Little bit stuck with where to go next with our external JSS and not being able to enrol from it.
Downloading required CA Certificate(s)...
verbose: Successfully downloaded the certificate "JSS Built-in Certificate Authority".
verbose: Successfully added the certificates to the System keychain...
verbose: Unable to find a JAMF Device Identity in the JAMF Keychain.
verbose: Unable to find a JAMF Device Identity in the JAMF Keychain.
verbose: Error submitting enrollment status to the JSS: Security Error - A security error has occurred.
There was an error.
Error enrolling computer: Connection failure: "The request timed out."
Anyone else seen these messages?
Time is correct (it happens on all Macs I try).
The JAMF.Keychain gets added around the same time as the 'verbose: Unable to find a JAMF Device Identity in the JAMF Keychain.' error.
Testing the same method internally gives the same JAMF Keychain error, but then goes on to enrol using the device certificate.
The two things I can think of:
1 - It's not pulling down a correct certificate/corrupt JAMF Keychain.
2 - There's a port that's blocking it externally.
Had the same error - latency between JSS Webapp hosts and the database (hosts in data centers on opposite coasts).
Not sure of your infrastructure - test out enrollment to specific webapp hosts:
sudo jamf enroll -prompt -overrideJSS https://yourjsshost1:8443 -verbose
sudo jamf enroll -prompt -overrideJSS https://yourjsshost2:8443 -verbose
Also check recon to the hosts after enrolling via the internal host - you might see recons and check-ins successful, however enrollment failing (which will help you confirm ports are open).
sudo jamf recon -overrideJSS https://yourjss:8443 -verbose
@keaton helped us with this problem.
I did some testing last night and copied the TomcatSSLKeystore file from my internal to my external JSS and tested enrolling.
While the QuickAdd package doesn't work still, doing a jamf enroll -prompt does. It does take a lot longer than if I were to enrol internally.
I wonder if it's just a timeout problem whereby it's not finished sending all of the information in 60 seconds now. Any way to up the timeout limit?
@lisacherie Thanks, I'll try an enrol to a specific box to see if that gives us any more information.