Jamf Nation Community

You are correct about the "Last Connected" date. I tried refreshing the token, but got a "Problem contacting Apple services" when uploading the new server token to the JSS. Looking at the date, I realized that this was the date that I move the JSS VM to a different host server. I moved the VM back to the original host and it connected with the DEP server right away.

So the question now is, what difference would a different VM host make when everything else about the JSS server was working without any issues? Because the VM host server is scheduled to be replaced, which is why we moved the JSS server off of it.

Hmm that's a stumper. Do you have a backup of the VM you could restore onto the "new" host server and test with?

If you do, I'd try running these commands from the VM.

telnet 35-courier.push.apple.com 5223
telnet albert.apple.com 443
telnet gateway.push.apple.com 2195
telnet gateway.push.apple.com 2196

If any of those fail, you've got a communication issue. There could be a ton of other stuff, but those are the 4 commands I have from JAMF that helped me troubleshoot a past communication issue.

Similarly, when the VM was on the new host, you confirmed the system time was correct? I've had issues before where time was wrong, so the tokens failed. Maybe daylight savings time is involved... maybe??

Thanks for the links. I give them a try. There are also two other new VM hosts that I am going to try moving the JSS server to, but now that I know that this could be an issue I'll be waiting to test off hours.

Checking on an issue with the error: "Unable to contact https://mdmenrollment.apple.com about a new PreStage enrollment or changes to..." and running chlaird's telnet check, all but one worked.

Error as follows with "telnet 35-courier.push.apple.com 5223":

System:~ user$ telnet 35-courier.push.apple.com 5223
Trying 17.172.232.51...
telnet: connect to address 17.172.232.51: Connection refused
Trying 17.172.232.53...
telnet: connect to address 17.172.232.53: Connection refused
Trying 17.172.232.59...
telnet: connect to address 17.172.232.59: Connection refused
Trying 17.172.232.83...
telnet: connect to address 17.172.232.83: Connection refused
Trying 17.172.232.90...
telnet: connect to address 17.172.232.90: Connection refused
Trying 17.172.232.57...
telnet: connect to address 17.172.232.57: Connection refused
Trying 17.172.232.70...
telnet: connect to address 17.172.232.70: Connection refused
Trying 17.172.232.64...
telnet: connect to address 17.172.232.64: Connection refused
telnet: Unable to connect to remote host

Would this be an internal networking issue if the other 3 telnet checks worked?

Checking into 30-courier.push.apple.com, there is an issue inside and outside our network. May not be our network, does this still exist or is the domain incorrect?

Any other thoughts out there?

Checking into 35-courier.push.apple.com, there is an issue inside and outside our network. May not be our network, does this still exist or is the domain incorrect?

Any other thoughts out there?

As of two minutes ago, I can reach all 4:

external image link

Starting Tests.....

APNs tests beginning #info #network
Feedbackhost (gateway.sandbox.push.apple.com): Resolving DNS Name
Pushhost (gateway.sandbox.push.apple.com): Resolving DNS Name
Courierhost (5-courier.sandbox.push.apple.com): Resolving DNS Name
Altcourierhost (5-courier.sandbox.push.apple.com): Resolving DNS Name
Altcourierhost (5-courier.sandbox.push.apple.com): 17.172.232.9
Courierhost (5-courier.sandbox.push.apple.com): 17.172.232.9
Altcourierhost (5-courier.sandbox.push.apple.com): Checking for proxy
Courierhost (5-courier.sandbox.push.apple.com): Checking for proxy
Altcourierhost (5-courier.sandbox.push.apple.com): No proxy found. Attempting to connect
Courierhost (5-courier.sandbox.push.apple.com): No proxy found. Attempting to connect
Registered for APNs with token XXXXX
Connected to Courierhost (5-courier.sandbox.push.apple.com) at IP address 17.172.232.9 on port 5223
Connected to Altcourierhost (5-courier.sandbox.push.apple.com) at IP address 17.172.232.9 on port 443
Pushhost (gateway.sandbox.push.apple.com): 17.172.232.18
Feedbackhost (gateway.sandbox.push.apple.com): 17.172.232.18
Pushhost (gateway.sandbox.push.apple.com): Checking for proxy
Feedbackhost (gateway.sandbox.push.apple.com): Checking for proxy
Pushhost (gateway.sandbox.push.apple.com): No proxy found. Attempting to connect
Feedbackhost (gateway.sandbox.push.apple.com): No proxy found. Attempting to connect
Connected to Pushhost (gateway.sandbox.push.apple.com) at IP address 17.172.232.18 on port 2195
Connected to Feedbackhost (gateway.sandbox.push.apple.com) at IP address 17.172.232.18 on port 2196
Trying to sending ourselves a push notification
Sent Push....Waiting for a response
Received Push Notification
APNs tests completed with 4 passed and 0 failed. #info #network

