I run into an issue when I want to register a mac M1 with macOS Ventura to our Jamf Pro management. While installing the MDM profile, the installation stops with a message "mdm profile could not be installed, ssl failure" (I hope, this will be the right translation from German to English).
I tried to deactivate the ssl check on our Jamf Pro, but without any success.
All clients with macOS Monterey (version 12.6.1 included) can be registered and the MDM profile will be installed without any issues.
Has anyone an idea, where I could configure the MDM installation on mac M1® (and oder INTEL®) under macOS Ventura® ?
At this time, we are running Jamf Pro 10.41.0. Because of the certificate theme, I did not update to 10.42..
I would be glad for some thoughts :)
sorry for my late reply.
We are using the built in certificate of our Jamf Pro Server. All macs with OS earlier than macOS 13 can be registered without issues, but when I want to register a mac with macOS 13, the SSL failure appears.
The enrollment is user initiated. The test mac is a M1 mac. At this time, i do not have an INTEL mac to test.
I have had a little tiny success on this issue (also have a Support Ticket with JAMF). I have setup SSL for the Enrolment and on the Apache side and the MDM on Ventura is now installing with no issues (so far). I will be doing some further testing with the entire process from JAMF in our environment tomorrow and will let you know how it goes :)
As always - anything Apple related is frustrating and time-wasting :)
are you running Version 10.41 , too or are you running Version 10.42?
We configured SSL for e
nrollment and on the Apache side, too.
The Enrolment is user initiated, too. The registration URL is an "https" URL. The first step of the registration is downloading and installing the built in Jamf Certificate. The second step is to download the MDM profile. When the MDM profile should be installed, the SSL failure appears.
Maybe you could explain, how you configured these parts?
We also testet a registration on Microsoft INTUNE. This is working like a charm and with no issues.
Currently running 10.42 on our DEV JAMF Server (on-prem) and SSL setup......doing more testing today and also noticed JAMF have released 10.42.1 overnight - So I am also testing this on the DEV server. The Prod JAMF server is being snaped this morning and I will be applyig SSL to this as well as upgrading to 10.42.1 and will test from Ventura as well as currently enrolled Macs. Will update later in the day......what a mess :)
very curious as well. I updated one of my macs from 12.6.1 to 13.0 yesterday and noticed all of my profiles no longer show at the device level and per Self service my MDM profile is not installed. Jamd Pro shows I have profiles installed. Upon trying to re-enroll via quickadd, profiles -N or user initiated enrollment all seem to fail. I am a Jamf cloud user as well
OK - It seems to be sorted for one of our prod JAMF Servers. The SSL part is two-fold. IIS on the server has a CA assigned to it and the same CA from the server is converted to a pfx for input into JAMF. Within JAMF you set the Apache Tomcat Settings with the CA and the User Initiated Enrolment and also set the Security for SSL to be "Always" for JAMF version less than 10.42.
So all seems to work so far with Ventura as it now "trusts" the MDM Profile upon enrollment. We have had a few Macs already in JAMF give Device Signature errors that can be easily fixed by removed the MDM Profile and re-enrolling and installing the SSL-updated MDM Profile on the Mac.
Our other JAMF server has had to be rolled back to version 10.41 as the new version completely remove the use and functionality of JAMF Remote - which is highly used in our environment.
The testing continues.....the issues will always arise.......and the management of Apple stuff will continue to waste too much of my time lol
Cheers - Paul
tnx for your time and for sharing your experiences here!
Meanwhile I am testing with INTUNE® and I am extremely surprised, how smooth it works. Because of these problems that are appearing at nearly every Jamf update and the very much time I have to invest, to get my environment running again, we are thinking about changing to INTUNE. The tests are still running right now, and, at this point, I can say, it is much easier to handle than Jamf. The last three years, the expense for holding our Jamf Pro server on running was growing more and more, after every update from macOS and from Jamf. Meanwhile it is nearly the same "rabbit and hedgehog" game like at that time, when we installed our only about 60 Macs manually. I am absolutely disappointed because of this.
on Ventura the trust of self-signed certificates seemed to have changed.
You can enroll your devices by doing these steps:
hello @flens that seems that the certificates trust will not work properly.
On all macOS versions, but Ventura, the enroll process is working. The certificate is fully trusted by default.
The users are registering their mac themselves in Jamf. Seems, that we have to instruct them to do the steps, that you described. Thanks for your advising! (btw: my layout is German, too :) )
@flens The steps, that you described, are working, but it is no way to demand this from our users.
There must be a way to set the Jamf certificate to "always trust" automatically. If the users have to do this themselves, it is not practical to enroll Jamf via user initiated enrollment.
Maybe someone can give a hint, how to reach, that the certificate will be set automatically to always trust.