Problem Contacting Apple Services DEP

Daikonran
New Contributor III

I am trying to set up DEP on our JSS and when ever I get to the point where I have to upload the server token file, I get the error "Problem contacting Apple services"

I've redownloaded the private key, deleted and recreated the Management server on Apple's side and tried again but always this error. Anyone got any idea why?
0a477ea6bb5d454badb24919481438b4

1 ACCEPTED SOLUTION

Daikonran
New Contributor III

With the help of JAMF support we just figured out the issue. The token was being denied by Apple due to the time on our server not being correct. We run our JSS on ubuntu so I had to set a NTP server, and force it to update the time. After this the token uploaded as it should.

Without JAMF support on this one I would have been at this for who knows how long.

View solution in original post

40 REPLIES 40

joecurrin
New Contributor III

Check your firewall. Review the DEP documentation and make sure all the necessary ports aren't blocked.

Daikonran
New Contributor III

This makes the most sense and was my thought too. But other than 443 for https listed as a requirement, I cannot find any mention of other ports that need to be open.

MischaB
New Contributor

@besteves Did you solve this or do you still have the "Problem contacting Apple services" error
we also get this one now so i am curious.

Chris
Valued Contributor

Do you have a proxy in place?

Daikonran
New Contributor III

With the help of JAMF support we just figured out the issue. The token was being denied by Apple due to the time on our server not being correct. We run our JSS on ubuntu so I had to set a NTP server, and force it to update the time. After this the token uploaded as it should.

Without JAMF support on this one I would have been at this for who knows how long.

View solution in original post

MischaB
New Contributor

Nive to know about the time server, but in our case the next day we could import the DEP token without a problem so i think Apple had a error or something.

Emmert
Valued Contributor

This could also fail if your JSS site certificate is expired.

mfadmin
New Contributor

I have also come across this.

Our JSS is behind Microsoft TMG server (not for long) but after running logs on traffic during the Upload I couldnt actually see a specific denial to an outbound address.
Does anyone know the specif IP or URL this process needs to communicate to?

Vasean
New Contributor

@besteves, we had the same issue. Updating the date/time on the JSS resolved this problem for us.

kirk_magill
New Contributor

SOLVED Posted: 4/28/16 at 5:10 PM by besteves

This solution worked for me - server was 5 minutes out! Thanks!

Andreas_Schenk
New Contributor III
New Contributor III

We had just seen the same issue after a clean and fresh install.
In our case we solved it by installing Oracle Java on the JSS instead of open JDK.

With OpenJDK the JSS could not contact Apple Servers for DEP and VPP, after changing to Oracle Java, everything started working.
Might be a 9.98 product issue...

sbruns01
New Contributor

We are running 9.98, the time on our server is correct, we are running Oracle Java, the fire wall is configured correctly per JAMF support, and this is a clean installation. However we get the problem contacting apple services error and can not configure DEP. Any other ideas?

eric_difulvio
New Contributor II

I continue to have this issue. Did anyone come up with a confirmed resolution?

DesktopMgmt
New Contributor

It seems that the DEP portal is "down" since a few hours

EREAFSNJAMF
New Contributor III

After a support call to JAMF Support and examining many support articles - we followed these steps to resolve:

  • Apple School Manager - "Get a new Token" from desired MDM Server

  • JAMF Pro - upload new "Server token file" Settings | Global Management | Device Enrollment Program

Once uploaded, errors went away and missing devices from ASM started populating in Pre-stage Enrolments.f1189be4f9704d73b6e4cdbf476279ce

lynnp
New Contributor

Running into this currently. ntpd is configured properly and the time on the server is accurate. Firewall certainly shouldn't be an issue given that it's 443. I've tried downloading the token from multiple different admin and device manager accounts in apple school manager.

hepl!

lynnp
New Contributor

seems like no one saw this or has an answer.

MichaelC
New Contributor III

No answer, but we're currently experiencing this issue as well. I suspect it started when we shifted to daylight savings time about a week back - GMT/UTC+13. We do occasionally and unpredictably sneak a DEP sync or token update through, but not due to any changes on our end.

bcourtade
New Contributor III

We have been noticing this too. 10.15.1. I'm not sure how long its been happening, but if we retry enough times we can get a new token to take. But I can't seem to sneak an ASM roster sync through at all.

bcourtade
New Contributor III

Looks like this was our issue: https://macmule.com/2019/10/01/more-dep-sync-errors/

Sync is working after applying the fix.

amityaccounts
New Contributor II

This issue just crept up for me and my team, and I am looking at the macmule.com/2019/10/01/more-dep-sync-errors/ post, and am more lost than anything, and the problem is, I inherited this setup, and the last major update that was ran was to 10.15.1, and installed the prerequisite Amazon Corretto 11.0.4.11.1, and was running fine up until this afternoon. I noticed there was an update to 10.17.1 that was supposed to fix issues with EDU sync, but still nothing.

