Issues / Stability of 9.101 update

egill
New Contributor III

Hey guys, just checking to see how the new update is settling in before I make the jump. We have our JSS on a Windows 2016 server. Would move from 9.98 to 9.101. Thanks!

hkabik
Valued Contributor

Was just about to start one of these myself... I'll keep an eye on this one. thanks!

benducklow
Contributor III

Ditto here @egill and @hkabik! Would love to see/hear what people's experiences are with this latest release (issues, bugs with current macOS's as well as how it's working with the latest beta version of High Sierra).

mm2270
Legendary Contributor III

I'm also interested. I looked over the Release Notes, but so far I'm not seeing any issues addressed that were affecting us here to my knowledge. The couple of issues that I'd like to see fixed don't appear to be in this release, unless I'm just missing them.

rcorbin
Contributor II

Looks like everyone is wondering (including me) but no one has installed it yet.

dan-snelson
Valued Contributor II

We're running 9.101.0 in our Dev and Stage lanes and have just started testing. (We deploy from ROOT.war.)

My current understanding is that 9.101.0 is required for full compatibility with macOS High Sierra 10.13 and most concerning for us is fresh FileVault encryptions to escrow Personal Recovery Keys for users running macOS 10.13.

emily
Valued Contributor III

@dan.snelson have you played around with the new configuration profile payloads for FV2 escrow in 101? I had asked Jamf a question about it in the beta discussions but the beta discussions are gone now…

I was curious about how the helper text in the new payload options says:

Create an individual recovery key. To store the individual recovery key in the JSS, you must also configure the FileVault Recovery Key Redirection payload

Does this mean that the FileVault Recovery Key Redirection payload (deprecated) should still be enabled for escrow on 10.13 machines to work even though it's not honored by the OS? Or is that text implying something else?

lnu_casper
New Contributor

Hi, after we updated to 9.101 we were having problems with new installations and reinstallations. Computers could not bind to AD with Casper Imaging and the computers did not get into Casper. We had to build a new NetBoot image ("nbi"). Now it works well again. (We upgraded from 9.96.)

predfern
New Contributor

We upgraded our environment on Wednesday night and took the time to incorporate a pair of Memcached servers into our cluster at the same time. We have not seen any issues so far; in fact it is performing significantly better than before the upgrade. We did have to make sure that all of our NBIs were updated with Casper Imaging 9.101 and our techs could authenticate AutoRun imaging at our checkout stations.

dcgagne
Contributor

@emily

In my testing thus far it appears the original redirection policy will stay in place for 10.12 and below. For 10.13 and up the old redirection policy will not load if FileVault is configured with the newer escrow recovery key option set. In fact, if both are loaded you will see this error under Management Commands under the old redirect CP:

A profile with a “FileVault Recovery Key Escrow” payload is already installed on the system.

The kicker is, in my early testing using the new escrow option and 10.13 GM, it doesn't work. The key is invalid if it is regenerated manually and running the regeneration as a policy fails.

emily
Valued Contributor III

We tested this on 10.13 by doing the following:
- Created a combined Security & Privacy + FileVault 2 escrow settings configuration profile scoped to 10.13 machines
- Changed scope of old FileVault 2 escrow and Security & Privacy config profiles to exclude 10.13 machines

It enabled FileVault 2 on next login, like we wanted, but it didn't actually escrow the key until a recon ran. I don't remember that being the behavior with the old payload.

dan-snelson
Valued Contributor II

@emily The description in your screenshot above confuses me. Did you get any feedback from Jamf?

In our Jamf Pro 10 Beta 2 lane, we're excluding our legacy "FileVault Recovery Key Redirection" from High Sierra machines, but I've been so focused on re-generating keys with High Sierra and 9.101.0 that I can't remember if you really need the legacy profile on High Sierra machines.

Boughen
New Contributor

We upgraded a test environment last week. The master Tomcat server upgraded without issue; the 2 slave Tomcat servers have failed. We get the following error when starting Tomcat:

"The following error was encountered during initialization:
Error initializing object caches"

It looks like it's having a problem reading a certain object in the database.

We have a support ticket in with JAMF, no solution as yet.

russeller
Contributor III

@Boughen I'm not saying this is a solution, but the nice thing about those child webapps is that you can just dump the VM and rebuild it from a template or scratch. I'd usually keep a copy of the DataBase.xml (from /usr/local/jss/tomcat/webapps/ROOT/WEB-INF/xml) and server.xml (from /usr/local/jss/tomcat/conf/) and possibly the keystore (if you keep it in /usr/local/jss/tomcat/) if you need it.

By rebuilding it from scratch you can install your current version of the JSS on that child webapp without having any sticky icky bits from previous installs. Also ensures all your supporting services are current (java, etc).

I agree it would be nice to figure out what is causing it to fail. Have you examined all the logs? What is happening in the catalina log and the JAMFSoftware log during startup?
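
An added example, not part of the post above and not Jamf tooling: a shell function that copies the files named in that post (DataBase.xml, server.xml and, optionally, the keystore) into a private directory with checksums before a child node is rebuilt. The `ROOT` prefix argument, the destination directory and the keystore file name are assumptions supplied by the caller.

```shell
# Added example (not from the thread). Paths are the ones quoted in the post;
# the keystore file name is an assumption and is passed in by the caller.

# backup_jss_node_config ROOT DEST [KEYSTORE_NAME]
#   ROOT  filesystem prefix: "" on the server itself, a scratch dir for a dry run
#   DEST  directory that receives the copies
# The body runs in a subshell so the umask and cd below do not leak to the caller.
backup_jss_node_config() (
    root=$1; dest=$2; keystore=${3:-}
    tomcat="$root/usr/local/jss/tomcat"
    set -- "$tomcat/webapps/ROOT/WEB-INF/xml/DataBase.xml" "$tomcat/conf/server.xml"
    if [ -n "$keystore" ]; then set -- "$@" "$tomcat/$keystore"; fi

    # DataBase.xml carries the database credentials and the keystore carries the
    # TLS private key, so the copies must not be readable by other accounts.
    umask 077
    mkdir -p "$dest" && chmod 700 "$dest" || exit 2
    : > "$dest/SHA256SUMS"

    missing=0
    for f in "$@"; do
        name=${f##*/}
        if [ -f "$f" ]; then
            cp -p "$f" "$dest/$name" && chmod 600 "$dest/$name" || exit 2
            # Checksums let the copies be verified once they land on the rebuilt node.
            (cd "$dest" && sha256sum -- "$name" >> SHA256SUMS) || exit 2
        else
            echo "missing: $f" >&2
            missing=1
        fi
    done
    # Exit status 0 only if every requested file was found and copied.
    [ "$missing" -eq 0 ]
)

# Usage on the node itself (keystore name is a placeholder):
#   backup_jss_node_config "" /root/jss-node-backup keystore.jks
```

After the rebuild, `sha256sum -c SHA256SUMS` run inside the backup directory confirms the files were restored unchanged.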

rcorbin
Contributor II

We were running Jamf Pro 9.99.0 up until about a week ago when we upgraded to 9.101.0. We skipped 9.100.0. So far since upgrading about a week ago all has been fine. The upgrade was super easy. We run it all under Red Hat. So far all seems good with the JSS and iOS 11 as well. Haven't really done much testing with 10.13 yet.

frank
New Contributor III

Only issue we've seen is any home screen payloads for iOS devices you may have get removed from the configuration profile post upgrade. JAMF has a PI-004439 for it. So if you're going to upgrade, make note of any configuration profiles for iOS devices that set home screens, as you need to recreate them in 9.101.0.

remyb
Contributor

@dan.snelson as far as i've seen, the legacy profile does nothing on high sierra. We created a profile with only the filevault 2 escrow enabled, and we enable filevault through a separate policy.

as @emily pointed out, the key didn't get escrowed until a recon ran, but at least it did properly escrow.

The re-generation script we use which is based on https://github.com/homebysix/jss-filevault-reissue failed because the output of $FDESETUP_OUTPUT is different. Commenting out the "elif [[ $ESCROW_STATUS -ne 0 ]]" section lets the script complete without errors and properly sends the key to the JSS

jon_heyd
New Contributor II

We've actually had some pretty significant issues with the update, and are unsure where they've come from. Once the update was complete, hundreds of iPads using group-assigned apps suddenly lost their configuration profile (which contained their WiFi connectivity info). When they were reconnected, they began spontaneously deleting and re-downloading their web clips and applications. We have been fighting them for weeks now. It's a bloody nightmare; the one school building that's 1:1 for students and devices is basically at a standstill. Having 500+ iPads trying to re-download 30+ apps each is destroying our WiFi, even with two Apple caching servers and a gigabit backbone. The only fix, so far, is to "erase all contents and settings"...which we're not entirely sure will fix it. Angry emoji.

thejenbot
Contributor III

we've had issues with 9.101 as well. have seen the issue @frank mentioned above with home screen payloads - 1/3 had been blown away and we had to start from scratch.

also re: what @jon_heyd mentioned above, we were having a similar problem so after working with jamf to sort it out i started this discussion: https://www.jamf.com/jamf-nation/discussions/25665/change-in-smart-mobile-device-group-membership-pulls-config-profiles-9-101. so that sucks.

we're also having problems clearing passcodes when iPads are not connected to WiFi, which there are about a bajillion threads on, but this seems more like an apple control issue and basically requires DFUing devices. we used to use ethernet > usb > hub > usb > lightning to wire up devices, but sometime after 10.3 that stopped working. so based on recommendations we got the camera adapter and applied the firmware update, but commands still don't go through. iOS 11 seems to be better when it comes to this, but i hear others are still having problems; i just don't know what version of the JSS they're running.

it seems like with every update some things get fixed and others get broken. with all that we've dealt with, we kind of wish we hadn't updated; but 9.101 came out almost a month ago and we didn't notice most of the problems until a couple of weeks in. also, with the way apple herds people into updating, at some point you kind of have to move. a lot more people have been having problems because they haven't updated and have devices at iOS 11 while still running older versions of the JSS.

if you're aware of the above info and can easily recreate any home screen configurations if they get lost, and if you ditch smart mobile device groups, etc. ahead of time, you'll be in a better boat than we were :)

jness
New Contributor

I'm having many problems going from 9.96 to 9.101.

A known product issue where apps and profiles scoped to ldap groups are being removed and are supposed to be installed again overnight, but one of them is the wifi payload and without it, the iPads are not receiving the install commands.

JSS has been crashing quite a bit. Often times even a full server restart doesn't fix it. The JSS url fails to load even on the server itself, even trying localhost:8443 instead of the normal URL.

I'm half tempted to try to roll it back to an earlier version and see if I can reclaim some stability. I'd sacrifice the few iOS11 devices that 9.96 couldn't work with in order to get the rest of my fleet and JSS operational again.

murph
New Contributor III

@jnelson64 Have you tried the new Tethered Caching setup to unlock devices? I have not tried this, but I have heard that it should work better than the ethernet adapter approach. If I understand correctly, when a Tethered connection begins, it prompts the device to immediately check in to the MDM server for pending commands.

murph
New Contributor III

@jnelson64 I agree with you that every update seems to fix/break things. This has prompted us to start looking at other MDMs. I know several schools that I've talked to are planning on abandoning JAMF at the end of this school year. So far on a couple of other MDMs we've looked at, they are education focused and they cost a lot less than JAMF, and people on them seem very happy. I have yet to talk to another school that is happy with the state of JAMF Pro.

thejenbot
Contributor III

@murph we have pairing restricted with a config profile so tethered caching didn't work, though i read on another thread that if the machine you hook up to is also in DEP it overrides the fact that there is no trust relationship between the devices. haven't tested this out to see if it will work in our situation; it's early enough in the school year, and everything backs up to the cloud, so i don't feel too evil when i have to wipe a device and make the kid start again. plus it teaches them they need to effing remember their password; we'll probably never see them again for a similar issue, it forces them to get their stuff together.

interesting that others are considering jumping ship and good to know we're not alone. we've not been too pleased for awhile; all the growing pains have been very disruptive and i miss my TAM. it's like an indie band you love goes mainstream and then you just can't stand them anymore once you hear them on the top 40...

jriv
New Contributor III

@remyb

I'm having the same issue. Could you tell me exactly which lines you commented out on the script?

Thanks!

remyb
Contributor

@jriv the author of the script uploaded a High Sierra compatible (beta) version of the script on github, use that: https://github.com/homebysix/jss-filevault-reissue

marktaylor
Contributor

We have issues with iPads since upgrading; we can no longer add classes created manually in the JSS to our shared iPads, though ASM imported classes are still ok. Our kiosk iPads in single app mode keep failing and dropping off the wifi. Mac OS devices seem ok apart from the usual MDM issues but most of that is down to changes in Sierra & HS.

elliotjordan
Contributor III

Hi all! I'm the maintainer of the jss-filevault-reissue workflow referenced above, and I've got a quick update that may be of interest to you.

My team has published a new tool called Escrow Buddy, which regenerates FileVault keys at the loginwindow, thus avoiding the need to prompt users for their password later. It should be suitable as a drop-in replacement for my previous jss-filevault-reissue workflow at most organizations.

You can read more in this announcement on the Netflix Tech Blog, and this post on my site specifically covers migrating from my old workflow to Escrow Buddy. Escrow Buddy's source code and installer are available on GitHub.

Thanks!