Enrollment failed - "different server url"

abnaau
New Contributor III

Have a Mac that's lost contact with Jamf...

Trying to update the MDM profile with "sudo profiles renew -type enrollment" but end up with a "different server URL" error.  (I guess the prestage changed)

sudo jamf removemdmprofile didn't work - maybe because the machine has Ventura?

When I ran jamf policy I got "device signature error"

After running jamf removeframework the "bad" MDM profile persists. ... 

 

Is the only solution to wipe the device or have I missed something?

2 ACCEPTED SOLUTIONS

abnaau
New Contributor III

Got word from Jamf it's a product issue. 

PI110564: "Running 'sudo profiles renew -type enrollment' fails to renew MDM profile and throws the 'Enrolling with management server failed' error." As a result, the Mac prompts to update management configuration, end user accepts, and Mac throws the error: "Enrolling with management server failed. Update to MDM profile contains different server URL." There is no workaround to renew an existing MDM profile other than to send an Unenroll Device command and re-enroll via Terminal. Macs impacted by this issue (with non-removable MDM profiles installed) will need to erase to trigger re-enrollment into Jamf Now to re-establish MDM communication. End users can always take a Time Machine backup prior if they want to avoid data loss.


khurram
Contributor III

1) sudo jamf removeMDMProfile (it won't uninstall the profile from computer but it is done in JAMF)

2) sudo jamf enroll -prompt

 

This fixed the issue.


6 REPLIES

JustDeWon
Contributor III

Sounds like the device is a part of ABM, and the Pre-Stage enrollment policy is configured to not allow MDM removal.

 

I would start there

abnaau
New Contributor III

Not sure what you mean about "there". The issue is device is "unmanaged" and the MDM profile won't resync or update. There's no "there" to start - as changing the prestage wouldn't have effect until the problem is solved anyway. 

I see no way other than wiping the device at this point?

"There" meaning identifying if that is indeed the Pre-Stage policy that's not allowing the removal of MDM. To avoid re-image, you could boot into recovery, disable SIP, then reboot and remove the profile via Terminal. Re-enable SIP, then re-enroll the device since you removed the framework. Running any jamf commands won't work since you removed the framework.


khurram
Contributor III

If the management commands from JAMF are failing or pending to apply on the Macbooks, then it means the MDM profile on the Macbook has become Expired or Unverified. We now have to remove the non-removable MDM profile from the Macbook.

How to delete the non-removable MDM profile and re-install a fresh MDM profile?

  • Follow the steps below to remove a corrupted non-removable MDM profile where Jamf management commands are failing or pending to apply on the Macbook.

Here's how to remove a non-removable MDM profile

  1. Boot the Mac into Recovery Mode (hold down command+R during startup).
  2. Go to the Utilities menu and open Terminal and type: csrutil disable. This will disable SIP (System Integrity Protection).
  3. Reboot into the OS.
  4. Open the integrated terminal and type:

cd /var/db/ConfigurationProfiles
rm -rf *
mkdir Settings
touch Settings/.profilesAreInstalled

  5. Reboot.
  6. Boot the Mac into Recovery Mode (hold down command+R during startup).
  7. Go to the Utilities menu and open Terminal and type: csrutil enable. This will re-enable SIP.
  8. Reboot into the OS.

The profile will be now removed and you will be able to re-enroll the Mac to your MDM.

 

From <https://graffino.com/til/remove-a-non-removable-mdm-profile-from-macos-without-a-complete-wipe>

 

 

How to install fresh MDM profiles on Macbook?

  • After MDM profiles are removed from the Macbook, the JAMF framework is still installed and available for use, so run the following command to re-install the MDM profile on the Macbook

  • sudo jamf enroll -prompt
  • This command will require the username/password of a Jamf user who is authorised to enroll a Macbook in Jamf; most IT staff usually have this access
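
Added example, not part of any post in this thread: a triage helper that classifies a Mac's enrollment state from the text printed by `profiles status -type enrollment`, so you can tell whether the installed MDM profile points at the server you expect before and after re-enrolling. The three-line output format, the function names and the host names are assumptions; the sample text is constructed.

```shell
#!/bin/bash
# Assumption: `profiles status -type enrollment` prints "Name: value" lines
# as in the constructed sample below (format seen on recent macOS releases).

# Constructed sample: enrolled, but the profile points at an old server host.
SAMPLE_STATUS='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://old.jamf.example.com/mdm/ServerURL'

# field NAME TEXT -> prints the value after "NAME: " on the first matching line
field() {
    printf '%s\n' "$2" | sed -n "s/^$1: *//p" | head -n 1
}

# enrollment_verdict STATUS_TEXT EXPECTED_HOST
# Prints one of: ok, server-mismatch, not-enrolled, unknown
enrollment_verdict() {
    ev_mdm=$(field 'MDM enrollment' "$1")
    ev_server=$(field 'MDM server' "$1")
    case "$ev_mdm" in
        Yes*) ;;                                  # enrolled, go on to check the server
        No*)  echo "not-enrolled"; return 0 ;;
        *)    echo "unknown"; return 0 ;;         # empty or unexpected output
    esac
    # Reduce the server URL to a bare host name: drop scheme, path and port.
    ev_host=${ev_server#*://}
    ev_host=${ev_host%%/*}
    ev_host=${ev_host%%:*}
    if [ -z "$ev_host" ]; then
        echo "unknown"                            # enrolled, but no server line to compare
    elif [ "$ev_host" = "$2" ]; then
        echo "ok"
    else
        echo "server-mismatch"                    # profile points at a different server
    fi
}

# On a real Mac:
#   enrollment_verdict "$(profiles status -type enrollment)" jamf.example.com
enrollment_verdict "$SAMPLE_STATUS" "jamf.example.com"
```
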