iPad Device Enrollment with Configurator

Zvordauk
New Contributor III

Anybody got Configurator Device Enrollment to work with Casper 9.3?

Setup:
Configurator > Prepare > Device Enrollment > MDM Server URL
https://jss.mycompany.com:8443/configuratorenroll

JSS > Settings > Mobile Device Management > Apple Configurator Enrollment > Enabled
Downloaded Anchor Cert to Configurator

Getting the following error:
The configuration of your iPad could not be downloaded from MyCo.
The operation could not be completed. (NSURLErrorDomain error -1012)

Any thoughts?

12 REPLIES

neverzen
New Contributor

Hi!

No solution, just an acknowledgment of the issue, seeing the exact same message here. Not alone in the woods.

Zvordauk
New Contributor III

Thanks Christopher - it was getting lonely there for a while. Hopefully someone is listening and will send us a solution!

bentoms
Release Candidate Programs Tester

Are you both US based?

I reached out to our Apple rep to clarify, but DEP is US only.

Maybe that is the issue??

JesseNCSD
New Contributor III

I was experiencing the same error, and the symptoms were caused by my own cluelessness.

When enabling Configurator Enrollment via URL, I had the wrong certificate specified as anchor.

The pane for enabling enrollment by Configurator URL should link you to your trust anchor cert, if you use a self-signed anchor/JSS.

I use a third party wildcard cert on the JSS for web access and other things and didn't think about the conspicuous absence of the download link for the trust anchor in the 'enable' screen for Configurator enrollment - I had imported a few other certs and they all gave me the NSURLErrorDomain error -1012 when trying to config devices.

The moment I imported my chained 3rd-party cert into my keychain and specified that cert chain in Configurator things worked perfectly.

It had nothing to do with DEP for me - my organization is not a member of DEP, nor do we have any configuration related to it turned on.

dleonardi
New Contributor

This worked for me https://jamfnation.jamfsoftware.com/article.html?id=365 after having a similar problem.

CairoJXP
Contributor

I've been having issues with the DEP/JSS recently too and got the same error. I followed the steps in the article and it seemed to help and I got one enrolled successfully. Since then however, I've tried enrolling yet another iPad and am back to getting the same error. I'm hoping I don't have to go back into Tomcat AGAIN and do this copying/renaming of the .pem file. I wish there was better documentation on the whole process for using DEP with the pre-stage enrollment in terms of exactly what attachments/certs to put in the profile and how the whole process is supposed to work. Documentation on this is severely lacking.

JesseNCSD
New Contributor III

CairoJXP: I've also returned to having this same error during Configurator-initiated enrollment. Like you, I had successfully enrolled some devices with next to no touching. Came back to it last week to roll out another 100, and I have not yet been able to successfully enroll another.

Just installed 9.31, will try again.

CairoJXP
Contributor

@JesseNCSD We didn't actually use configurator at all. We unsupervised the iPads we used from the AC we had them on. We did the OTA enrollment with the DEP by putting in the serial numbers etc. I created a config profile on JSS, downloaded it, then uploaded it as an attachment to the pre-stage enrollment and did it that way. When the iPad reset, it went through the chosen process, then installed the profile and cert associated with the pre-stage enrollment.

neverzen
New Contributor

Hello out there!

I wanted to report after working through this with JAMF support we were able to get Apple Configurator enrollment to work. Turns out if you use a 3rd party cert for tomcat, or there is any URL mismatch between your CA and your JSS URL, enrollment will fail. (NSURLErrorDomain error -1012)

The way around this, believe it or not, is to simply not include an Anchor cert in the Device Enrollment config! Once I took it out, enrollment went right through as expected.

Hope that helps if you are still stuck!
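
The two failure conditions described in the replies above (an anchor certificate that does not sign the certificate Tomcat serves, and a hostname mismatch) can be checked offline with openssl. This is an added example, not part of any post in the thread; the CA names, the `check_anchor` helper and the host `jss.internal.example` are assumptions, and every certificate is constructed test data.

```shell
#!/bin/sh
# Added example; every key and certificate below is constructed test data.
set -e
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
mkdir "$d/empty"   # empty CApath keeps the system trust store out of the check
cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
subjectAltName = DNS:jss.mycompany.com
EOF

# make_ca NAME: write a self-signed CA certificate to $d/NAME.pem
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
        -extensions ca -subj "/CN=$1" -days 2 \
        -keyout "$d/$1.key" -out "$d/$1.pem" 2>/dev/null
}

# check_anchor ANCHOR_PEM LEAF_PEM HOST: prints ok, untrusted or name-mismatch
check_anchor() {
    openssl verify -CApath "$d/empty" -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo untrusted; return 0; }
    if openssl x509 -in "$2" -noout -checkhost "$3" | grep -q 'does match'; then
        echo ok
    else
        echo name-mismatch
    fi
}

make_ca jss-builtin-ca   # assumed stand-in for the JSS's own downloadable anchor
make_ca third-party-ca   # assumed stand-in for the CA that issued Tomcat's cert
openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
    -subj "/CN=jss.mycompany.com" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
openssl x509 -req -in "$d/leaf.csr" -CA "$d/third-party-ca.pem" \
    -CAkey "$d/third-party-ca.key" -set_serial 2 -extfile "$d/pki.cnf" \
    -extensions leaf -days 2 -out "$d/leaf.pem" 2>/dev/null

check_anchor "$d/jss-builtin-ca.pem" "$d/leaf.pem" jss.mycompany.com     # wrong anchor
check_anchor "$d/third-party-ca.pem" "$d/leaf.pem" jss.mycompany.com     # matching anchor
check_anchor "$d/third-party-ca.pem" "$d/leaf.pem" jss.internal.example  # wrong host
```

Against a real server, the leaf and anchor files would be the certificate the JSS actually presents and the anchor selected in Configurator.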

jschoenrock
New Contributor II

Does using the Device Enrollment Payload (Configurator > Prepare > Device Enrollment > MDM Server URL
https://jss.mycompany.com:8443/configuratorenroll) as opposed to an enrollment profile require the user to log in when the device becomes active or does it enroll while still plugged into Configurator like the Enrollment profile does??
Confusing?

Not sure what is different between these two Configurator options or why you would use one over the other???

JesseNCSD
New Contributor III
Does using the Device Enrollment Payload (Configurator > Prepare > Device Enrollment > MDM Server URL https://jss.mycompany.com:8443/configuratorenroll) as opposed to an enrollment profile require the user to log in when the device becomes active or does it enroll while still plugged into Configurator like the Enrollment profile does??

Enrollment via Configurator and MDM URL allows enrollment via prompt when device is first used, not at time of configuration. It does not require a login. It binds the device with no assigned user and authenticates with certificate that you assign via the Configurator MDM enrollment pane.

Enrollment profile enrolls at time of installation via Configurator.

Using enrollment profiles is more tapping on a device than with MDM URL enrollment in my use case.

acaveny
New Contributor III

Hello,

I just started getting this error on 9.73. Just like @JesseNCSD, I was able to successfully use Configurator to auto enroll supervised devices into the JSS last week. I came back to it today and now am unable to. Was going to try the Beta of Configurator 2, but need to run 10.11 which I'm not willing to do yet.

Has anyone had any more success with this?