Unable to contact https://mdmenrollment.apple.com PreStage enrollment

King13p
New Contributor

I keep getting this error using the new 9.3 stable.

Unable to contact https://mdmenrollment.apple.com to add a device to a PreStage enrollment

I see this under PreStage Enrollments when I create a new one and save it.

My iPads are erroring out:

The configuration for your iPad could not be downloaded from ****
The operation couldn't be completed. (NSURLErrorDomain error -1012.)

Please help. Thanks

EDIT: When I go to this site https://mdmenrollment.apple.com
I see this:

The requested URL was not found on this server.

Thanks


chlaird
Contributor

@musat, please log into your DEP, look at your server list, and look for the "last connected" date. I'd bet that date is the last time your enrollment worked. I had the same problem, exactly as you described. I set up new tokens (uploaded a new token from the JSS to the DEP, and uploaded a new token from the DEP to the JSS). It was fixed within minutes. I have no idea why it happened, but somehow the tokens stopped allowing communication and that "last connected" date reflected it.

musat
Contributor III

You are correct about the "Last Connected" date. I tried refreshing the token, but got a "Problem contacting Apple services" when uploading the new server token to the JSS. Looking at the date, I realized that this was the date that I moved the JSS VM to a different host server. I moved the VM back to the original host and it connected with the DEP server right away.

So the question now is, what difference would a different VM host make when everything else about the JSS server was working without any issues? Because the VM host server is scheduled to be replaced, which is why we moved the JSS server off of it.

chlaird
Contributor

Hmm that's a stumper. Do you have a backup of the VM you could restore onto the "new" host server and test with?

If you do, I'd try running these commands from the VM.

telnet 35-courier.push.apple.com 5223
telnet albert.apple.com 443
telnet gateway.push.apple.com 2195
telnet gateway.push.apple.com 2196

If any of those fail, you've got a communication issue. There could be a ton of other stuff, but those are the 4 commands I have from JAMF that helped me troubleshoot a past communication issue.

Similarly, when the VM was on the new host, you confirmed the system time was correct? I've had issues before where time was wrong, so the tokens failed. Maybe daylight savings time is involved... maybe??
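An added example, not part of the original posts and not JAMF's tooling: the same four reachability checks as the telnet commands above, scripted so each result is classified as open, refused, timeout, or DNS failure. The `probe` function name and the 5-second timeout are assumptions made for this sketch.

```python
import socket

# Host/port pairs taken from the four telnet commands in the post above.
ENDPOINTS = [
    ("35-courier.push.apple.com", 5223),
    ("albert.apple.com", 443),
    ("gateway.push.apple.com", 2195),
    ("gateway.push.apple.com", 2196),
]

def probe(host, port, timeout=5.0):
    """Try each resolved address in turn, as telnet does.

    Returns (verdict, results); results is a list of (ip, state) tuples.
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure", []
    results = []
    for family, socktype, proto, _canon, addr in infos:
        with socket.socket(family, socktype, proto) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect(addr)
                results.append((addr[0], "connected"))
                return "open", results
            except ConnectionRefusedError:
                # An active rejection came back from the host or a device in the path.
                results.append((addr[0], "refused"))
            except socket.timeout:
                # No answer at all, typical of packets being silently dropped.
                results.append((addr[0], "timeout"))
            except OSError as exc:
                results.append((addr[0], f"error: {exc}"))
    states = {state for _ip, state in results}
    if states == {"refused"}:
        return "refused", results
    if states == {"timeout"}:
        return "timeout", results
    return "mixed", results

if __name__ == "__main__":
    for host, port in ENDPOINTS:
        verdict, results = probe(host, port)
        print(f"{host}:{port} -> {verdict} {results}")
```

Run it from the JSS host itself, since the point of the check is what that server can reach through its own network path.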

musat
Contributor III

Thanks for the links. I'll give them a try. There are also two other new VM hosts that I am going to try moving the JSS server to, but now that I know that this could be an issue I'll be waiting to test off hours.

jbutler47
Contributor II

Checking on an issue with the error: "Unable to contact https://mdmenrollment.apple.com about a new PreStage enrollment or changes to..." and running chlaird's telnet check, all but one worked.

Error as follows with "telnet 35-courier.push.apple.com 5223":

System:~ user$ telnet 35-courier.push.apple.com 5223
Trying 17.172.232.51...
telnet: connect to address 17.172.232.51: Connection refused
Trying 17.172.232.53...
telnet: connect to address 17.172.232.53: Connection refused
Trying 17.172.232.59...
telnet: connect to address 17.172.232.59: Connection refused
Trying 17.172.232.83...
telnet: connect to address 17.172.232.83: Connection refused
Trying 17.172.232.90...
telnet: connect to address 17.172.232.90: Connection refused
Trying 17.172.232.57...
telnet: connect to address 17.172.232.57: Connection refused
Trying 17.172.232.70...
telnet: connect to address 17.172.232.70: Connection refused
Trying 17.172.232.64...
telnet: connect to address 17.172.232.64: Connection refused
telnet: Unable to connect to remote host

Would this be an internal networking issue if the other 3 telnet checks worked?

jbutler47
Contributor II

Checking into 30-courier.push.apple.com, there is an issue inside and outside our network. May not be our network, does this still exist or is the domain incorrect?

Any other thoughts out there?

jbutler47
Contributor II

Checking into 35-courier.push.apple.com, there is an issue inside and outside our network. May not be our network, does this still exist or is the domain incorrect?

Any other thoughts out there?

chlaird
Contributor

As of two minutes ago, I can reach all 4:


millersc
Valued Contributor

Starting Tests.....

APNs tests beginning #info #network
Feedbackhost (gateway.sandbox.push.apple.com): Resolving DNS Name
Pushhost (gateway.sandbox.push.apple.com): Resolving DNS Name
Courierhost (5-courier.sandbox.push.apple.com): Resolving DNS Name
Altcourierhost (5-courier.sandbox.push.apple.com): Resolving DNS Name
Altcourierhost (5-courier.sandbox.push.apple.com): 17.172.232.9
Courierhost (5-courier.sandbox.push.apple.com): 17.172.232.9
Altcourierhost (5-courier.sandbox.push.apple.com): Checking for proxy
Courierhost (5-courier.sandbox.push.apple.com): Checking for proxy
Altcourierhost (5-courier.sandbox.push.apple.com): No proxy found. Attempting to connect
Courierhost (5-courier.sandbox.push.apple.com): No proxy found. Attempting to connect
Registered for APNs with token XXXXX
Connected to Courierhost (5-courier.sandbox.push.apple.com) at IP address 17.172.232.9 on port 5223
Connected to Altcourierhost (5-courier.sandbox.push.apple.com) at IP address 17.172.232.9 on port 443
Pushhost (gateway.sandbox.push.apple.com): 17.172.232.18
Feedbackhost (gateway.sandbox.push.apple.com): 17.172.232.18
Pushhost (gateway.sandbox.push.apple.com): Checking for proxy
Feedbackhost (gateway.sandbox.push.apple.com): Checking for proxy
Pushhost (gateway.sandbox.push.apple.com): No proxy found. Attempting to connect
Feedbackhost (gateway.sandbox.push.apple.com): No proxy found. Attempting to connect
Connected to Pushhost (gateway.sandbox.push.apple.com) at IP address 17.172.232.18 on port 2195
Connected to Feedbackhost (gateway.sandbox.push.apple.com) at IP address 17.172.232.18 on port 2196
Trying to sending ourselves a push notification
Sent Push....Waiting for a response
Received Push Notification
APNs tests completed with 4 passed and 0 failed. #info #network

jbutler47
Contributor II

Ok, if I still get the error for "telnet 35-courier.push.apple.com 5223", then it has to be our network as others are able to connect. Am I right in the assumption? Curious.

chlaird
Contributor

I believe so. I don't believe anything changed on the Apple side, so the directions from JAMF should still be current, and that's what they told me. "connect to all 4. if you can't hit any of them, that's a problem"

luispalumbo
Contributor

I had the same problem today and tested everything that is in this discussion:
Created a new Public Key;
Created a new MDM server;
Tested the telnet commands as cited by @chlaird;
Removed the DEP settings from JSS.

All of these worked fine but I still couldn't add a new DEP setting on my JSS. Then I checked the time on my server and for some reason it was 5 minutes behind, even using an internal NTP server. Anyway, I corrected the time and it worked straight away.

In case someone is getting the same error, check the time on the server first just to avoid spending time and effort.
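An added example, not part of the original post: one way to measure the server's clock drift without relying on the local NTP setup is to compare the local clock with the `Date` header of an HTTPS response. The 60-second threshold and the function names are assumptions for this sketch, not a documented Apple or JAMF limit.

```python
import urllib.error
import urllib.request
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_SKEW_SECONDS = 60  # assumed alert threshold, chosen for illustration

def skew_seconds(date_header, local_now=None):
    """Server time minus local time; positive means the local clock is behind."""
    server = parsedate_to_datetime(date_header)
    local = local_now or datetime.now(timezone.utc)
    return (server - local).total_seconds()

def assess(date_header, local_now=None, limit=MAX_SKEW_SECONDS):
    """Return (status, skew) for a Date header value."""
    if not date_header:
        return "no Date header", None
    skew = skew_seconds(date_header, local_now)
    if abs(skew) <= limit:
        return "in sync", skew
    return ("local clock behind" if skew > 0 else "local clock ahead"), skew

def fetch_date_header(url, timeout=10):
    """HEAD the URL and return its Date header.

    An error status such as the 404 described in the first post still
    carries response headers, so the Date value is read from it as well.
    """
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.headers.get("Date")
    except urllib.error.HTTPError as err:
        return err.headers.get("Date")

if __name__ == "__main__":
    header = fetch_date_header("https://mdmenrollment.apple.com")
    status, skew = assess(header)
    print(f"Date: {header!r} -> {status}, skew={skew}")
```

The `Date` header has one-second resolution and includes network latency, which is adequate for spotting the multi-minute drift reported in this thread.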

NowAllTheTime
Contributor III

@luispalumbo Ran into this issue today, checked my time on the JSS and sure enough it was off by about 6min, and resetting the NTP server setting on the JSS fixed it! Thanks!

mks007
New Contributor II

I had the same issue after updating my Apple ID

I fixed the issues by generating a new Server Token on the DEP website and uploading it to the JSS.

jaymckay
New Contributor II

I also just had this issue. For me, it was one single iPad in my prestage scope that was causing the issue. Once I removed that iPad from the scope, everything worked perfectly. I'll have to check with apple to see what might have caused that device to throw an error.

stutz
Contributor

I had the same thing happen today:
"Unable to contact https://mdmenrollment.apple.com to add a device to a PreStage enrollment"

and

"The DEP service reported an error. (https://mdmenrollment.apple.com [403])"

Found out that Apple changed their terms and conditions for the DEP program and had to agree to them. Need to sign in with the program Agent account. After doing that the error messages went away in the JSS.

gskibum
Contributor III

Just another "me too."

In this case it turned out Apple was wanting two-step verification to be set up, as well as accepting new terms. After that was set up all was well.

easyedc
Valued Contributor II

Refreshed my MDM token from the DEP portal and that resolved my problems.

Matthew_Ramsay
New Contributor III

I was seeing the same errors. I had to log in to DEP and agree to the two updated User Agreements. Problem solved.

mburkey
New Contributor

Thank you mramsay -- this should be on the Jamfnation frontpage. Problem solved here, after a restart of our JSS.

dboeshart
New Contributor

We had the same problem of JSS not contacting the DEP servers, even though we recently updated our DEP token. Logging into DEP and accepting Apple's new terms and conditions fixed the problem. You know the old saying, mind your Ts and Cs.

tferguson
New Contributor

I'm receiving the same error. I did accept the new terms but under Device Enrollment Program in JSS we have two DEP entries, both pointing to the same Apple ID. While the new token made the first entry happy, the second one states that token is in use. If I create another key and token for this account, is that going to cause my first DEP entry to flake out?

EdLuo
Contributor II

Not sure if this is related but I have resolved our "NSURLErrorDomain error -1012" issue shown at the start of the DEP process for our iPhones.

Our solution was to restore a copy of our server.xml file and restart the tomcat service. The difference between the two server.xml files that I noticed was that the restored file had more cipher settings. The keystorefile and keystorepassword were also different.

I believe the server.xml file was changed or replaced during a failed upgrade to 8.91. An uninstall and reinstall of JSS was then performed to get 8.91 working.

Damien
New Contributor

My fix was similar to @dboeshart: agreeing to the new Terms and Conditions, and assignments started happening again.

davidwbeaty
New Contributor II

On JAMF's advice I regenerated the token on Apple's deployment website, and loaded it into our JSS server. The "DEP service reported an error..." message is gone now. Here are the steps they sent me:

1.) Go in the JSS to Settings > Global Management > Device Enrollment Program
2.) Download the Public Key by clicking the key button that says Public Key right next to it
3.) Log into deploy.apple.com
4.) Upload the PublicKey.pem that was just downloaded into the DEP portal. We'll hit "Replace Key.."
5.) Then we are going to select generate a Server-token and this will be uploaded into the JSS
6.) Go back into the JSS Device Enrollment Program, select the DEP group, hit edit and Upload Server Token File
7.) Once we upload the new server token file we are going to click save

jezerski
New Contributor III

I just started receiving this error today. I've tried updating the key and token, but I'm still getting an error. We're using the cloud portal, so I can't verify time on the server, or use telnet. Any suggestions? Update: Our vendor did add two new devices today, and they do show in the prestage enrollment page, but are listed as unassigned.

Aufderhaar
New Contributor II

Exactly the same error shows up here in pre-stage enrollment for Macs. Did Apple break something?

mchit
New Contributor II

We are having the same exact issue for our JSS environment and JAMF support told us that this issue has been escalated to Apple Engineering team. I guess we have to wait for Apple to fix it.

Aufderhaar
New Contributor II

FWIW: in our case it seemed that one single unassigned device we added to the PreStage Enrollments (PSE) caused the error. When I removed the device from the particular PSE-group the thing went back to normal (as in no errors). I'll keep you guys posted on updates. Additional info: I first had to remove all devices from the group, saved it and then added the 'normal' devices back to the PSE-group.

jgwatson
Contributor

Same happened here to me today. (2/24)

MischaB
New Contributor II

Same happened here too today. (2/25) But not on all my JSS servers???
But it's only with the PreStage enrollment of Computers.
The PreStage enrollment of Mobile Devices is OK.
This is on the same server. So it must be something in the JSS.
After making a new PreStage enrollment for Computers, same error.
If I make a new PreStage enrollment for Mobile Devices, no problem.

What's going on??

NowAllTheTime
Contributor III

I'm not getting any errors, but our Macs aren't getting the JAMF binary, our management account, or Self Service after setup assistant. The MDM profile installs, but no other profiles push down. Gonna submit a ticket to JAMF Support and our Apple TAM.

NowAllTheTime
Contributor III

Hmm, working again on a test machine, but a huge delay after completing setup assistant. Everything pushed down about 30 min after hitting the desktop of the local user. Still have support tickets logged with JAMF and Apple to see what they have to say.

Aufderhaar
New Contributor II

After the rogue device was unpacked, turned on and connected to the internet (we didn't have it unwrapped yet), we removed the device from the PSE-group, saved the group, put it back in, saved again and presto! Error gone.
I'll do some research in the days to come on logs etc, but for now I think it might have something to do with Apple's DEP and not with the JSS.

@mvdbent Did you make an empty PSE? (without Macs added to the scope)

MischaB
New Contributor II

@Aufderhaar we did make an empty PSE-group but we get the same error.
This morning the error message went away after assigning devices in the PSE-group. It was for sure an Apple error but do you know what the error was??

Aufderhaar
New Contributor II

@mvdbent for sure now is that 'something' in the DEP triggers that error. But what exactly is unknown. I could trickle it down to one device as we just got started on DEP/PSE and easily remove devices from groups etc. Oh well, let's all wait for the next hiccup.

wdpickle
Contributor

I looked up this thread as we started getting this error message yesterday morning after updating to JSS 9.92. The issue was resolved this morning by downloading a new token from Apple and installing it. Corrupt token downloaded yesterday?

nsdjoe
Contributor II

Started getting this message yesterday. I remembered seeing this error about 2 years ago and it was due to new Terms and Conditions on Apple's deployment website. However I checked, and there were no new terms. So I tried updating the PublicKey.pem file and token...but no dice. As suggested in this thread, I thought I'd check the time on our JSS.... noticed that my server time was off by about 5 minutes. Fixed it. No more error :)

Daikonran
New Contributor III

Just ran across this one myself and reloading the tokens fixed it.

In the past, the server's time/date being out of sync was also an issue causing a similar error on our end.

jmercier
Contributor II

hi to all... giving this thread a try....

we updated to 9.96... and now we can't configure iPad with prestage anymore...

updated Publickey and token.

Nothing good anymore.... anything I'm missing?