JSS and MDM Problems

Recert

/usr/sbin/jamf removeMdmProfile -verbose
/usr/sbin/jamf manage -verbose
/usr/sbin/jamf recon

Or

jamf mdm -verbose
jamf recon

Check EAs
Make sure you don’t have any extension attributes that are hanging up recon. For example, we had a script that set the hostname variable with a “scutil --get HostName”.

Even if a hostname is shown in the Sharing preference pane, scutil may not return it, especially if the hostname was set dynamically rather than explicitly. The command then blocks instead of returning, and because recon waits for every extension attribute script to finish, recon blocks with it.
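The following is an added example, not the original post’s extension attribute: a hostname EA written so that it cannot hang recon. Every scutil call runs under a watchdog (macOS ships no timeout(1), so the watchdog is built from background jobs), and the script falls back to LocalHostName, then hostname(1), then a fixed string. The five-second limit and the fallback order are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's EA: a hostname extension attribute
# that cannot hang recon. macOS ships no timeout(1), so the watchdog is built
# from background jobs. The 5-second limit and fallback order are assumptions.

# run_with_timeout SECONDS CMD [ARGS...]
# Runs CMD, kills it if it is still running after SECONDS, and returns CMD's
# exit status (non-zero when it was killed or could not be started).
run_with_timeout() {
    secs=$1
    shift
    "$@" &
    cmd_pid=$!
    # The watchdog's own output goes to /dev/null so that a $(...) around
    # run_with_timeout does not wait for the orphaned sleep to finish.
    ( sleep "$secs"; kill "$cmd_pid" 2>/dev/null ) >/dev/null 2>&1 &
    watchdog_pid=$!
    if wait "$cmd_pid"; then rc=0; else rc=$?; fi
    kill "$watchdog_pid" 2>/dev/null || true
    return "$rc"
}

# detect_hostname: bounded scutil calls first, then fallbacks, so the EA
# always yields a value instead of blocking the inventory run.
detect_hostname() {
    name=$(run_with_timeout 5 scutil --get HostName 2>/dev/null) || name=""
    if [ -z "$name" ]; then
        name=$(run_with_timeout 5 scutil --get LocalHostName 2>/dev/null) || name=""
    fi
    if [ -z "$name" ]; then
        name=$(hostname 2>/dev/null) || name=""
    fi
    [ -n "$name" ] || name="unknown"
    printf '%s\n' "$name"
}

# ea_hostname: wrap the value in the <result> tags Jamf expects from an EA.
ea_hostname() {
    printf '<result>%s</result>\n' "$(detect_hostname)"
}

ea_hostname
```

The same run_with_timeout wrapper can be put around any other EA that shells out to a tool that may block, which also makes bisecting a hung recon easier: an EA that times out shows up as a short delay and an empty or fallback value rather than a recon that never returns.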

When you enroll, a minimal computer record is created in the JSS containing very little inventory data (MAC addresses, serial number, and so on), and the record gets a UUID and a JSS computer ID. The MDM enrollment does NOT occur until the recon that runs as part of enrollment has completed.

Until a full recon succeeds, that record shows up in the JSS as “No Name”.

For testing, it can help to create a QuickAdd package (or enrollment invitation) as usual but run the enroll command yourself with the “-noRecon” option, so that enrollment completes without the inventory run. For example:

/usr/sbin/jamf enroll -invitation 123456789876543212345678976543 -noRecon -verbose

Then run

jamf recon -verbose

on its own; the verbose output shows which step (often an extension attribute script) the inventory is stuck on.

Verify JAMF Keychain
As part of your troubleshooting, make sure the client actually received its device certificate. The device certificate is NOT in the System keychain; it is in /Library/Application Support/JAMF/JAMF.keychain.

To verify

sudo security dump-keychain /Library/Application\ Support/JAMF/JAMF.keychain

You should see a public key, a private key, and a certificate. This assumes, of course, that you are using the built-in JSS CA.
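As an added example (not from the original post), the following script parses security dump-keychain output and reports whether a public key, a private key and a certificate are present, instead of eyeballing the dump. The sample dump embedded in it is constructed, and the record markers it keys on (class 0x80001000 for an X.509 certificate, the kcls attribute 0 for a public and 1 for a private key) are the CSSM record types as I understand the security tool’s output; compare them against a real dump before relying on the script.

```shell
#!/bin/sh
# Added example (not from the original post): check a `security dump-keychain`
# dump for the three items a JSS-issued identity needs. The sample dump is
# constructed. Record markers assumed from the CSSM record types the security
# tool prints: class 0x80001000 = X.509 certificate; attribute
# "kcls" 0x00000000 = public key, 0x00000001 = private key.

JAMF_KEYCHAIN="/Library/Application Support/JAMF/JAMF.keychain"

# summarize_keychain_dump: reads a dump on stdin, prints item counts.
summarize_keychain_dump() {
    awk '
        /^class:/ && $2 == "0x80001000" { certs++ }
        /"kcls"<uint32>=0x00000000/     { pub++ }
        /"kcls"<uint32>=0x00000001/     { priv++ }
        END { printf "public=%d private=%d cert=%d\n", pub, priv, certs }
    '
}

# list_cert_labels: prints the label (the CN the JSS CA issued) of every
# certificate record, so you can match it to the computer UUID in the JSS.
list_cert_labels() {
    awk '
        /^class:/ { cls = $2 }
        cls == "0x80001000" && /"labl"<blob>=/ {
            sub(/^[^=]*=/, ""); gsub(/^"|"$/, ""); print
        }
    '
}

# verify_keychain_dump DUMP_TEXT: 0 if a public key, private key and
# certificate are all present, 1 otherwise.
verify_keychain_dump() {
    summary=$(printf '%s\n' "$1" | summarize_keychain_dump)
    case "$summary" in
        *"public=0 "*|*"private=0 "*|*"cert=0"*) return 1 ;;
    esac
    return 0
}

# Constructed sample of what a healthy JAMF.keychain dump looks like
# (attributes trimmed to the ones the functions above look at).
SAMPLE_DUMP=$(cat <<'EOF'
keychain: "/Library/Application Support/JAMF/JAMF.keychain"
version: 512
class: 0x0000000F 
attributes:
    "kcls"<uint32>=0x00000000 
    "labl"<blob>="C9E7JK12-GH44-63F9-8Z8B-A66777888999"
keychain: "/Library/Application Support/JAMF/JAMF.keychain"
version: 512
class: 0x00000010 
attributes:
    "kcls"<uint32>=0x00000001 
    "labl"<blob>="C9E7JK12-GH44-63F9-8Z8B-A66777888999"
keychain: "/Library/Application Support/JAMF/JAMF.keychain"
version: 512
class: 0x80001000 
attributes:
    "labl"<blob>="C9E7JK12-GH44-63F9-8Z8B-A66777888999"
EOF
)

# On a real client (needs root):
#   sudo security dump-keychain "$JAMF_KEYCHAIN" | summarize_keychain_dump
# Offline demo on the constructed sample:
printf '%s\n' "$SAMPLE_DUMP" | summarize_keychain_dump
printf '%s\n' "$SAMPLE_DUMP" | list_cert_labels
```

A keychain that has the certificate but no private key (or the other way round) is as broken as an empty one: the MDM profile needs the matching pair to form an identity, so treat anything other than all three counts being non-zero as a failed enrollment.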

If you get an error like

Error installing the computer level mdm profile: profiles install for file:'/Library/Application Support/JAMF/tmp/mdm.mobileconfig' and user:'root' returned -1202 (The certificate for this server is invalid. You might be connecting to a server that is pretending to be “blah.blah.com” which could put your confidential information at risk.)

then the client rejected the JSS server’s TLS certificate as untrusted (-1202). A JAMF.keychain left over from a previous enrollment, for example against a different JSS, is one way to end up there, so remove the JAMF.keychain and re-enroll:

sudo rm -f /Library/Application\ Support/JAMF/JAMF.keychain
sudo jamf enroll -prompt

JSS CA Problems
If you have attempted to enroll the computer several times, there is a chance that the internal JSS CA has accumulated several issued device certificates for the same subject (the computer’s UUID). When it issues yet another device certificate, it cannot verify it because too many certificates exist for that subject.

JAMF is aware of this issue. I don’t think a defect is official yet.

The solution below is NOT official by any means, but it worked for me (to an extent)

1. In the JSS, find the computer that is failing to enroll (it should be a “No Name” record). Search by MAC address or serial number. Under Inventory / Hardware, note the UUID.
2. Navigate to Global Management – PKI – Issued Certificates.
3. Search the page for the UUID you found in step 1.
4. Check whether there is more than one certificate for that UUID.
5. If so, you may need to purge some of them via MySQL.
6. Copy the DEVICE certificate name that corresponds to that UUID. It should look like “CN=C9E7JK12-GH44-63F9-8Z8B-A66777888999,OU=JAMF Device Certificate”.
7. Then, in MySQL, as root or a user with write access to the jamfsoftware database:

use jamfsoftware;
SELECT * FROM certificate_authority_issued where subject_name="CN=C9E7JK12-GH44-63F9-8Z8B-A66777888999,OU=JAMF Device Certificate";

That lists every certificate row with that subject. Run it before the delete, and make sure every row it returns is one you actually want to remove (backing up the table first is cheap). Then run

DELETE FROM certificate_authority_issued where subject_name="CN=C9E7JK12-GH44-63F9-8Z8B-A66777888999,OU=JAMF Device Certificate";

Obviously, replace the subject name from my example with the one you copied in step 6.
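The manual purge above is easy to get wrong: a mistyped UUID deletes nothing and tells you nothing, and a stray quote in the subject changes the WHERE clause. The following added example, not the post’s own procedure, validates the UUID before building any SQL, generates the listing query separately from the delete, runs the delete inside a transaction that reports its row count, and only pipes anything to mysql when explicitly asked. The table and column names are the ones the post uses; the mysql connection options and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not the post's own procedure): guard the manual MySQL purge.
# Table/column names are the ones the post uses; the mysql connection options
# and the function names are assumptions.

# valid_uuid STRING: a hardware UUID is five hex groups, 8-4-4-4-12. The
# post's "C9E7JK12-GH44-..." is a placeholder and is rejected on purpose.
valid_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# device_cert_subject UUID: the subject_name the JSS CA writes for a device cert.
device_cert_subject() {
    printf 'CN=%s,OU=JAMF Device Certificate' "$1"
}

# build_purge_sql UUID MODE: "list" only selects; "delete" removes the rows
# inside a transaction and reports how many went. Pasted into an interactive
# mysql session instead, the count can be checked before issuing COMMIT.
build_purge_sql() {
    subject=$(device_cert_subject "$1")
    case "$2" in
        list)
            cat <<EOF
USE jamfsoftware;
SELECT * FROM certificate_authority_issued WHERE subject_name='${subject}';
EOF
            ;;
        delete)
            cat <<EOF
USE jamfsoftware;
START TRANSACTION;
DELETE FROM certificate_authority_issued WHERE subject_name='${subject}';
SELECT ROW_COUNT() AS deleted_rows;
COMMIT;
EOF
            ;;
        *)
            echo "build_purge_sql: mode must be list or delete" >&2
            return 2
            ;;
    esac
}

# purge_device_certs UUID [--delete]: lists matching rows by default and only
# deletes when --delete is given. Refuses malformed UUIDs before touching MySQL.
purge_device_certs() {
    uuid=$1
    mode=list
    case "$2" in --delete) mode=delete ;; esac
    if ! valid_uuid "$uuid"; then
        echo "refusing to build SQL for malformed UUID: $uuid" >&2
        return 1
    fi
    build_purge_sql "$uuid" "$mode" | mysql -u root -p   # connection options assumed
}

# Offline demo: print the safe listing query for a constructed UUID.
build_purge_sql "564D1234-ABCD-EF01-2345-6789ABCDEF01" list
```

Run purge_device_certs with the UUID alone first and read the rows; only add --delete once every row shown is one you mean to remove, and re-enroll the client afterwards so the JSS CA issues a fresh device certificate.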

Conclusion
Even after saying all that – we are STILL having trouble with clients who were in one JSS enrolling into a new, clean JSS. The steps above helped me with a few scenarios, but we still have many lingering failed enrollments.

Also – for anyone who “wishes” to recreate this issue, we have been able to recreate it at will – even in a completely vanilla JSS, and even in our JAMF Cloud test instance.

I strongly recommend you only do this on a dev JSS, but by simply enrolling over and over again (sometimes a dozen or so enrolls) we can produce the same device certificate errors, at least in 9.72 (I haven’t tried other versions).