10-27-2022 03:20 AM - edited 10-27-2022 03:22 AM
I run into an issue when I want to register a mac M1 with macOS Ventura to our Jamf Pro management. While installing the MDM profile, the installation stops with a message "mdm profile could not be installed, ssl failure" (I hope, this will be the right translation from German to English).
I tried to deactivate the ssl check on our Jamf Pro, but without any success.
All clients with macOS Monterey (version 12.6.1 included) can be registered and the MDM profile will be installed without any issues.
Has anyone an idea, where I could configure the MDM installation on mac M1® (and oder INTEL®) under macOS Ventura® ?
At this time, we are running Jamf Pro 10.41.0. Because of the certificate theme, I did not update to 10.42..
I would be glad for some thoughts :)
Posted on 10-27-2022 08:33 AM
That's very strange.
Are you using a verified 3rd party SSL? is it DEP or user-initiated enrollment?
I just tested it on an Intel mac running Ventura and seems to be working fine for me.
11-03-2022 04:24 AM - edited 11-24-2022 06:47 AM
sorry for my late reply.
We are using the built in certificate of our Jamf Pro Server. All macs with OS earlier than macOS 13 can be registered without issues, but when I want to register a mac with macOS 13, the SSL failure appears.
The enrollment is user initiated. The test mac is a M1 mac. At this time, i do not have an INTEL mac to test.
Posted on 10-30-2022 04:41 PM
I am in the same boat. Fresh install of MacOS 13 Ventura so I can test our JAMF environment. Self-initiated enrolment and the CA Certificate downloads and installs fine. The MDM Profile Certificate downloads and will not install
Posted on 11-02-2022 10:56 AM
Same thing here. We have upgraded a few of our machines (Macbook Air 13" 2020, 1.1GHz Quad core Intel Core i5). Just like P-Featherstonha said. The CA installs fine. The MDM does not. Same SSL error has occured, a connection to the server can not be made; message.
Posted on 11-02-2022 03:55 PM
I have had a little tiny success on this issue (also have a Support Ticket with JAMF). I have setup SSL for the Enrolment and on the Apache side and the MDM on Ventura is now installing with no issues (so far). I will be doing some further testing with the entire process from JAMF in our environment tomorrow and will let you know how it goes :)
As always - anything Apple related is frustrating and time-wasting :)
11-03-2022 04:32 AM - edited 11-24-2022 06:50 AM
are you running Version 10.41 , too or are you running Version 10.42?
We configured SSL for e
nrollment and on the Apache side, too.
The Enrolment is user initiated, too. The registration URL is an "https" URL. The first step of the registration is downloading and installing the built in Jamf Certificate. The second step is to download the MDM profile. When the MDM profile should be installed, the SSL failure appears.
Maybe you could explain, how you configured these parts?
We also testet a registration on Microsoft INTUNE. This is working like a charm and with no issues.
Posted on 11-03-2022 03:16 PM
Currently running 10.42 on our DEV JAMF Server (on-prem) and SSL setup......doing more testing today and also noticed JAMF have released 10.42.1 overnight - So I am also testing this on the DEV server. The Prod JAMF server is being snaped this morning and I will be applyig SSL to this as well as upgrading to 10.42.1 and will test from Ventura as well as currently enrolled Macs. Will update later in the day......what a mess :)
Posted on 11-03-2022 09:46 PM
So - The SSL stuff done on the server and within JAMF seems to have corrected the issue......kind of. Machines are now getting the dreaded stupid Device Signature error - so something is still amiss. I will be investigating further next week.......
Posted on 11-04-2022 11:18 AM
What are you doing when you say SSL stuff done on the Server and within Jamf? Just curious. We run a our Jamf Pro on Windows Servers 1 for Tomcat, the other houses the Database.
Posted on 11-04-2022 02:17 PM
very curious as well. I updated one of my macs from 12.6.1 to 13.0 yesterday and noticed all of my profiles no longer show at the device level and per Self service my MDM profile is not installed. Jamd Pro shows I have profiles installed. Upon trying to re-enroll via quickadd, profiles -N or user initiated enrollment all seem to fail. I am a Jamf cloud user as well
Posted on 11-15-2022 02:34 PM
I was able to reaolve my issue by reinstalling OS from recovery without wiping
Posted on 11-07-2022 05:13 PM
OK - It seems to be sorted for one of our prod JAMF Servers. The SSL part is two-fold. IIS on the server has a CA assigned to it and the same CA from the server is converted to a pfx for input into JAMF. Within JAMF you set the Apache Tomcat Settings with the CA and the User Initiated Enrolment and also set the Security for SSL to be "Always" for JAMF version less than 10.42.
So all seems to work so far with Ventura as it now "trusts" the MDM Profile upon enrollment. We have had a few Macs already in JAMF give Device Signature errors that can be easily fixed by removed the MDM Profile and re-enrolling and installing the SSL-updated MDM Profile on the Mac.
Our other JAMF server has had to be rolled back to version 10.41 as the new version completely remove the use and functionality of JAMF Remote - which is highly used in our environment.
The testing continues.....the issues will always arise.......and the management of Apple stuff will continue to waste too much of my time lol
Cheers - Paul
11-14-2022 12:36 AM - edited 11-14-2022 12:45 AM
tnx for your time and for sharing your experiences here!
Meanwhile I am testing with INTUNE® and I am extremely surprised, how smooth it works. Because of these problems that are appearing at nearly every Jamf update and the very much time I have to invest, to get my environment running again, we are thinking about changing to INTUNE. The tests are still running right now, and, at this point, I can say, it is much easier to handle than Jamf. The last three years, the expense for holding our Jamf Pro server on running was growing more and more, after every update from macOS and from Jamf. Meanwhile it is nearly the same "rabbit and hedgehog" game like at that time, when we installed our only about 60 Macs manually. I am absolutely disappointed because of this.
Posted on 11-15-2022 01:33 PM
just ran into the same problem with an intel mac that we installed ventura on.
Posted on 11-16-2022 04:14 AM
it is no matter, if the mac is an Intel or a Silicon. The issue is faced on both of them.
Posted on 11-23-2022 05:04 AM
on Ventura the trust of self-signed certificates seemed to have changed.
You can enroll your devices by doing these steps:
11-24-2022 06:39 AM - edited 11-24-2022 06:41 AM
hello @flens that seems that the certificates trust will not work properly.
On all macOS versions, but Ventura, the enroll process is working. The certificate is fully trusted by default.
The users are registering their mac themselves in Jamf. Seems, that we have to instruct them to do the steps, that you described. Thanks for your advising! (btw: my layout is German, too :) )
11-25-2022 01:43 AM - edited 11-25-2022 01:44 AM
@flens The steps, that you described, are working, but it is no way to demand this from our users.
There must be a way to set the Jamf certificate to "always trust" automatically. If the users have to do this themselves, it is not practical to enroll Jamf via user initiated enrollment.
Maybe someone can give a hint, how to reach, that the certificate will be set automatically to always trust.
Posted on 12-15-2022 09:54 AM
I'm running into similar problem. Upgraded one of my test machine to Ventura and got the SSL error when I tried to install tHE MDM profile but on my Monterey machine it installed without an issue
Posted on 04-25-2023 08:41 AM
Keychain access, Certificates, "Trust" set "When using this certificate:" to "Always Trust". Re-install MDM profile and your device will be enrolled.