Unable to decrypt encrypted profile - Configuration Profiles

rhoward
Contributor

Hello,

We are having issues with Configuration Profiles. When we push out any configuration profile to machines, we often have this error "Unable to decrypt encrypted profile" when checking to see if it failed in the JSS. Usually if we use terminal and do either sudo jamf recon or sudo jamf manage commands it goes through, but it is not any more. We also just implemented more vLANs in our environment, but all of the other Casper functions like Remote, JSS Policies, Self Service, Managed Preferences, etc work normally. I checked the SSL and Tomcat tickets to make sure they were up to date and they are good. We are using Version 9.32. Any light on this would be great!

Ryan

41 REPLIES 41

were_wulff
Valued Contributor II

@rhoward

It sounds like you’re running into the behavior described in D-007135, in which we’d see that error happen on computers that are already in the JSS or were re-imaged while already in the JSS.

It’s caused by a timing issue between when the profile tried to install and the token update being pushed; when working normally, the profile will wait for the token update to go out before it attempts to install itself. With the defect, it fails to wait, goes first, and gets rejected because there is a mismatch.

D-007135 was fixed in 9.4.

Thanks!
Amanda Wulff
JAMF Software Support

CasperSally
Valued Contributor II

FYI I'm seeing 'unable to decrypt profile' issue again in 9.62, similar to above only on reimaged computers. Working with support on it.

jacob_salmela
Contributor II

Still seeing this in 9.62 as well.

CasperSally
Valued Contributor II

@jacom_salmela - are you seeing unable to decrypt issue with all OS's on reimage? So far I consistently see it with 10.9.4 base image, but not 10.10.1

jacob_salmela
Contributor II

We are not on Yosemite yet, but I see it very often with 10.9.5 and 10.9.4

david_kittle
New Contributor
New Contributor

@rhoward @CasperSally @jacob_salmela are you still seeing this behavior?

jacob_salmela
Contributor II

@david.kittle Affirmative. However, it is inconsistent. I have a test machine that I have imaged about a dozen time and it happened ~40% of the time.

CasperSally
Valued Contributor II

@david.kittle][/url - yes. you have my base OS image and are working with me on it through support I believe. It's 100% reproducible in our environment with machines that exist in JSS.

Edit: works with 10.10 fine, but consistently gets error with 10.9

casper_ghost
New Contributor

Add 10.8.5 to the list.

CasperSally
Valued Contributor II

@jacob_salmela and @casper_ghost - is your JSS windows by chance? Looking for a common thread. Support hasn't been able to replicate the issue but it's 95% consistent for me on 10.9 with 9.62.

jacob_salmela
Contributor II

@CasperSally negative. Ours is on Ubuntu. I still see this with 9.63.

CasperSally
Valued Contributor II

@jacom_salmela are you working with support too? thanks for letting me know it happens on 9.63 too.

CasperSally
Valued Contributor II

FYI for anyone else who may see this issue, my issue was filed with defect D-007135.

marktaylor
Contributor

We are still seeing this with 9.65 on 10.9.5 clients

jacob_salmela
Contributor II

Same here.

CasperSally
Valued Contributor II

Glad I'm not alone. There's misery in company... I guess.

were_wulff
Valued Contributor II

@marktaylor @jacob_salmela

Just to update you all, the defect mentioned earlier in this thread, and by @CasperSally on 2/6 has been re-opened, so if you’re seeing this behavior it may be due to D-007135.

If you have not already opened up a case with your Technical Account Manager, please do so so they can assist with further troubleshooting to either verify that you are experiencing the behavior described in D-007135 or to find out what the underlying cause is if it appears that that is not what you’re seeing in your environment.

You can get in touch with your Technical Account Manager either by giving Support a call, sending an e-mail to support@jamfsoftware.com (it will route directly to their case queue), or by using the My Support section of JAMF Nation.

Thanks for your patience!

