Posted on 08-27-2015 04:36 AM
JSS version 9.72, Mac OSX version 10.10.5
Good Morning, recently we are seeing an error with enrollment in one of our office's in another location. The enrollment completes, all of the policies run, applications install, profiles come down, and config profiles install, however at the end of the enrollment the user receives "The Installation failed." "The installer encountered and error that caused the installation to fail. Contact the software manufacturer for assistance."
I have verified that enrollment works at my location (different office). I have also had the user try enrolling another machine in his office location (brand new MacBook Pro, out of box). He has the same result. No errors that I can see in the console.
Any thoughts?
Thanks in advance!
-Ben
Posted on 08-27-2015 04:47 AM
I have been seeing this as well with 9.73 on 2015 Airs running 10.10.2 and 10.10.3. Everything works fine except the quick shows that it fails.
Posted on 08-27-2015 06:13 AM
The QuickAdd...
(1) installs the /usr/local/sbin/jamf
binary (used to be /usr/sbin/jamf
):
(2) runs a postflight script that creates the plist to point the binary to JSS, sets SSH, and then runs the enrollment command (enforce management framework, including creating the management account, login/logout hooks, etc., etc.).
If QuickAdd fails, its usually because the postflight script fails.
Confirm that the binary installed:
$ which jamf
/usr/local/sbin/jamf
^^^ If this comes back with /usr/sbin/jamf
, your QuickAdd is old.
Once confirmed, you can manually enroll the Mac using the sudo jamf enroll -prompt
command.
The first prompt is asking you to authenticate the sudo command. The next two prompts are for your JSS account name/password. Your account will need rights to enroll computers (there may be a few more rights checkboxes needed).
$ sudo jamf enroll -prompt
Password: <your-admin-password>
JSS Username: <your-jss-username>
JSS Password: <your-jss-password>
SSH Username: <your-jss-username>
SSH Password: <your-jss-password>
Downloading required CA Certificate(s)...
This computer was successfully enrolled to the JSS with the following device certificate: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX"
Retrieving inventory preferences from https://server.domain.com:8443/...
Finding extension attributes...
Locating applications...
...[snip]...
...[snip]...
...[snip]...
Submitting data to https://server.domain.com:8443/...
<computer_id>XXXXX</computer_id>
Getting management framework from the JSS...
Enforcing management framework...
Checking availability of https://server.domain.com:8443/...
The JSS is available.
Enforcing login/logout hooks...
Enforcing scheduled tasks...
Creating launch daemon...
Creating launch agent...
Checking availability of https://server.domain.com:8443/...
The JSS is available.
Checking for policies triggered by enrollmentComplete
NOTE: When you use your JSS credentials for both items in the above command, your JSS username becomes the management account for that Mac. Might want to spin up a policy that checks management account name, so if it isn't the right account, the policy corrects it.
For more info:
$ jamf -help enroll
Usage: jamf enroll [-prompt | -invitation] [-noRecon] [-noManage]
-prompt Prompts for JSS and SSH credentials.
-invitation Uses an invitation ID for credentials instead of a user name and password.
-noRecon Stops enroll from acquiring inventory.
-noManage Stops enroll from enforcing the management framework.
-noPolicy Stops enroll from checking for enrollment policies.
$
Posted on 08-27-2015 09:54 AM
Thanks @donmontalvo ... the office is an hour away, I might have to go down and try this down there. It seems odd that it works properly here in my office location, but in another office it errors.
Posted on 08-27-2015 11:25 AM
@Bhughes - If it errors out in one location and not another, sounds like a DNS or communications issue to me. Something is blocked or unknown.
@donmontalvo - Best explanation of the quickadd ever!
Posted on 08-27-2015 11:32 AM
Its odd that 99% of the process works ok (especially config profiles), that would indicate that the connection to the JSS is working at some stage and is able to enrol with the MDM.
If its location specific I would look at something firewall / DNS related. Do you have a web filter that might be blocking something towards the end of the process?
@donmontalvo Great explanation, thanks!
Posted on 08-27-2015 12:16 PM
Thanks @pblake and @davidacland it does appear to be pointing to something network related. I think I might have to take a trip to that office.
Posted on 08-27-2015 02:55 PM
We see QuickAdd fail mostly over Wi-Fi or where client is many hops away from the JSS (latency?). Manual enroll to the rescue. :) Maybe you can SSH over to the Mac to manually enroll, to save time/gas.
Posted on 08-28-2015 12:04 PM
Nothing firewall/DNS related... no web filters in that office ...(from what I am told). These devices are all wired.
Enrollment has completed, I am just worried that it's presenting the user with "installation failed"
I took a look at the /var/log/jamf.log ...shows everything completing there too.
Thu Aug 27 11:10:39 XXXXXMacBook Air jamf[439]: Creating user casperadmin...
Thu Aug 27 11:10:43 XXXXXMacBook Air jamf[439]: Enforcing management framework...
Thu Aug 27 11:10:46 XXXXXMacBook Air jamf[439]: Enforcing scheduled tasks...
Thu Aug 27 11:10:46 XXXXXMacBook Air jamf[439]: Adding launchd task com.jamfsoftware.task.1...
Thu Aug 27 11:10:46 XXXXXMacBook Air jamf[439]: Creating launch daemon...
Thu Aug 27 11:10:46 XXXXXMacBook Air jamf[439]: Downloading the agent...
Thu Aug 27 11:10:47 XXXXXMacBook Air jamf[439]: Creating launch agent...
