Profile installation failed during mobile device enrolment under Jamf Pro 10

mickgrant
Contributor III

so today i have run into my first issue after updating to Jamf Pro 10.

so i have tested this on multiple devices, and under multiple iOS versions (from 10.3, to 11.1).
i have also told the iPad that to Enable full trust for the root certificate (as its a self signed certificate from the JSS built in authority).
This worked to allow us to install our profile up until the Jamf Pro 10 upgrade.
nothing else has changed about our setup, i have checked all our certificates and they arnt expired.

now when we try to install to install the profile certificate its ticked verified (cause we enabled full trust) but still tells me that Profile installation failed - a connection to the server could not be established

I'm kind of stuck here lads, any help tracking this down would be apreciated

12 REPLIES 12

joecurrin
New Contributor III

Check to make sure you are blacklisting OCSP validation sites.

mickgrant
Contributor III

How would i go about doing this, i have googled it but everything i'm finding is talking about revocation checking...
do you have a list of IP addresses to blacklist?

mschroder
Valued Contributor

I had the same problem with my test JSS, which uses an in-house certificate SSL certificate. I had installed the in-house CA cert on the iPad, but I had not set the iPad to trust that cert. I came across https://support.apple.com/en-ca/HT204477, followed the instructions to set the trust for the CA cert, and after that I could enroll the iPad - by telling the system several times that "yes, I really want to install the profile"...

mickgrant
Contributor III

yea i have already enabled the root trust setting on the certificate, we have been having to do that since iOS 10.3 but now im getting a profile Installation failed notification even with that setting

Malcolm
Contributor II

@mickgrant I'm having the same problem, occurs when attempting to do a safari based manual enrollment, and for DEP enrolments also, currently testing to see if creatign a new prestage will fix the issue for the DEP one, but I am having issues with the test DEP device right now to follow up.

Been bouncing emails back and forth from support, but yet to isolate the cause of the issue.

We sit on a complex network unfortuantely, which adds alot of difficulty to the problem.

all clients auth against wifi, they then get assigned a vlan, so that we dont get bonjour spam.
Groups of vlans are routed internally to any other vlan and have direct access to the mdm server, but for internet access route through 1 of 5 dedicated internet links, via a firewall proxy, proxy up until our upgrade to jamf pro 10 was configured not to be required for apple enrollment traffic. But in the past would also enroll if configured with proxy, but for the most point, we also use global proxy and within the proxy wpad file we exclude the apple range, which for what it is worth doesnt mean much these days.

I am also starting to suspect Apple is more at fault here, and not jamf pro.

Have you found anything further?

Where abouts are you located?

Malcolm
Contributor II

@mickgrant Just been working with support through out all of today, and we found that the webapp was the cause of our enrolment profiles not installing, and we had to revert the web app back to the previous version to resolve the issue.

What was also observed was that the root.war which builds the webapp on first apache launch, had a date modified date, that was before the install of version 10, which suggests that the installer didn't update us properly.

Reverting back got us enrolling devices again, and I am about to try the same method to revert back to revert forward, which will hopefully get version 10 working for us also. I'll update the results of this. but essentially I would suggest getting in contact with support, and mention this thread.

Malcolm
Contributor II

@mickgrant

Further to my problems support found within our jamflogsoftware, our JSS had a smart group in it which, was combining a number of smart groups, and for some reason couldn't locate the naming of the group, as we didn't need this smart group, all we had to do to fix it was to delete the smart group, and this resolved the issue for device enrolment.

Wouldn't surprise me if JSS runs a bit better now too.

jkuo
Contributor

We are encountering this identical problem with iOS devices with both DEP and manual enrollment. Was there any one thing that worked, or is our solution right now to revert the webapp and then try the upgrade again? I can't imagine everyone is encountering this otherwise no enrollments would be working!

BurraSteve
New Contributor

Jamf newbie here. Our school has just started using Jamf 10. It was installed a couple of days ago, so I'm on a roughly vertical learning curve!
I'm having the same problem with not being able to manually enrol. The certificate is installing with no problem, and I can set it to be trusted under About>Certificate trust settings.
When I come to install the MDM profile. I get the generic "Profile Failed to Install" and the certificate then switches to untrusted.
Support are onto it, and I'm hoping they can come up with a solution. As soon as I hear anything, I'll post it here.

jkuo
Contributor

And...we're back! In our case it was a single malformed Smart Group that had as a member a Static Group that no longer existed. Support helped us track it down.

Not sure if this would've prevented that, but I have a feature request here to make it so that groups that are criteria for a Smart Group are tied to unique identifiers instead of simply the text: https://www.jamf.com/jamf-nation/feature-requests/2015/tie-groups-to-group-ids-instead-of-text-names

mickgrant
Contributor III

I have solved the problem as well with the help of support, and in my case it was to do with 2 smart groups that were referencing mistyped smart groups. after repairing them it all back up and working

BurraSteve
New Contributor

I've sorted it as well. Our department-supplied (mandated) filtering system was blocking the MDM profile.