Jamf Nation Community

gloper1977 · ‎08-12-2021

I have some MacBooks that are pre-stage enrolled that have stopped checking in and stopped inventorying. I have others that are User initiated enrolled that stopped checking in but I just had them remove the profiles and redo the enrollment and they are working again. These are all remote users so I cannot be hands on. I had a few of the pre-stage enrolled devices attempt to run sudo jamf recon and sudo jamf policy from terminal but they are receiving "Device Signature Error - A valid device signature is required to perform the action" Other postings I've seen that are quite a bit older mention unenrolling devices and reenrolling them. Not really an option if they are pre-stage enrolled from what I understand. Does anyone know what I can do get these devices reporting properly?

junjishimazaki · ‎08-12-2021

I believe for the device signature error. The one of these 2 terminal commands should resolve it. sudo profiles renew -type enrollment or sudo jamf enroll -prompt

MikeF · ‎08-12-2021

sudo jamf enroll -prompt is what i usually use

koeberleinr · ‎03-01-2024

This worked for me.
I had to use my JSS creds.

I want to know does this happen often and is this a maintenance piece we should do on the regular?
Do we know why this happens?

johntgeck · ‎05-08-2024

I know this is an old thread but I just wanted to echo that this worked for me.

We do a yearly inventory audit, and we have a report for anything that hasn't checked in in >30 days. So far we've run into a handful. You could set up a similar report and then have it email you whenever a new device meets the criteria, so that it's a continual maintenance thing. Or do a periodic audit like we do.

mschroder · ‎08-13-2021

My understanding is that the binary does not find the device certificate that is needed so that the server accepts requests from the device. Potential reasons are

the device signature has been deleted
the device signature went into the wrong keychain
an invalid device signature is found in the keychain
?

gloper1977 · ‎08-13-2021

Had a user attempt sudo jamf enroll -prompt and they received

"An error occurred while enrolling computer: Permission Error - The user specified does not have permission to perform the action.

Restoring JAMF.keychain since an error occurred.

Device Signature Error - A valid device signature is required to perform the action.

Checking in the background for policies that use the Enrollment Complete trigger

Enroll return code: 70"

Any user should be able to enroll a device, but that is a User Initiated an enrollment so not sure if it is a permissions issue in Jamf for him? If it is I can always add him in Jamf to be able to do enrollments if that fixes it and then remove his permissions.

bmcdade · ‎03-18-2022

I have this same issue still. It seems to be when restore a TimeMachine image to a machine that's auto-enrolled via prestage enrolment. It seems if someone can easily disable the JamfFramework by just restoring a user from TimeMachine it's sort of defeats the usability of this as an MDM tool. We seem to have this with 10.14 all the way to 12.x.

Did you ever find a solution?

gloper1977 · ‎03-21-2022

That issue specifically was because the regular users didn't have all the proper permissions it works with my enroll account I created after I went through a gave all enroll abilities to the account. The TimeMachine restore issue is intriguing and might explain why some of these developers break Jamf. I could see some of them using TimeMachine and doing restores.

Jsynotte · ‎10-05-2022

I've got that issue too, I just use an admin account for Jamf in JSS Username and the SSH is the local admin

gloper1977 · ‎08-16-2021

I did have a laptop in my inventory pop the same error when I was trying to do sudo jamf recon. I did sudo jamf enroll -prompt and used my credentials when asked and it worked. I created an enroll Jamf user that does enrollments and I am having a few users trying the sudo jamf enroll -prompt with that Jamf user account. I believe that will resolve the issue. I will post again once I know results.

gloper1977 · ‎08-19-2021

I ended up needing to make the enroll account I created a full admin to get my user working normally. I am not sure why but it seems like doing a re-enrollment a standard enrollment account just doesn't have permissions to do it. If someone knows what I'm missing for permissions please let me know. I may create a ticket with Jamf over it.

dnorman · ‎08-18-2021

I had this happen for a user yesterday. Everything installed but self service and it does report to jamf after doing a recon command. New issue for me.

junjishimazaki · ‎08-19-2021

In those kinds of situations dnorman, I would run sudo jamf manage and then sudo jamf policy

ssmurphy · ‎04-15-2022

sudo profiles renew -type enrollment

Worked for us when we had the dreaded "Device Signature Error" when trying to do a manual recon on a device that stopped talking to Jamf Pro.

