Skip to main content
Jamf Nation, hosted by Jamf, is a dynamic and knowledgeable community of Apple-focused IT admins and Jamf Pro users. Join us in person, in October, for the annual Jamf Nation User Conference (JNUC) to discover new and better ways to manage Apple devices.

Issues / Stability of 9.101 update

Hey guys, just checking to see how the new update is settling in before I make the jump. We have our JSS on a Windows 2016 server. Would move from 9.98 to 9.101. Thanks!

Like Comment
CCA Badge CCE Badge
SOLVED Posted: 9/13/17 at 12:49 PM by hkabik

Was just about to start one of these myself... I'll keep an eye on this one. thanks!

Like
CCT Badge CCA Badge CJA Badge CSE Badge
SOLVED Posted: 9/13/17 at 1:49 PM by benducklow

Ditto here @egill and @hkabik ! Would love to see/hear what people's experiences are with this latest release (issues, bugs with current macOS's as well as how its working with the latest beta version of High Sierra).

Like
CCA Badge
SOLVED Posted: 9/13/17 at 1:57 PM by mm2270

I'm also interested. I looked over the Release Notes, but so far I'm not seeing any issues addressed that were affecting us here to my knowledge. The couple of issues that I'd like to see fixed don't appear to be in this release, unless I'm just missing them.

Like
SOLVED Posted: 9/14/17 at 2:34 PM by rcorbin

Looks like everyone is wondering (Including me) but no one has installed it yet.

Like
CCT Badge CCA Badge CCE Badge CJA Badge
SOLVED Posted: 9/14/17 at 3:04 PM by dan.snelson

We're running 9.101.0 in our Dev and Stage lanes and have just started testing. (We deploy from ROOT.war.)

My current understanding is that 9.101.0 is required for full compatibility with macOS High Sierra 10.13 and most concerning for us is fresh FileVault encryptions to escrow Personal Recovery Keys for users running macOS 10.13.

Like
CCA Badge
SOLVED Posted: 9/14/17 at 3:07 PM by emily

@dan.snelson have you played around with the new configuration profile payloads for FV2 escrow in 101? I had asked Jamf a question about it in the beta discussions but the beta discussions are gone now…

I was curious about how the helper text in the new payload options says:

Create an individual recovery key. To store the individual recovery key in the JSS, you must also configure the FileVault Recovery Key Redirection payload

Does this mean that the Filevault Recovery Key Redirection payload (deprecated) should still be enabled for escrow on 10.13 machines to work even though it's not honored by the OS? Or is that text implying something else?

Like
SOLVED Posted: 9/15/17 at 3:21 AM by lnu_casper

Hi, after we update to 9.101 we having problems with new- and reinstallation's. Computer could not bind to AD with Casper Imaging and the computer did not get into Casper. We had to build new netbootimage "nbi". Now it´s work well again. (We upgrade from 9.96)

Like
CCA Badge CJA Badge CMA Badge
SOLVED Posted: 9/15/17 at 1:05 PM by predfern

We upgraded our environment on Wednesday night and took the time to incorporate a pair of Memcached servers into our cluster at the same time. We have not seen any issues so far, infact it is performing significantly better than before the upgrade. We did have to make sure that all of our NBIs were updated with Casper Imaging 9.101 and our techs could authenticate AutoRun imaging at our checkout stations.

Like
CCT Badge CCA Badge
SOLVED Posted: 9/15/17 at 2:30 PM by dcgagne

@emily

In my testing thus far it appears the original redirection policy will stay in place for 10.12 and below. For 10.13 and up the old redirection policy will not load if FileVault is configured with the newer escrow recovery key option set. In fact, if both are loaded you will see this error under Management Commands under the old redirect CP:

A profile with a “FileVault Recovery Key Escrow” payload is already installed on the system.

The kicker is, in my early testing using the new escrow option and 10.13 GM, it doesn't work. The key is invalid if it is regenerated manually and running the regeneration as a policy fails.

Like
CCA Badge
SOLVED Posted: 9/15/17 at 4:13 PM by emily

We tested this on 10.13 by doing the following:
- Created a combined Security & Privacy + FileVault 2 escrow settings configuration profile scoped to 10.13 machines
- Changed scope of old FileVault 2 escrow and Security & Privacy config profiles to exclude 10.13 machines

It enabled FileVault 2 on next login, like we wanted, but it didn't actually escrow the key until a recon ran. I don't remember that being the behavior with the old payload.

Like
CCT Badge CCA Badge CCE Badge CJA Badge
SOLVED Posted: 9/16/17 at 8:56 AM by dan.snelson

@emily The description in your screenshot above confuses me. Did you get any feedback from Jamf?

In our Jamf Pro 10 Beta 2 lane, we're excluding our legacy "FileVault Recovery Key Redirection" from High Sierra machines, but I've been so focused on re-generating keys with High Sierra and 9.101.0 that I can't remember if you really need the legacy profile on High Sierra machine.

Like
CCA Badge CCE Badge
SOLVED Posted: 9/18/17 at 3:59 AM by Boughen

We upgraded a test environment last week, The master tomcat server upgraded without issue, the 2 slaves tomcat servers have failed, we get the following error when starting tomcat

"The following error was encountered during initialization:
Error initializing object caches"

It looks like its having a problem reading a certain object in the database.

We have a support ticket in with JAMF, no solution as yet.

Like
CCA Badge CCE Badge CJA Badge CMA Badge
SOLVED Posted: 9/18/17 at 2:41 PM by ssrussell

@Boughen I'm not saying this is a solution, but the nice thing about those child webapps is that you can just dump the VM and rebuild it from a template or scratch. I'd usually keep a copy of the DataBase.xml (from /usr/local/jss/tomcat/webapps/ROOT/WEB-INF/xml) and server.xml (from /usr/local/jss/tomcat/conf/) and possibly the keystore (if you keep it in /usr/local/jss/tomcat/) if you need it.

By rebuilding it from scratch you can install your current version of the JSS on that child webapp without having any sticky icky bits from previous installs. Also ensures all your supporting services are current (java, etc).

I agree it would be nice to figure out what is causing it to fail. Have you examined all the logs? What is happening in the catalina log and the JAMFSoftware log during startup?

Like
SOLVED Posted: 9/20/17 at 6:56 PM by rcorbin

We were running Jamf Pro 9.99.0 up until about a week ago when we upgraded to 9.101.0. We skipped 9.100.0. So far since upgrading about a week ago all as been fine. The upgrade was super easy. We run it all under Red Hat. So far all seems good with the JSS and iOS 11 as well. Haven't really done much testing with 10.13 yet.

Like
CCA Badge CCE Badge
SOLVED Posted: 9/20/17 at 8:28 PM by frank

Only issue we've seen is any home screen payloads for iOS devices you may have get removed from the configuration profile post upgrade. JAMF has a PI-004439 for it. So if your going to upgrade make note of any configuration profiles for iOS devices that set home screens as you need to recreate them in 9.101.0

Like
SOLVED Posted: Yesterday at 5:09 AM by remyb

@dan.snelson as far as i've seen, the legacy profile does nothing on high sierra. We created a profile with only the filevault 2 escrow enabled, and we enable filevault through a separate policy.

as @emily pointed out, the key didn't get escrowed until a recon ran, but at least it did properly escrow.

The re-generation script we use which is based on https://github.com/homebysix/jss-filevault-reissue failed because the output of $FDESETUP_OUTPUT is different. Commenting out the "elif [[ $ESCROW_STATUS -ne 0 ]]" section lets the script complete without errors and properly sends the key to the JSS

Like