JAMF Pro 11.3 GSX no renew for certificate.

dugnl
Contributor

Our GSX connection certificate is about to expire.  We got a new one from Apple's GSX services.   The JAMF pro documentation says there is a renew button.  It's totally missing from our 11.3 cloud instance.  I've opened a ticket with JAMF but heard nothing back.

I went ahead and removed the old certificate and uploaded the new one.  The only way I could to get the certificate in there.   I also loaded up a new API token.    Now, I'm getting unauthorized.  GSX has came back and said it's a Jamf UI problem as the cert and account look good.

Wondering if anyone else has noticed this?

Renewing the Apple Certificate

You can use Jamf Pro to upload a renewed Apple certificate without removing the existing certificate so the connection with GSX is not lost. A notification is displayed 31 days prior to the expiration date of the Apple certificate.

  1. In Jamf Pro, click Settings in the sidebar.
  2. In the Global section, click GSX connection.
  3. Click Edit .
  4. Click Renew.
  5. Follow the onscreen instructions to upload a renewed Apple certificate.

 

23 REPLIES 23

aparten
New Contributor III

@dugnl Ever solve this? Getting similar results lately...

dugnl
Contributor

JAMF Support opened product issue PI117280.   I don't know if that PI has been published to everyone.  I also don't know if this PI is fixed in JAMF 11.4.   

Our GSX connection was working with 11.2 and broke with 11.3.    JAMF support seemed to think it was user error or a configuration issue.  I spent a full week trying to convince them that it wasn't difficult to not see a big "Renew" button.

They must've had some other reports during this time, because JAMF support did come back with the PI number.  I don't think they had one until about the time I brought the issue up.     This did have to get elevated past their initial support techs.

I haven't heard anything back and with JAMF Pro cloud coming April 12th, we will see what happens then.  

In the meantime, our GSX connection is completely broken.

I suggest opening a ticket with support and see if it's the same thing.   Again, you might have to elevate it a bit higher.

Doug

 

There last response to me:

Hi Doug,

I think that we are running into an open product issue - PI117280 - GSX failing due to duplicate calls, that is causing the renew button to fail to appear based on error messages in your server logs"

 

aparten
New Contributor III

Thanks for the response! I contacted GSX support earlier and they told me it's a "known issue with Jamf" so I created a support request with Jamf. Hopefully it will be resolved soon! I notice there's no mention of that PI in the 11.4.0 release notes, so I'm guessing it'll be addressed in a later release.

-Alex

dugnl
Contributor

With 11.4.1, I still never got a renew button and by the time 11.4 was implemented my expiring cert had expired.   I uploaded the new cert.  It tests the connection okay.  But, now I've got a new issue.  When clicking on purchasing on any device and running the lookup, I get a jamfcloud.com says GSX lookup was not successful.  Not sure what the next step is.... I'm fairly confident I did the certificate correctly.

jtrant
Valued Contributor

Same issue here, I have a feeling it's related to the PI linked above.

llitz123
Contributor III

Opened a ticket and the tech didn't really know much.  I pointed him to this thread and he guessed I had the same issue?  He said just keep an eye out for a fix after a JSS update - read the release notes?  Anyone have a fix for this as our days to renew are dwindling quickly.

Thanks.

my time for renewing ran out.   I did have a new certificate.   The new certificate uploads and connection tests OK.    But, when retrieving GSX data, it says GSX lookup is unsuccessful.   Ticket with Apple GSX and they say it's the same JAMF issue.

I opened the ticket again with JAMF.  The same higher tech worked the case.  He put logging on our server.  Rob at JAMF support stated. "ok, the problem is still tied to the original product issue PI117280)."    The logs show duplicate/repeated API queries against GSX from JAMF.   The issue isn't resolved.   My GSX hasn't connected for over a month now.  Rob talks about trying to get additional traction to resolve the issue.    But right now there is no fix.   So, we are all just supposed to keep an eye out for any JSS updates and read the release notes for them.

Just a note that I'm on the 11.4.1 release........ 11.3 wouldn't test the GSX connection successfully at all.  returned unauthorized.  11.4.1 at least the cert loaded and connection was okay.  But I still can't lookup information.

llitz123
Contributor III

Thanks for the thorough response.  Our server for reference as well: 11.4.1-t1712591696

eric_wood
New Contributor II

I'm glad I eventually found this thread.

