Posted on 08-22-2014 09:06 AM
We are having issues with Configuration Profiles. When we push out any configuration profile to machines, we often have this error "Unable to decrypt encrypted profile" when checking to see if it failed in the JSS. Usually if we use terminal and do either sudo jamf recon or sudo jamf manage commands it goes through, but it is not any more. We also just implemented more vLANs in our environment, but all of the other Casper functions like Remote, JSS Policies, Self Service, Managed Preferences, etc work normally. I checked the SSL and Tomcat tickets to make sure they were up to date and they are good. We are using Version 9.32. Any light on this would be great!
Posted on 08-22-2014 10:35 AM
It sounds like you’re running into the behavior described in D-007135, in which we’d see that error happen on computers that are already in the JSS or were re-imaged while already in the JSS.
It’s caused by a timing issue between when the profile tried to install and the token update being pushed; when working normally, the profile will wait for the token update to go out before it attempts to install itself. With the defect, it fails to wait, goes first, and gets rejected because there is a mismatch.
D-007135 was fixed in 9.4.
JAMF Software Support
Posted on 12-15-2014 12:46 PM
FYI I'm seeing 'unable to decrypt profile' issue again in 9.62, similar to above only on reimaged computers. Working with support on it.
Posted on 12-15-2014 12:55 PM
Still seeing this in 9.62 as well.
Posted on 12-22-2014 10:15 AM
@jacom_salmela - are you seeing unable to decrypt issue with all OS's on reimage? So far I consistently see it with 10.9.4 base image, but not 10.10.1
Posted on 12-22-2014 10:24 AM
We are not on Yosemite yet, but I see it very often with 10.9.5 and 10.9.4
Posted on 01-02-2015 11:18 AM
Posted on 01-02-2015 11:22 AM
@david.kittle Affirmative. However, it is inconsistent. I have a test machine that I have imaged about a dozen time and it happened ~40% of the time.
Posted on 01-05-2015 05:36 AM
@david.kittle][/url - yes. you have my base OS image and are working with me on it through support I believe. It's 100% reproducible in our environment with machines that exist in JSS.
Edit: works with 10.10 fine, but consistently gets error with 10.9
Posted on 01-09-2015 12:43 PM
Add 10.8.5 to the list.
Posted on 01-26-2015 12:49 PM
@jacob_salmela and @casper_ghost - is your JSS windows by chance? Looking for a common thread. Support hasn't been able to replicate the issue but it's 95% consistent for me on 10.9 with 9.62.
Posted on 01-27-2015 07:23 AM
Posted on 01-27-2015 10:09 AM
@jacom_salmela are you working with support too? thanks for letting me know it happens on 9.63 too.
Posted on 02-06-2015 04:47 AM
FYI for anyone else who may see this issue, my issue was filed with defect D-007135.
Posted on 03-04-2015 09:50 AM
We are still seeing this with 9.65 on 10.9.5 clients
Posted on 03-04-2015 10:18 AM
Posted on 03-04-2015 10:24 AM
Glad I'm not alone. There's misery in company... I guess.
Posted on 03-04-2015 10:27 AM
Just to update you all, the defect mentioned earlier in this thread, and by @CasperSally on 2/6 has been re-opened, so if you’re seeing this behavior it may be due to D-007135.
If you have not already opened up a case with your Technical Account Manager, please do so so they can assist with further troubleshooting to either verify that you are experiencing the behavior described in D-007135 or to find out what the underlying cause is if it appears that that is not what you’re seeing in your environment.
You can get in touch with your Technical Account Manager either by giving Support a call, sending an e-mail to firstname.lastname@example.org (it will route directly to their case queue), or by using the My Support section of JAMF Nation.
Thanks for your patience!
JAMF Software Support
Posted on 01-05-2017 08:07 AM
Hello Seems I am getting this on JSS 9.96
Posted on 01-18-2017 08:40 AM
I was experiencing similar issues with same scenario. Newly imaged machine already in JSS. with 9.96. What I ended up doing to fix this issue was to: sudo jamf removeFramework command. I restarted machined and then went to the website to enroll it to jss. After that it got the configuration profile within a minute or so. Hope this helps you.
Posted on 02-14-2017 01:47 AM
Hi I am having this issue on one mac on 10.11.6 and JSS 9.97. It was previously managed by Profile manager but the old profiles were successfully removed and then enrolled in JSS and added to a configuration profile. I have tried various attempts to resolve but still returns the "unable to decrypt" fail. The mac enrols ok and has the verified MDM Profile in Sys Prefs. I can re enrol it with Profile Manager and it works perfectly again using that system. I have done numerous changeovers from Profile Manager but its just one stubborn iMac that gets this fail.
Posted on 12-01-2017 10:07 AM
Is anyone still seeing this on 10.13 with JAMF Pro? I am attempting to setup a plist for Chrome settings via configuration profile and it gives me this error.
Posted on 12-08-2017 07:41 AM
I have it as well... computer was initially enrolled and encrypted. I reformatted the hard drive HFS+ and still I get the error "Unable to decrypt encrypted profile."
Posted on 12-08-2017 10:48 AM
Tried the terminal command listed above: sudo jamf removeFramework
Still cannot decrypt encrypted profile...
Posted on 12-12-2017 11:33 AM
Any suggestions? Sigh... I'm going to try and reformat using APFS Encryption and see what Jamf Pro does after enrollment then...
Posted on 03-06-2018 09:49 PM
We're seeing this issue as well running Jamf Pro JSS 9.101.0. Has there been any solution found as yet?
Posted on 03-23-2018 07:09 AM
Am also having this issue with newly imaged Macs and we are on JSS version 10.1
Posted on 04-12-2018 05:59 PM
Yeah, I'm getting this problem. I think I'll wipe the machine, reinstall 10.;13 and re-enroll just for giggles.
Posted on 05-07-2018 03:00 PM
I am seeing this problem (one instance) running JAMFPRO 10.3 on a mac running 10.13.3
Posted on 06-05-2018 02:48 PM
Just got off chat with Jamf Support, Creating a brand new Configuration Profile (do not clone!) and adding the IDs again resolved my issue. No root cause but worked like a charm for me. We're on 10.3.0 for the record.
Posted on 07-19-2018 05:39 AM
I ran into this as well and can confirm @gleethorp's solution of creating a new config profile, rather than cloning, resolved the issue.
Posted on 10-04-2018 02:21 PM
So is the fix for this really a fix? Are we expected to recreate Config Profiles from scratch every time this error occurs?
Posted on 10-30-2018 03:08 PM
Creating new profiles doesn't work for us. We're running JSS 10.7.0 and on El Capitan (10.11.6) for 13 iMacs, they get "cannot decrypt encrypted profile".
For an issue created in 2014... there is still no resolution? I have completely wiped the machines, reinstalled OSX from USB, then re-enrolled only to find the same error...
Posted on 02-11-2019 08:50 AM
Creating a brand new (not clone) configuration did the trick for me. Had this come up after moving to Jamf Cloud.
Posted on 06-25-2019 09:49 PM
As with @cruess we have completely reformatted the computers and enrolled but still get this issue. Please fix this or provide a 100% reliable workaround, not just create Configuration Profiles from scratch.
macOS 10.13.x, macOS 10.14.x
JSS version 10.9.0-t1544463445
Posted on 06-26-2019 10:28 AM
I'm also experiencing this issue, when trying to deploy a mobileconfig file that I created on my local machine and then imported to JAMF Cloud. Running Recon and Policy does nothing.