Thanks for the tip!

kevin_neely · ‎07-13-2022

What if none of these work? What's the next step?

My situation is related to Migration Assistant, and it has worked on dozens of other laptops/Users but I have two that will no longer communicate after moving a User over.

bmcdade · ‎07-13-2022

My Go-To for that was to remove the framework entirely, and then do a reinstall using a QuickAdd pkg. Thought I haven't had this in a while, you may be able to just use the online enrolment method instead of a QuickAdd.

kevin_neely · ‎07-20-2022

Thanks for the reply bmcdade! That did not work for me as the Users' Library just had something so old and junky it was messing everything up. Using TimeMachine and moving everything over manually (except the Library) fixed it up.

Appreciate the assist.

jmancuso · ‎01-26-2023

This will work. But if you have a 0 touch prestage they will now be user initiated... If you have things subsetted like that in the future this will break other things. After you fix it, re enroll it again via the correct prestage or we swapped machines. Not ideal, but these effected were new hires and it was cause by a jamf upgrade going wrong.

jmancuso · ‎01-06-2023

#!/bin/bash

#########################################################################################################

# Script Objective:

# Renew Management Framework via device ID. Can target individual machines or by multiple ID's

#

# Authentication method is using Bearer Token

# Last Modified: 4/26/2022 by Steven Moore

#########################################################################################################

# server connection information

#Enter URL and port if required

URL="https://URL.jamfcloud.com"

#Enter a local Jamf Pro user here

username="USER"

password="PASSWORD"

#Machines targeted. For indiviual machines just enter the ID. For multiple machines enter each ID in the following format {1,3,4,8}

ID="{2,3}"

########################################

###### DO NOT MODIFY BELOW THIS #######

########################################

#echo requestBody: "$requestBody"

# created base64-encoded credentials

encodedCredentials=$( printf "$username:$password" | /usr/bin/iconv -t ISO-8859-1 | /usr/bin/base64 -i - )

#echo encodedCredentials: "$encodedCredentials"

# generate an auth token

authToken=$( /usr/bin/curl "$URL/api/v1/auth/token" \

--silent \

--request POST \

--header "Authorization: Basic $encodedCredentials" )

#echo authToken: "$authToken"

# parse authToken for token, omit expiration

token=$( /usr/bin/awk -F \" '/token/{ print $4 }' <<< "$authToken" | /usr/bin/xargs )

#echo token: "$token"

#Run CURL command that reinstalls management framework

curl --request POST \

--url $URL/api/v1/jamf-management-framework/redeploy/$ID \

--header 'Accept: application/json' \

--header "Authorization: Bearer $token"

# expire the auth token

/usr/bin/curl "$URL/uapi/auth/invalidateToken" \

--silent \

--request POST \

--header "Authorization: Bearer $token"

exit 0

Musicmaker · ‎01-18-2023

Thanks for this script. I have a machine that is not checking in with Jamf anymore so I gave this a try through terminal (copied the script through terminal).
When I execute this script the result is this:

{

"httpStatus" : 404,

"errors" : [ {

"code" : "INVALID_ID",

"description" : "computer with given id does not exist or user does not have site access",

"id" : "2",

"field" : null

} ]

}{

"httpStatus" : 404,

"errors" : [ {

"code" : "INVALID_ID",

"description" : "computer with given id does not exist or user does not have site access",

"id" : "3",

"field" : null

} ]

}%

My useraccount and password are right so that could not be the problem.

DDP · ‎02-07-2024

Hi @jmancuso , was this script placed in GitHub? I'd love to use as a refence if you could provide the URL.

Thank you!

jmancuso · ‎01-26-2023

@Musicmaker the above script may. work or not. They did get rid off QUickadd but you can still use it

for cloud https://domain/enroll/?type=QuickAdd this will re ignite the framework

for on prem use the :8443 for anyone that had an issue with this on prem and your services were done correctly, please let us know here bc that will point to the upgrade.

We are not doing any of these methods and are switching out 20 machines so they stay in the correct prestage enrollment. We are also asking for us not to be upgraded, they need to ask and wait till we read the release notes and feel comfortable with the upgrade - going forward.