Jamf On-Premise - Apple DEP & Jamf - A server with the specified hostname/ Invalid Profile etc.

ajcharsley11
New Contributor II

Hi Everyone,

Here is how to fully set up / fix DEP integration with Jamf!

So, I'd spent a while tearing my hair out trying to figure out why the above errors kept appearing on iOS devices... The DEP was linked into Jamf with the certificates set up (see https://www.jamf.com/jamf-nation/articles/359/integrating-with-apple-s-device-enrollment-program-dep) and everything was happy on both sides. The DEP page showed the server connected and Jamf showed devices in the DEP setup.

I had set up a pre-stage enrollment and a configuration profile > assigned it to the DEP scope > unboxed the new phone > proceeded to setup > error: A server with the specified hostname could not be found.

Problem: This is a certificate authentication issue between your device, DEP and Jamf.

FIX: You need to confirm the Jamf Pro URL in the settings page of Jamf, renew a certificate in the Tomcat settings to match that, restart the Tomcat services and make the URL externally accessible on port 8443.

To do this: Go to Settings > Global Management > Jamf Pro URL - Enter a URL you want to be externally accessible (e.g. https://jss.mycompany.com:8443/)

Now go to Settings > Apache Tomcat settings > Edit > Change the SSL Certificate used for HTTPS > Generate a certificate from the Jamf Pro's Built in CA > Complete!

Now restart Tomcat Services > I'm on a Windows machine so just went to Services.msc > right-clicked Apache Tomcat and restarted.

I then added the new URL to our external DNS records (matching the one that the DEP lists as its IP) > and allowed port 8443 inbound to the internal server.

NOTE!

Once I completed the above - the phones still would not enroll.

YOU NEED TO DO THE FOLLOWING - re-set up JAMF and DEP with new keys and tokens for clarity. You will NEED to set up a NEW Prestage Enrollment profile though, otherwise your phones will still not enroll - this wouldn't work for me until I did this.

Now you've done this - you should now be able to enroll the configuration profile as normal :)

Sidenote: I noticed once all of the above was complete - I got the error 'Invalid Profile' instead - this is more often than not related to the connection to the Apple time servers. In the UK we are set up with Vodafone but for some reason when activating on the tariff's data SIM the time was set to LA time, which evidently did not match the phone set in UK mode. I put the phone onto a local wifi and the setup went straight through!

Hope this helps at least one of you! I feel like this info wasn't fully evident in the documentation for setting up Jamf on-premise solutions.

Thanks,

Andrew
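
A pre-flight check for the fix described in the post above, as an added example that is not part of the original post or Jamf's own tooling: it confirms that the configured Jamf Pro URL is https, that the certificate Tomcat serves covers that hostname, and that the certificate is valid at a given clock time. The function names, the `ca_file` path (an exported copy of the Jamf built-in CA certificate) and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample in the shape ssl getpeercert() returns; not from a real server.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "jss.mycompany.com"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}


def san_matches(host, cert):
    """True if host equals a DNS subjectAltName or matches a leftmost '*.' wildcard."""
    host = host.lower()
    parent = host.partition(".")[2]
    allowed = {host, "*." + parent} if parent else {host}
    for kind, name in cert.get("subjectAltName", ()):
        if kind == "DNS" and name.lower() in allowed:
            return True
    return False


def check_jamf_url(jamf_url, cert, now=None):
    """List mismatches between the configured Jamf Pro URL and the served certificate."""
    now = now or datetime.now(timezone.utc)
    url = urlsplit(jamf_url)
    problems = []
    if url.scheme != "https":
        problems.append("URL is not https")
    if not url.hostname or not san_matches(url.hostname, cert):
        problems.append(f"certificate does not cover hostname {url.hostname}")
    start, end = (datetime.fromtimestamp(ssl.cert_time_to_seconds(cert[k]), timezone.utc)
                  for k in ("notBefore", "notAfter"))
    if not start <= now <= end:
        problems.append(f"certificate not valid at {now.isoformat()}")
    return problems


def fetch_cert(jamf_url, ca_file):
    """Connect to the URL's host and port and return the CA-verified certificate dict."""
    url = urlsplit(jamf_url)
    ctx = ssl.create_default_context(cafile=ca_file)  # ca_file: assumed path to exported Jamf CA
    ctx.check_hostname = False  # hostname is compared explicitly in check_jamf_url
    with socket.create_connection((url.hostname, url.port or 443), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=url.hostname) as tls:
            return tls.getpeercert()
```

Run `fetch_cert` from a network outside the LAN so that the external DNS record and the inbound port 8443 rule are exercised as well, then pass its result to `check_jamf_url`.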

1 REPLY

blackholemac
Valued Contributor III

@ajcharsley11's post is a worthy read for folks. This also speaks to the occasional post I see on Jamf boards about someone wanting to know what's involved with changing the URL of the JSS. In short, a road you do NOT want to go down, unless reenrolling your fleet is considered a fun activity or the benefits outweigh the work involved.