Version 11.4.1-t1712591696 here and experiencing the same issue.

I had just renewed my PEM files for my GSX Sold-To this very morning, after having let it lapse for a few months, and thought I had done something wrong in the process.

eric_wood
New Contributor II

An update:

I opened a case a week ago, and after a lot of back and forth of them not believing my issue was related, them having me perform endless debug level log collecting, and them collecting debug level back end logs, changing support engineers, and so on, today they have finally attributed my issue to product issue PI117280.

Hope they roll a fix into an update soon.

aparten
New Contributor III

I will assume they're still working on the issue as 11.4.2 does not address this PI either. Hopefully it can be resolved soon! 🤞

eric_wood
New Contributor II

I can concur that 11.4.2 does not resolve this issue for my instance. No change in GSX lookup behaviour here.

ChkYerSelf
New Contributor II

Same issue here, great if Jamf took some accountability

marlink
New Contributor III

Glad to see I'm not the only one. Our purchasing lookups worked fine until about a week or so ago, and I've gotten multiple responses from JAMF support referencing the "product issue" and the PI number. I've been escalated twice, but still no resolution. 

JAMF version 11.4.2 with a GSX cert that doesn't expire for over a year. Come on, JAMF, get this fixed!

dugnl
Contributor

Not fixed in 11.5.0 coming out in a couple weeks.  The below is in the known issues of the release notes

PI117280 Due to an authentication error, new or expired GSX integrations cannot be configured or renewed in Jamf Pro, and existing integrations may experience an error when performing a “Look up Purchasing Information from GSX” mass action.

 

llitz123
Contributor III

It looks like this may be fixed in latest update?

New Features and Enhancements - Jamf Pro Release Notes 11.5.1 | Jamf

  • [PI118360] Populating GSX purchasing data in a computer or mobile device inventory record functions as expected after removing and re-uploading the GSX certificate.

I'll try and verify when we get the cloud update...

ChkYerSelf
New Contributor II

About to test, curious if anyone has tested to see if issues is fixed?

 

Mine is now working. Didn't work right away.   I had to turn off the connection (slider bar) and turn it back on....then I had to upload a new API token.   After that it worked.

ChkYerSelf
New Contributor II

Looks like it is fixed, we are working also after updating the API Token

llitz123
Contributor III

My GSX expired and JAMF Support is less than helpful.  They referred me to this article yet it doesnt tell me how to get the CSR from Apple and I don't know my contacts at Apple.  I remember from the time I did this years ago I had to send certain info to a certain email.  Does anyone have more detailed info on this process?

Thanks.

 

The thing is, that article is the detail.  GSX can be frustrating because very, very, very specific steps have to be followed. How to do the CSR and what needs to be filled out is an article within GSX that you have to search for and follow the instructions exactly.

You also have to know your Apple account manager.  Because GSX requires you to CC them and if you don't GSX is gonna come back and tell you that you didn't.

The instructions are in that article until you get to the point of creating the CSR but then you need the article that's within the GSX system itself.  Once you get that article, copy it out and write the instructions down yourself.  The first time is a huge challenge.   GSX system and JAMF system being two different things.  JAMF isn't kidding about the fact some of those steps are dictated by Apple and might change.  Once of the reasons I think why JAMF doesn't put the how to do the CSR in the article, cause GSX wants you to read their article in their GSX system.

It's really not JAMFs fault.  GSX has very specific requirements and rules that you have to follow.  (I'm actually being nice there cause they've annoyed me more than once...but I've learned to follow those rules)

Must have a GSX account.  Must have certain managerial administrative requirements for that account.  Must log onto that account and pull down the how to create a CSR instructions.   Must follow the email requirements to GSX exactly as written in that document.   ship to, customer numbers and the other requested information must be correct or else the cert won't be correct.  Do it once, write it down for yourself cause you'll have to do it again two years later.

 

llitz123
Contributor III

All I really needed was the email address to search from the last time I did it.

I was having trouble getting started and it seems like no one knew the answer, so I found it!

This article is legit for anyone needing guidance.  This is the post in that article.

The apple email address is: GSX Web Services Support <gsxws@apple.com>

Good luck out there.

Thanks.