Prestage Enrolment - Last Sync

simon_brooke
New Contributor III

Hi,

Is anybody having an issue with prestage enrolments not syncing for the last 4 days?

Our devices can be added to the prestage but do not enrol when the device is turned on and connected to the wireless.

Our DEP program is working, and devices are showing in Jamf.

Any ideas?

Thanks
Simon


bhart
New Contributor II

We have a similar issue. I noticed that our DEP was showing an error connecting to the server. Although the Token was not expired, I went ahead and uploaded the latest public key to the Apple business portal and downloaded and installed a new Token.
Under 'All settings> DEP' I see that we are syncing with Apple every 5 minutes as expected.
However, our pre-stage has not synced in over an hour.

hdsreid
Contributor III

Mine hasn't synced since the 13th, but is still working as normal. That date obviously coincides with my hosted service being upgraded.

Another thing I've noticed is that the additional administrator account created in my DEP prestage is still created, however the account is hidden. The box to hide it is NOT checked, and this only recently began happening, almost randomly.

jmariani
Contributor

Same "issue" here. Our pre-stage enrollment hasn't synced since the 03/25.

arivera
New Contributor III

I just ran into this yesterday. This might not be the solution but I created a new public key and uploaded it to Apple Business Manager and downloaded a new token and uploaded it to Jamf to update it and within a couple of minutes everything was good. Again I’m not sure this is the definitive solution but it worked for me.

simon_brooke
New Contributor III

Hi Arivera,

Tried what you recommended, still no luck.

Also can't seem to add devices to certain pre-stage enrolments.

If I set up a new prestage then I get a Jamf server error.

bhart
New Contributor II

Hi @arivera ,
I also went through this process as you can see from my original post, however, even though everything is functioning as expected, the "last sync" field has not updated since the Token was updated. Are you seeing the same?

@simon.brooke does Apple Business Portal show that it has recently connected to your MDM?

bhart
New Contributor II

Response from Jamf Support. Appears our environment is operating normally since update 10.11.

"The token sync which syncs devices assignments and settings in the DEP prestages will happen every 5 minutes. That was the new update with DEP prestage refactoring in 10.11. So if we add or remove a device to a prestage that will get updated on the back end during the next token sync. But the "Last Sync" time won't actually update until the DEP prestage settings themselves update. When we make changes to the actual settings in the General pane, such as changing steps that are skipped or not, the phone number, display etc. then that will kick off an update of the DEP prestage settings themselves and that field will then update at next token sync. We will then see a new message in the interim stating "Awaiting next sync". Making changes to other panes will not initiate a new sync of the prestage as those settings are not being sent to Apple, only the General pane settings."

JayDuff
Contributor II

@bhart Thanks for this!  Found this issue while troubleshooting a different problem.  Glad to see it's expected behavior.  Indeed, when I made a change to a setting in the General tab (disable skipping Location), the last sync was reset to seconds ago.

jrussell
New Contributor

I've seen the same thing here but it's been 10 days for me. I even created a new Prestage Enrollment with no luck.

bruth85
New Contributor III

Not to hijack your post but I am seeing the last sync as 4/13 but what's even weirder is just in Prestage Enrollment my Save button is not active. Anyone else seeing that?

a_simmons
Contributor II

@simon.brooke have you been able to fix the problem? I've been having pre-stage issues for a few weeks. New Macs added to the DEP won't pick up the pre-stage groups even though they are scoped to it.

@bruth85 I was seeing this as well. I'd not be able to save the first time I try; if I do a refresh I'm able to save the changes.

bruth85
New Contributor III

@a.simmons just an update on the save option not working. Working with Jamf Support, I found that they are currently having issues with Chrome: when there is an ad-blocker enabled on the browser, it messes with the Save on PreStage environment. If you use another browser or incognito mode you are able to save just fine.

bruth85
New Contributor III

@a.simmons I just received an update the other day that the issue should be resolved in 10.12 when they release it.

MLBZ521
Contributor III

We're massively affected by this.

DEP Tokens show they sync without issues, but our PreStage Profiles are having issues. Devices are not DEP enrolling as they're not pulling a Device Enrollment Configuration. So on Apple's Device Enrollment server/service side, it doesn't know the device is assigned to a PreStage.

