Can anyone help? I have just set up a test JSS for demo purposes, but every time I try to enroll a machine I get an error when installing the MDM profile; the error says that it can't contact the SCEP server.
I have set up the correct URL in the "JSS URL" section and imported a fresh MDM Push certificate, but with no success. I also tried taking all machines out of the JSS and re-adding them, with the same result. It is building an inventory, but in the "General" listing it tells me that MDM Capability is "NO" ...Any ideas?
The main thing that stands out to me is that your JSS URL is an IP address; generally for MDM to work as expected, we need to have an FQDN (not a .local, as anything with iOS 8 or higher will have difficulties communicating with that) there, not an IP address.
If there is a URL in Global Management >> JSS URL >> JSS URL for Enrollment Using Built-in SCEP and iPCU, we'll want to remove that, specify a proper FQDN for the JSS URL in the JSS URL field, then regenerate your Tomcat certificate (if using the built-in one) through System Settings >> Apache Tomcat Settings, then restart Tomcat to get that URL cleared out.
If it's still giving you trouble after getting those things changed/fixed, it may be fastest to get in contact with your Technical Account Manager and set up a call or a WebEx session so they can help you dig into it a bit deeper.
JAMF Software Support
Sorry to bring up an old thread. We are having the same issue as the OP.
We don't have access to the external firewall, but the team has stated nothing is happening with outgoing traffic. The other thing is that our traffic is routed through a load balancer. The thing I am wondering about is that the jss.domain address is not the actual FQDN of the server. That resolves to the IP address on the load balancer. SSL terminates there as well, and all traffic back to the server is routed via 8080. Anyway, since the FQDN that it is trying to connect to is at the load balancer, could that be causing an issue here? This is not my strong suit, so any help would be appreciated.
If that is the issue, what would be recommended to resolve it? We need to keep that shorter name, as our server naming convention here is way long.
My situation is very similar w/ the load balancer, though we don't terminate SSL. We let the server do that. We have no troubles at all. Might try re-doing the cert, checking permissions on the directory. Also, I would check NAT translation or other settings with the firewall. Can you test or connect to a webpage on the same server? Can you ping it?
We're also having this issue with our jss that also has a FQDN. We're using a third-party wildcard cert and we're also having the same issue that @csm0004 is having with DEP and prestage enrollment not working.
I currently have a ticket open with jamf regarding this and I'll TRY to update here if I find a solution.
Our issue was resolved by 1: not using a wildcard cert (Jamf still cannot give me a reason why wildcard certs don't work) and 2: renewing the Tomcat cert and restarting Tomcat.
We have since moved to a third-party cert for the server and no issues since.
Very late response, but just in case someone runs into it and reads this thread. My issue was at my last job, and we abandoned using a load balancer. We ended up setting up a more traditional setup with a server in the DMZ (in our case it was a firewall context).
Our issue ended up being the SSL cert. Testing again later, before I left, letting the SSL cert go through as Chris Miller recommended resolved the issue. This was with a new cert as well.
Just to chime in here and clarify for others. Here was my scenario and resolution:
1. Set up a Jamf Pro server URL originally with an IP address (this was for a PoC), as well as a Push Cert with Apple and the User-Initiated Enrollment feature
2. Needed to change the URL so it wasn't using an IP, so I changed it in the JSS and restarted Tomcat
3. Tried to enroll a device; got the "Unable to Contact SCEP Server" error
4. Renewed both the Push Cert (not sure that was needed) and the Apache Tomcat cert (using the "Generate a certificate from the Jamf Pro's built-in CA" option)
5. Restarted Tomcat again
6. Was able to successfully enroll a device using the User-Initiated Enrollment feature!
Hope this makes it more clear for some. :)
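The checks the posters above converge on (JSS URL must be an FQDN rather than an IP or .local name, and the cert Tomcat serves must cover the name clients actually connect to, e.g. a load-balancer FQDN, with wildcard certs reported as problematic) can be scripted before enrolling anything. This is an added example, not Jamf's own code; the hostnames and SAN lists in the test are constructed.

```python
import ipaddress
from urllib.parse import urlsplit


def jss_url_issues(url):
    """Return problems with a JSS / Jamf Pro URL, per the thread above:
    https scheme, host must be an FQDN, not an IP literal, not .local."""
    issues = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        issues.append("scheme is not https")
    if not host:
        issues.append("no host in URL")
        return issues
    try:
        ipaddress.ip_address(host)  # raises ValueError for a DNS name
        issues.append("host is an IP address, not an FQDN")
        return issues
    except ValueError:
        pass
    if host.endswith(".local"):
        issues.append("host is a .local name (iOS 8+ has trouble with these)")
    if "." not in host:
        issues.append("host is a bare short name, not an FQDN")
    return issues


def san_matches(hostname, san):
    """Hostname match the way TLS clients do it (RFC 6125 style):
    a wildcard may only stand in for the single leftmost label."""
    hostname = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if san.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == san[2:]
    return hostname == san


def cert_issues(hostname, sans):
    """Compare the name devices connect to (the JSS URL host, which may be
    a load-balancer FQDN) against the SAN list of the cert Tomcat serves."""
    issues = []
    matching = [s for s in sans if san_matches(hostname, s)]
    if not matching:
        issues.append("no SAN covers %s (cert issued for another name?)" % hostname)
    elif all(s.startswith("*.") for s in matching):
        issues.append("only a wildcard SAN covers %s; thread reports SCEP "
                      "failures with wildcard certs" % hostname)
    return issues
```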