Device Signature Error

@patgmac
Do you mean the database table 'jss_custom_settings'

@kerouak I really don't know. That was a long time ago and someone else implemented the fix.

Does anyone have a root cause analysis for this "device signature error"?
It's frustrating that this issue just bit us again this past Thursday (Feb 13, 2020):

Thu Feb 13 12:36:31 xxxxxxx jamf[72190]: There was an error. Device Signature Error - A valid device signature is required to perform the action.

Is this caused by an expiring certificate? Which one?

I asked:

Is this [device signature error] caused by an expiring certificate? Which one?

Answering my own question, yes, this error started when this certificate expired:

$ sudo security -i find-certificate -a -p /Library/Application Support/JAMF/JAMF.keychain > /tmp/jamf.pem
$ openssl x509 -in /tmp/jamf.pem -noout -subject -issuer -dates  
subject= /OU=JAMF Device Certificate/CN=B303F0CB-3FF8-5FE1-9EC9-940648E3C7BF
issuer= /CN=<organization name deleted> JSS Built-in Certificate Authority
notBefore=Feb 11 17:12:00 2015 GMT
notAfter=Feb 13 17:12:00 2020 GMT
$

Note the expiration date of "Feb 13 17:12:00 2020 GMT."
This is exactly when the issue started (converting GMT to local timezone):

Thu Feb 13 12:36:31 xxxxxxx jamf[72190]: There was an error

The question now is: Why is this JAMF device certificate, wholly issued and controlled by the JSS, not being updated automatically by the JSS?
Of course, we're still running an old version (9.101.0), and yes, we're planning to upgrade it to v10.19.0. Is there any assurance that the newest version of JAMF Pro will handle these internal certificates more cleanly?

Nope, we have some devices too with similar errors.
I hope our Upgrade to 10.19 made it better.

Hello @mthakur

You are correct, today there is no mechanism in Jamf Pro to automatically handle renewing either this certificate or the device identity certificate in the MDM profile. I am happy to share we are actively working on this for an upcoming release of Jamf Pro and are looking for folks like yourself to test it out in the future. Would be you be interested?

For what its worth… If it can helps :

Had the issue today, with one single computer. Remove the MDM profile and tried to enroll it back, but then I had an SSL error while trying to install the configuration.profile.

The issue was the keychain of the user which was corrupted. Removed it and everything was back on track.

I've been running into the same issue on my round of fall imaging.

The fix was what @rfreeborn suggested - I created and enrollment invitation and then set up a policy to run the following command:

jamf enroll -invitation <invitationIDNumber> -reenroll -archiveDeviceCertificate

It's a little clunky having to do this one machine at a time, but it's a better fix than having to touch each one.

and here we go again!

cant access self service... Sudo jamf recon.. Device etc etc.. Really??

Recently I've had the Device Signature issue occur on new computers enrolments or existing computer wipe/enrolments. Trying to run any Jamf command fails, packages fail to install. If we let the computer sit for 5-15 minutes the error goes away and everything is normal. Possibly a delay in JSS updating the computer certificate for the device record?

Another issue... on some enrolments everything works okay except for Self Service, all policies get stuck on executing. Running the Jamf Manage command fixes things right away.

@kerouak @MrRoboto I'm also starting to see device signature error, it seems only since we upgraded to 10.28...have you learned anything more about what might be causing this?

I reproduced the 'Device Signature Error' problem via Migration Assistant in my test lab and the following command resolved that problem successfully on the DEP-enrolled test Mac: sudo profiles renew -type enrollment

I haven't tested that on actual users affected by this but I'm confident it'll work since it did on my test Mac, which is a MacBook Pro M1 on ADE in ASM with user-removal of MDM profile disallowed.

I just got a report of this from a user running macOS 11.4, we're running Jamf Pro 10.26.1 currently.

None of the commands we've tried so far have worked.
Kinda strange...

I haven't had time to test this more but I discovered the best way (for me at least) to reproduce Device Signature Errors for testing purposes is just deleting the computer's record in Jamf Pro.

I was able to fix the issue by running 

After that, I could successfully run