Ok, if I still get the error for "telnet 35-courier.push.apple.com 5223", then it has to be our network as other are able to connect. Am I right in the assumption? Curious.

I believe so. I don't believe anything changed on the Apple side, so the directions from JAMF should still be current, and that's what they told me. "connect to all 4. if you can't hit any of them, that's a problem"

I had the same problem today and tested everything that is in this discussion:
Created a new Public Key;
Created a new MDM server;
Tested the telnet commands as cited by @chlaird;
Removed the DEP settings from JSS.

All of these worked fine but I still couldn't add a new DEP setting on my JSS. Then I checked the time on my server and for some reason it was 5 minutes behind, even using an internal NTP server. Anyway, I corrected the time and it worked straight away.

If in case someone is getting the same error, check the time on the server first just to avoid spending time and effort.

@luispalumbo Ran into this issue today, checked my time on the JSS and sure enough it was off by about 6min, and reseting the NTP server setting on the JSS fixed it! Thanks!

I had the same issue after updating my Apple ID

I Fixed the issues by Generating a new Server Token on the DEP website and uploading it to the JSS.

I also just had this issue. For me, it was one single iPad in my prestage scope that was causing the issue. Once I removed that iPad from the scope, everything worked perfectly. I'll have to check with apple to see what might have caused that device to throw an error.

I had the same thing happen today:

"Unable to contact https://mdmenrollment.apple.com to add a device to a PreStage enrollment"

and

"The DEP service reported an error. (https://mdmenrollment.apple.com [403])"

Found out that Apple changed their terms and conditions for the DEP program and had to agree to them. Need to sign in with the program Agent account. After doing that the error messages went away in the JSS.

Just another "me too."

In this case it turned out Apple was wanting two-step verification to be set up, as well as accepting new terms. After that was set up all was well.

Refreshed my MDM token from the DEP portal and that resolved my problems.

I was seeing the same errors. I had to log in to DEP and agree to the two updated User Agreements. Problem solved.

Thank you mramsay -- this should be on the Jamfnation frontpage. Problem solved here, after a restart of our JSS.

We had the same problem of JSS not contacting the DEP servers, even though we recently updated our DEP token. Logging into DEP and accepting Apple's new terms and conditions fixed the problem. You know the old saying, mind your Ts and Cs.

I'm receiving the same error. I did accept the new terms but under Device Enrollment Program in JSS we have two DEP entries, both pointing to the same Apple ID. While the new token made the first entry happy, the second one states that token is in use. If I create another key and token for this account, is that going to cause my first DEP entry to flake out?

Not sure if this is related but I have resolved our "NSURLErrorDomain error -1012" issue shown at the start of the DEP process for our iPhones.

Our solution was to restore a copy of our server.xml file and restart tomcat service. The difference between the two server.xml file that I noticed was that the restored file had more ciphers settings. The keystorefile and keystorepassword were also different.

I believe the server.xml file was changed or replaced during an failed upgrade to 8.91. An uninstall and reinstall of JSS was then preformed to get 8.91 working.

My Fix was similar to @dboeshart , Agreeing the the new Terms and Conditions and assignments started happening again.

