Is anybody having an issue with prestage enrolments not syncing for the last 4 days.
Our devices can be added to the prestage but do not enrol when the device is turned on and connected to the wireless.
Our DEP program is working, and devices are showing in Jamf.
We have a similar issue. I noticed that our DEP was showing an error connecting to the server. Although the Token was not expired, I went ahead and uploaded the latest public key to the apple business portal and downloaded and installed a new Token.
Under 'All settings> DEP' I see that we are syncing with Apple every 5 minutes as expected.
However, our pre-stage has not synced in over an hour.
mine hasn't synced since the 13th, but is still working as normal. that date obviously coincides with my hosted service being upgraded.
Another thing i've noticed is that the additional administrator account created in my DEP prestage is still created, however the account is hidden. The box to hide it is NOT checked, and this only recently began happening, almost randomly.
I just ran into this yesterday. This might not be the solution but I created a new public key and uploaded it to Apple Business Manager and downloaded a new token and uploaded it to Jamf to update it and within a couple of minutes everything was good. Again I’m not sure this is the definitive solution but it worked for me.
Hi @arivera ,
I also went through this process as you can see from my original post, however, even though everyting is functioning as expected, the "last sync" field has not updated since the Token was updated. Are you seeing the same?
@simon.brooke does Apple Business Portal show that it has recently
connected to your MDM?
Response from Jamf Support. Appears our environment is operating normally since update 10.11.
"The token sync which syncs devices assignments and settings in the DEP prestages will happen every 5 minutes. That was the new update with DEP prestage refactoring in 10.11. So if we add or remove a device to a prestage that will get updated on the back end during the next token sync. But the "Last Sync" time won't actually update until the DEP prestage settings themselves update. When we make changes to the actual settings in the General pane, such as changing steps that are skipped or not, the phone number, display etc. then that will kick off an update of the DEP prestage settings themselves and that field will then update at next token sync. We will then see a new message in the interim stating "Awaiting next sync". Making changes to other panes will not initiate a new sync of the prestage as those settings are not being sent to Apple, only the General pane settings."
@simon.brooke have you been able to fix the problem? I've been having pre-stage issues for a few weeks. New Macs added to the DEP wont pick up the pre-stage groups even though they are scoped to it.
@bruth85 I was seeing this as well. I'd not be able to save the first time try, if I do a refresh I'm able to save the changes.
@a.simmons just an update on the save option not working. Working with Jamf Support found that they are currently having issues with Chrome when there is an ad-blocker enabled on the browser it messes with the Save on PreStage environment. If you use another browser or incognito mode you are able to save just fine.
We're massively affected by this.
DEP Tokens show they sync without issues, but our PreStage Profiles are having issues. Devices are not DEP enrolling as they're not pulling a Device Enrollment Configuration. So on Apple's Device Enrollment server/service side, it doesn't know the device is assigned to a PreStage.
Every time we have a DEP Issue after an Jamf Pro Upgrade, support wants us to renew our Tokens, but we have roughly ~100 Tokens (because we have that many Sites, so we have to have that many DEP Tokens, but I am working to consolidate these). It's not feasible for us to renew our DEP Tokens at the drop of a hat, mostly because we have to rely on oodles of Site Admins to do this for every Site/DEP Token.
And this time they want us to REPLACE all of the DEP Tokens.....? Sigh...
Every upgrade we have another DEP issue. Oh and every time they touch something in DEP, they break being able to move devices between DEP Tokens without having to unassign it from the original PreStage first.... This has been going on since v9.100.0... -_-
@bruth85 Thank you for this bit of information. Been banging my head all day wondering why my pre-stage was not working since I got to 10.12. I noticed it hadn't updated for 2 days, but when I checked the general DEP config page, it was syncing normally. Launched the JSS in Edge and saved the prestage, not it actually synced right away and my device enrolled no problem. What a stupid problem. FYI, I came from 10.10.1 and did not have this problem until 10.12. Must be related to how they changed DEP syncing in 10.11.
My main issue was that we had a DEP PreStage that was assigned to a Site that didn't have a DEP Token.
