Question

External JSS Enrol Errors

  • May 28, 2015
  • 11 replies
  • 28 views


Hey guys,

Little bit stuck with where to go next with our external JSS and not being able to enrol from it.

Downloading required CA Certificate(s)...
 verbose: Successfully downloaded the certificate "JSS Built-in Certificate Authority".
 verbose: Successfully added the certificates to the System keychain...
 verbose: Unable to find a JAMF Device Identity in the JAMF Keychain.
 verbose: Unable to find a JAMF Device Identity in the JAMF Keychain.
 verbose: Error submitting enrollment status to the JSS: Security Error - A security error has occurred.

There was an error.

     Error enrolling computer: Connection failure: "The request timed out."

Anyone else seen these messages?
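A small triage script for the verbose output quoted above, added here as an example and not part of the original post. It reports which stage of the enrollment each message corresponds to and gives a single verdict, treating the "Unable to find a JAMF Device Identity" line as a warning rather than a failure (the author later notes it also appears on enrollments that go on to succeed). The sample transcript is constructed from the message shapes in the post, not captured from a real JSS.

```bash
#!/bin/bash
# Added example, not from the original thread. Triage a verbose
# "sudo jamf enroll -prompt -verbose" transcript: report which stages
# completed and the first hard error. The matched strings are taken from
# the log lines quoted in the post; the sample transcript below is constructed.

# enroll_stage_report FILE
# Prints one line per stage: "<stage> <ok|warn|fail|missing>".
enroll_stage_report() {
  local f="$1"
  grep -q 'Successfully downloaded the certificate' "$f" \
    && echo "ca_download ok" || echo "ca_download missing"
  grep -q 'Successfully added the certificates to the System keychain' "$f" \
    && echo "ca_install ok" || echo "ca_install missing"
  # The identity warning also shows up on enrollments that later succeed,
  # so it is a warning here, not a failure.
  grep -q 'Unable to find a JAMF Device Identity' "$f" \
    && echo "device_identity warn" || echo "device_identity ok"
  grep -q 'Error submitting enrollment status' "$f" \
    && echo "status_submit fail" || echo "status_submit ok"
  grep -q 'The request timed out' "$f" \
    && echo "final_request fail" || echo "final_request ok"
}

# enroll_verdict FILE -> one token summarising the outcome:
#   timeout | security_error | no_ca_cert | ok
enroll_verdict() {
  local f="$1"
  if grep -q 'The request timed out' "$f"; then
    echo timeout
  elif grep -q 'Security Error' "$f"; then
    echo security_error
  elif ! grep -q 'Successfully downloaded the certificate' "$f"; then
    echo no_ca_cert
  else
    echo ok
  fi
}

# Constructed sample transcript modelled on the post (not a real capture).
SAMPLE_LOG="${TMPDIR:-/tmp}/enroll_sample.$$.log"
cat > "$SAMPLE_LOG" <<'EOF'
Downloading required CA Certificate(s)...
 verbose: Successfully downloaded the certificate "JSS Built-in Certificate Authority".
 verbose: Successfully added the certificates to the System keychain...
 verbose: Unable to find a JAMF Device Identity in the JAMF Keychain.
 verbose: Error submitting enrollment status to the JSS: Security Error - A security error has occurred.
There was an error.
     Error enrolling computer: Connection failure: "The request timed out."
EOF

enroll_stage_report "$SAMPLE_LOG"
echo "verdict: $(enroll_verdict "$SAMPLE_LOG")"
```

To use it on a real run, capture the output with `sudo jamf enroll -prompt -verbose 2>&1 | tee enroll.log` and point the two functions at `enroll.log`; a transcript from an internal enrollment next to an external one makes the diverging stage obvious.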

11 replies

  • Contributor
  • May 28, 2015

Is your time correct? Also do you have the JAMF keychain in /Library/Application Support/JAMF/JAMF.keychain.

Check this discussion out, helped fix mine a while back.


  • Contributor
  • May 29, 2015

@jonnydford Certainly could be time. If not, could it be a port not opened externally for your internal JSS?


  • Author
  • Contributor
  • May 29, 2015

Time is correct (it happens on all Macs I try).

The JAMF.Keychain gets added around the same time as the 'verbose: Unable to find a JAMF Device Identity in the JAMF Keychain.' error.

Testing the same method internally gives the same JAMF Keychain error, but then goes on to enrol using the device certificate.

The two things I can think of:
  • It's not pulling down a correct certificate / corrupt JAMF Keychain.
  • There's a port that's blocking it externally.


bentoms
  • Hall of Fame
  • May 30, 2015

@jonnydford I'd speak to JAMF & double check that all prerequisites for an external JSS have been met (ports etc to internal).

It kind of sounds like the SCEP enrolment part is failing.


  • Valued Contributor
  • June 1, 2015

Had the same error - latency between JSS Webapp hosts and the database. (hosts in data centers on opposite coasts).

Not sure of your infrastructure, but test out enrollment to specific webapp hosts:

sudo jamf enroll -prompt -overrideJSS https://yourjsshost1:8443 -verbose
sudo jamf enroll -prompt -overrideJSS https://yourjsshost2:8443 -verbose

Also check recon to the hosts after enrolling via the internal host - you might see recons and check-ins succeed while enrollment fails (which will help you confirm ports are open).

sudo jamf recon -overrideJSS https://yourjss:8443 -verbose

@keaton helped us with this problem.
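A wrapper for the per-host test above, added as an example and not code from the thread or from Jamf. For each JSS web app host passed on the command line it first confirms that TCP 8443 answers, then prints the exact enroll and recon commands from the post for that host; with RUN_JAMF=1 it also runs them and times each, so a host whose enrollment is much slower than the other stands out. The host names are arguments; none are assumed, and the port check uses nc or curl, whichever is present.

```bash
#!/bin/bash
# Added example, not from the original thread. Drives the per-host test
# described above: for each JSS web app host, check that TCP 8443 answers,
# then print (and optionally run and time) the "jamf enroll -overrideJSS"
# and "jamf recon -overrideJSS" commands from the post so hosts can be
# compared. Host names come from the arguments; none are hard-coded.

JSS_PORT="${JSS_PORT:-8443}"

# tcp_reachable HOST PORT -> exit 0 if a TCP connection completes within 5 s.
# Uses nc when present, otherwise falls back to curl. Certificate errors are
# ignored on purpose: this only asks whether the port answers at all.
tcp_reachable() {
  local host="$1" port="$2"
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 5 "$host" "$port" >/dev/null 2>&1
  else
    curl -sk --connect-timeout 5 -o /dev/null "https://$host:$port/"
  fi
}

# The command lines from the post, parameterised by host (for display).
build_enroll_cmd() {
  printf 'sudo jamf enroll -prompt -overrideJSS https://%s:%s -verbose' "$1" "$JSS_PORT"
}
build_recon_cmd() {
  printf 'sudo jamf recon -overrideJSS https://%s:%s -verbose' "$1" "$JSS_PORT"
}

# run_timed CMD... -> runs CMD, prints its exit code and wall-clock seconds.
run_timed() {
  local start end rc
  start=$(date +%s)
  "$@"
  rc=$?
  end=$(date +%s)
  echo "  exit=$rc elapsed=$((end - start))s"
}

# test_host HOST -> prints reachability and the commands to try; executes
# them only when RUN_JAMF=1 (needs sudo and the jamf binary on the client).
test_host() {
  local host="$1"
  if ! tcp_reachable "$host" "$JSS_PORT"; then
    echo "$host unreachable (TCP $JSS_PORT)"
    return 1
  fi
  echo "$host reachable"
  echo "  $(build_enroll_cmd "$host")"
  echo "  $(build_recon_cmd "$host")"
  if [ "${RUN_JAMF:-0}" = 1 ]; then
    run_timed sudo jamf enroll -prompt -overrideJSS "https://$host:$JSS_PORT" -verbose
    run_timed sudo jamf recon -overrideJSS "https://$host:$JSS_PORT" -verbose
  fi
}

if [ $# -eq 0 ]; then
  echo "usage: $0 jsshost1 [jsshost2 ...]" >&2
else
  for h in "$@"; do test_host "$h"; done
fi
```

Run it once from inside the network and once from outside against the same hosts: a host that is reachable on 8443 but whose timed enrollment is far slower, or that fails only externally, narrows the problem to that host's path (firewall rule or database latency) rather than to the client.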


davidacland
  • Valued Contributor
  • June 1, 2015

Sounds like SCEP enrollment to me which I think is port 1640 inbound to the server.


  • Valued Contributor
  • June 1, 2015

Not sure if this is applicable in your situation, but we were having the same issue with enrollments timing out, and it was because of database issues (table locks). Adding the following to the my.cnf fixed it:

optimizer_search_depth = 3

Is your database using MyISAM or InnoDB?


  • Valued Contributor
  • June 2, 2015

Database is using InnoDB; switched over from MyISAM some time ago and saw improved performance.


  • Valued Contributor
  • June 2, 2015

I'm pretty sure the default port for SCEP enrollment is also 8443 for Casper, however Apple uses 1640 for Profile Manager.

Though happy to learn something new if I'm wrong.


davidacland
  • Valued Contributor
  • June 2, 2015

@lisacherie Quite possible that I'm getting the two mixed up! If it's easy for you to do, it could be worth ruling it out, I guess.


  • Author
  • Contributor
  • June 2, 2015

Thanks guys.

I did some testing last night and copied the TomcatSSLKeystore file from my internal to my external JSS and tested enrolling.

While the QuickAdd package still doesn't work, doing a jamf enroll -prompt does. It does take a lot longer than if I were to enrol internally.

I wonder if it's just a timeout problem, whereby it's not finished sending all of the information within 60 seconds now. Any way to raise the timeout limit?

@lisacherie Thanks, I'll try an enrol to a specific box to see if that gives us any more information.