User Initiation enrollment failing

pshouston
New Contributor II

We have been using the User Initiation Enrollment where we send an email to the user, they log in, and the management profile is installed. This is our second year using this with no problem. This afternoon, this seems to have stopped working. The user clicks the link within the email. He gets the typical "Log in to enroll your device." He logs in with the username/password we have provided, then he clicks the "Enroll" button. He then gets the "To continue, you need to install the CA certificate for your organization," and he clicks Continue. It's at this point a white window pops up that we have never seen before...and it pops up VERY briefly. See attached. Then it seems the installation fails and we get two more messages (see attached.)

4 REPLIES

michellem812
New Contributor

Does this fix it for you?

I did Option B from this link: https://www.jamf.com/jamf-nation/articles/464/changes-in-user-initiated-enrollment-with-untrusted-certificate-authority-ca-signed-ssl-certificates-in-ios-10-3-and-later for an iPad to fix that issue once:

After installing the CA certificate during user-initiated enrollment, but before installing the MDM profile, your end users must manually trust your server's SSL certificate by doing the following:

  1. On the device, go to Settings > General > About > Certificate Trust Settings.
  2. Verify the certificate listed is the correct certificate for your Jamf Pro server. Warning: Enabling full trust for the incorrect certificate will put your devices at risk.
  3. Enable full trust for your server's untrusted SSL certificate.
  4. Click Continue on the Root Certificate pop-up. The CA certificate is now trusted. Return to the enrollment page in your web browser, and proceed with the installation of the MDM profile.

stevevalle
Contributor III

I have just opened a case with our JAMF rep regarding this issue.

Unfortunately, the above does not work for us as the certificate is not installed before the error.

Using a 3rd party certificate instead of the built-in JSS cert will solve this issue.

dmw3
Contributor III

We now have the same issue as described above. Yes, we do have a trusted third party certificate, but still have the same issue.

Even installing the certificate via Apple Configurator 2, we still cannot enrol any iOS devices. This is getting very frustrating as it is the start of a new project with the iOS devices. We also are seeing the attached pop-up being displayed.

Normal laptops and desktops are not affected by this. Yes, we have checked that ports are open and even enabled full trust, still no go.

Any help with this would be appreciated.

michael_devins
Contributor II

iOS devices running iOS 10.3.3+ (including iOS 11) introduce a new behavior during the user-initiated enrollment. iOS now offers an additional prompt before opening the CA in Settings. Jamf Pro 9.100 should properly handle this new behavior and pause to allow users to install that CA before advancing to the MDM Profile. If you are experiencing this issue with 9.100, please contact your Jamf Buddy.