Jamf Nation Community

I am having the same issue, and I dont have a cert payload.

I've seen this and all I needed to do to resolve it was to reformat the machine.

I just finish repartitioning a Mac and I still get the same error.

How about can you reach your JSS from the same network that you are trying to enroll on?

C

I saw this for the first time today testing DEP on one machine while a different machine worked fine. Came back an hour later and the machine throwing this error went through DEP without issue..

Yes, my Jamf Pro Rep had me remove the Anchor Cert payload. Also, I reinstalled the macOS on the DEP enrolled MacBook Pro two times but got the same result.
* Tried using the company public Wi-Fi, my cell phone hot spot, my Wi-Fi at home, the free public Wi-Fi in a community center; the Wi-Fi in a public library - result: the same "Unable to configure your Mac..."

@SVC-SBDJamfAdmin do you have any network filtering/NAC in place? We use Forescout and for us if our key isn't there or the MAC address of my dongle isn't trusted through our DHCP filter, (or we placed on a dedicated build segment) our DEP doesn't reach both Apple and our internal JSS JAMF Pro and the DEP fails. What I have seen is that I can usually take it to the GUI and it will DEP enroll there with a

sudo profiles renew -type enrollment

but that only applies to 10.13 machines.

@easyedc Hi, We have NAC in place and we are seeing the same issue. If I do "no network" at setup assistant and try the (sudo profiles renew -type enrollment" command I get an error that a certificate chain is not configured properly.
Once I install our company cert, I can install the profile.
Do I need to upload our company cert as an anchor certificate in the DEP PreStage?

Did anyone get this resolved? I've just started experiencing same problem, but it all used to work a month or two ago when I've tested last. The only change happened since was me upgrading our JSS to 10.3.1.

I am also having the same issue. I have tried multiple different networks to include wired and wifi. We also have a separate external network for our department that isn't part of the regular network and that is no bueno either. I got it to work one time out of 4 machines this week by reinstalling macOS but beyond that each one I have done the same thing to it has not worked.

We have also started to run into this issue frequently. During employee onboarding on the 22nd we had the issue occur across 3 separate offices at the same time. Today while doing a hardware upgrade for an employee we ran into the same issue. We initially thought it may have been network congestion during our onboarding, but today proved otherwise.

I was able to scope a prestage to my laptop and run the sudo profiles renew -type enrollment and receive the error as well. I've reached out to jamf support, but if anyone has any interim solutions that would be awesome.

Have you tried on an external network? Quite possible you need to make sure the correct ports are open. We had this previously where DEP worked in one office and didn't in another.

This is what JAMF supplied:

https://www.jamf.com/jamf-nation/articles/34/network-ports-used-by-jamf-pro

Be sure to allow outbound connections to Apple’s 17.0.0.0/8 block over TCP port 5223 / 443 from all client networks and on ports 2195 and 2196 from Jamf Pro servers to make sure APNs will function correctly on your network.

Yup we've trie dover multiple networks, as well as connecting through a mobile hotspot. I'll pass some of those details to our networking team as well just to review the ports.

Following this. Having the same issue. I've worked with JAMF CS and they are researching a solution, but nothing yet. Sorry to say it's kind of nice know that I'm not the only one.

I am following because I am now seeing problems with this same thing.

This is also happening to me. I just updated to 10.4.1.

i saw this today for about an hour but now it's working again.

Has anyone heard a solution for this yet?

Something is broke at Jamf and they don't seem to be too quick to acknowledge or fix it. I'm new to Jamf so I'm wondering if this is typical? I've attempted to get two brand new MacBook Pros into DEP from work and home resulting in the same configuration error window. So far the Jamf Support people I've talked with are only offering desperate guesses. If you haven't opened a ticket yet please do so!

We also saw this same problem , We tried to create new prestage enrollment, reformat device so many times, also update the DEP token problem still cannot solved. Any solution?

Anyone had any luck diagnosing this yet? I'm starting to see same issue in our test lab.

Well, I say same, it's likely closely related...

Running sudo profiles renew -v -type enrollment gives an Error -34006. I cannot find any reference to this on the inter tubes..

And in fact -34011 error too...

As you can see below, we're definitely ok out to Apple on 5223/443

dep-test-machine:~ testuser$ ~/telnet 5-courier.push.apple.com 5223
Trying 17.249.108.77...
Connected to pop-namer-ne-courier.push-apple.com.akadns.net.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
dep-test-machine:~ testuser$ ~/telnet 5-courier.push.apple.com 443
Trying 17.249.108.90...
Connected to pop-namer-ne-courier.push-apple.com.akadns.net.
Escape character is '^]'.
ehlo
Connection closed by foreign host.
dep-test-machine:~ testuser$ sudo profiles renew -verbose -type enrollment
Password:
profiles: verbose mode ON
profiles: returned error: 34011

I am currently seeing this issue as well. We are starting to move to DEP for faculty now and not just labs. I need a solution before school starts again. Between our ordering process on campus and the DEP troubles, I am wondering if this is worth the transition. I would be interested to know the number of admins that use DEP for a majority of their devices.

I am seeing this also on a batch of Macs we are trying to enroll. Was working yesterday.

I am also seeing this same issue. We just made the switch to JAMF and not a promising start....

This may be in relation to an open product issue with Jamf (PI-002379) which generates excess DeviceInfoAccountHash, DeviceInfoITunesActive, and ProfileList MDM commands. When these build up, MDM seems to slow down and DEP also seems affected. I would reach out to your TAM/Jamf support to see if you can confirm that you are experiencing this PI. They have a temporary fix for it until they address the issue in product.

Restarting DNS services did the trick for us

I do not know what is causing this but I do know how I was able to fix it for the systems experiencing it in my organization. I took their serial numbers and searched in "Devices" (where iOS devices would go) and found that they were all in there with the name: [No Name] After I deleted these entries and reinstalled a fresh copy of MacOS on each system they connected via DEP without issue.

I ought to follow up on this for posterity...

Turns out that the 34011 error relates to the device being able to contact DEP servers (iprofile/albert), but not being able to reach the CRL servers (.symcb.com, .symcd.com) in order to validate that the certificate being presented to by the DEP servers has not been revoked.

Anyone has a good fix for this? My instance intermittently gets bug down with this issue. I would get this issue for a few days and suddenly, it would start working again.

I had the same issue on different servers:
1. Check the Jamf Pro URL in the settings
2. Check the Organization Name (don‘t use special characters like „ä“)

We had exactly the same issue.
Turned out to be a policy scoped to a (static) group that did not existed anymore.
Jamf is going to fix this is in the new update.

We fixed it by re-creating the missing groups.

If you still having issues, then go to the deploy wsite, download the token and upload it back to the JSS..

done!

Hi all need your help on below error while i am trying to register my iMc to DEP

We have allowed 17.0.0.0 subnet with port allow ports 80, 5223, 2195, 2196, 443

We were recently having issues with apps not installing in iOS and in particular the Native apps at activation Apple has updated this document:

https://support.apple.com/en-us/HT201999

Our fix was to whitelist: bag.itunes.apple.com

Since we did this I am also not seeing the random messages on my prestages saying they cannot connect

We have the exact problem at the moment. svc-sbdjamfadmin Did you find any proper solution?

We are still having enrollment failures. This seems to be the only source of knowledge on the matter
https://nstrauss.github.io/mitigating-mac-enrollment-failures/

We had the same issue and I flushed DNS cache on the client machine which fixed it.

Big sur:  sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder