MDM installation on Ventura mac M1 fails - SSL failure

Anonymous
Not applicable

Hello everyone,

I ran into an issue when I wanted to register a Mac M1 with macOS Ventura to our Jamf Pro management. While installing the MDM profile, the installation stops with the message "mdm profile could not be installed, ssl failure" (I hope this is the right translation from German to English).

I tried to deactivate the ssl check on our Jamf Pro, but without any success.

All clients with macOS Monterey (version 12.6.1 included) can be registered and the MDM profile will be installed without any issues.

Does anyone have an idea where I could configure the MDM installation on Mac M1® (and/or INTEL®) under macOS Ventura®?

At this time, we are running Jamf Pro 10.41.0. Because of the certificate issue, I did not update to 10.42.

 

I would be glad for some thoughts :)

greetings,

NOVELLUS

23 REPLIES

kay-_-
New Contributor III

That's very strange.
Are you using a verified 3rd party SSL? Is it DEP or user-initiated enrollment?
I just tested it on an Intel mac running Ventura and seems to be working fine for me.

Anonymous
Not applicable

Sorry for my late reply.
We are using the built-in certificate of our Jamf Pro server. All Macs with an OS earlier than macOS 13 can be registered without issues, but when I want to register a Mac with macOS 13, the SSL failure appears.

The enrollment is user initiated. The test Mac is an M1 Mac. At this time, I do not have an INTEL Mac to test.

P_Featherstonha
New Contributor III

I am in the same boat. Fresh install of macOS 13 Ventura so I can test our JAMF environment. Self-initiated enrolment and the CA Certificate downloads and installs fine. The MDM Profile Certificate downloads and will not install.

 


 

C_Long
New Contributor II

Same thing here. We have upgraded a few of our machines (MacBook Air 13" 2020, 1.1GHz quad-core Intel Core i5). Just like P_Featherstonha said. The CA installs fine. The MDM does not. Same "SSL error has occurred, a connection to the server can not be made" message.

P_Featherstonha
New Contributor III

I have had a little tiny success on this issue (also have a Support Ticket with JAMF). I have set up SSL for the Enrolment and on the Apache side and the MDM on Ventura is now installing with no issues (so far). I will be doing some further testing with the entire process from JAMF in our environment tomorrow and will let you know how it goes :)

As always - anything Apple related is frustrating and time-wasting :)

Anonymous
Not applicable

Are you running version 10.41, too, or are you running version 10.42?
We configured SSL for enrollment and on the Apache side, too.
The enrolment is user initiated, too. The registration URL is an "https" URL. The first step of the registration is downloading and installing the built-in Jamf certificate. The second step is to download the MDM profile. When the MDM profile should be installed, the SSL failure appears.

Maybe you could explain how you configured these parts?

We also tested a registration on Microsoft INTUNE. This is working like a charm and with no issues.

P_Featherstonha
New Contributor III

Currently running 10.42 on our DEV JAMF Server (on-prem) and SSL setup......doing more testing today and also noticed JAMF have released 10.42.1 overnight - So I am also testing this on the DEV server. The Prod JAMF server is being snapped this morning and I will be applying SSL to this as well as upgrading to 10.42.1 and will test from Ventura as well as currently enrolled Macs. Will update later in the day......what a mess :)

P_Featherstonha
New Contributor III

So - The SSL stuff done on the server and within JAMF seems to have corrected the issue......kind of. Machines are now getting the dreaded stupid Device Signature error - so something is still amiss. I will be investigating further next week.......

 

What are you doing when you say SSL stuff done on the server and within Jamf? Just curious. We run our Jamf Pro on Windows Servers: one for Tomcat, the other houses the database.

markacorum
New Contributor II

Very curious as well. I updated one of my Macs from 12.6.1 to 13.0 yesterday and noticed all of my profiles no longer show at the device level and per Self Service my MDM profile is not installed. Jamf Pro shows I have profiles installed. Upon trying to re-enroll via quickadd, profiles -N or user initiated enrollment all seem to fail. I am a Jamf cloud user as well.

I was able to resolve my issue by reinstalling the OS from recovery without wiping.

P_Featherstonha
New Contributor III

OK - It seems to be sorted for one of our prod JAMF Servers. The SSL part is two-fold. IIS on the server has a CA assigned to it and the same CA from the server is converted to a pfx for input into JAMF. Within JAMF you set the Apache Tomcat Settings with the CA and the User Initiated Enrolment and also set the Security for SSL to be "Always" for JAMF version less than 10.42.

So all seems to work so far with Ventura as it now "trusts" the MDM Profile upon enrollment. We have had a few Macs already in JAMF give Device Signature errors that can be easily fixed by removing the MDM Profile and re-enrolling and installing the SSL-updated MDM Profile on the Mac.

Our other JAMF server has had to be rolled back to version 10.41 as the new version completely removes the use and functionality of JAMF Remote - which is highly used in our environment.

 

The testing continues.....the issues will always arise.......and the management of Apple stuff will continue to waste too much of my time lol

 

Cheers - Paul

Anonymous
Not applicable

@P_Featherstonha 

tnx for your time and for sharing your experiences here!

Meanwhile I am testing with INTUNE® and I am extremely surprised how smoothly it works. Because of these problems that appear at nearly every Jamf update and the large amount of time I have to invest to get my environment running again, we are thinking about changing to INTUNE. The tests are still running right now, and, at this point, I can say it is much easier to handle than Jamf. Over the last three years, the expense of keeping our Jamf Pro server running has been growing more and more after every update of macOS and of Jamf. Meanwhile it is nearly the same "rabbit and hedgehog" game as at the time when we installed our only about 60 Macs manually. I am absolutely disappointed because of this.

MCfreiz
New Contributor III

Just ran into the same problem with an Intel Mac that we installed Ventura on.

Anonymous
Not applicable

It does not matter whether the Mac is an Intel or a Silicon. The issue occurs on both of them.

flens
New Contributor

Hi,
on Ventura the trust of self-signed certificates seems to have changed.
You can enroll your devices by doing these steps:

  • First download the certificate in the user enrollment process.
  • After installing the certificate, open up your keychain.
  • Search for "JSS" and open the certificate you have just installed.
  • Under "trust" choose "always trust" (I hope the translation is correct, I have German layout).
  • Then close the certificate window and confirm with an admin user + password.
  • You should now be able to install the MDM profile in the next steps.

Anonymous
Not applicable

Hello @flens, it seems that the certificate trust does not work properly.

On all macOS versions except Ventura, the enroll process is working. The certificate is fully trusted by default.

The users are registering their Macs themselves in Jamf. It seems that we have to instruct them to do the steps that you described. Thanks for your advice! (btw: my layout is German, too :) )

Anonymous
Not applicable

@flens The steps that you described are working, but there is no way we can demand this of our users.
There must be a way to set the Jamf certificate to "always trust" automatically. If the users have to do this themselves, it is not practical to enroll in Jamf via user initiated enrollment.

Maybe someone can give a hint on how to get the certificate set to always trust automatically.

ybai9
New Contributor II

I'm running into a similar problem. Upgraded one of my test machines to Ventura and got the SSL error when I tried to install the MDM profile, but on my Monterey machine it installed without an issue.

chropue
New Contributor

Keychain access, Certificates, "Trust" set "When using this certificate:" to "Always Trust". Re-install MDM profile and your device will be enrolled.

bcrockett
Contributor III

I just want to report that I have run into this with a client computer upgrading to MacOS Sonoma 14.2.1

I am running into the same issue on 14.2.1. Every version prior to this is working as intended.

I figured out a solution after narrowing down the problem to a time server issue.

The system would not set the correct time automatically from Apple's time servers.

I found this out after logging into the Mac with the admin account.

Apple's time server kept choosing a date 3 months in the past, which is why the SSL cert would not validate.

So I manually set the date and time to the correct date-time.

Then let the system set the date and time again. This time it pulled the correct time from Apple's time server.

Once that was done I ran sudo jamf recon and sudo jamf policy in the terminal and both commands worked as expected.

Next, I logged out of the admin account.

Restarted the computer. And had the user log in successfully with Jamf Connect.

I suspect this is a bug in 14.2.1
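
Added example, not part of any post in this thread and not Jamf's code: a Python check that tells apart the two causes reported above, an enrollment certificate whose issuer the client does not trust (flens, chropue) and a system clock outside the certificate's validity window (bcrockett). Assumptions: `python3` is available, the server listens on port 8443, and the host name in the usage comment is a placeholder. Python verifies against its own OpenSSL trust store, not the keychain, so `untrusted_issuer` describes what the server presents rather than what Keychain Access has been set to trust.

```python
import socket
import ssl

# OpenSSL X.509 verify codes that match the two causes discussed in the thread.
UNTRUSTED = {18, 19, 20, 21}  # self-signed leaf, self-signed in chain, issuer not found
NOT_YET_VALID, EXPIRED = 9, 10


def classify(verify_code):
    """Map an OpenSSL verify code to the likely cause of the handshake failure."""
    if verify_code in UNTRUSTED:
        return "untrusted_issuer"
    if verify_code == NOT_YET_VALID:
        return "clock_behind_or_cert_not_yet_valid"
    if verify_code == EXPIRED:
        return "clock_ahead_or_cert_expired"
    return "other"


def clock_vs_validity(not_before, not_after, now_epoch):
    """Compare a clock reading with a certificate's validity window.

    Dates use the OpenSSL text form, e.g. 'Jan  1 00:00:00 2024 GMT'.
    Returns (state, whole_days_outside_window).
    """
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    if now_epoch < start:
        return "not_yet_valid", int((start - now_epoch) // 86400)
    if now_epoch > end:
        return "expired", int((now_epoch - end) // 86400)
    return "valid", 0


def probe(host, port=8443, timeout=5.0):
    """Attempt a verified TLS handshake and classify a verification failure."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return classify(exc.verify_code)


if __name__ == "__main__":
    import sys
    # Hypothetical usage: python3 tlscheck.py jamf.example.org 8443
    print(probe(sys.argv[1], int(sys.argv[2])))
```

A `clock_behind_or_cert_not_yet_valid` result on a certificate that validates from other machines points at the local date and time rather than at the server.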