Posted on 12-09-2019 06:13 AM
I've noticed lately that ASM is intermittently not syncing with JSS; it will come up with the error:
Sync failed. Awaiting next sync.
I've already placed public token in ASM and have uploaded the ASM token to JSS. No changes have been made to our firewall or filtering system.
We are on version 10.17.1
Is there anything I'm overlooking?
Posted on 12-09-2019 02:50 PM
Posted on 12-09-2019 04:28 PM
Can confirm that @bentoms' fix worked. Added -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" to the Java Options in the Tomcat Properties, restarted the JSS, and ASM sync'd right away. Thanks!
Posted on 12-12-2019 10:06 AM
I can confirm that this worked for me, only needed TLS1.2 thankfully.
I was still having the issue until I renewed the DEP token. I was able to successfully do so after entering in the -Djdk.tls.client.protocols="TLSv1.2" entry. Before adding the entry, I kept getting "cannot connect to Apple Services" error. But all is well now, thank you!
Posted on 12-12-2019 11:29 AM
Anyone have the path for Windows Server? Having trouble locating where to tweak the JAVA_OPTS
Posted on 12-12-2019 01:18 PM
Posted on 12-12-2019 01:35 PM
Yep! Added TLS1.2, which worked.
Posted on 12-12-2019 02:17 PM
jp 10.17, Windows 2019
I added this line to Tomcat8w Java options:
Restarted tomcat. Edit: working now!
Posted on 12-13-2019 12:06 PM
If anyone finds any other angles to this, please post here. I've added the TLSv1.2 line to our Tomcat (10.17.1 on Win 2016 Server) and I still can't sync or upload a new token.
I had literally just gotten this configured and working the week before, so this is a huge bummer. Last sync was on the 8th. We are using Oracle's Java 11, so maybe I have to switch to a free option like most of you have already?
Edit: Looks like it might be Oracle's Java 11, I checked another instance I'd set up for another team on their Windows build with the same version of Java, and it stopped syncing on the morning of the 9th. Mine stopped on the evening of the 8th. I cannot install Corretto because Windows Server 2016 insists it can't run it, even though it is supported. I'm worried I'm completely hosed here.
Posted on 12-13-2019 01:41 PM
My Java edit did not work until I pasted it into Notepad++ and then into the Java settings... Not a Windows person so learning some stuff :)
Posted on 12-13-2019 02:36 PM
Also experienced what @janselmi3953 did. Adding the Java settings to setenv.sh didn't solve for us right away, even after the Tomcat restarts. Once I uploaded a new ABM server token to our JSS, we were in business. We're Ubuntu and on JSS v10.17.0.
export JAVA_OPTS="$JAVA_OPTS -Xmx4096M -Xms512M -Djava.awt.headless=true
Posted on 12-16-2019 08:23 AM
Upgraded to 10.17.1 last Friday (12/13). Noticed the issue after upgrading. I made the changes this morning and things remain the same:
"Sync failed. Awaiting next sync."
Uploaded a fresh token, still a no go. :(
Posted on 12-16-2019 08:44 AM
@mhegge You aren't alone. I experienced this back earlier in the month, a few Tomcat bounces and the TLS settings fixed it, though every other sync would fail.
Now it's OAuth errors all the way down. TLS1.1, 1.2, both, none specified, nothing is working. I can't even update the token, all communications with Apple seem to be completely broken. 10.17, Corretto 11.0.5 (which was supposed to have fixed the TLS bug in 11.0.4 that was supposedly causing all this). Not a single one of my Jamf tokens (one for each Site) has successfully connected to ASM since the morning of Dec 9th. I have a single AirWatch server in my ASM instance too, hasn't communicated with ASM since yesterday.
Posted on 12-16-2019 09:00 AM
Sync has been intermittent for me since upgrading to 10.17.0 (and OpenJDK 11.0.5 which was supposed to have the TLS1.3 issue fixed). I'm not seeing any new assignments since the morning of 12/6 either, so something is definitely broken. I've reached out to Jamf Support to see if there's any point enabling TLS1.2 (which I'm hesitant to do).
The fact that it's not just our environment makes me feel a bit better, but given that we're so far into DEP it's strange that Apple's status page says everything is working when it clearly isn't.
Posted on 12-16-2019 01:23 PM
Hey guys, just a bit of an update from me on this. I was running into the issue where none of my pre-stages were running. I contacted support and they are aware of this issue. Enabling the above SSL is what we did to get it working, support helped me get that issue sorted.
Posted on 12-16-2019 01:40 PM
Hello, I updated following @bentoms' link. I'd just like to leave a follow-up. The plist that @gshackney posted is pretty much all that I added to our server. I also renewed my token and all was clear. I wish I had posted this sooner but have had other projects come up.
Posted on 12-17-2019 03:13 PM
Another +1 here for the @gshackney fix being the one that helped us on a Mac server. Restarted Tomcat after editing the plist and DEP synced immediately.
Posted on 12-18-2019 03:34 PM
For those following this, the official PI for this appears to be PI-007522
Log into your account and check under My Assets > Product Issues
Posted on 12-20-2019 11:25 AM
Still having issues with this, after switching to Amazon Corretto 11.0.5 and forcing TLSv1.2. I ran some packet captures and it appears that Apple is rejecting the initial TLS handshake. Right after our JSS sends the Client Hello, Apple's mdmenrollment.apple.com server sends back a TCP reset packet. TLSv1.2 is being used, the ciphers offered look good, so I opened a case with Apple Enterprise Support.
Posted on 12-23-2019 06:16 AM
Had the same issue. Applied the fix detailed in PI-007522, I then had to download a new token from Apple School Manager and upload it to JAMF, but the issue is now resolved.
Posted on 12-23-2019 11:36 AM
For those of you who also have SCCM managing your servers: my JSS is hosted on a Windows server (which is running Corretto), and I manage it with SCCM. After we applied the TLS option to Java, I still had issues with the web app starting. The solution was to disable or at least stop the SMS Agent Host service and restart Tomcat. It looks like they are both trying to use the same port when starting up... port 8005. Once I shut down the service, the JSS web app started right up. I disabled the service and haven't tried to restart it yet to see if they can both run but have a set startup order. Hope this helps some.
Posted on 01-02-2020 12:38 PM
Posted on 01-03-2020 08:20 AM
After resolving this issue, we are seeing some residual effects on macOS devices.
Posted on 01-03-2020 08:24 AM
@wkelly1 Yes we were, to a degree. I had to go back to our firewall team since it turned out the connections were being reset by our firewall appliance, but I don't know why this happened at the same time. It was either related or a coincidence, but they were able to whitelist the traffic (again) and it started working. We haven't seen any DEP setup/sync issues since.
Posted on 01-07-2020 12:33 PM
Adding TLS 1.2 and a reboot worked for me. Server 2016/Corretto.
Posted on 01-13-2020 07:48 AM
@gshackney The fix you posted worked for us. @amityaccounts We also rebooted and refreshed the token.
We are running MacOS 10.14.5, Jamf Pro 10.18.0, MySQL 8.0.16, and Amazon Corretto (OpenJDK) 11.
Posted on 01-13-2020 09:43 AM
For folks running the JSS (we are on JSS 10.15.1) on macOS, they will need to update: /Library/LaunchDaemons/com.jamfsoftware.tomcat.plist
You will want to add this to the plist: <string>-Djdk.tls.client.protocols=TLSv1.1,TLSv1.2</string>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Disabled</key>
    <false/>
    <key>Label</key>
    <string>com.jamfsoftware.tomcat</string>
    <key>OnDemand</key>
    <false/>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Java/JavaVirtualMachines/amazon-corretto-11.jdk/Contents/Home/bin/java</string>
        <string>-Xms256m</string>
        <string>-Xmx5000m</string>
        <string>-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager</string>
        <string>-Djava.util.logging.config.file=/Library/JSS/Tomcat/conf/logging.properties</string>
        <string>-Djava.awt.headless=true</string>
        <string>-Djdk.tls.client.protocols=TLSv1.1,TLSv1.2</string>
        <string>-classpath</string>
        <string>/Library/JSS/Tomcat/bin/bootstrap.jar:/Library/JSS/Tomcat/bin/tomcat-juli.jar</string>
        <string>-Dcatalina.base=/Library/JSS/Tomcat</string>
        <string>-Dcatalina.home=/Library/JSS/Tomcat</string>
        <string>-Djava.io.tmpdir=/Library/JSS/Tomcat/temp</string>
        <string>org.apache.catalina.startup.Bootstrap</string>
        <string>start</string>
    </array>
    <key>ServiceIPC</key>
    <false/>
    <key>UserName</key>
    <string>_appserver</string>
</dict>
</plist>
Posted on 01-15-2020 05:27 AM
A huge thanks to everyone for the help I found here, the /Library/LaunchDaemons/com.jamfsoftware.tomcat.plist edit solved the issue for our on premise, macOS JSS.
I wanted to add that applying the latest update (I went from 17.1 to 18) broke the fix as the plist was probably edited and garbled by the installer or server tools.
Posted on 01-15-2020 06:30 AM
We highly recommend not including 1 (1.0).
Should look something like this:
Please do not include TLS 1 (as this is 1.0), as it is deprecated and not secure.
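Added example (not part of any post in this thread, and not Jamf's code): a Python check an admin could run over the Tomcat launch configuration after each Jamf Pro upgrade, since posters here report the upgrade dropping the option, to see whether -Djdk.tls.client.protocols is still set and whether it lists deprecated protocol versions. The function name and sample strings are constructed for illustration; flagging TLSv1.1 as well as TLSv1 follows RFC 8996 rather than the thread.

```python
import re

# Matches the option in the three forms quoted in this thread: Tomcat Java
# Options (quoted value), setenv.sh JAVA_OPTS, and a launchd plist <string>.
OPTION_RE = re.compile(r"-Djdk\.tls\.client\.protocols=[\"']?([A-Za-z0-9.,]+)")

# TLS 1.0 is called deprecated in the thread; RFC 8996 deprecates TLS 1.1 too.
DEPRECATED = {"TLSv1", "TLSv1.1"}


def audit_tls_option(config_text):
    """Return (status, protocols, deprecated) for one config file's text.

    status is "missing" when the option is absent (for example after an
    upgrade rewrote the file), "weak" when any listed protocol is
    deprecated, and "ok" otherwise.
    """
    values = OPTION_RE.findall(config_text)
    if not values:
        return ("missing", [], [])
    protocols = []
    for value in values:              # the option may appear more than once
        for name in value.split(","):
            if name and name not in protocols:
                protocols.append(name)
    weak = [name for name in protocols if name in DEPRECATED]
    return ("weak" if weak else "ok", protocols, weak)


# Constructed sample inputs, modelled on the snippets posted in the thread.
SAMPLES = {
    "plist": "<string>-Djava.awt.headless=true</string>\n"
             "<string>-Djdk.tls.client.protocols=TLSv1.1,TLSv1.2</string>",
    "tomcat8w": '-Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2"',
    "tls12_only": '-Xmx4096M -Djdk.tls.client.protocols="TLSv1.2"',
    "after_upgrade": 'export JAVA_OPTS="$JAVA_OPTS -Xmx4096M -Xms512M"',
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, audit_tls_option(text))
```

To audit a real server, pass the contents of the file that holds the Java options (for instance the launchd plist or setenv.sh mentioned in the thread) to audit_tls_option.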
Posted on 01-23-2020 10:32 AM
Issue: Kept receiving an "Unable to contact Apple Services" while trying to upload the server token file in Jamf from Apple
Adding -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" to the Java Options in the Tomcat Properties resolved my issue
Posted on 01-29-2020 07:13 AM
Just discovered my on-prem instance of 10.15.1 on Windows Server 2016 was having the same issue. Uploaded public key on Apple Business Manager and downloaded a new token. When I tried to load the new token on JSS I received an error that Apple Services could not be contacted.
Checked services.msc for Tomcat, but that did not have the Java tab. Found that you need to launch tomcatw8.exe from <JSS Install Dir>\Tomcat\bin. That allowed me to add -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" to Java Options. Restarted service, was able to upload token to JSS, and now we're sync'ing.
Many thanks to those on this thread!
Posted on 02-05-2020 03:03 PM
@wsapplesupport We had the exact same setup as you except on our Windows Server the .exe to launch was tomcat8w.exe. Thanks to everyone here!
Posted on 02-25-2020 01:51 PM
I've been seeing this the last couple of weeks. It doesn't seem to be resolved and I am not seeing my new inventory. I've updated my token - what is the solution? - Patti
Posted on 02-25-2020 01:58 PM
@gatesp If you edited the Tomcat setting with the TLS lines listed above you should be good. But whenever you update your JSS you have to re-edit those settings again.
If you're still having issues, call support and they should be able to step you through it.
Princeton Public Schools
Posted on 12-25-2021 03:28 PM
Just ran into this... years later. I had removed these settings at the advice of Jamf support and that immediately broke DEP. Odd that Apple or Jamf haven't fixed this, and it's concerning since Jamf lists disabling this functionality in future versions. =(