I keep getting this error using the new 9.3 stable.
Unable to contact https://mdmenrollment.apple.com to add a device to a PreStage enrollment
I see this under PreStage Enrollments when I create a new one and save it.
My iPads are erroring out :
The configuration for your iPad could not be downloaded from ****
The operation couldn't be completed. (NSURLErrorDomain error -1012.)
Please help. Thanks
EDIT: When I go to this site https://mdmenrollment.apple.com
I see this:
The requested URL was not found on this server.
@musat, please log into your DEP, look at your server list, and look for the "last connected" date. I'd bet that date is the last time your enrollment worked. I had the same problem, exactly as you described. I set up new tokens (uploaded a new token from the JSS to the DEP, and uploaded a new token from the DEP to the JSS). It was fixed within minutes. I have no idea why it happened, but somehow the tokens stopped allowing communication and that "last connected" date reflected it.
You are correct about the "Last Connected" date. I tried refreshing the token, but got a "Problem contacting Apple services" when uploading the new server token to the JSS. Looking at the date, I realized that this was the date that I move the JSS VM to a different host server. I moved the VM back to the original host and it connected with the DEP server right away.
So the question now is, what difference would a different VM host make when everything else about the JSS server was working without any issues? Because the VM host server is scheduled to be replaced, which is why we moved the JSS server off of it.
Hmm that's a stumper. Do you have a backup of the VM you could restore onto the "new" host server and test with?
If you do, I'd try running these commands from the VM.
telnet 35-courier.push.apple.com 5223
telnet albert.apple.com 443
telnet gateway.push.apple.com 2195
telnet gateway.push.apple.com 2196
If any of those fail, you've got a communication issue. There could be a ton of other stuff, but those are the 4 commands I have from JAMF that helped me troubleshoot a past communication issue.
Similarly, when the VM was on the new host, you confirmed the system time was correct? I've had issues before where time was wrong, so the tokens failed. Maybe daylight savings time is involved... maybe??
Thanks for the links. I give them a try. There are also two other new VM hosts that I am going to try moving the JSS server to, but now that I know that this could be an issue I'll be waiting to test off hours.
Checking on an issue with the error: "Unable to contact https://mdmenrollment.apple.com about a new PreStage enrollment or changes to..." and running chlaird's telnet check, all but one worked.
Error as follows with "telnet 35-courier.push.apple.com 5223":
System:~ user$ telnet 35-courier.push.apple.com 5223
telnet: connect to address 188.8.131.52: Connection refused
telnet: connect to address 184.108.40.206: Connection refused
telnet: connect to address 220.127.116.11: Connection refused
telnet: connect to address 18.104.22.168: Connection refused
telnet: connect to address 22.214.171.124: Connection refused
telnet: connect to address 126.96.36.199: Connection refused
telnet: connect to address 188.8.131.52: Connection refused
telnet: connect to address 184.108.40.206: Connection refused
telnet: Unable to connect to remote host
Would this be an internal networking issue if the other 3 telnet checks worked?
Checking into 30-courier.push.apple.com, there is an issue inside and outside our network. May not be our network, does this still exist or is the domain incorrect?
Any other thoughts out there?
Checking into 35-courier.push.apple.com, there is an issue inside and outside our network. May not be our network, does this still exist or is the domain incorrect?
Any other thoughts out there?
APNs tests beginning #info #network
Feedbackhost (gateway.sandbox.push.apple.com): Resolving DNS Name
Pushhost (gateway.sandbox.push.apple.com): Resolving DNS Name
Courierhost (5-courier.sandbox.push.apple.com): Resolving DNS Name
Altcourierhost (5-courier.sandbox.push.apple.com): Resolving DNS Name
Altcourierhost (5-courier.sandbox.push.apple.com): 220.127.116.11
Courierhost (5-courier.sandbox.push.apple.com): 18.104.22.168
Altcourierhost (5-courier.sandbox.push.apple.com): Checking for proxy
Courierhost (5-courier.sandbox.push.apple.com): Checking for proxy
Altcourierhost (5-courier.sandbox.push.apple.com): No proxy found. Attempting to connect
Courierhost (5-courier.sandbox.push.apple.com): No proxy found. Attempting to connect
Registered for APNs with token XXXXX
Connected to Courierhost (5-courier.sandbox.push.apple.com) at IP address 22.214.171.124 on port 5223
Connected to Altcourierhost (5-courier.sandbox.push.apple.com) at IP address 126.96.36.199 on port 443
Pushhost (gateway.sandbox.push.apple.com): 188.8.131.52
Feedbackhost (gateway.sandbox.push.apple.com): 184.108.40.206
Pushhost (gateway.sandbox.push.apple.com): Checking for proxy
Feedbackhost (gateway.sandbox.push.apple.com): Checking for proxy
Pushhost (gateway.sandbox.push.apple.com): No proxy found. Attempting to connect
Feedbackhost (gateway.sandbox.push.apple.com): No proxy found. Attempting to connect
Connected to Pushhost (gateway.sandbox.push.apple.com) at IP address 220.127.116.11 on port 2195
Connected to Feedbackhost (gateway.sandbox.push.apple.com) at IP address 18.104.22.168 on port 2196
Trying to sending ourselves a push notification
Sent Push....Waiting for a response
Received Push Notification
APNs tests completed with 4 passed and 0 failed. #info #network
I believe so. I don't believe anything changed on the Apple side, so the directions from JAMF should still be current, and that's what they told me. "connect to all 4. if you can't hit any of them, that's a problem"
I had the same problem today and tested everything that is in this discussion:
Created a new Public Key;
Created a new MDM server;
Tested the telnet commands as cited by @chlaird;
Removed the DEP settings from JSS.