TIA
-Mark

jhalvorson
Valued Contributor

@amityaccounts Sound like you are experiencing the same as being discussed here: https://www.jamf.com/jamf-nation/discussions/34219/dep-sync-failing

Sync failed. Awaiting next sync.

It is occurring for us too, as of today.

jonathan_rudge
New Contributor III

We have the DEP SYNC Issue as of today.

janselmi3953
New Contributor III

same here. I noticed this started happening yesterday morning for us. I get "Problem contacting Apple Services" if I try to upload a new DEP token.

slackermandev
New Contributor II

Same here running 10.15.1 on-prem.

UoS_iSolutions
New Contributor

Us too (10.17 on-prem) . All three of our Jamf environments stopped synching with Apple on 9/12 at about 17:00. I tried to upload a new token to our development instance (to see if it fixed it) but now get the "Problem Contacting Apple Services" message....

CSNavigateurs
New Contributor III

We are experiencing the same issues ALL our DEP-Sync are failing........ but our 6 caching servers are working and syncing fine.
Renewed all tokens... restarted our Jamf Pro and DBServer ... nothing changed all are sync failures

rlandgraf
Contributor

Looks like Apple reinstaed their change that broke TLS 1.3

You need to do the fixes listed in this Post:

https://www.jamf.com/jamf-nation/discussions/34219/dep-sync-failing

We need to add the following line to the JAVA_OPTS area of setenv.sh:
-Djdk.tls.client.protocols=TLSv1.1,TLSv1.2
Default filepath on Linux:
/usr/local/jss/tomcat/bin/setenv.sh
This will need to be done on all Tomcat servers. Tomcat will need to be restarted after doing

janselmi3953
New Contributor III

@jhalvorson the steps from this link worked for me. Needed to allow TLSv1.2, Restart Tomcat, Renew DEP Token, and all was good. The syntax needed is all at the link. Thanks for pointing me in the right direction!

martenblank
New Contributor III

bcourtade´s post solved it for us with JAMF 10.16.1 !
https://macmule.com/2019/10/01/more-dep-sync-errors/

mhegge
Contributor II

@martenblank I appear to be having some DEP issues even after using that method to fix in v10.17.1

Running into PI-006472: UserList mdm command continues to be issued (and fails) when required preconditions are no longer met)

Some computers are having issues re-enrolling via methods provided by support. My theory is DEP related as I see errors in logs and devices assigned to prestages not showing as such in the Automated Device Enrollment section in JAMF Pro.

alexjdale
Valued Contributor III

If you are still having issues, check with your firewall team as well. We had to have our FW team trace our traffic and re-allow it for mdmenrollment.apple.com. Not sure what could have changed since we had all of Apple opened and it was working before, but it was more than the Java/TLS 1.2 change for us.

mhegge
Contributor II

After editing and saving my prestages as suggested by JAMF Support, now getting the following error after invoking

sudo profiles renew -type enrollment

Selecting details, and accepting enrollment

e6c572e8c0a44bd0816f9fc7412c9f0c

olliehudgins
New Contributor

I was having the same issue. Apple School Manager was last connected to the MDM on December 9th. Our infrastructure was upgraded to 10.17.1 on the 4th of December.

Process I used to fix the sync was. 1) Add the TLS first in our Ubuntu server. 2) Then Renew the DEP tokens. Even though we were still within the time frame of expiration, it still worked.

ScottyBeach
Contributor

Cross reference https://www.jamf.com/jamf-nation/discussions/34219/dep-sync-failing for another solution that fixed the problem for us.

andyb28
New Contributor

I just performed an on-premise install (my first install), 10.19.0 here. Ran into the same issue when adding the MDM to Apple Bus. Mgr. The TLS adjustment to Tomcat advice from above fixed it. The page linked from above that showed the Handshake-error log entries were immensely helpful.

howie_isaacks
Valued Contributor

In my case, I needed to forward port 5223 to my Jamf Pro server.

mm2270
Legendary Contributor II

Semi-old thread resurrection, but, is anyone experiencing issues today with this? I just noticed several ABM assigned Macs that I've added to a Prestage are still awaiting sync and in my ABM setup in Jamf it's saying Sync Failed - Awaiting Next Sync.
I tried re-uploading a token from ABM into Jamf and I'm getting the "Problem contacting Apple Services" error.

See, this is the kind of crap that keeps me up at night. ABM + DEP is cool and all, but it's relying on a process that could go down at any moment and we have zero control or influence over it. If this is on Apple's side, the only thing I can do is sit and wait and hope they address it sooner rather than later. I was just about to ship out several Macs to customers when I noticed they weren't syncing over to the Prestage, which I'm glad I checked. Gonna hold onto these machines until I know things are communicating again. *sigh*

oliverr
Contributor

Same issue for me. Been going on for some weeks though.

Awaiting sync is the error I see in the pre-stage and under device enrollment settings.

I AM able to upload a new token without issue.

I have a support ticket open with Jamf but this is yet to be resolved.