Enrollment Weirdness .... today was not a good day

Wakko
Release Candidate Programs Tester

"Just wakin' up in the mornin', gotta thank God
I don't know but today seems kinda odd"
.........

So has anyone run into these issues:
1. Yesterday [20230907] we were enrolling devices without any issues. It was all good!
2. In the late afternoon, things went bonkers!
3. Once the device got past JC, the device booted to the desktop and just stood there. In JPS it showed up as an unmanaged device. It never proceeded to run enrollmentcomplete. What's worse, we couldn't even do an EACAS. We had to N&P™ the long way.

4. So we tried another device, same issue and same results.
5. Then we thought we'd be smarter than the average bear and DFU a mac(hine) to macOS 13.5.2. In hopes that we would identify an issue. Sadly, same results.

Now for hoy dia, we are having stranger issues:
1. Regardless of macOS 13.5, 13.5.1 or 13.5.2, JC allows us to sign in. However, now it bypassed the FileVault prompt.

2. It created the account and proceeded to the Desktop. It went straight to jail and did not pass Go and collected the $200.
3. It got stranger, the mac(hine) however enrolls and reboots as expected. We have a clean record in JAMF. When we log back into the device, then we are prompted for FileVault. Makes no sense, nothing has been changed in our enrollment. So what happens now?
4. So we do an EACAS and try again. From this point on we are right back where we started yesterday. Can't get the device to successfully enroll. I even deleted the JAMF record, just in case the record had a DB issue.

So I ask, has anyone run into this in the last 24-36 hours? We need to on-board devices for Monday. As you can all imagine this is creating much un-needed stress and delays for our team.

+ Gracias


easyedc
Valued Contributor II

Quick Question - did the Lakers beat the Supersonics?

Also - yes, I experienced similar issues mid/late last week with some new builds, but I didn't think much of it given it was in the Amazon EC2 space and things are "weird" there sometimes for me. I am taking a local test box and doing a wipe/reload as we speak.  If you run a 

sudo jamf recon -verbose

Do you experience any hangs?  I seem to be seeing a hang at the recon of hardware, which is where I used to see hangs when the check for OS updates was failing.  But the old work-arounds don't seem to work for me. 

Wakko
Release Candidate Programs Tester

@easyedc I see ya, love what you did there.

So this is where it gets stranger. I was happy to see that our instance was updated to 10.50. I was like iight, got some fresh Bustelo and was ready to go.

  1. macOS 13.5.2 (22G91)
  2. JAMF Connect 2.26.0 (4999)

And ....... no bueno, but another issue did pop up. So when JC comes up, it shows up for like ~3-5 seconds and it refreshes. The screen goes black for like ~20 seconds. JC comes up, I sign in with my Okta ID, mac(hine) proceeds to Desktop. This is where we get stuck as the account created is not an admin account.

However, I can escalate with our managed account, and then do "jamf policy -trigger enrollmentcomplete". The mac(hine) starts to enroll as expected. Now this is not completely ideal as we do not want to share out this login info. However the mac(hine) does enroll, but is still in a questionable state.

But wait there's more ..... out of 4 enrollments this morning I saw the following:

  1. OKTA ID, refreshes when trying to MFA challenge, however able to sign in with a non-enabled MFA. Result: still questionable after "jamf policy -trigger enrollmentcomplete". So I'm able to EACAS
  2. OKTA ID, no MFA challenge and I'm able to log in with my MFA-enabled ID. But this is when it gets strange, the JAMF binary is not installed.
    Result: I have to do an internet restore as EACAS is not possible.
  3. OKTA ID, no MFA challenge and then I'm presented with FileVault enablement, proceed to Desktop and it fails. Log out, sign back in and guess what, prompted again for FV enablement. The cycle never ends.
    Result: I have to do an internet restore again.
  4. This 4th time, we get scenario numero dos.

This is extremely strange. Out of 4 enrollments, on the same mac(hine), same PreStage, I get 3 different results and not one successful enrollment. As you can all imagine, this is starting to create some backlogs. Not to mention the pressure our team is facing with on-boarding issues. It's simply a no bueno situation.

Be back later ..... my pager's still blowin' up

AJPinto
Honored Contributor III

We have not seen any issues of late. If a device failed to manage during enrollment, it could likely be a network communication error between the device, your MDM server and Apple. I'd suggest checking JAMF System logs, and the MDM logs on macOS to see if there are any errors.

 

Your best bet with an issue like this is to open a ticket with JAMF, they can direct you to the logs you need to check fairly quickly. Also would not be a bad idea to run a JET, and Mac Environment Evaluation.

Releases · jamf/Jamf-Environment-Test (github.com)

Apple's Mac Evaluation tool is located in AppleSeed for IT.

Wakko
Release Candidate Programs Tester

Great suggestion. We've already got a ticket open with JAMF and .  The strange thing is this, everything was all good just a week ago. Nada has changed, up until recently right. All that changed is as follows:

  1. macOS 13.5.2 release last week Thursday afternoon, east coast time
  2. JPS has not been upgraded, it was on version 10.49. This was just updated this weekend to version 10.50
  3. JAMF Connect is still on version 2.26.0, it has not been updated at all.

So if we take these things into account, everything is everything right. But the issue started to present itself Thursday afternoon, after macOS 13.5.2 went public. Additionally, it's affecting devices straight out of the box. Devices that are imaged with 13.4 or 13.4.1 [depending on the date the batch was purchased]. We even took a mac(hine) we restored to macOS 13.5, same results. Then we took it a step further and DFU'd to macOS 13.5.2. Lastly, to rule out the network, we had three team members take devices home. Guess what, same results. I was the 4th tester as well and encountered the same issue[s].

I have a sneaky suspicion that when the device is going through the enrollment process.  is downloading/installing/touching something. That's what I suspect, as it's now affecting devices that have macOS 13.4 installed on them. At this point I feel like Mulder, I just need proof.

This is bad, REAL BAD, Michael Jackson!