Mountain Lion and Configuration Profiles

Hobbs155
Contributor

I have two Mountain Lion Macs, both set up with the same image, etc.
Inventory reports one as MDM Capable but not the other, and therefore the other is not getting any configuration profiles pushed out to it. Anyone have any ideas?


donmontalvo
Esteemed Contributor III

Are both Macs enrolled?

--
https://donmontalvo.com

jconte
Contributor II

It might also be possible that the second device didn't receive the APN Token from Apple. I have this problem with more than half of my Macs. I am pretty sure that once the devices get the MDM policy from JAMF they reach out to albert.apple.com on port 443 to get the APN Token. Our devices cannot get there because of our proxy requiring authenticated access. Some of our devices that have connected to the internet outside of the office were able to get the token and appear as MDM Capable. We are working through this issue with our network team to get the issue resolved.

Hobbs155
Contributor

donmontalvo - I tried to manually enroll the one that is not getting policy (MDM Capable: No); still no joy.

jconte - we noticed on our firewall that some HTTPS packets are being blocked. I'm also working with our network admin on getting this resolved; I currently have a port for which the network admin allowed unauthenticated access for testing. I have tried to re-enroll the problem Mac with the non-auth port, but still no luck at this stage.
If you find anything useful, please let me know; once I have found something I will also post.

jconte
Contributor II

If your network team is allowing unauthenticated access out to albert.apple.com on port 443, it should be working. You shouldn't have to re-enroll as long as the MDM profile shows up in System Preferences. Can you connect the machine to an ISP line? If the token comes down, it would lead me to think that there is still an issue with your network.

I am still waiting for mine to be opened; I will let you know if it works.

Hobbs155
Contributor

We were getting to albert.apple.com, as we have allowed unauthenticated traffic to Apple, but were not receiving the token back.

What we have found is that we are inspecting SSL traffic, which was breaking the response from albert.apple.com somehow.
We have allowed SSL tunnelling to *.apple.com, which seems to be working for us, so if you are inspecting SSL traffic that might be an issue for you as well?

I guess the next question is: is it a one-off activation, or does it need to happen every single time a Mac is imaged?

tkimpton
Valued Contributor II

If you reimage the machine then yes, because config profiles need to get installed on it again.

jconte
Contributor II

Hobbs155 - Every time a Mac is imaged or reimaged it will need to communicate with Apple to receive the APN Token at albert.apple.com on port 443. I am still waiting on my connection to albert to be turned on; I also captured two 17.x subnets that might need to be opened if albert.apple.com doesn't work for me.

I will update this post as soon as I get results from my test.

johnnasset
Contributor

We had this issue for some MDM capable macs. The following command in a policy fixed it:

jamf mdm

jconte
Contributor II

The only way we were able to get it to work was to open port 5223 on our firewall to Apple's 17.0.0.0/8. We now get our token every time, consistently, on 10.8.

However, 10.7 machines don't get the token and I cannot figure it out.

We also allow unauthenticated access to albert.apple.com via the proxy.

Hobbs155
Contributor

We have allowed 5223, 2195 and 2196 to 17.0.0.0/8, but it appears it is trying to use 443; from what I can read, this is a fallback port if 5223 is unreachable.
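As an added example, not code from this thread or from Jamf, here is a small Python checker for the two things the thread narrows the problem down to: Hobbs155's finding that SSL inspection breaks the albert.apple.com response, and the port discussion in the last two posts (5223 to 17.0.0.0/8, with 443 as the fallback). It probes the ports in that order, reports which address answered and whether it sits inside 17.0.0.0/8, and prints the issuer of the certificate the Mac actually sees, so an inspecting proxy's CA shows up instead of Apple's chain. The host and port order come from the thread; the function names, the sample issuer structure and the 17.x address used in testing are my own constructions.

```python
"""Probe the path a Mac needs to reach Apple's push service (APNs).

Checks, in the order the thread describes them:
  1. TCP + TLS to the host on 5223 first, then 443 as the fallback.
  2. Whether the address that answered lies in Apple's 17.0.0.0/8 block.
  3. Which CA issued the certificate presented on the connection. A
     corporate proxy that inspects SSL re-signs the server certificate
     with its own CA, so the issuer is the quickest tell.
"""
import ipaddress
import socket
import ssl

APPLE_BLOCK = ipaddress.ip_network("17.0.0.0/8")
# Port order stated in the thread: 5223 first, 443 only if 5223 is unreachable.
APNS_PORTS = (5223, 443)


def in_apple_block(ip):
    """True if the address lies inside Apple's 17.0.0.0/8 allocation."""
    return ipaddress.ip_address(ip) in APPLE_BLOCK


def issuer_string(cert):
    """Flatten the 'issuer' field of ssl.SSLSocket.getpeercert() into
    'key=value, key=value' so it can be compared between networks."""
    parts = []
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            parts.append(f"{key}={value}")
    return ", ".join(parts)


def probe(host, ports=APNS_PORTS, timeout=5.0):
    """Try each port in order; return a dict describing the first TLS
    handshake that completes, or the failure that stopped the attempt.

    A TCP failure (refused, filtered, timed out) moves on to the next port,
    mirroring the fallback behaviour. A TLS failure means something
    answered but the handshake broke (e.g. an inspecting proxy whose CA
    the trust store does not contain), so it is reported immediately.
    """
    ctx = ssl.create_default_context()
    result = {"ok": False, "port": None, "peer_ip": None,
              "in_apple_block": None, "issuer": None, "error": None}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                peer_ip = raw.getpeername()[0]  # read before the TLS wrap
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    cert = tls.getpeercert()
                result.update(ok=True, port=port, peer_ip=peer_ip,
                              in_apple_block=in_apple_block(peer_ip),
                              issuer=issuer_string(cert), error=None)
                return result
        except ssl.SSLError as exc:  # must precede OSError: it is a subclass
            result.update(port=port, error=f"port {port}: TLS failure: {exc}")
            return result
        except OSError as exc:
            result["error"] = f"port {port}: {exc}"
    return result


if __name__ == "__main__":
    import json
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "albert.apple.com"
    print(json.dumps(probe(target), indent=2))
```

Run it once on the office network and once from an ISP line, as jconte suggests, and compare the `issuer` lines: if the in-office issuer names your proxy vendor's CA rather than the CA seen outside, SSL inspection is rewriting the connection, which is the condition fixed above by exempting *.apple.com from inspection. The script only establishes that the handshake completes and who signed the certificate; it cannot tell you whether the APN token itself was delivered, which you still read from the Mac's MDM Capable status.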