Amanda Wulff
JAMF Software Support

kenergy
Contributor

Hello Seems I am getting this on JSS 9.96

bkuhl
New Contributor II

I was experiencing similar issues with same scenario. Newly imaged machine already in JSS. with 9.96. What I ended up doing to fix this issue was to: sudo jamf removeFramework command. I restarted machined and then went to the website to enroll it to jss. After that it got the configuration profile within a minute or so. Hope this helps you.

Mikep62
New Contributor II

Hi I am having this issue on one mac on 10.11.6 and JSS 9.97. It was previously managed by Profile manager but the old profiles were successfully removed and then enrolled in JSS and added to a configuration profile. I have tried various attempts to resolve but still returns the "unable to decrypt" fail. The mac enrols ok and has the verified MDM Profile in Sys Prefs. I can re enrol it with Profile Manager and it works perfectly again using that system. I have done numerous changeovers from Profile Manager but its just one stubborn iMac that gets this fail.

aliebowitz
New Contributor

Is anyone still seeing this on 10.13 with JAMF Pro? I am attempting to setup a plist for Chrome settings via configuration profile and it gives me this error.

ScottOram
New Contributor II

I have it as well... computer was initially enrolled and encrypted. I reformatted the hard drive HFS+ and still I get the error "Unable to decrypt encrypted profile."

ScottOram
New Contributor II

Tried the terminal command listed above: sudo jamf removeFramework

Still cannot decrypt encrypted profile...

ScottOram
New Contributor II

Any suggestions? Sigh... I'm going to try and reformat using APFS Encryption and see what Jamf Pro does after enrollment then...

aburrow
Contributor

We're seeing this issue as well running Jamf Pro JSS 9.101.0. Has there been any solution found as yet?

dshumatepcisd
New Contributor

Am also having this issue with newly imaged Macs and we are on JSS version 10.1

honestpuck
Contributor

Yeah, I'm getting this problem. I think I'll wipe the machine, reinstall 10.;13 and re-enroll just for giggles.

jamesgreennew
New Contributor II

I am seeing this problem (one instance) running JAMFPRO 10.3 on a mac running 10.13.3

gleethorp
New Contributor

Just got off chat with Jamf Support, Creating a brand new Configuration Profile (do not clone!) and adding the IDs again resolved my issue. No root cause but worked like a charm for me. We're on 10.3.0 for the record.

apizz
Valued Contributor

I ran into this as well and can confirm @gleethorp's solution of creating a new config profile, rather than cloning, resolved the issue.

Morningside
Contributor II

So is the fix for this really a fix? Are we expected to recreate Config Profiles from scratch every time this error occurs?

cruess
New Contributor III

Creating new profiles doesn't work for us. We're running JSS 10.7.0 and on El Capitan (10.11.6) for 13 iMacs, they get "cannot decrypt encrypted profile".

For an issue created in 2014... there is still no resolution? I have completely wiped the machines, reinstalled OSX from USB, then re-enrolled only to find the same error...

Please advise...

ben_hertenstein
Release Candidate Programs Tester

Creating a brand new (not clone) configuration did the trick for me. Had this come up after moving to Jamf Cloud.

dmw3
Contributor III

As with @cruess we have completely reformatted the computers and enrolled but still get this issue. Please fix this or provide a 100% reliable workaround, not just create Configuration Profiles from scratch.

macOS 10.13.x, macOS 10.14.x
JSS version 10.9.0-t1544463445

aaron_a
New Contributor

I'm also experiencing this issue, when trying to deploy a mobileconfig file that I created on my local machine and then imported to JAMF Cloud. Running Recon and Policy does nothing.

pinsent
New Contributor III

Four years later and this problem is still a problem. Creating a new config profile did not work for me.

pinsent
New Contributor III

UPDATE - I ended up editing the IP list of our Azure firewalls after I discovered the Jamf announcement of 11/13/23. 

Morningside
Contributor II

I have since switched to Mosyle (where this is not an issue), but if I recall correctly I never found an issue for this in Jamf. Good luck!

Mithrandir
New Contributor III

I'm seeing this problem behavior in Jamf Pro 11.1.1-t1701704198 with 14.2.1 & 13.6.3, and it's effecting some of my VIPs.