Newbie Terminal Question

Fluffy
Contributor III

I am in the process of enrolling devices that have been wiped over the summer. They had been sitting for a while as we were upgrading our server(s). When trying to enroll, I get the 'The MDM server for your organization returned an unexpected status (500)' error. Then I found this thread:

https://community.jamf.com/t5/jamf-pro/device-enrollment-installation-failed-the-mdm-server-for-your...

I have been attempting to delete the keychain as it has worked for others, but I am running into other problems due to inexperience. When using the rm command it returns Permission denied (even after asking to override permissions). I see that the permissions are rw-r--r-- for apsd.keychain. So I thought of trying sudo, but it asks for a password and I do not know of any default passwords.

Edit: Forgot to mention the important part, I am trying to do this at setup since I am unable to proceed.

If someone can point me to a good guide on terminal basics or do a quick step by step, it would be much appreciated. Thanks.

1 ACCEPTED SOLUTION

stevewood
Honored Contributor II

@Fluffy 

You may be able to delete that from recovery. Boot the Mac to recovery, open Terminal from under the Utilities menu, and then in Terminal try:

rm /Volumes/Macintosh\ HD/Library/Keychains/apsd.keychain

If you receive no error, you can restart and try again.

One thing you were not clear about, are you attempting to enroll these via ADE (DEP) or are you trying to manually enroll these with either an enrollment invitation URL or using the `/enroll` URL for your JPS?

9 REPLIES 9

mm2270
Legendary Contributor III

When you use 'sudo' it asks you for the password of whatever account you're using, or more accurately, whatever account you're logged into in Terminal. By default, that's the same account as what you're logged into the Mac with, but you can switch to a different local account on the Mac, provided you know the account password, by doing:

su username

After hitting return it will ask for the password for "username"

But using sudo is dependent on that account being a local admin or having the correct privileges to use sudo. If it's a standard user account, then you most likely won't be able to run any sudo commands even if you enter the password. You can see if an account has local admin rights in Terminal, but if you're more comfortable using the GUI, you can just check the account in the Users & Groups preference pane.

Fluffy
Contributor III

Ah, forgot probably the most important part of the post. I'm trying to do this at setup. So the user is '_mbsetupuser'. Just found that the user has no elevated privileges. I'm unable to proceed in the setup since I have attempted to connect. As far as I can tell, my only option is to wipe the devices and reinstall, which is why I'm confused how others were able to delete the keychain.

Terminal said Macintosh HD didn't exist, but it let me change directory to /Library/Keychains/ and I was able to see the keychain file. Deleted it, verified it was deleted and restarted. Going back through setup gave me the same 500 error. Although, that did allow me to do what I wanted so that's one more thing I know now.

I've been trying to enroll via ADE when it works, but I've been having trouble with seemingly random devices either giving the 500 error or some other generic server communication error. Since there's only a handful of devices left and our deadline is coming up, I'll most likely resort to wiping them and bypass with no internet to manually enroll.
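An added example, not part of any post in this thread: the reply above found that the `/Volumes/Macintosh\ HD` path did not exist in Recovery, so this sketch looks for `apsd.keychain` under every mounted volume as well as the current root, and renames a hit instead of deleting it. The function names, the `--list` switch and the `.bak` suffix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). The keychain path comes from the posts;
# function names, --list and the ".bak" suffix are illustrative assumptions.

# Print every apsd.keychain reachable from Recovery or a booted system.
# $1 = directory holding mounted volumes (default /Volumes)
# $2 = prefix for the current root (default empty, i.e. /Library/Keychains)
find_apsd_keychains() {
    volumes_root="${1:-/Volumes}"
    current_root="${2:-}"
    # Glob the volumes instead of assuming one is named "Macintosh HD";
    # the quoting keeps volume names with spaces intact.
    for vol in "$volumes_root"/*; do
        candidate="$vol/Library/Keychains/apsd.keychain"
        [ -f "$candidate" ] && printf '%s\n' "$candidate"
    done
    candidate="$current_root/Library/Keychains/apsd.keychain"
    [ -f "$candidate" ] && printf '%s\n' "$candidate"
    return 0
}

# Rename the keychain rather than rm it, so it can be put back if the
# enrollment error turns out to have another cause.
set_aside_keychain() {
    target="$1"
    [ -f "$target" ] || { echo "not found: $target" >&2; return 1; }
    ls -l "$target"                      # show owner and mode before touching it
    mv "$target" "$target.bak" || return 1
    # Confirm the original name is gone and the renamed copy exists.
    [ ! -e "$target" ] && [ -f "$target.bak" ]
}

# Stand-alone use: list candidates only, change nothing.
if [ "${1:-}" = "--list" ]; then
    find_apsd_keychains
fi
```

On a normally booted Mac the startup volume can show up twice in the listing, once under `/Volumes` and once under the current root.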

stevewood
Honored Contributor II

Is your server on premise or Jamf Cloud? A 500 error is typically a "Database busy" type of error. You may be running into a resource issue on your server if you are self hosted. Might try a device at a time when there isn't as much traffic on the server.

Also, if you are self hosted, make sure there is nothing filtering your connection to the server.

Most ADE issues can be attributed to server resource issues and not the apsd.keychain file. Unless that machine has been sitting for a long while.

We recently switched to Jamf Cloud, about two months ago now, and have noticed issues like this over the past week. Most of the devices have sat for 2 to 3 months after they were wiped for space to update to Big Sur. Oddly, fresh MacBooks from Apple have been enrolling without a hitch.

Fluffy
Contributor III

Another update for anyone who is interested. After wiping the devices (five 2015 MBA), they enrolled through ADE without any issues. This leads me to believe it isn't a network problem, as they used the same network as before.

stevewood
Honored Contributor II

When your team wiped them and put them on the shelf, did they shut them down once they got to Setup Assistant, basically at the Country Selector screen? And how long ago were these wiped?

I would just be curious about that for our org, simply because we do have offices that wipe and store in that same manner. Most are not using ADE, so they use an enrollment URL to enroll, but there are a few that are ADE.

I can't say for sure, but I remember just closing the lid whenever they finished updating and put them on the shelf. What I do know is that most of them didn't have a charge, so they at least turned off from lack of power. They were updated and wiped mid to late June this year.