On JAMF's advice I regenerated the token on Apple's deployment website, and loaded it into our JSS server. The "DEP service reported an error..." message is gone now. Here are the steps they sent me:

1.)Go in the JSS to Settings>Global Management>Device Enrollment Program
2.)Download the Public Key by clicking the key button that says Public Key right next to it
3.)Log into deploy.apple.com
4.)Upload the PublicKey.pem that was just downloaded into the DEP portal. We'll hit "Replace Key.."
5.)Then we are going to select generate a Server-token and this will be uploaded into the JSS
6.)Go back into the JSS Device Enrollment Program select the DEP group, hit edit and Upload Server Token File
7.)Once we upload the new server token file we are going to click save

I just started receiving this error today. I've tried updating the key and token, but I'm still getting an error. We're using the cloud portal, so I can't verify time on the server, or use telnet. Any suggestions? Update-Our vendor did add two new devices today, and they do show in the prestage enrollment page, but are listed as unassigned.

Exact the same error shows up here in pre-stage enrollment for Macs. Did Apple break something?

We are having the same exact issue for our JSS environment and JAMF support told us that this issue has been escalated to Apple Engineering team. I guess we have to wait for Apple to fix it.

FWIW: in our case it seemed that one single unassigned device we added to the PreStage Enrollments (PSE) caused the error. When i removed the device from the particular PSE-group the thing went back to normal (as in no errors). I'll keep you guys posted on updates. Additional info: i first had to remove all devices drom the group, saved it and then added the 'normal' devices back to the PSE-group.

Same happened here to me today. (2/24)

Same happened here to today. (2/25) But not on all my JSS servers???
But it's only bij the PreStage enrollment of Computers
The PreStage enrollment of Mobile Devices is oke
This is on the same server. So it must be something in the JSS
After making a new PreStage enrollment stage by Computers same error
if i make a new PreStage enrollment stage by Mobile Devices no problem.

whats going on??

I'm not getting any errors, but our Macs aren't getting the JAMF binary, our management account, or Self Service after setup assistant. The MDM profile installs, but no other profiles push down. Gonna submit a ticket to JAMF Support and our Apple TAM.

Hmm, working again on a test machine, but a huge delay after completing setup assistant. Everything pushed down about 30 min after hitting the desktop of the local user. Still have support tickets logged with JAMF and Apple to see what they have to say.

After the rogue device was unpacked, turned on and connected to internet (we didn't had it unwrapped yet) We removed the device from the PSE-group, saved the group and, put it back in, saved again and presto! Error gone.
I'll do some research in the days to come on logs etc, but for now I think it might have something tot do with Apple's DEP and not with the JSS.

@mvdbent Did you made an empty PSE? (without Mac's added to the scope)

@Aufderhaar we did made a empty PSE-group but we get the same error.
This morning the error message went away after assigning devices in the PSE-group. it was for sure a Apple error but do you know what the error was??

@mvdbent for sure now is that 'something' in the DEP triggers that error. But what exactly is unknown. I could trickle it down to one device as we just got started on DEP/PSE and easily remove devices from groups etc. Oh well, let's all wait for the next hiccup.

I looked up this thread as we started getting this error message yesterday morning after updating to JSS 9.92. The issue was resolved this morning by downloading a new token from Apple and installing it. Corrupt token downloaded yesterday?

Started getting this message yesterday. I remembered seeing this error about 2 years ago and it was due to new Terms and Conditions on Apple's deployment website. However I checked, and there were no new terms. So I tried updating the PublicKey.pem file and token...but no dice. As suggested in this thread, I thought I'd check the time on our JSS.... noticed that my server time was off by about 5 minutes. Fixed it. No more error :)

Just ran across this one myself and reloading the tokens fixed it.

In the past, the servers time/date being out of sync was also an issue causing a similar error on our end.

hi to all... giving this thread a try....

we updated to 9.96... and now we can't configure ipad with prestage anymore...

updated Publickey and token.

Nothing good anymore.... anything im missing ?