Every time we have a DEP Issue after a Jamf Pro Upgrade, support wants us to renew our Tokens, but we have roughly ~100 Tokens (because we have that many Sites, so we have to have that many DEP Tokens, but I am working to consolidate these). It's not feasible for us to renew our DEP Tokens at the drop of a hat, mostly because we have to rely on oodles of Site Admins to do this for every Site/DEP Token.

And this time they want us to REPLACE all of the DEP Tokens.....? Sigh...

Every upgrade we have another DEP issue. Oh and every time they touch something in DEP, they break being able to move devices between DEP Tokens without having to unassign it from the original PreStage first.... This has been going on since v9.100.0... -_-

Dr_Jones
New Contributor III

Having the same issue, currently running 10.9.0

a_simmons
Contributor II

Thanks @bruth85. We haven't been able to use the DEP process since the start of April, since Jamf upgraded our cloud server to 10.11. We have an open ticket with Support but we have made no progress so far. I've been forced to go back to using Thin Imaging.

MLBZ521
Contributor III

Yeah, I'm not getting anywhere either. Jamf Support just wants us to replace our DEP Tokens, which is always their requested action and has never resolved an issue. I just spent an hour on it today, because of the number of tokens we have, and no change in behavior.

bmccune
Release Candidate Programs Tester

@bruth85 Thank you for this bit of information. Been banging my head all day wondering why my pre-stage was not working since I got to 10.12. I noticed it hadn't updated for 2 days, but when I checked the general DEP config page, it was syncing normally. Launched the JSS in Edge and saved the prestage, now it actually synced right away and my device enrolled no problem. What a stupid problem. FYI, I came from 10.10.1 and did not have this problem until 10.12. Must be related to how they changed DEP syncing in 10.11.

MLBZ521
Contributor III

My main issue was that we had a DEP PreStage that was assigned to a Site that didn't have a DEP Token.

Now we can DEP Enroll new devices, but still seeing other issues with PreStages:

  1. "Automatically Assign New Devices" does not seem to be honored
  2. Devices have to be unassigned from a PreStage before a device can be reassigned to the DEP Token

luispalumbo
Contributor

I did notice that in my case, the PreStage enrolment only syncs once I change any settings on its configuration. It's not syncing when adding or removing computers manually.

This week I had to create a new PreStage enrolment profile with 5 computers that were assigned to different profiles. When checking the scope for this new profile, these computers were checked in there; however, when checking the same computers in the DEP settings, they were still stuck to their old profiles.

To me it's either a bug on the Jamf Cloud system or in the 10.11 or 10.12. I'm saying it because after seven years using Jamf Pro in an internal server, we migrated in April to the Cloud. Our internal server was still running 10.8 and I've never had this issue before. Also, our tokens were created in April with the migration, so the token might not be the issue either.

I've also opened a ticket with the support and hopefully it can be solved this coming week.

I hope it helps you guys too.

Thanks,
Luis

rfaruk
New Contributor II

I had all the issues described above since 24 May but as suggested, I re-uploaded my token from ASM to JAMF and it started working.

SionAdmin
New Contributor

Had our DEP token stop talking to Jamf sometime in the last 24hrs, reuploaded it and it's talking to ASM now but our prestage still hasn't synced for a solid hour. Tried to modify some of the pre-stage enrollment settings but still no dice.

ctarbox
Contributor II

I am experiencing these issues starting this week (we don't PreStage often and just noticed this behavior on Wednesday). Currently at 10.11. I have followed all the suggestions here:
Downloading new Public Key from JSS
Uploading new Public Key to ASM
Downloading new token from ASM, then uploading into JSS DEP.

Reassigned device just to start cleanly.
Scoped device to the PreStage (newly created)

My Sync dates in both PreStage, DEP and ASM all are current.

Still, No PreStage action from Setup assistant.

Can anyone confirm if upgrading to 10.12 has resolved this?

Cheryl

a_simmons
Contributor II

@ctarbox upgrading to 10.12 didn't fix the problem for us. Our Jamf server is hosted in the cloud and Jamf support ended up finding a corrupt entry in the database pointing to a DEP token that is no longer in use. Once they removed the corrupt entry it started working correctly.

MLBZ521
Contributor III

DEP Tokens that are missing info and/or have been invalidated, will cause issues.

