Self Service not installing after enrolment. Policies don't run

djrory
Contributor

Intermittently our DEP/Auto-Enrolment devices do not complete the enrolment process. The MDM profile and cert is applied, Config Profiles apply and the device appears in JAMF Inventory however Policies never kick off and Self Service is not installed. 

We've seen similar issue to this over the past few years but never seem to get a solid answer from JAMF support, now we are seeing it on some of our new M1 Macs. It's seemingly completely random, I'll enrol 4 identical devices, 3 will complete as expected and the 4th will do as described above. All on the same network, same model, same Pre-Stage...

Why is this issue so difficult to solve?  Why does it keep happening? When can we expect it to be resolved?

12 REPLIES 12

ericbenfer
Contributor III

First place to look on the unsuccessful Mac systems is the Jamf log.
/var/log/jamf.log

Jamf log reports that the "internet connections appears to be offline"... it wasn't device was hardwired to LAN. 

Eventually the log just stops and the device never makes another attempt to complete enrolment. Rebooting, connecting to different WiFi and LAN. 

The device has been online and connected to LAN for 5 days now, still no sign of JAMF other than the MDM profile and a few profiles that have installed. No Policies have executed. 

 

The 3 other devices I enrolled at the same time on the same network are all working as expected. 

 

Wed Apr 27 20:57:34 Wesley’s MacBook Pro jamf[885]: Removing existing launchd task /Library/Application Support/JAMF/tmp/com.jamfsoftware.task.startssh.plist...
Wed Apr 27 20:57:35 Wesley’s MacBook Pro jamf[917]: The SSL Certificate for https://whlaustralasia.jamfcloud.com/ must be trusted for the jamf binary to connect to it.
Enrolling computer...
Wed Apr 27 20:57:40 Wesley’s MacBook Pro jamf[933]: Skipping trustJSS command...
Wed Apr 27 20:57:40 Wesley’s MacBook Pro jamf[933]: JMFCommons.JamfKeychain.JamfKeychainSecurityError.failedToReadJmfKeychainPassword
Wed Apr 27 20:57:41 Wesley’s MacBook Pro jamf[933]: JMFCommons.JamfKeychain.JamfKeychainSecurityError.failedToReadJmfKeychainPassword
Wed Apr 27 20:57:44 Wesley’s MacBook Pro jamf[933]: Creating user zz-jamflocal...
Wed Apr 27 20:57:49 Wesley’s MacBook Pro jamf[933]: The device certificate was created successfully.
Wed Apr 27 20:57:56 Wesley’s MacBook Pro jamf[933]: No container info found for disk with ID disk4
Wed Apr 27 20:58:03 Wesley’s MacBook Pro jamf[933]: Error Domain=NSCocoaErrorDomain Code=4099 "The connection to service named com.jamf.management.daemon.binary was invalidated from this process." UserInfo={NSDebugDescription=The connection to service named com.jamf.management.daemon.binary was invalidated from this process.}
Wed Apr 27 20:58:03 Wesley’s MacBook Pro jamf[933]: Removing existing launchd task /Library/LaunchDaemons/com.jamfsoftware.task.bgrecon.plist...
Wed Apr 27 20:58:03 Wesley’s MacBook Pro jamf[933]: Downloading the Jamf Bundle...
Wed Apr 27 20:58:20 Wesley’s MacBook Pro jamf[933]: The download of /Library/Application Support/JAMF/tmp/JamfBundle.tar.gz failed.
Wed Apr 27 20:58:21 Wesley’s MacBook Pro jamf[933]: An Error Occurred while attempting to manage the computer: Connection failure: "The Internet connection appears to be offline."
Wed Apr 27 20:58:21 Wesley’s MacBook Pro jamf[933]: The management framework will be enforced as soon as all policies are done executing.
Wed Apr 27 20:58:21 Wesley’s MacBook Pro jamf[933]: Flushing the /Library/Application Support/JAMF/tmp directory was successful
Wed Apr 27 20:58:21 Wesley’s MacBook Pro jamf[933]: Connection failure: "The Internet connection appears to be offline."
Wed Apr 27 20:58:21 Wesley’s MacBook Pro jamf[933]: Connection failure: "The Internet connection appears to be offline."
Wed Apr 27 20:58:21 Wesley’s MacBook Pro jamf[933]: Removing existing launchd task /Library/Application Support/JAMF/tmp/com.jamfsoftware.task.policy.plist...
Wed Apr 27 20:58:21 Wesley’s MacBook Pro jamf[933]: Enroll return code: 72
Wed Apr 27 20:58:23 Wesley’s MacBook Pro jamf[1436]: Checking for policies triggered by "enrollmentComplete"...
Wed Apr 27 20:58:24 Wesley’s MacBook Pro jamf[1436]: Could not connect to the JSS. Looking for cached policies...
Wed Apr 27 20:58:25 Wesley’s MacBook Pro jamf[1436]: Adding launchd task com.jamfsoftware.task.checkForTasks...
Wed Apr 27 20:58:27 Wesley’s MacBook Pro jamf[1492]: An Error Occurred while attempting to manage the computer: Connection failure: "The Internet connection appears to be offline."
Wed Apr 27 20:58:27 Wesley’s MacBook Pro jamf[1492]: The management framework will be enforced as soon as all policies are done executing.
Wed Apr 27 20:58:27 Wesley’s MacBook Pro jamf[1492]: Flushing the /Library/Application Support/JAMF/tmp directory was successful

