I have seen this when the casper admin passwords (what you use for ssh) do not match on the client machine and the JSS. Make sure the machine is managed with the proper ssh password and then self service should work.
I had some problems last year when we rolled out a new test taking app along with a casper password update (the password got leaked, so I was forced to update) and for whatever reason, be it wifi network issues, or client software issues some of the macbooks never updated the ssh account password.
So what I did was go into the JSS and create a local account policy to modify the local casper admin account on the client machines. Set the new password and set it to run once per a machine every 30 minutes. Then I duplicated that exact policy and set it to custom trigger and set the trigger to resetCadmin.
Then on all the machines that the management had some how been jacked up on I would open up ARD Admin on my MBP and do VLAN scans for all client machines and then use the 'send Unix' command via ARD admin to those machines. I ran it as root too, and this was the command
/usr/sbin/jamf policy -trigger resetCadmin
That would then force all of those machines to run that policy as root (so no authentication needed) and it would force a password change to the new and updated password.
On a side note I found out that when you send 400+ clients to the JSS to trigger a custom policy at the same time it can come a bit unresponsive.
This is my only guess as to why it is happening. That or for some reason your clients never got the updated password, or perhaps they weren't added with the quickadd.pkg? Do you have multiple passwords running about for casper?
-tom