Thu Aug 27 11:10:47 XXXXXMacBook Air jamf[525]: Informing the JSS about login for user xxxx
Thu Aug 27 11:10:48 XXXXXMacBook Air jamf[525]: Informing the JSS about login for user xxxx
Thu Aug 27 11:10:49 XXXXXMacBook Air jamf[538]: Checking for policies triggered by "enrollmentComplete"...
Thu Aug 27 11:10:50 XXXXXMacBook Air jamf[538]: Upgrading jamfHelper.app...
Thu Aug 27 11:10:51 XXXXXMacBook Air jamf[538]: Upgrading JAMF notification service...
Thu Aug 27 11:10:51 XXXXXMacBook Air jamf[538]: Upgrading Self Service.app...
Thu Aug 27 11:10:53 XXXXXMacBook Air jamf[538]: Executing Policy 1 Computer Name...
Thu Aug 27 11:10:54 XXXXXMacBook Air jamf[525]: Network state changed, checking for policies...
Thu Aug 27 11:10:54 XXXXXMacBook Air jamf[525]: Network state changed, checking for policies...
Thu Aug 27 11:10:55 Computer name jamf[654]: Checking for policies triggered by "adbind"...
Thu Aug 27 11:10:55 Computer name jamf[650]: Checking for policies triggered by "networkStateChange"...
Thu Aug 27 11:10:58 Computer name jamf[654]: Executing Policy 2 Bind to AD...
Thu Aug 27 11:10:58 Computer name jamf[654]: Binding "computername to mycompany.ad.com".
Thu Aug 27 11:11:14 Computer name jamf[654]: Bound to Active Directory (ad.com)
Thu Aug 27 11:11:14 XXXXXMacBook Air jamf[538]: Executing Policy 4 Security Settings...
Thu Aug 27 11:11:17 XXXXXMacBook Air jamf[538]: Verifying package integrity...
Thu Aug 27 11:11:18 XXXXXMacBook Air jamf[538]: Installing SEPRemote.pkg...
Thu Aug 27 11:12:09 XXXXXMacBook Air jamf[538]: Successfully installed SEPRemote.pkg.
Thu Aug 27 11:12:09 XXXXXMacBook Air jamf[538]: Executing Policy 5 Bomgar...
Thu Aug 27 11:12:09 XXXXXMacBook Air jamf[538]: Verifying package integrity...
Thu Aug 27 11:12:09 XXXXXMacBook Air jamf[538]: Installing Bomgar.pkg.zip...
Thu Aug 27 11:12:20 XXXXXMacBook Air jamf[538]: Successfully installed Bomgar.pkg.zip.
Thu Aug 27 11:12:20 XXXXXMacBook Air jamf[538]: Executing Policy 6 Junos Pulse VPN Client...
Thu Aug 27 11:12:20 XXXXXMacBook Air jamf[538]: Verifying package integrity...
Thu Aug 27 11:12:21 XXXXXMacBook Air jamf[538]: Installing JunosPulse.pkg...
Thu Aug 27 11:12:27 XXXXXMacBook Air jamf[538]: Successfully installed JunosPulse.pkg.
Thu Aug 27 11:12:27 XXXXXMacBook Air jamf[538]: Executing Policy 7 Local Admin Account...
Thu Aug 27 11:12:28 Computer name jamf[538]: Creating user LocalSupport...
Thu Aug 27 11:12:32 XXXXXMacBook Air jamf[538]: Executing Policy 8 Configure Proxy...
Thu Aug 27 11:12:33 XXXXXMacBook Air jamf[538]: Executing Policy 9 Add Dock Items and Run Recon...
Thu Aug 27 11:12:47 XXXXXMacBook Air jamf[538]: Executing Policy Disable Password Change Prompt...
Thu Aug 27 11:12:47 XXXXXMacBook Air jamf[538]: Executing Policy Set Search Domains...
------This is where enrollment completes -------
Thu Aug 27 11:19:45 xxxxxxxx jamf[1978]: Checking for policy ID 8...
Thu Aug 27 11:19:47 xxxxxxxx jamf[1978]: Executing Policy Microsoft Office 2011...
Thu Aug 27 11:19:49 xxxxxxxx jamf[1978]: Verifying package integrity...
Thu Aug 27 11:20:59 xxxxxxxx jamf[1978]: Installing Office Installer.pkg...
Thu Aug 27 11:22:34 xxxxxxxx jamf[1978]: Successfully installed Office Installer.pkg.
Posted on 08-29-2015 02:54 AM
As far as the enrollment goes, the last step will be:
Thu Aug 27 11:10:51 XXXXXMacBook Air jamf[538]: Upgrading Self Service.app...
After that its just policies kicking in.
It doesn't look like its breaking anything, although it could be worth testing with a Mac that doesn't run any policies after enrollment.
Posted on 09-01-2015 07:53 AM
Thanks. I also tried running
sudo jamf enroll -prompt -verbose
and found no errors.
Is there any logging anywhere else that I could check?
Posted on 09-01-2015 08:52 AM
There are logs on the server (JAMFSoftwareServer.log) that might have some more information. The possibilities I'm currently thinking are:
Just out of interest, are you using a web based self enrollment from https://your.jss.com:8443/enroll or a recon generated quickadd.pkg?
If time permits, I would probably pick the quickadd.pkg apart, manually deploy the files in the payload and then step through the postinstall script step by step in the terminal. That usually tells you what line it is failing on.
Could also be worth asking JAMF support in case they have any other secret methods for troubleshooting.