All of these worked fine but I still couldn't add a new DEP setting on my JSS. Then I checked the time on my server and for some reason it was 5 minutes behind, even using an internal NTP server. Anyway, I corrected the time and it worked straight away.
If in case someone is getting the same error, check the time on the server first just to avoid spending time and effort.
I also just had this issue. For me, it was one single iPad in my prestage scope that was causing the issue. Once I removed that iPad from the scope, everything worked perfectly. I'll have to check with apple to see what might have caused that device to throw an error.
I had the same thing happen today:
"Unable to contact https://mdmenrollment.apple.com to add a device to a PreStage enrollment"
"The DEP service reported an error. (https://mdmenrollment.apple.com )"
Found out that Apple changed their terms and conditions for the DEP program and had to agree to them. Need to sign in with the program Agent account. After doing that the error messages went away in the JSS.
We had the same problem of JSS not contacting the DEP servers, even though we recently updated our DEP token. Logging into DEP and accepting Apple's new terms and conditions fixed the problem. You know the old saying, mind your Ts and Cs.
I'm receiving the same error. I did accept the new terms but under Device Enrollment Program in JSS we have two DEP entries, both pointing to the same Apple ID. While the new token made the first entry happy, the second one states that token is in use. If I create another key and token for this account, is that going to cause my first DEP entry to flake out?
Not sure if this is related but I have resolved our "NSURLErrorDomain error -1012" issue shown at the start of the DEP process for our iPhones.
Our solution was to restore a copy of our server.xml file and restart tomcat service. The difference between the two server.xml file that I noticed was that the restored file had more ciphers settings. The keystorefile and keystorepassword were also different.
I believe the server.xml file was changed or replaced during an failed upgrade to 8.91. An uninstall and reinstall of JSS was then preformed to get 8.91 working.
On JAMF's advice I regenerated the token on Apple's deployment website, and loaded it into our JSS server. The "DEP service reported an error..." message is gone now. Here are the steps they sent me:
1.)Go in the JSS to Settings>Global Management>Device Enrollment Program
2.)Download the Public Key by clicking the key button that says Public Key right next to it
3.)Log into deploy.apple.com
4.)Upload the PublicKey.pem that was just downloaded into the DEP portal. We'll hit "Replace Key.."
5.)Then we are going to select generate a Server-token and this will be uploaded into the JSS
6.)Go back into the JSS Device Enrollment Program select the DEP group, hit edit and Upload Server Token File
7.)Once we upload the new server token file we are going to click save
I just started receiving this error today. I've tried updating the key and token, but I'm still getting an error. We're using the cloud portal, so I can't verify time on the server, or use telnet. Any suggestions? Update-Our vendor did add two new devices today, and they do show in the prestage enrollment page, but are listed as unassigned.
FWIW: in our case it seemed that one single unassigned device we added to the PreStage Enrollments (PSE) caused the error. When i removed the device from the particular PSE-group the thing went back to normal (as in no errors). I'll keep you guys posted on updates. Additional info: i first had to remove all devices drom the group, saved it and then added the 'normal' devices back to the PSE-group.
Same happened here to today. (2/25) But not on all my JSS servers???
But it's only bij the PreStage enrollment of Computers
The PreStage enrollment of Mobile Devices is oke
This is on the same server. So it must be something in the JSS
After making a new PreStage enrollment stage by Computers same error
if i make a new PreStage enrollment stage by Mobile Devices no problem.
whats going on??
I'm not getting any errors, but our Macs aren't getting the JAMF binary, our management account, or Self Service after setup assistant. The MDM profile installs, but no other profiles push down. Gonna submit a ticket to JAMF Support and our Apple TAM.
Hmm, working again on a test machine, but a huge delay after completing setup assistant. Everything pushed down about 30 min after hitting the desktop of the local user. Still have support tickets logged with JAMF and Apple to see what they have to say.
After the rogue device was unpacked, turned on and connected to internet (we didn't had it unwrapped yet) We removed the device from the PSE-group, saved the group and, put it back in, saved again and presto! Error gone.
I'll do some research in the days to come on logs etc, but for now I think it might have something tot do with Apple's DEP and not with the JSS.
@mvdbent Did you made an empty PSE? (without Mac's added to the scope)
I looked up this thread as we started getting this error message yesterday morning after updating to JSS 9.92. The issue was resolved this morning by downloading a new token from Apple and installing it. Corrupt token downloaded yesterday?
Started getting this message yesterday. I remembered seeing this error about 2 years ago and it was due to new Terms and Conditions on Apple's deployment website. However I checked, and there were no new terms. So I tried updating the PublicKey.pem file and token...but no dice. As suggested in this thread, I thought I'd check the time on our JSS.... noticed that my server time was off by about 5 minutes. Fixed it. No more error :)
hi to all... giving this thread a try....
we updated to 9.96... and now we can't configure ipad with prestage anymore...
updated Publickey and token.
Nothing good anymore.... anything im missing ?