Posted on 04-01-2024 11:24 AM
We encountered a problem with our APN certificate; it was mistakenly replaced rather than renewed. We had to track down the previous Apple ID to renew and restore it, preventing the need to re-enroll all devices.
Additionally, an automated enrollment token expired. A technician uploaded a new token from our Apple Business Manager account and created a new pre-stage profile, assigning all devices to it. However, the old token still appears in settings > global > automated enrollment, marked with a yellow alert and a "sync failed" message; the last sync for both tokens occurred one minute ago.
An iOS device was wiped for re-enrollment and is now stuck on the remote management screen displaying
"Jamf Pro enrollment issues, the configuration profile could not be downloaded the MDM server certificate is invalid."
Although initially enrolled with the now expired token, it was assigned to the new profile using the non-expired automated enrollment instance. No devices remain assigned to the expired token.
We've confirmed the device's assignment to Jamf in ABM and its pre-stage enrollment. Has anyone resolved a similar issue? Could removing the expired token resolve this?
Posted on 04-01-2024 12:01 PM
You can only wipe supervised devices; until the device successfully enrolls into an MDM, it is not supervised. Unfortunately, you will need to manually wipe any devices that are sitting in this status if you can't finish the enrollment.
Posted on 04-01-2024 12:11 PM
We did wipe the devices manually.
It was erased through settings > general > erase all content and settings.
We also tested putting it in recovery mode and erasing through finder.
Posted on 04-02-2024 05:26 AM
Okay, you are not stuck at activation, and it does not sound like you are being directed to Automated Device Enrollment. The next thing to look at is to make sure your PreStage Enrollment is set up correctly and devices are assigned to it in Jamf. If this is set up correctly, you will need to look into Apple School Manager and make sure your MDM certificates are good and that devices are assigned to the MDM.
04-01-2024 04:06 PM - edited 04-01-2024 07:32 PM
Short version - your Automated Device Enrollment token is the main problem.
The error message you have there is basically saying that the certificate the device is expecting to see for your MDM and ABM does not match. This check is an online check that compares the information defined in your JAMF instance against what is defined in School Manager/Business Manager (Business Manager>Preferences>Your MDM Servers). Your JAMF public key and ABM information don't match. Because they don't match it won't allow you to add the device; this is a safety and security feature.
Side note - you can technically use a different Apple ID for your push notifications versus Apple ID for DEP/Automated enrolment if it's defined that way from the beginning. That's how our org actually works with our development instance.
What you may need to do is confirm if you have multiple MDMs specified in ABM. What you can also do is:
Confirm what accounts in your Apple Business Manager have access to generate the token/view the MDM settings
Log in with that account
Double check what MDM instance your devices are linked to
See if this matches your "Server Name - Identifiable Name for MDM Server" information in Global>Automated device enrollment
If the old MDM server entry was deleted and recreated on your existing Apple ID you may need to delink your devices, wait for a sync interval to pass and then relink. This has worked for me in the past but your mileage may vary.
I'd also suggest double-checking that your Volume Purchasing service token is still linked to the correct Apple ID. This can be checked by going to Global>Push Certificates and checking the Apple ID field. Not a contributor to the issue, more of a good thing to check to make sure you don't have issues down the line.
Hope this helps.
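The checklist above (expired token, failed sync, server name matching the ABM "Your MDM Servers" entry, and the APNs Apple ID that may legitimately differ from the ADE one) as a small offline audit. This is added example code, not from the original post or from Jamf; the record layout, field names and sample values are constructed assumptions, not a real Jamf Pro export.

```python
"""Offline audit of Jamf Pro Automated Device Enrollment (ADE) instances against the
MDM servers defined in Apple Business Manager (ABM). Example code written for this
thread; field names and sample data are constructed, not an official format."""
from datetime import datetime

# Constructed sample of what Global > Automated Device Enrollment shows in Jamf Pro.
JAMF_ADE_INSTANCES = [
    {"name": "ADE-2023", "serverName": "Jamf Pro (old)", "adminId": "ade-admin@example.org",
     "tokenExpirationDate": "2024-03-28T00:00:00Z", "lastSyncStatus": "failed"},
    {"name": "ADE-2024", "serverName": "Jamf Pro", "adminId": "ade-admin@example.org",
     "tokenExpirationDate": "2025-03-28T00:00:00Z", "lastSyncStatus": "ok"},
]
# Constructed sample of ABM > Preferences > Your MDM Servers.
ABM_MDM_SERVERS = {"Jamf Pro"}
# Constructed sample of the Apple ID shown on Global > Push Certificates (APNs).
APNS_APPLE_ID = "apns-admin@example.org"


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-03-28T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_ade(instances, abm_servers, apns_apple_id, now):
    """Return {instance name: [findings]} following the thread's checklist:
    token expiry, last sync state, server-name match in ABM, APNs vs ADE Apple ID."""
    findings = {}
    for inst in instances:
        notes = []
        if parse_ts(inst["tokenExpirationDate"]) <= now:
            notes.append("token expired: renew the token in place, do not replace it")
        if inst["lastSyncStatus"] != "ok":
            notes.append("last sync failed")
        if inst["serverName"] not in abm_servers:
            notes.append("server name not found in ABM MDM Servers")
        if inst["adminId"] != apns_apple_id:
            # Allowed (see thread), but worth surfacing so the renewal is done in the right account.
            notes.append("info: ADE admin Apple ID differs from APNs Apple ID")
        findings[inst["name"]] = notes
    return findings


if __name__ == "__main__":
    report = audit_ade(JAMF_ADE_INSTANCES, ABM_MDM_SERVERS, APNS_APPLE_ID,
                       parse_ts("2024-04-01T00:00:00Z"))
    for name, notes in report.items():
        print(name, "->", notes or ["ok"])
```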
Posted on 04-01-2024 06:00 PM
Thank you for the response.
I have verified that the Apple ID used to generate the APN differs from the one associated with the DEP/Automated Enrollment profile assigned to the device.
The previously expired automated enrollment token was removed from Jamf during a support call, but we still have access to the managed Apple ID that was used to create the MDM Push Certificate. Would accessing that account and downloading/uploading into Jamf resolve the issue?
Would it be more advisable to add it as a new enrollment token or to replace the existing token assigned to the device?
Additionally, it would be useful to know if removing the device from the pre-stage enrollment and the MDM server in ABM is recommended before acquiring the new token.
This was super helpful btw.
04-01-2024 07:30 PM - edited 04-01-2024 07:34 PM
I've probably confused the issue a little referencing Apple IDs, APNs and Apple Business Manager. Sorry, I also used Apple School Manager as well, just habit as I work for a School.
I'll try and list things out to make it a little less confusing. I have also edited my earlier post to try and explain a few points better.
Automated Device Enrolment Token
This token is generated in Apple Business Manager which is for linking your purchased devices and purchased software. To generate an MDM token in there it only requires a managed Apple ID with appropriate permissions and sufficient JAMF access to acquire the public key to create the MDM token. This will mean you may have a different Apple ID listed in the Admin ID in your JAMF Automated Device enrolment information versus your push certificate. Same for your volume purchasing. Only one Business Manager instance should be bound per JAMF instance.
Something you had said earlier was that the old token is still there in Automated Device Enrolment. If that is still the case you can just follow the renew process outlined in this JAMF document: Automated Device Enrollment Integration - Jamf Pro Documentation 11.3.0 | Jamf