Device Signature Error

gloper1977
Contributor

I have some MacBooks that are pre-stage enrolled that have stopped checking in and stopped inventorying. I have others that are User initiated enrolled that stopped checking in but I just had them remove the profiles and redo the enrollment and they are working again. These are all remote users so I cannot be hands on. I had a few of the pre-stage enrolled devices attempt to run sudo jamf recon and sudo jamf policy from terminal but they are receiving "Device Signature Error - A valid device signature is required to perform the action". Other postings I've seen that are quite a bit older mention unenrolling devices and reenrolling them. Not really an option if they are pre-stage enrolled from what I understand. Does anyone know what I can do to get these devices reporting properly?

15 REPLIES

junjishimazaki
Valued Contributor

I believe, for the device signature error, one of these 2 terminal commands should resolve it: sudo profiles renew -type enrollment or sudo jamf enroll -prompt

MikeF
Contributor II

sudo jamf enroll -prompt is what I usually use.

mschroder
Valued Contributor

My understanding is that the binary does not find the device certificate that is needed so that the server accepts requests from the device. Potential reasons are:

  • the device signature has been deleted
  • the device signature went into the wrong keychain
  • an invalid device signature is found in the keychain
  • ?

gloper1977
Contributor

Had a user attempt sudo jamf enroll -prompt and they received:

"An error occurred while enrolling computer: Permission Error - The user specified does not have permission to perform the action.

Restoring JAMF.keychain since an error occurred.

Device Signature Error - A valid device signature is required to perform the action.

Checking in the background for policies that use the Enrollment Complete trigger

Enroll return code: 70"

Any user should be able to enroll a device, but that is a User Initiated enrollment so not sure if it is a permissions issue in Jamf for him? If it is I can always add him in Jamf to be able to do enrollments if that fixes it and then remove his permissions.

I have this same issue still. It seems to be when restoring a TimeMachine image to a machine that's auto-enrolled via prestage enrolment. It seems if someone can easily disable the JamfFramework by just restoring a user from TimeMachine it sort of defeats the usability of this as an MDM tool. We seem to have this with 10.14 all the way to 12.x.

Did you ever find a solution?

That issue specifically was because the regular users didn't have all the proper permissions; it works with my enroll account I created after I went through and gave all enroll abilities to the account. The TimeMachine restore issue is intriguing and might explain why some of these developers break Jamf. I could see some of them using TimeMachine and doing restores.

Jsynotte
New Contributor II

I've got that issue too, I just use an admin account for Jamf in JSS Username and the SSH is the local admin

gloper1977
Contributor

I did have a laptop in my inventory pop the same error when I was trying to do sudo jamf recon.  I did sudo jamf enroll -prompt and used my credentials when asked and it worked.  I created an enroll Jamf user that does enrollments and I am having a few users trying the sudo jamf enroll -prompt with that Jamf user account.  I believe that will resolve the issue. I will post again once I know results.

I ended up needing to make the enroll account I created a full admin to get my user working normally. I am not sure why but it seems like when doing a re-enrollment a standard enrollment account just doesn't have permissions to do it. If someone knows what I'm missing for permissions please let me know. I may create a ticket with Jamf over it.

dnorman
New Contributor III

I had this happen for a user yesterday. Everything installed but self service and it does report to jamf after doing a recon command. New issue for me.

junjishimazaki
Valued Contributor

In those kinds of situations, dnorman, I would run sudo jamf manage and then sudo jamf policy

ssmurphy
New Contributor III

sudo profiles renew -type enrollment

Worked for us when we had the dreaded "Device Signature Error" when trying to do a manual recon on a device that stopped talking to Jamf Pro.

Thanks for the tip!

kevin_neely
New Contributor II

What if none of these work? What's the next step?

My situation is related to Migration Assistant, and it has worked on dozens of other laptops/Users but I have two that will no longer communicate after moving a User over.

My Go-To for that was to remove the framework entirely, and then do a reinstall using a QuickAdd pkg. Though I haven't had this in a while, you may be able to just use the online enrolment method instead of a QuickAdd.

kevin_neely
New Contributor II

Thanks for the reply bmcdade! That did not work for me as the Users' Library just had something so old and junky it was messing everything up. Using TimeMachine and moving everything over manually (except the Library) fixed it up.

Appreciate the assist.
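
Added example, not part of any post above and not Jamf's code: a small shell triage helper that sorts captured jamf binary output by the two error strings quoted in this thread and maps each to the fix the posters reported. The function names are hypothetical and the sample inputs are constructed from the messages quoted above.

```shell
#!/bin/sh
# Added example (not Jamf's code): triage captured output of a jamf binary run
# using only the error strings quoted in this thread. Function names are hypothetical.

classify_jamf_output() {
    # $1 = captured text; prints one label describing the failure
    out=$1
    if printf '%s\n' "$out" | grep -q 'Permission Error'; then
        # The enroll attempt itself failed on the Jamf account's permissions;
        # the signature error printed after it is secondary.
        echo enroll-account-permission
    elif printf '%s\n' "$out" | grep -q 'Device Signature Error'; then
        echo device-signature
    else
        echo no-known-error
    fi
    return 0
}

enroll_return_code() {
    # Prints the last "Enroll return code: N" value, or nothing if absent
    printf '%s\n' "$1" | sed -n 's/^Enroll return code: \([0-9][0-9]*\).*$/\1/p' | tail -n 1
}

next_step() {
    # Maps a label to the remediation suggested by posters in this thread
    case $1 in
        device-signature)
            echo 'sudo profiles renew -type enrollment, or sudo jamf enroll -prompt' ;;
        enroll-account-permission)
            echo 'repeat sudo jamf enroll -prompt with a Jamf account that has enrollment privileges' ;;
        *)
            echo 'no match; keep the full output for review' ;;
    esac
}

# Sample inputs constructed from the messages quoted in the thread
SAMPLE_RECON='Device Signature Error - A valid device signature is required to perform the action'
SAMPLE_ENROLL='An error occurred while enrolling computer: Permission Error - The user specified does not have permission to perform the action.
Restoring JAMF.keychain since an error occurred.
Device Signature Error - A valid device signature is required to perform the action.
Enroll return code: 70'

for sample in "$SAMPLE_RECON" "$SAMPLE_ENROLL"; do
    label=$(classify_jamf_output "$sample")
    printf '%s (enroll rc: %s) -> %s\n' "$label" "$(enroll_return_code "$sample")" "$(next_step "$label")"
done
```

Checking for the permission error first matters because a failed enroll prints both messages, and retrying with the same account would fail the same way.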