Profiles missing and unable to enroll devices in version 9.0

derivethegeek
New Contributor II

Hey Everyone,

We are currently experiencing a very peculiar case with our new JSS 9.0 installation.

After going through the normal upgrade process from 8.71 to 9.0, our clients are now upgrading their JAMF binaries to version 9.0, which is fine. However, our enrollment profiles have gone missing and we are unable to re-enroll devices that have upgraded to the new version.

When attempting to enroll, we are presented with this error after running "jamf enroll" -- "Error enrolling computer: Permission Error - The user specified does not have permission to perform the action." The user account that is enrolling this device is the same account we have always used to perform this action and so it is sorta scary that this is happening.

Honestly, we are really stuck on this one, so if anyone has any advice to help fix this issue it would be greatly appreciated.

12 REPLIES

Sean_M_Harper
Contributor

I should add:

The updated 9.0 Binary on all the machines is functioning normally. That is, software restrictions are active, as well as the machines themselves checking in (hence the updated binaries).

I have completed the following already in an attempt to remedy this situation:
1. Re-applied a renewed (it was not yet expired) APNS cert to the JSS
2. Attempted to re-enroll several machines (using my own as the test) via command line and with recon.

Note that with recon the machine does update in the JSS inventory, but the machine never obtains any profiles at all. However, it does keep blocking things such as terminal use and other programs on the restricted program list (even though I am on the exempt user list).

Frankly it appears to boil down to one of two main solutions, but with question.
1. We do something (I have no idea what) and the whole system is happy again.
OR
2. We tear down and rebuild the JSS with the newly released 9.0 build, assuming the corruption is somehow in the appliance itself. (Note that we ran the beta 9 builds and 9.0FC builds without issue.)

I would do #2 right now over VPN except I do not know if the machines will be able to retain settings from the imported database if we reinstall the server itself. I am concerned the signing certificate on the profiles (should they even exist anymore) will become invalid, leaving me with an entire sea of iPads that need re-enrollment.

Like my co-worker mentioned above, we are completely stuck. We are planning to call support in the AM, but wanted to post here to not only seek help earlier, but to alert others that this issue has happened to us and may be happening to others.

Thanks for reading this horridly long post, and I hope someone knows where they hid the magic button!

nessts
Valued Contributor II

Go to the user management section and make sure your enrollment account has the command line ACL permissions. This happened to me on my first beta upgrade. I don't know the path off the top of my head, but you should be able to find the user account and add all the permissions on the CLI side.

Sean_M_Harper
Contributor

All accounts in question are the management account or the admin accounts. All accounts we are using have every single permission available.

ike
New Contributor II

In 9.0, the enroll verb requires some form of authentication for security reasons.

You can either use 'jamf enroll -prompt' or 'jamf enroll -invitation <invite_id>'.

Another option is to enroll again using a QuickAdd package or Recon.app.

As a side note, if you see the MDM profiles missing, one way to fix that without 'jamf enroll' is to run 'jamf manage'. Manage will check to see if MDM enrollment needs to be performed and does not reset the computer's history or device certificate used for secure communication.

Sean_M_Harper
Contributor

This does appear to fix some of the issues we had, but the main issue remains:
Any machine that updates to Binary 9.0 deletes all profiles. How/Why/What can I do to fix this?

libertyuniversi
New Contributor II

I'm having this issue as well when running sudo jamf enroll:
Error enrolling computer: Permission Error - The user specified does not have permission to perform the action.

and running sudo jamf manage does not install the profiles.

Sean_M_Harper
Contributor

It looks like I am just going to do a full JSS tear down and rebuild. This lets me have a fresh install (and I am using a self-issued SSL cert so the keystore issue should not be a problem), and I can move away from Windows 2K8R2 and onto a Linux environment.

If anyone did happen to see an issue with this, feel free to let me know :)

libertyuniversi
New Contributor II

I also noticed the update to 9 expired all my clients' certificates.

martin_rausch
New Contributor

We are having the same problem, tried steps above to no avail.

hunter990
Contributor

Dragging up this thread to see if anyone ever had an answer for this. We are getting this issue and having fits with it.

bentoms
Release Candidate Programs Tester

@hunter990 probably worth starting a new thread, but do you have an APNS cert on the JSS?

hunter990
Contributor

bentoms, we do have an APNS cert. After working with Jamf support it is looking like we need to create an intermediate cert to issue to our clients. We are a gov't agency so the cert signing method isn't trusted automatically like GoDaddy, etc. Once we get it uploaded I'll post with the result in case someone hits this thread in the future.