.15.1) on macOS, they will need to update: /Library/LaunchDaemons/com.jamfsoftware.tomcat.plist

You will want to add this to the plist: <string>-Djdk.tls.client.protocols=TLSv1.1,TLSv1.2</string>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Disabled</key>
    <false/>
    <key>Label</key>
    <string>com.jamfsoftware.tomcat</string>
    <key>OnDemand</key>
    <false/>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Java/JavaVirtualMachines/amazon-corretto-11.jdk/Contents/Home/bin/java</string>
        <string>-Xms256m</string>
        <string>-Xmx5000m</string>
        <string>-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager</string>
        <string>-Djava.util.logging.config.file=/Library/JSS/Tomcat/conf/logging.properties</string>
        <string>-Djava.awt.headless=true</string>
        <string>-Djdk.tls.client.protocols=TLSv1.1,TLSv1.2</string>
        <string>-classpath</string>
        <string>/Library/JSS/Tomcat/bin/bootstrap.jar:/Library/JSS/Tomcat/bin/tomcat-juli.jar</string>
        <string>-Dcatalina.base=/Library/JSS/Tomcat</string>
        <string>-Dcatalina.home=/Library/JSS/Tomcat</string>
        <string>-Djava.io.tmpdir=/Library/JSS/Tomcat/temp</string>
        <string>org.apache.catalina.startup.Bootstrap</string>
        <string>start</string>
    </array>
    <key>ServiceIPC</key>
    <false/>
    <key>UserName</key>
    <string>_appserver</string>
</dict>
</plist>

Xaviermlp
New Contributor III

A huge thanks to everyone for the help I found here, the /Library/LaunchDaemons/com.jamfsoftware.tomcat.plist edit solved the issue for our on premise, macOS JSS.
I wanted to add that applying the latest update (I went from 17.1 to 18) broke the fix as the plist was probably edited and garbled by the installer or server tools.

see
New Contributor III
New Contributor III

We high recommend not to include 1 (1.0).

Should look something like this:
Djdk.tls.client.protocols=TLSv1.1,TLSv1.2

Please do not include TLS 1 ( as this is 1.0) and it is deprecated and not secure.

lrivar
New Contributor

Issue: Kept receiving an "Unable to contact Apple Services" while trying to upload the server token file in Jamf from Apple
Adding -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" to the Java Options in the Tomcat Properties resolved my issue

wsapplesupport
New Contributor II

Just discovered my on-prem instance of 10.15.1 on Windows Server 2016 was having the same issue. Uploaded public key on Apple Business Manager and downloaded a new token. When I tried to load the new token on JSS I received an error that Apple Services could not be contacted.

Checked services.msc for Tomcat, but that did not have the java tab. Found that you need to launch tomcatw8.exe from <JSS Install Dir>Tomcatin. That allowed me to add -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" to Java Options. Restarted service, was able to upload token to JSS, and now we're sync'ing.

Many thanks to those on this thread!

gboggs
New Contributor

@wsapplesupport We had the exact same setup as you except on our Windows Server the .exe to launch was tomcat8w.exe. Thanks to everyone here!

gatesp
New Contributor

I've been seeing this the last couple of weeks. It doesn't seem to resolved and I am not seeing my new inventory. I've updated my token - what is the solution? - Patti

GabeShack
Valued Contributor III

@gatesp If you edited the tomcat setting with the TLS lines listed above you should be good. But whenever you update your JSS you have to re edit those settings again.

If your still having issues call support and they should be able to step you through it.

Gabe Shackney
Princeton Public Schools

Gabe Shackney
Princeton Public Schools

rstasel
Valued Contributor

Just ran into this... years later. I had removed these settings at the advice of Jamf support and that immediately broke DEP. Odd that Apple or Jamf haven't fixed this, and it's concerning since Jamf lists disabling this functionality in future versions. =(