grecopj
Contributor

DJrory,

Were you ever able to find a reason why Policies never kick off and Self Service is not installed? 

Nope, JAMF Support weren't sure either. I made an empty "Enrollment Saver" package that is a one line post-install "sudo jamf policy" and deployed that in pre-stage and it seems to help.

Given the pre-stage packages always seem to run this just gives it an extra kick to get going. 

Andruschki
New Contributor

djrory I know this thread is a little bit older but is it possible that you did that enrollment on an unencypthed Wi-Fi network? I had the same issue today, with the excact same log files entries but only while on a open Wi-Fi network, with a cable connection or WPA2 network no problems.

Turned out that the ports were blocked to Apple. This prevented the full enrollment to complete. Mine was happening with the wired connection. The WiFi connection that you were using probably has those ports blocked.

airvine01
New Contributor II

Hi there, which ports did you find that were blocked?

im currently having this issue

Ahadub
New Contributor III

having this issue as well, both in the office and from home network so doubt our issue is port blocked.

wlew
New Contributor II

I also don't believe it's a port blocking issue. Onboarded three people today and all three had similar issues where policies would not kick in or install correctly. Two of the users were in the office and one remote. They all enrolled and setup their Macs at the same time while i was on a call with them. checking the jamf logs, i see many of these errors : 

Error Domain=NSCocoaErrorDomain Code=4099 "The connection to service named com.jamf.management.daemon.binary was invalidated from this process." UserInfo={NSDebugDescription=The connection to service named com.jamf.management.daemon.binary was invalidated from this process.}

Ahadub
New Contributor III

In my situation, Jamf Support said that we need to go into Jamf Pro and change the SMTP off of port 25, that Jamf is intentionally blocking it for cloud customers and once you change to a different port for SMTP, it will start working again.  Support then tried to make it sound like our SMTP settings that were working for a few years were misconfigured and causing the issue.

So try changing the SMTP relay port in Settings and see if this magically start working again.

wlew
New Contributor II

 

That just sounds... off.  If Jamf Support suggested that as the solution, i'm really questioning their troubleshooting tactics...

I don't see how SMTP settings (sending emails) has anything to do with policies not installing or related to the jamf binary...

Did this actually work for you? Did they give an explanation?

gonzague
New Contributor

Hey.. I had the same problem and was chasing the wrong rabbit: my problem was that I was pushing two WiFi profiles to the devices (one at prestage / the two as regular profiles)  and they were switching to a different SSID while Jamf was setting up.

 

Removing one of the profiles has fixed the issue