QuickAdd.pkg and manual enrollment failing on new M2 Mac

JAMFNoob
New Contributor III

We have just received our first M2 Mac and it seems off the bat that there are some issues with enrolling it - usually during enrollment from our JAMF site (that we carry out with M1 and Intel Macs) we could get profiles installed onto the machines, but with M2 I see for the first time it needs a QuickAdd package installed that completes installation. This always fails, and then when I try manually enrolling with sudo jamf enroll -prompt I get the message -

An error occurred while enrolling computer: The jamf binary could not connect to the JSS because the web certificate is not trusted. Checking in the background for policies that use the Enrollment Complete trigger

Enroll return code: 70

We are currently using the built-in JAMF CA cert... would this be causing it?

1 ACCEPTED SOLUTION

JAMFNoob
New Contributor III

Hey guys I found the solution - it looks like my push certs had expired and renewing this got us back on track

9 REPLIES

shaquir
Contributor III

 

Are you enrolling your machines using DEP?
Reposting from https://community.jamf.com/t5/jamf-pro/can-an-m1-chip-be-manually-enrolled-w-out-dep/m-p/231313/high...


@JAMFNoob wrote:

We have just received our first M2 Mac and it seems off the bat that there are some issues with enrolling it - usually during enrollment from our JAMF site (that we carry out with M1 and Intel Macs) we could get profiles installed onto the machines, but with M2 I see for the first time it needs a QuickAdd package installed that completes installation. This always fails, and then when I try manually enrolling with sudo jamf enroll -prompt I get the message -

An error occurred while enrolling computer: The jamf binary could not connect to the JSS because the web certificate is not trusted. Checking in the background for policies that use the Enrollment Complete trigger

Enroll return code: 70

We are currently using the built-in JAMF CA cert... would this be causing it?

Also are you seeing errors in Management > Management Commands on the machines?

Are you on-prem? Is your Jamf version above 10.39.1?

JAMFNoob
New Contributor III

Yes it's on-prem version 10.30.0-t1622838506

JAMFNoob
New Contributor III

Not Apple DEP but just the user enroll via our local JAMF environment (log on from device, assign to user and then enroll)

mainelysteve
Valued Contributor II

QuickAdd packages can't be used with any version of macOS basically from 10.15 and up. It's doubly impossible on Monty (12.x) because you can only interactively install configuration profiles, as the profiles binary (what the QuickAdd is using in a script) can no longer install profiles. The error you're seeing probably means the trust profile wasn't installed, so your JSS isn't trusted on that Mac.

You need to enroll using both the MDM profile and a trust profile. Of course ADE (DEP) would make this one hundred times easier.

Thanks for the response - we do have an Apple School Manager that we use to deploy certain apps... would it be easy to set up DEP enrollment using this?

mainelysteve
Valued Contributor II

To start with, where was this particular Mac purchased from? Apple Ecommerce, authorized reseller, etc.?

Getting things set up for ADE enrollment is easy-ish, but it really depends on your skill/experience level. Once it's set up and you have time to learn the processes, getting new machines set up will get easier and easier. Right now, for instance, all I do for my M1 and M2 Macs is unbox, asset tag and hand off to the user to set up. They turn it on, go through some of the setup assistant screens and then it's enrolled. Some background and foreground automation with policies and DEPNotify finish things up.

Ahh yes, I used to do DEP enrolls at my previous job with mobile phones, however we had an authorised reseller whereby our phones would automatically populate in our ABM. I don't think we do have this set up currently with our current supplier

JAMFNoob
New Contributor III

Hey guys I found the solution - it looks like my push certs had expired and renewing this got us back on track