We are having issues with Configuration Profiles. When we push out any configuration profile to machines, we often have this error "Unable to decrypt encrypted profile" when checking to see if it failed in the JSS. Usually if we use terminal and do either sudo jamf recon or sudo jamf manage commands it goes through, but it is not any more. We also just implemented more vLANs in our environment, but all of the other Casper functions like Remote, JSS Policies, Self Service, Managed Preferences, etc work normally. I checked the SSL and Tomcat tickets to make sure they were up to date and they are good. We are using Version 9.32. Any light on this would be great!
It sounds like you’re running into the behavior described in D-007135, in which we’d see that error happen on computers that are already in the JSS or were re-imaged while already in the JSS.
It’s caused by a timing issue between when the profile tried to install and the token update being pushed; when working normally, the profile will wait for the token update to go out before it attempts to install itself. With the defect, it fails to wait, goes first, and gets rejected because there is a mismatch.
D-007135 was fixed in 9.4.
JAMF Software Support
Just to update you all, the defect mentioned earlier in this thread, and by @CasperSally on 2/6 has been re-opened, so if you’re seeing this behavior it may be due to D-007135.
If you have not already opened up a case with your Technical Account Manager, please do so so they can assist with further troubleshooting to either verify that you are experiencing the behavior described in D-007135 or to find out what the underlying cause is if it appears that that is not what you’re seeing in your environment.
You can get in touch with your Technical Account Manager either by giving Support a call, sending an e-mail to email@example.com (it will route directly to their case queue), or by using the My Support section of JAMF Nation.
Thanks for your patience!
JAMF Software Support
I was experiencing similar issues with same scenario. Newly imaged machine already in JSS. with 9.96. What I ended up doing to fix this issue was to: sudo jamf removeFramework command. I restarted machined and then went to the website to enroll it to jss. After that it got the configuration profile within a minute or so. Hope this helps you.
Hi I am having this issue on one mac on 10.11.6 and JSS 9.97. It was previously managed by Profile manager but the old profiles were successfully removed and then enrolled in JSS and added to a configuration profile. I have tried various attempts to resolve but still returns the "unable to decrypt" fail. The mac enrols ok and has the verified MDM Profile in Sys Prefs. I can re enrol it with Profile Manager and it works perfectly again using that system. I have done numerous changeovers from Profile Manager but its just one stubborn iMac that gets this fail.
Creating new profiles doesn't work for us. We're running JSS 10.7.0 and on El Capitan (10.11.6) for 13 iMacs, they get "cannot decrypt encrypted profile".
For an issue created in 2014... there is still no resolution? I have completely wiped the machines, reinstalled OSX from USB, then re-enrolled only to find the same error...