Updating Management Account Password Broke Recon and Enrollment

HashMaster9000
New Contributor II

We needed to update the Management Account Password for our Enrolled machines, so we created a policy that simply changed the Management Account's Password to the newest one. After pushing the policy out to the machines, suddenly no new machines can become enrolled into JAMF and whenever I do a recon of the machine it returns an error.

The Recon Error is:

2019-06-06 17:17:35.294 jamf[11784:607212] CFNetwork SSLHandshake failed (-9807)

And the Error we get when trying to install the MDM Config Profile is:

The profile “MDM Profile (00000000-0000-0000-A000-4A414D460009:84af064b-dfaf-4403-a073-8b70e2a04c17)” could not be installed due to an unexpected error. <NSOSStatusErrorDomain:-50>

We really need to figure out what went wrong, because this means that computers can't check in and we're dead in the water for new enrollments or re-enrollments. I don't feel like a hidden user password change should do this.

If anyone has any ideas or solutions, I'm open to it until JAMF support gets back to me.

Thanks!

6 REPLIES

bentoms
Release Candidate Programs Tester

@HashMaster9000 Management Account Password & Recon are not related.

2019-06-06 17:17:35.294 jamf[11784:607212] CFNetwork SSLHandshake failed (-9807)

Is an error with the SSL cert the JPS is presenting, could be Tomcat's end... or a MITM proxy.

The profile “MDM Profile (00000000-0000-0000-A000-4A414D460009:84af064b-dfaf-4403-a073-8b70e2a04c17)” could not be installed due to an unexpected error. <NSOSStatusErrorDomain:-50>

This error correlates with the 1st.

I'd be looking at the certificate your JPS is presenting clients.
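An added example (not part of the reply above or of Jamf's own tooling) of one way to do that check from a client: it captures the chain the JPS presents with `openssl s_client` and classifies the result. `JPS_HOST`, `JPS_PORT`, `EXPECTED_ISSUER` and the function names are assumptions chosen for this sketch.

```shell
#!/bin/sh
# Added example: diagnose the certificate chain a Jamf Pro server (JPS) presents.
# JPS_HOST, JPS_PORT and EXPECTED_ISSUER are hypothetical operator-supplied values.

# Capture the handshake transcript, including the chain and verification result.
fetch_handshake() {
    # $1 = host, $2 = port
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>&1
}

# Read an `openssl s_client` transcript on stdin and print a one-word diagnosis.
# $1 = substring expected in the leaf certificate's issuer (your own CA's name).
diagnose_chain() {
    expected=$1
    transcript=$(cat)
    # Issuer of the leaf: the first " i:" line of the "Certificate chain" section.
    issuer=$(printf '%s\n' "$transcript" | sed -n 's/^ *i:\(.*\)$/\1/p' | head -n 1)
    # Numeric result, e.g. "Verify return code: 10 (certificate has expired)".
    code=$(printf '%s\n' "$transcript" \
        | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)

    if [ -z "$issuer" ] || [ -z "$code" ]; then
        echo "no-certificate"      # handshake never got as far as a chain
    elif ! printf '%s' "$issuer" | grep -qF -- "$expected"; then
        echo "unexpected-issuer"   # leaf signed by another CA, e.g. an inspecting proxy
    elif [ "$code" -eq 10 ]; then
        echo "expired"             # right CA, but the certificate is past notAfter
    elif [ "$code" -ne 0 ]; then
        echo "untrusted-chain"     # right CA name, but the chain does not verify here
    else
        echo "ok"
    fi
}

# Contact a live server only when the operator sets JPS_HOST (port 8443 is an assumed default).
if [ -n "${JPS_HOST:-}" ]; then
    fetch_handshake "$JPS_HOST" "${JPS_PORT:-8443}" \
        | diagnose_chain "${EXPECTED_ISSUER:?set EXPECTED_ISSUER to your CA name}"
fi
```

Running it from an affected Mac and again from a network path that bypasses any inspecting proxy shows whether the issuer differs between the two, which separates interception from a problem on the server's side.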

HashMaster9000
New Contributor II

How would changing the Management account password alter anything about the SSL certificate? Does it use the Management account to authenticate? And how would we roll it out/revert it back?

bentoms
Release Candidate Programs Tester

@HashMaster9000 it doesn’t.

They are unrelated things.

mdaymude
New Contributor II

I'm also seeing the <NSOSStatusErrorDomain:-50> when attempting to install MDM on a single Mojave computer in our company. We've managed to get all the other Macs (Sierra through Mojave) either DEP or Self-Enrolled. We have multiple computers daily both before and after the issue started which have been both DEP and manually enrolled. It's strange to me that this single computer could be having the issue... what's more is I'm not seeing anything correlating to possible causes.

We have a hidden admin account with a JAMF set password but as above it's working for all the other computers...

This seems to be the most recent similar thread; any advice would be greatly appreciated.

...even though I'm unsure if any of this is relevant:
Mojave 10.14.05, 2017 model MBA
is correctly bound and syncing with ADUC
user domain account (admin mobile managed) working as intended, local admin account as well
tested both on and off VPN (due to location, we have people all over the world but most of the people in his country are on Windows not Macs... figured I'd rule it out)
no framework installed (sudo jamf [anything] fails as jamf isn't a command)
isn't appearing in the JAMF Pro Dashboard
CA appears to install fine... but it's odd it's not even appearing in dashboard as a serial number as I've seen some others who didn't install/approve the MDM.

fr33silver
New Contributor

We're also getting this error.
I opened a ticket, hoping the support will shed some light on the error.

mdaymude
New Contributor II

Never did find a solution for that one computer.