When is a local administrator not a local administrator? When it’s a Management Account.

When is a Management Account not a Management Account? When it’s a local administrator… it seems macOS doesn’t like this conundrum…

Earlier last week, following an update to Jamf Pro 10.43, my colleagues and I started to notice an uptick in failed macOS enrolments. It turns out we weren’t the only ones – others in the community were experiencing the same thing.

The failure condition is quite specific and we could repeat it fairly consistently (on most attempts).

- Start with a clean/new shiny Mac that’s in Apple Business/School Manager and assigned to a Jamf Pro PreStage, ready to enrol.
- Power up and reach the Setup Assistant as usual.
- Proceed past the Region/Language Choosers and hit the Remote Management screen.
- Watch as the MDM Enrolment Profile is installed, followed by any other profiles, if they’ve been specified in the Pre Stage.
- We see the Login Window, showing an avatar for our local administrator account we created in the Pre Stage settings (it’s also the same username as the Jamf Management Account).
- The computer record in Jamf Pro is incomplete, with much of its data missing (because it’s only received telemetry from Apple’s mdmclient and not the jamf binary at this stage).

There’s no Policy history but we can see MDM commands have been sent successfully in the Management history…

To answer that question, it’s time to dive into the logs and look for clues! Specifically, /var/log/jamf.log

Jamf tries to create the Management Account:

```
Wed Feb 01 09:10:36 MacBook Air jamf: Creating user _jssadm…
```

Bad things happen:

```
Wed Feb 01 09:12:01 MacBook Air jamf: The SSL Certificate for must be trusted for the jamf binary to connect to it.
Wed Feb 01 09:12:03 MacBook Air jamf: Skipping trustJSS command…
Wed Feb 01 09:12:03 MacBook Air jamf: An error occurred while enrolling computer: Permission Error - The user specified does not have permission to perform the action.
Wed Feb 01 09:12:03 MacBook Air jamf: Restoring JAMF.keychain since an error occurred.
Wed Feb 01 09:12:03 MacBook Air jamf: Error Domain= Code=-25300 "searchForItems:conversionBlock:error: : The specified item could not be found in the keychain." UserInfo=
Wed Feb 01 09:12:05 MacBook Air jamf: Device Signature Error - A valid device signature is required to perform the action.
```

What went wrong? It’s not clear, but we can see some problems…

- There’s a permission issue that seems to stop the “user specified” (who is that?) from completing the enrolment.
- It looks like the jamf binary had problems working with a certificate it needed from a keychain in order to enrol the computer.
- Communication between the Jamf Pro server and the computer wasn’t trusted, and therefore not allowed (the jamf binary won’t do anything!).

Focusing on point 1 above – could the “user specified” be the Jamf Management Account? Digging further, I noticed this:

- Jamf Pro was configured to create a Management Account.
- The Computer PreStage Enrolment was configured to Create a local administrator account before the Setup Assistant.
- Both accounts had the same username (_jssadm).

Could we be hitting a race condition where the jamf binary tries to create the Management Account even though the local administrator with the same username is already there? And if that happened, could that make macOS go crazy?

Wait, what’s the Management Account and why does it matter?
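
The log review described in this post can be scripted. The following is an added example, not code from the original post or from Jamf: it scans jamf.log text for a `Creating user` event followed by the error strings quoted in the excerpt. The five-minute window, the signature names, the placeholder year and the optional `[pid]` suffix are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the jamf.log lines quoted in this post.
SAMPLE_LOG = """\
Wed Feb 01 09:10:36 MacBook Air jamf: Creating user _jssadm…
Wed Feb 01 09:12:01 MacBook Air jamf: The SSL Certificate for must be trusted for the jamf binary to connect to it.
Wed Feb 01 09:12:03 MacBook Air jamf: An error occurred while enrolling computer: Permission Error - The user specified does not have permission to perform the action.
Wed Feb 01 09:12:03 MacBook Air jamf: Restoring JAMF.keychain since an error occurred.
Wed Feb 01 09:12:03 MacBook Air jamf: Error Domain= Code=-25300 "searchForItems:conversionBlock:error: : The specified item could not be found in the keychain." UserInfo=
Wed Feb 01 09:12:05 MacBook Air jamf: Device Signature Error - A valid device signature is required to perform the action.
"""

# Assumed line shape: "<dow> <mon> <dd> <time> <host, may contain spaces> jamf[pid]: <msg>"
LINE = re.compile(r"^\w{3} (\w{3} \d{2} \d{2}:\d{2}:\d{2}) (.+?) jamf(?:\[\d+\])?: (.*)$")
CREATE = re.compile(r"Creating user ([\w.-]+)")
SIGNATURES = {  # error strings as they appear in the excerpt; names are hypothetical
    "untrusted_server": re.compile(r"SSL Certificate for .*must be trusted"),
    "permission_error": re.compile(r"Permission Error"),
    "keychain_item_missing": re.compile(r"Code=-25300"),
    "device_signature_error": re.compile(r"Device Signature Error"),
}

def parse(text, year=2000):
    """Yield (timestamp, message); the lines carry no year, so a placeholder is assumed."""
    for line in text.splitlines():
        if m := LINE.match(line):
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(3)

def failed_enrolments(text, window=timedelta(minutes=5)):
    """Return account creations that are followed by enrolment errors within `window`."""
    events = list(parse(text))
    findings = []
    for i, (ts, msg) in enumerate(events):
        created = CREATE.search(msg)
        if not created:
            continue
        errors = []
        for later_ts, later_msg in events[i + 1:]:
            if later_ts - ts > window:
                break
            errors += [n for n, rx in SIGNATURES.items() if rx.search(later_msg) and n not in errors]
        if errors:
            findings.append({"user": created.group(1), "created": ts, "errors": errors})
    return findings

if __name__ == "__main__":
    print(failed_enrolments(SAMPLE_LOG))
```

Run against a copy of /var/log/jamf.log from an affected Mac, a non-empty result flags the same sequence seen in this post; an empty list means no account creation was followed by these errors inside the window.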