PreStage Profiles that are assigned to a Site that does not have a DEP Token will cause issues. This was a bug (you were able to delete a DEP Token that had an associated PreStage) in a recent version of Jamf Pro. Jamf fixed it in a more recent version of Jamf Pro. However, what they failed to do, is to check if you're currently affected by it....which leads to a new problem.

CorpIT_eB
Contributor II

We are having the same issue here over a month ago on that last sync. Have there been any developments on how we can get our Enrollments syncing again?

ctarbox
Contributor II

@a.simmons. Thanks for the info. Looks like I will be needing to open a support ticket. This is my test/dev server which I recently rebuilt from scratch. Maybe ASM is still pointing to an old token even though I recreated them now a few times. My syncs all seem to be working well, I just can't get the clients to go into the PreStage at Setup. Hopefully Support can get this resolved.

J_Mukite
New Contributor III

Same thing going on here as well with our Jamf Cloud Prestage. Not to the level some of you are reporting. What I'm seeing is I add a device to a prestage and save. The device is then in the prestage with the box checked but is listed as unassigned. If I wait about 15 min or so the device will then be listed as assigned. However the sync does not update. It's very unstable at the moment.

ctarbox
Contributor II

I found the resolution to my issue with PreStage not being initiated on the client-side. Turns out it was a user permissions setting on my end.
The Management Account I had assigned to the PreStage only had Site Access privileges, not Full Access privileges. Adjusting the permissions fixed it.

Cheryl

FutureFacinLuke
Contributor II

None of mine have Synced since 6th June but I was able to make a new one.

A bit of a problem as new devices go to iOS by default and I need to move one I just Assigned to Library Kiosk...

FutureFacinLuke
Contributor II

I was able to work around the above by unchecking Automatically add new devices then saving, going back into the iOS PreStage and removing the device from scope.

Since the changes to DEP and the addition of Auto Assigning devices in AMS I have found DEP for both Macs and iOS a bit slower and more cumbersome to use.

hdsreid
Contributor III

I cannot create a new prestage as a result of this now....my existing ones still work fine however

benducklow
Contributor III

Chiming in here on this topic as it may help others.

It looks like I was unable to save a new PreStage Enrollments object in Jamf Pro using Chrome on my Mac. I was able to create one using Internet Explorer. I am on Jamf Pro v10.11.1.

applesupport-ne
New Contributor III

I seem to be having the same exact issue. My profile shows 11/2/19 last sync but in the DEP settings the date and time is up to date. I even downloaded a new public key and uploaded a new token but no luck.

morti
New Contributor III

Are there some objects missing in the prestageProfile? You can try to make a change at this profile, e.g. changing the contact information.
It should then update the sync after a change has been done.

applesupport-ne
New Contributor III

@morti I ended up making a change and it did update. Now it seems my machines won't even go past the remote management screen. "Failed to connect to Mobile Device Management Server" is what I keep getting. I've opened a ticket with support and they are trying to figure it out. We went through all the troubleshooting steps.

sdagley
Esteemed Contributor II

@NGKF Are you running a cluster configuration and have enrollment restricted to just Macs, or just iOS? If so, try allowing both types. Apparently 10.15.0 introduced a bug where an enrollment attempt would incorrectly determine the device type and cause a failure if both macOS and iOS weren't enabled to enroll.

bkuhl
New Contributor II

Yeah can confirm the fix to this issue is to go to your PreStage enrollment. Edit. Under the General section, add or make a change to the Support Phone Number field. Click Save. This will FORCE a sync somehow.

cbd4s
Contributor II

On our Jamf Pro server, although the PreStage Enrollment last sync is also showing the time stamp quite a while ago, it does appear to still be working. Unticking a device in the PreStage Enrollment scope does show the device assignment status change from Assigned - Pending Sync to Not Assigned after a little while. But the device assigned time stamp does not get updated.

It's interesting to note that because we are not automatically assigning the PreStage Enrollment to the DEP device yet, this laptop was the last one we manually assigned the PreStage Enrollment which happened last year in July. Even though I'm making changes to this device now, the device assigned column of the PreStage Enrollment scope view still has the same old time stamp. This is telling me this device assigned attribute is actually referring to the MDM server assignment in DEP rather than the PreStage Enrollment assignment.