Now we can DEP Enroll new devices, but still seeing other issues with PreStages:
I did notice that in my case, the PreStage enrolment only syncs once I change any settings on its configuration. It's not syncing when adding or removing computers manually.
This week I had to create a new PreStage enrolment profile with 5 computers that were assigned to different profiles. When checking the scope for this new profile, these computers were checked in there however, when checking the same computers in the DEP settings, they were still stuck to their old profiles.
To me it's either a bug on the Jamf Cloud system or in the 10.11 or 10.12. I'm saying it because after seven years using Jamf Pro in an internal server, we migrated in April to the Cloud. Our internal server was still running 10.8 and I've never had this issue before. Also, our tokens were created in April with the migration, so the token might not be the issue either.
I've also opened a ticket with the support and hopefully it can be solve this coming week.
I hope it helps you guys too.
I am experiencing these issues starting this week (we don't PreStage often and just noticed this behavior on Wednesday). Currently at 10.11. I have followed all the suggestions here:
Downloading new Public Key from JSS
Uploading new Public Key to ASM
Downloading new token from ASM, then uploading into JSS DEP.
Reassigned device just to start cleanly.
Scoped device to the PreStage (newly created)
My Sync dates in both PreStage, DEP and ASM all are current.
Still, No PreStage action from Setup assistant.
Can anyone confirm if upgrading to 10.12 has resolved this?
DEP Tokens that are missing info and/or have been invalidated, will cause issues.
PreStage Profiles that are assigned to a Site that does not have a DEP Token will cause issues. This was a bug (you were able to delete a DEP Token that had an associated PreStage) in a recent version of Jamf Pro. Jamf fixed it in a more recent version of Jamf Pro. However, what they failed to do, is to check if you're currently affected by it....which leads to a new problem.
@a.simmons. Thanks for the info. Looks like I will be needing to open a support ticket. This is my test/dev server which I recently rebuilt from scratch. Maybe ASM is still pointing to an old token even though I recreated them now a few times. My syncs all seem to be working well, I just can't get the clients to go into the PreStage at Setup. Hopefully Support can get this resolved.
Same thing going on here as well with our Jamf Cloud Prestage. Not to the level some of you are reporting. What I'm seeing is I add a device to a prestige and save. The device is then in the prestage with the box checked but is listed as unassigned. If I wait about 15 min or so the device will then be listed as assigned. However the sync does not update. It's very unstable at the moment.
I found the resolution to my issue with PreStage not being initiated on the client-side. Turns out it was a user permissions setting on my end.
The Management Account I had assigned to the PreStage only had Site Access privileges, not Full Access privileges. Adjusting the permissions fixed it.
I was able to work around the above by unchecking Automatically add new devices then saving, going back into the iOS PreStage and removing the device from scope.
Since the changes to DEP and the addition of Auto Assigning devices in AMS I have found DEP for both Macs and iOS a bit slower and more cumbersome to use.
@morti I ended up making a change and it did update. Now it seems my machines won't even go past the remote management screen. "Failed to connect to Mobile Device Management Server" is what I keep getting. I've opened a ticket with support and they are trying to figure it out. We went through all the troubleshooting steps.
@NGKF Are you running a cluster configuration and have enrollment restricted to just Macs, or just iOS? If so, try allowing both types. Apparently 10.15.0 introduced a bug where an enrollment attempt would incorrectly determine the device type and cause a failure if both macOS and iOS weren't enabled to enroll.
On our Jamf Pro server, although the PreStage Enrollment last sync is also showing the time stamp quite a while ago, it does appear still working. Unticking a device in the PreStage Enrollment scope does show the device assignment status from Assigned - Pending Sync to Not Assigned after a little while. But the device assigned time stamp does not get updated.
It's interesting to note that because we are not automatically assigning the PreStage Enrollment to the DEP device yet, this laptop was the last one we manually assigned the PreStage Enrollment which happened last year in July. Even though I'm making changes to this device now, the device assigned column of the PreStage Enrollment scope view still has the same old time stamp. This is telling me this device assigned attribute is actually referring the MDM server assignment in DEP rather than the PreStage Enrollment assignment.