I've noticed lately that ASM is intermittently not syncing with JSS; it comes up with the error:
Sync failed. Awaiting next sync.
I've already placed public token in ASM and have uploaded the ASM token to JSS. No changes have been made to our firewall or filtering system.
We are on version 10.17.1
Is there anything I'm overlooking?
I can confirm that this worked for me, only needed TLS1.2 thankfully.
I was still having the issue until I renewed the DEP token. I was able to successfully do so after entering the -Djdk.tls.client.protocols="TLSv1.2" entry. Before adding the entry, I kept getting a "cannot connect to Apple Services" error. But all is well now, thank you!
If anyone finds any other angles to this, please post here. I've added the TLSv1.2 line to our Tomcat (10.17.1 on Win 2016 Server) and I still can't sync or upload a new token.
I had literally just gotten this configured and working the week before, so this is a huge bummer. Last sync was on the 8th. We are using Oracle's Java 11, so maybe I have to switch to a free option like most of you have already?
Edit: Looks like it might be Oracle's Java 11, I checked another instance I'd set up for another team on their Windows build with the same version of Java, and it stopped syncing on the morning of the 9th. Mine stopped on the evening of the 8th. I cannot install Corretto because Windows Server 2016 insists it can't run it, even though it is supported. I'm worried I'm completely hosed here.
Also experienced what @janselmi3953 did. Adding the Java settings to setenv.sh didn't solve for us right away, even after the Tomcat restarts. Once I uploaded a new ABM server token to our JSS, we were in business. We're Ubuntu and on JSS v10.17.0.
export JAVA_OPTS="$JAVA_OPTS -Xmx4096M -Xms512M -Djava.awt.headless=true"
@mhegge You aren't alone. I experienced this back earlier in the month, a few Tomcat bounces and the TLS settings fixed it, though every other sync would fail.
Now it's OAuth errors all the way down. TLS1.1, 1.2, both, none specified, nothing is working. I can't even update the token; all communications with Apple seem to be completely broken. 10.17, Corretto 11.0.5 (which was supposed to have fixed the TLS bug in 11.0.4 that was supposedly causing all this). Not a single one of my Jamf tokens (one for each Site) has successfully connected to ASM since the morning of Dec 9th. I have a single AirWatch server in my ASM instance too; it hasn't communicated with ASM since yesterday.
Sync has been intermittent for me since upgrading to 10.17.0 (and OpenJDK 11.0.5 which was supposed to have the TLS1.3 issue fixed). I'm not seeing any new assignments since the morning of 12/6 either, so something is definitely broken. I've reached out to Jamf Support to see if there's any point enabling TLS1.2 (which I'm hesitant to do).
The fact that it's not just our environment makes me feel a bit better, but given that we're so far into DEP it's strange that Apple's status page says everything is working when it clearly isn't.
Still having issues with this, after switching to Amazon Corretto 11.0.5 and forcing TLSv1.2. I ran some packet captures and it appears that Apple is rejecting the initial TLS handshake. Right after our JSS sends the Client Hello, Apple's mdmenrollment.apple.com server sends back a TCP reset packet. TLSv1.2 is being used, the ciphers offered look good, so I opened a case with Apple Enterprise Support.
For those of you who also have SCCM managing your servers: my JSS is hosted on a Windows server (which is running Corretto), and I manage it with SCCM. After we applied the TLS option to Java, I still had issues with the web app starting. The solution was to disable, or at least stop, the SMS Agent Host service and restart Tomcat. It looks like they are both trying to use the same port when starting up: port 8005. Once I shut down the service, the JSS web app started right up. I disabled the service and haven't tried to restart it yet to see if they can both run with a set startup order. Hope this helps some.
@wkelly1 Yes we were, to a degree. I had to go back to our firewall team since it turned out the connections were being reset by our firewall appliance, but I don't know why this happened at the same time. It was either related or a coincidence, but they were able to whitelist the traffic (again) and it started working. We haven't seen any DEP setup/sync issues since.
For folks running the JSS (we are on JSS 10.15.1) on macOS, they will need to update: /Library/LaunchDaemons/com.jamfsoftware.tomcat.plist
You will want to add this to the plist: <string>-Djdk.tls.client.protocols=TLSv1.1,TLSv1.2</string>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Disabled</key>
    <false/>
    <key>Label</key>
    <string>com.jamfsoftware.tomcat</string>
    <key>OnDemand</key>
    <false/>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Java/JavaVirtualMachines/amazon-corretto-11.jdk/Contents/Home/bin/java</string>
        <string>-Xms256m</string>
        <string>-Xmx5000m</string>
        <string>-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager</string>
        <string>-Djava.util.logging.config.file=/Library/JSS/Tomcat/conf/logging.properties</string>
        <string>-Djava.awt.headless=true</string>
        <string>-Djdk.tls.client.protocols=TLSv1.1,TLSv1.2</string>
        <string>-classpath</string>
        <string>/Library/JSS/Tomcat/bin/bootstrap.jar:/Library/JSS/Tomcat/bin/tomcat-juli.jar</string>
        <string>-Dcatalina.base=/Library/JSS/Tomcat</string>
        <string>-Dcatalina.home=/Library/JSS/Tomcat</string>
        <string>-Djava.io.tmpdir=/Library/JSS/Tomcat/temp</string>
        <string>org.apache.catalina.startup.Bootstrap</string>
        <string>start</string>
    </array>
    <key>ServiceIPC</key>
    <false/>
    <key>UserName</key>
    <string>_appserver</string>
</dict>
</plist>
A huge thanks to everyone for the help I found here; the /Library/LaunchDaemons/com.jamfsoftware.tomcat.plist edit solved the issue for our on-premises macOS JSS.
I wanted to add that applying the latest update (I went from 17.1 to 18) broke the fix as the plist was probably edited and garbled by the installer or server tools.
Just discovered my on-prem instance of 10.15.1 on Windows Server 2016 was having the same issue. Uploaded public key on Apple Business Manager and downloaded a new token. When I tried to load the new token on JSS I received an error that Apple Services could not be contacted.
Checked services.msc for Tomcat, but that did not have the Java tab. Found that you need to launch tomcat8w.exe from <JSS Install Dir>\Tomcat\bin. That allowed me to add -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" to Java Options. Restarted the service, was able to upload the token to JSS, and now we're syncing.
Many thanks to those on this thread!
@gatesp If you edited the Tomcat setting with the TLS lines listed above you should be good. But whenever you update your JSS you have to re-edit those settings again.
If you're still having issues, call support and they should be able to step you through it.
Princeton Public Schools
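Since several posts above note that the -Djdk.tls.client.protocols setting in Tomcat's setenv.sh has to be re-applied after every JSS upgrade, here is an added helper script (not from the thread or from Jamf) that re-applies it idempotently on Linux. It assumes a setenv.sh whose JAVA_OPTS line looks like the one posted above, and that TLSv1.2 is the protocol you want pinned; adjust the path and protocol list for your server.

```shell
#!/bin/sh
# Idempotently ensure Tomcat's setenv.sh pins the JDK client TLS protocol.
# Usage: ensure_tls_opt /path/to/tomcat/bin/setenv.sh
# Assumption: setenv.sh carries a single 'export JAVA_OPTS="..."' line.
ensure_tls_opt() {
  file="$1"
  opt='-Djdk.tls.client.protocols=TLSv1.2'

  # Already configured (any protocol list): leave the admin's choice alone.
  if grep -qF -- 'jdk.tls.client.protocols' "$file"; then
    return 0
  fi

  if grep -q '^export JAVA_OPTS="' "$file"; then
    # Append the option inside the closing quote of the existing JAVA_OPTS.
    sed "s|^\(export JAVA_OPTS=\"[^\"]*\)\"|\1 $opt\"|" "$file" > "$file.tmp" \
      && mv "$file.tmp" "$file"
  fi

  # Fallback (no JAVA_OPTS line, or an unterminated quote the sed did not
  # match): add a fresh export that preserves whatever is already set.
  if ! grep -qF -- "$opt" "$file"; then
    printf 'export JAVA_OPTS="$JAVA_OPTS %s"\n' "$opt" >> "$file"
  fi
}

# Report whether the option is present (0 = configured), for post-upgrade checks.
tls_opt_configured() {
  grep -qF -- 'jdk.tls.client.protocols' "$1"
}
```

Run it (and restart Tomcat) after each JSS update; a second run is a no-op, so it is safe to keep in a post-upgrade script.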