Jamf and DEP Intermittent Sync Issue

CoryCooper
New Contributor III

Hello,

We are running Jamf 10.15.1 and have done the switchover for VPP/DEP on Apple School Manager. Yesterday and today, if we setup a new iOS device, the default apps like Contacts, iTunes Store, Notes, etc. show a small cloud at the beginning of their name. The cannot be downloaded/installed on our local Wi-Fi network, but do on outside networks. This only seems to affect Jamf managed devices, not people's personal iOS devices. VPP-purchased apps scoped from Jamf install normally.

We have created new Public Key and Server Tokens for DEP, checked firewall settings, restarted our Jamf server, etc.

Any ideas on what could be causing this?

Thanks in advance,

Cory

13 REPLIES 13

Phantom5
Contributor

Same here, after updating JAMF Pro to version 10.15.1, MDM synchronization with DEP services is broken. We've uploaded the public key to ASM, downloaded the new token and uploaded it to JAMF several times. But after a couple of minutes sync between the MDM and DEP breaks again. Even some times when we try to upload the new token we get the error "Problem contacting Apple Services".

snowfox
Contributor II

I'm seeing the same issue on our server after upgrading to 10.15.1. One minute the DEP sync is not reporting any alerts, check back 10 minutes later there's a red sync triangle saying sync failed. Then it disappears again. Comes and goes. Thought I was going nuts. Glad its not just me.

jamesandre
Contributor

schiemsk
New Contributor III

Hi,

We solve that issue by disabling TLSv1.3 as explained on macmule.

Add

-Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2

Into

<jsshome>/tomcat/bin/setenv.sh

Result :

#! /bin/sh

# Place any and all customizations to your Tomcat instance here.
# Examples:
#
#   export JAVA_OPTS="$JAVA_OPTS -Xmx1024M -Xms256M -Djava.awt.headless=true"
#   export CATALINA_OPTS="$CATALINA_OPT -Xss=192k"
#   export CATALINA_TMPDIR="/tmp"
#
# This file will be backed up and restored on upgrades.

export JAVA_OPTS="$JAVA_OPTS -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2 -Xmx1024M"

# Sets JAVA_HOME if it is NOT set

And restart tomcat & check the entire process command line (ps -auxwww)

Regards.

blackholemac
Valued Contributor III

@bentoms Thank you for your post...I noticed this yesterday and you came through with a fix that worked well...for the record we were using Amazon Corretto 11.0.4_10 on Windows and corrected this issue on our cluster simply by adding this line quoted above to our Tomcat Java settings on the master node:

-Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2

PS for anyone who's ever met @bentoms ...he spared us of the donkey work of solving this problem by doing the "faffing around" for us in the macmule post.

bentoms
Honored Contributor III
Honored Contributor III

@blackholemac np! glad it worked.. fwiw the post can be found at: https://macmule.com/2019/10/01/more-dep-sync-errors/

truong_dao
New Contributor

We are using Mac OS X, how to disabling TLSv1.3? Thanks.

sgrall
New Contributor III

@bentoms Ben, thanks for this workaround! I contacted a rather high up colleague of mine at Apple, and he wasn't aware of the issue at all.

I modified your line to be as follows, since TLS 1.0 and 1.1 are deprecated:

-Djdk.tls.client.protocols="TLSv1.2"

I simply added it to the tomcat8w.exe on our Windows Server, present in: C:Program FilesJSSTomcatin

@truong.dao For Mac OS X Server, you will need to add it to the /Library/LaunchDaemons/com.jamfsoftware.tomcat.plist file.

truong_dao
New Contributor

Thanks sgrall.

CoryCooper
New Contributor III

Thanks to all...

Adding the line to disable TLSv1.3 worked like a charm. We initially added the incorrect one, JAVA_OPS, but changed it to the correct CATALINA_OPS for our server and the issue is resolved.

Thanks again,

Cory

levans
New Contributor II

Solution for macOS includes the following, as modifying just the tomcat plist isn't enough, as you also need a modified setenv.sh file in /Library/JSS/Tomcat/bin.

1, Open Terminal and run:
sudo plutil -convert xml1 /Library/LaunchDaemons/com.jamfsoftware.tomcat.plist

2, Then open the file:
sudo nano /Library/LaunchDaemons/com.jamfsoftware.tomcat.plist

3, Add the below new string:
<string>-Djdk.tls.client.protocols=TLSv1.2</string>

4, Then save and convert the file: sudo plutil -convert binary1 /Library/LaunchDaemons/com.jamfsoftware.tomcat.plist

&

Create a new file (setenv.sh) that is the one that catalina.sh will read (by default is not present).

1, Create the new file: sudo touch /Library/JSS/Tomcat/bin/setenv.sh
2, Open the new file: sudo nano /Library/JSS/Tomcat/bin/setenv.sh

3, Paste in the below and save:
export CATALINA_OPTS="$CATALINA_OPTS -Xms512m"
export CATALINA_OPTS="$CATALINA_OPTS -Xmx8192m"
export CATALINA_OPTS="$CATALINA_OPTS -Djava.awt.headless=true"
export CATALINA_OPTS="$CATALINA_OPTS -Djdk.tls.client.protocols=TLSv1.2"

4, Then run: sudo chown -R _appserver:_appserveradm /Library/JSS/Tomcat/bin/setenv.sh

5, Stop Tomcat: sudo launchctl unload /Library/LaunchDaemons/com.jamfsoftware.tomcat.plist

Start Tomcat using the catalina script, this should allow tomcat to startup reading the setenv.sh file that contains the "TLS specification"

sudo su
cd /Library/JSS/Tomcat/bin/
./catalina.sh run

Provided and tested by Jamf Support, I can confirm that the above fix does work for macOS.

CoryCooper
New Contributor III

Spoke a bit too soon...

The above fix worked for the DEP sync, but we still cannot download/install and default iOS apps - they are still showing the cloud icon. Any Jamf-scoped apps do install, because they are coming from our caching servers.

Any thoughts?

mberardinelli
New Contributor

Same issue here after upgrading to JAMF 10.15.1 two days ago. Our DEP/Apple School Manager sync stopped working and when I tried to download a new token from ASM and upload to JAMF, I would get the "Problem connecting to Apple Services" error message.

Confirmed that the above fix did work for us as well (we are running Ubuntu 18.04). Disabled TLS1.3 by editing the setenv.sh file as suggested. After that I was able to successfully upload the new token and sync appears good again.

According to that Mac Mule article it seems like there will be a fix for this in the OpenJDK v.11.0.5 patch slated for release on October 15.