Machines unable to re-enroll

eosrebel
New Contributor III

Hey all,

We in a 10.1 environment that we host ourselves and lately we've had a few machines stop talking to our JSS. However, when we attempt to re-enroll the devices the enrollment using a fresh QuickAdd.pkg the process stalls out and eventually fails. Looking at the installer log show that it stalls out at this point with the following output.

Removing client SUUpdateServiceClient pid=1521, uid=0, installAuth=NO rights=(), transactions=0 (/usr/sbin/softwareupdate)

The binary appears to be installed as jamf help responds in terminal, but recon as well as manual enrollments stall out during locating hardware information.

Currently this is happening on a 10.12.6 and a pair of 10.13.3 machines.

Any ideas?

13 REPLIES 13

mm2270
Legendary Contributor III

Related to this issue maybe?

eosrebel
New Contributor III

@mm2270 It does not appear to be related to that unfortunately as recon does not get that far to post the error and we have already patched for the max character limit

ThijsX
Valued Contributor
Valued Contributor

deleted the old entries from the JSS? or try modified the re-enrollment opties under settings in case of UIE.

tcandela
Valued Contributor II

sometimes i clear up re-enrollment issues by doing sudo jamf removeFramework

afterwards i then re-enroll with quickadd.pkg

eosrebel
New Contributor III

@txhaflaire We've tried both ways and it gives the same results.

@tcandela Unfortunately sudo jamf removeFramework has not helped with this at all nor has running sudo jamf flushCaches prior to it.

lashomb
Contributor II

We've seen this too, and as for the 'Supplemental Update' bug, we don't track software updates in the JSS so the db schema wouldn't need a change to accommodate.

Enrollment processes never finish when using DEP, because recon hangs. QuickAdd reenrollments fail because recon hangs. Working with Jamf on the issue, but haven't figured it out yet.

eosrebel
New Contributor III

@lashomb I'm curious as to what you figure out. I have a support call scheduled on Friday so we'll see what happens. What does your JSS environment look like?

lashomb
Contributor II

@eosrebel We had an EA hanging up the process, but after that was remedied, our DEP enrollment never finishes. If we kill the bash processes or killall jamf and run a sudo jamf policy then things kick in... but whatever condition that enroll is hitting just hangs it.

Our environment is a cluster of 3 tomcat nodes, 1 db server, 1 memcached server.

eosrebel
New Contributor III

@lashomb Are you running any AV? I was just able to track down the problem to the AV software, Cylance, that we are in the middle of a POC with as the issue.

szultzie
Contributor II

Hi All, We are seeing similar issue with using any quickadd package, even the self enrolled one using the jamfcloud URL.

I also have tracked it down to Cylance. The problem is that we have had Cylance for almost a year, and this issue didn't start till recently.

But now no matter which version of cylance we install seems to hang Quickadd.

We use a DeployStudio workflow to install the OS then name the computer join it to domain install Office (in process to moving more of this workflow into Jamf) do some other customizations that SIP doesn't allow while booted intot he OS like set DefaultUSer Template (like in the old days of phatimaging) part of this workflow i would install Cylance and then the final was a quickadd package. All was working for about a year. Then something changed, at first I thought it was Jamf Pro 10 upgrade, but after a week or so of troubleshooting it was Cylance. It just would allow Quickadd to finish. Then i moved Cylance into an enrollment policy which also wouldn't finish quickadd process. So finally i moved Cyalnce to a check in policy after quickadd already finished.

So the only issue i need to solve now is, if Cylance is installed and we run the quickadd package (manually by a tech or using the URL by the end user) on a wild machine that has not been in Jamf yet with out reimaging.

I am working with my AV tam so hope to have a solution in the next few days, I will report back here if I find one.

-Peter

szultzie
Contributor II

@eosrebel Have you contacted Cylance about this issue yet? Wondering what they have to say about it. We are putting in a ticket to them today.

-Peter

szultzie
Contributor II

@eosrebel By any chance do you have an extension attribute to get the Cylance version in your environment?

mapurcel
Contributor III

@eosrebel we are seeing our DEP Jamf enrollments stall out for 10 or 15 minutes, always correlated to the same line you referenced in the install log, in your investigation did this line play into the root cause?

MacBook-Pro softwareupdated[391]: Removing client SUUpdateServiceClient pid=2715, uid=0, installAuth=NO rights=(), transactions=0 (/usr/sbin/softwareupdate)