Jamf Nation Community

Right. Where do I begin.... I am going to try and be as constructive as possible rather than just complaining. 

We've been running Jamf Pro (currently 11.4.2) for almost two years. Since day one we had issues with out of the box or EACAS Macs fully completing enrolment. The usual state they would end up in was for the profiles to install fine, VPP apps to install, etc, but for no policies to run nor for Self Service to install. When I looked on Jamf Nation and other sources I saw that this can sometimes happen and so because I'm a scripting god I came up with an amazingly complex script that is installed as part of an PreStage Profile's enrolment package workflow. The script does the following:

/usr/local/bin/jamf policy

This immediately caused enrolment to complete, the Self Service app appeared in /Applications and everything was once more right in the world. A reboot would achieve the same, but we didn't want to randomly reboot the Mac halfway through enrolment or ask the user to do so. This simply shouldn't be necessary!

We accepted this workaround for about a year because it Just Worked and I didn't need to involve Jamf Support. Until now...

(no, it's not a firewall issue and it's not DNS (or is it?) - the symptom is the same whether the devices are on the corporate network, tethered to an iPhone or sitting here at home with me on a bog-standard consumer broadband connection)

With one of the recent-ish OS updates, we saw a race condition whereby the enrolment package's attempt to call /usr/local/bin/jamf failed because the jamf binary had not actually been installed at the time the enrolment package's postinstall script was called. Rather than try to work around this with tests in the script to wait for the presence of the binary, I thought I'd try my first attempt at reaching around to Jamf Support. I logged a ticket during the first week of March and the issue is still unresolved. You would have thought that I've found a brand new issue that has completely baffled the most intelligent minds in Minneapolis.

<grumble>

London
45 Mortimer Street
London W1W 8HJ
United Kingdom
Phone +44 (0) 208 164 4053

</grumble>

Now, to be fair, in my time dealing with Jamf Pro I have rarely come across an issue that wasn't able to be resolved by good old fashioned logical troubleshooting or with the aid of the very helpful and generous community here. But symptoms identical or similar to mine keep coming up in search results with no reliable fix.

I spent some more time on the issue today and have discovered what I think is the cause of the stalled enrolment: After the Mac loads the Finder for the first time and drops you at the desktop, a LaunchDaemon named com.jamf.management.enroll.plist is present with the following contents:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeepAlive</key>
<dict>
<key>SuccessfulExit</key>
<false/>
</dict>
<key>Label</key>
<string>com.jamf.management.enroll</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/jamf/bin/jamf</string>
<string>postMdmEnrollment</string>
<string>-server_url</string>
<string>https://blahblah.jamfcloud.com</string>
<string>-invitation</string>
<string>215477778593833692970966644604081438781</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>UserName</key>
<string>root</string>
</dict>
</plist>

The LaunchDaemon is being bootstrapped by whatever process is responsible for that, because it's listed in launchctl print (or lauchctl list for saner humans). `jamf postMdmEnrollment ...` is even listed as a process in ps, so it's been fired but isn't actually completing what it's supposed to do. The jamf log is of no help to me nor seemingly jamf support:

Wed May 01 14:45:07 MacBook Air jamf[984]: Removing existing launchd task /Library/Application Support/JAMF/tmp/com.jamfsoftware.task.startssh.plist...
Wed May 01 14:45:07 MacBook Air jamf[1012]: The SSL Certificate for https://blahblah.jamfcloud.com must be trusted for the jamf binary to connect to it.
Wed May 01 14:45:07 MacBook Air jamf[1012]: Enrolling computer...
Wed May 01 14:45:09 MacBook Air jamf[1012]: JMFCommons.JamfKeychain.JamfKeychainSecurityError.failedToReadJmfKeychainPassword
Wed May 01 14:45:09 MacBook Air jamf[1012]: JMFCommons.JamfKeychain.JamfKeychainSecurityError.failedToReadJmfKeychainPassword
Wed May 01 14:45:12 MacBook Air jamf[1012]: The device certificate was created successfully.

