Posted on 01-21-2014 11:28 PM
Running Casper 9.21
Imaging machines with auto run data results in the enrollment field in the JSS being blank; in addition, the enrollment triggers don't get triggered.
If we run the exact same imaging steps without auto run, enrollment is completed and enrollment triggers work successfully.
Another thing is the machine policy logs don't get flushed when using auto run. We've just imaged 6 computer labs consisting of 45 computers each and they've not flushed the policy logs. Oh bother! Have to revisit them again.
Anyone experience this?
Posted on 01-22-2014 06:13 AM
I haven't tested with Auto Run data, but I have seen similar with Pre-Stage imaging on MacBook Airs with the Thunderbolt ethernet adapter. My configuration that they are running is simply to lay down a first boot package that installs a LaunchDaemon to run my first boot script which installs all of our software.
I've noticed that after Casper Imaging reboots, it will install that package, reboot again, and that's it. The machine is not enrolled and the admin user is not added to the machine. A boot into single user mode shows that the enroll.sh script never runs, and a check of the logs shows that the machine cannot connect to the JSS.
My guess is that for some reason the machine is not adding or activating the Thunderbolt adapter, and so the machine cannot reach the JSS. I can sometimes get it to work after a restart or two, but not 100% of the time.
I vaguely remember reading something here that people were having similar problems with the Thunderbolt adapters on MBA and possibly MBP models (both retina and non-retina).
I have a new iMac on the bench and I will be imaging that later today, so I'll post if I have different results with it.
What types of machines are you seeing this on?
Posted on 01-22-2014 10:18 PM
Update Request
JAMF asked if this was related to Thunderbolt adapters, as Steve Wood mentioned.
Posted on 01-22-2014 10:19 PM
Update Response
I can confirm that the Macs in question are not portable. They are iMac 2010, 2012, and 2013 models.
They are using the built-in Ethernet adapter.
Something else has come up. Since the machines didn't go through an enrollment, the management account that was used previously has remained in the JSS, regardless of the management account set in the configuration for imaging. As we are going through a transition of changing the management account, it's become a problem now for us.
Posted on 01-22-2014 10:23 PM
Update Report
JAMF reports
So after some testing I have come to a couple of conclusions.
1.) Enrollment does appear to be a defect. For some unknown reason, we are not removing the old SCEP ID when the machine is re-imaged. So when we reboot and enroll again, the JSS is verifying the client to the old signature.
2.) The flush on re-enroll is no longer an option within the JSS. The policies of the previous run are kept intact. While I don't personally agree with this "feature", it is now the 'standard'. For post-enrollment policies, we suggest using the "Enrollment Complete" triggers in conjunction with smart-groups.
This is a defect
The defect ID for this particular issue is:
D-006210
Posted on 01-22-2014 10:29 PM
The work around we shall be using is
Wipe all autorun data from every machine in the JSS and run imaging. Without autorun data, Casper Imaging prompts for a username and password. Log on to Imaging and manually apply the same configuration to each machine. This runs the enroll process as expected after imaging.
Posted on 01-22-2014 10:34 PM
JAMF suggests workaround
Work around both problems by removing the computers from the JSS first, then setting up Pre-Stage Imaging.
If you haven't used it before, pre-stage is like autorun for computers that don't exist in the JSS database.
Because we would not have policy history, all existing policies would run on re-enroll.
Let me know if you have any questions about how to set this up or anything else!
Posted on 09-29-2014 05:14 PM
I realize this thread is old, but is there an updated solution to this problem? Re-enrolling after imaging negates the functionality of autorun imaging. In a lab environment, having to re-add machines to the JSS after each imaging is a complete headache.
Posted on 04-23-2015 06:08 AM
This thread is now much older...
I'm having the same issues with iMacs that needed to be imaged twice because of a mistake in the original config. They fail out with improper device certificates unless I manually run the /Library/Application Support/JAMF/FirstRun/Enroll/enroll.sh script. If I do that they recognize the invitation and everything seems fine.
Posted on 04-23-2015 07:21 AM
@noah I noticed the same issue and contacted my support contact at JAMF.
So a couple of things happened. We had a prestage imaging setup to image the machines. It was failing almost immediately but it goes ahead and creates the JSS record for that machine. Once I fixed the prestage configuration, we would have to delete the record and reuse the computer name from the prestage logs. Then it would prestage again.
As for the Autorun not enrolling, we also asked our guy about that. He relayed the message from the Engineering group that this is actually EXPECTED behavior. The idea being if we have a machine in the JSS already, then using Autorun imaging we shouldn't "re-add" the machine to the JSS.
I wanted the information so I knew the last time a machine was imaged. He suggested on those configurations, adding a QuickAdd package as the last step. That would re-enroll regardless.
Posted on 04-23-2015 08:02 AM
We've had to use a quickadd because of autorun since upgrading to 9. Fun times.
Posted on 04-24-2015 10:28 AM
Now I'm imaging new MacBook Airs (via Ethernet to Thunderbolt adapters) that have never been in the JSS with the same issues. I even told PreStage Imaging to install a QuickAdd package on reboot but it doesn't seem to do it. My full PreStage is:
1. Set computer name
2. Reboot to internal drive
3. Add two admin users
4. Bind to AD
5. QuickAdd
6. KACE agent
7. Script to turn on SSH
8. Script to Kickstart ARD
9. Script to add IsHidden bit to admins
It renames the computer and reboots, adds my admins and installs the KACE agent but nothing else. I still have to run enroll.sh manually at which point everything comes together.
So far I've tested this on eight machines. I have 43 to go...
Posted on 04-24-2015 10:36 AM
Try adding a script to enable the wifi adapter (link to one in feature request below).
If that fixes it, vote up my feature request :)
Casper Imaging - build in enable ethernet adapters functionality
Posted on 04-24-2015 11:23 AM
Our wifi network setup requires the user to login with their unique credentials. It also creates a trust certificate for each machine because there's a limit. Gotta do this over Ethernet. I'll try your script though!
I voted up anyway. It's a good cause.
Posted on 04-24-2015 11:34 AM
@noah, I had a typo above. The script enables the Ethernet adapter (not wifi).
Posted on 04-24-2015 01:01 PM
End of the day update:
I added two more scripts to the Configuration/PreStage based on my research here. One that enables the Ethernet adapter as suggested above and one that sets the timezone correctly and turns on ntpd. Still no luck. I'm using an external drive with Casper Imaging set to run on login. The machines are identified by serial number.