Posted on 03-22-2022 06:21 AM
Not sure what I'm missing here. We have configured our Jamf ADE enrollment process and everything is working great on wired connection. However when we try and enroll via Wireless, it will install the MDM profile but fails to deploy the enrollment package/policies.
Is there something obvious we are missing? Is there a setting somewhere that needs to be enabled for wireless enrollment to work properly? The wireless Macs are still enrolled in Jamf, it's just that the enrollment package won't deploy. Looking at the logs for the enrollment package deployment, it continually lists "Could not connect to the JSS" when trying to run the enrollment policies. However after it's done, I can install apps etc from the Self Service, so it seems the issue is only during the initial enrollment process. Thanks for any help.
Posted on 03-22-2022 06:34 AM
Is your jamf on-prem or cloud?
Posted on 03-22-2022 06:35 AM
Cloud
Posted on 03-22-2022 06:38 AM
The wifi you are connecting to on the Mac, is it a guest wifi or an internal corporate wifi? Also, to elmininate your wifi is the issue, can you connect to a hotspot and try to enroll that way?
Posted on 03-22-2022 07:18 AM
Are you using your production network to enroll
or
are you using an enrollment or guest network?
How is your Wi-Fi profile distributed?
If you are enrolling on the network you are installing the Wi-Fi profile for as part of the enrollment process, you may see disruption in your network traffic.
As stated earlier test, try
- enroll on a mobile hotspot
- enroll on your guest network
You may also want to try to enroll, and let the computer bake for 5 minutes before you sign in for the first time.
Posted on 03-22-2022 07:28 AM
We have two wifi options in our organization - a guest wifi that requires a generic username and password, and the main wifi that requires specific user account credentials (this wifi also requires trusting a cert when joining).
We have no wi-fi profile at the moment - allowing clients to connect to their preferred wifi prior to enrolling.
I'll try letting it wait for 5 mins or so after joining the network to see if that helps. If not, I'll see if I can use a hotspot for testing.
Posted on 03-23-2022 01:50 AM
I had a similar issue in our WiFi environment. I got the following tool from the Apple Seed website which was a great help to troubleshoot the issue: "Mac Evaluation Utility"
https://appleseed.apple.com/sp/de/downloads/projects/1001315/downloads/1015469
Posted on 03-23-2022 03:34 AM
I believe it's timing and saw similar issues during enrollment (802.1x) when devices are scoped with a wi-fi profile set to auto connect.
Depending where you are in the process it can be enough for Jamf to dump the enrollment, leaving a half enrolled (sometimes no binaries) machine. There's a known issue for similar;
A drop in network connectivity may cause policies with an Enrollment Complete trigger to fail.
A couple of things;
- I moved to 1 x enrollment complete policy only using the run processes payload to call policies needed during enrollment eg. jamf policy -event xx.. In and out, the rest can be done on startup / check in etc.
- If you have a network wi-fi profile scoped to devices either un-scope until later in the enrollment and test (eg I use touch command for a enrollcomplete.pkg).
Or (what I did) if there's wpa2 network available, create a wi-fi profile that uses this network purely for onboarding, then remove after enrollment (select this profile to be installed first as part of the pre-stage enrollment). It looks like this;
DEP -> Onboard wi-fi installs -> All other profiles install-> Jamf / Enrollment complete tasks -> Install 802.1x profile
Lastly, get up and around this great article by Mr Purves, I'm about to myself! (It should be a feature of Jamf but hey, go community)
https://richard-purves.com/2022/03/10/repairing-broken-jamf-enrollments-for-fun-and-profit/
Posted on 03-23-2022 03:41 AM
Sorry I just saw your post above about the guest wi-fi.
Try using the guest network in a profile installed first via the pre-stage (assuming it has appropriate network access to internal / external resources) then remove after enrollment for your usual wi-fi + cert profile.
Doing it this way allows me to enroll devices using either the wpa2 ssid or 802.1x + cert network, config profiles sort the rest out
Posted on 03-23-2022 08:46 AM
Another option is to spin up a SSID for enrollment.
Depending on your organization and configuration, it can be made available to only one (or several) access points and depending on your organization you might have the physical access to these items and you connect it to power to spin up the enrollment SSID. You can rotate the password as well as needed.
Posted on 03-23-2022 10:25 AM
Thanks for the suggestions! @Bol I'm going to try this route out - a config profile during prestage, specifying the username and password and I'll see how that goes. Out of interest, do you still have to select a wireless network during the OOBE process before the config profile kicks in (wondering as by the wireless stage we haven't connected to Jamf yet). Thanks!
Posted on 03-23-2022 02:45 PM
Yes, we always need to either plug in a network cable or choose a wireless network (be it 802.1x or wpa2 that we have available).
I've even tried an older imac nearby and shared wi-fi out with no auth (although I believe you need to specify a password now).