If the com.jamf.management.enroll.plist LD is manually bootout-ed and then bootstrapped into place then the expected stuff in /Library/Application Support/JAMF and Self Service appear as expected and enrolment is completed as expected. 

launchctl bootout system /Library/LaunchDaemons/com.jamf.management.enroll.plist 
launchctl bootstrap system /Library/LaunchDaemons/com.jamf.management.enroll.plist 

Post bootstrap log:

Wed May 01 14:45:07 MacBook Air jamf[984]: Removing existing launchd task /Library/Application Support/JAMF/tmp/com.jamfsoftware.task.startssh.plist...
Wed May 01 14:45:07 MacBook Air jamf[1012]: The SSL Certificate for https://blahblah.jamfcloud.com must be trusted for the jamf binary to connect to it.
Wed May 01 14:45:07 MacBook Air jamf[1012]: Enrolling computer...
Wed May 01 14:45:09 MacBook Air jamf[1012]: JMFCommons.JamfKeychain.JamfKeychainSecurityError.failedToReadJmfKeychainPassword
Wed May 01 14:45:09 MacBook Air jamf[1012]: JMFCommons.JamfKeychain.JamfKeychainSecurityError.failedToReadJmfKeychainPassword
Wed May 01 14:45:12 MacBook Air jamf[1012]: The device certificate was created successfully.
Wed May 01 23:02:17 Ben’s MacBook Air jamf[5080]: The SSL Certificate for https://blahblah.jamfcloud.com must be trusted for the jamf binary to connect to it.
Wed May 01 23:02:17 Ben’s MacBook Air jamf[5080]: Enrolling computer...
Wed May 01 23:02:23 Ben’s MacBook Air jamf[5080]: Creating user jadmin...
Wed May 01 23:02:28 Ben’s MacBook Air jamf[5080]: The device certificate was created successfully.
Wed May 01 23:02:40 Ben’s MacBook Air jamf[5080]: Error Domain=NSCocoaErrorDomain Code=4099 "The connection to service named com.jamf.management.daemon.binary was invalidated from this process." UserInfo={NSDebugDescription=The connection to service named com.jamf.management.daemon.binary was invalidated from this process.}
Wed May 01 23:02:40 Ben’s MacBook Air jamf[5080]: Removing existing launchd task /Library/LaunchDaemons/com.jamfsoftware.task.bgrecon.plist...
Wed May 01 23:02:40 Ben’s MacBook Air jamf[5080]: Downloading the Jamf Bundle...
Wed May 01 23:02:43 Ben’s MacBook Air jamf[5080]: Enforcing management framework...
Wed May 01 23:02:43 Ben’s MacBook Air jamf[5080]: Enforcing scheduled tasks...
Wed May 01 23:02:43 Ben’s MacBook Air jamf[5080]: Adding launchd task com.jamfsoftware.task.1...
Wed May 01 23:02:44 Ben’s MacBook Air jamf[5080]: Updating daemon settings
Wed May 01 23:02:44 Ben’s MacBook Air jamf[5080]: Flushing the /Library/Application Support/JAMF/tmp directory was successful
Wed May 01 23:02:44 Ben’s MacBook Air jamf[5080]: Upgrading jamfHelper.app...
Wed May 01 23:02:45 Ben’s MacBook Air jamf[5080]: Upgrading JAMF notification service...
Wed May 01 23:02:45 Ben’s MacBook Air jamf[5080]: Upgrading Self Service.app...
Wed May 01 23:03:03 Ben’s MacBook Air jamf[5080]: Setting Self Service icon to custom
Wed May 01 23:03:03 Ben’s MacBook Air jamf[5080]: Removing existing launchd task /Library/Application Support/JAMF/tmp/com.jamfsoftware.task.policy.plist...
Wed May 01 23:03:03 Ben’s MacBook Air jamf[5080]: Enroll return code: 0
Wed May 01 23:03:03 Ben’s MacBook Air jamf[5080]: Enrollment Complete. Exiting.
Wed May 01 23:03:03 Ben’s MacBook Air jamf[5855]: Checking for policies triggered by "enrollmentComplete" for user "ben"...

(the sudden jump in time is the timezone changing from Cupertino to GMT)

So..... do I keep digging in an attempt to find out why the jamf postMdmEnrollment command stalls or do I just knock up a quick enrolment package script to bootout and bootstrap the LaunchDaemon (perhaps testing/waiting until its presence but running the risk of unloading it in the middle of the original jamf postMdmEnrollment completing successfully on its own - it hasn't happened yet but a random Jamf Pro or OS update could fix things). Given that I'm like a dog with a bone I'd like to resolve the problem 'properly' without having to resort to a workaround, but I appreciate that nothing in life is perfect!

Thanks for reading and apologies for the length of post.