DEP issue - configuration could not be downloaded, "cancelled"?

DanJ_LRSFC
Contributor III

When trying to wipe and restore a couple of DEP/JSS managed iPads I am getting a message:

"The configuration for your iPad could not be downloaded from Long Road Sixth Form College"

"cancelled"

Does anyone know what might cause this? There's no firewall between the iPad and our JSS, they're both on the same network, same subnet. Is there some Internet related thing that has to happen when downloading a configuration profile via DEP? We already set up our JSS with an externally-trusted HTTPS certificate, and it hasn't expired, so it shouldn't be that.

Thanks,
Dan Jackson (Senior ITServices Technician)
Long Road Sixth Form College

1 ACCEPTED SOLUTION

DanJ_LRSFC
Contributor III

This turned out to be that we had renewed our JSS SSL certificate but had forgotten to add the new cert into the PreStage Enrolments settings. Our iPads are now working again.

21 REPLIES

IT-CKrape
New Contributor II

Good Morning Dan,

I am not sure it is the same issue, and you may have already tried it, but we had a lot of iPad minis display a similar message lately. We were able to remedy this issue with a software restore from iTunes. To be honest, I am not sure what the disconnect with the server was or what the restore cleared from the system, but I do know that it worked for us.

Good luck and I hope this helps you!

Chad Krape
Technology Department
Jersey Shore Area School District

DanJ_LRSFC
Contributor III

Yes I've tried the restore from iTunes method - holding down Home and Power to put it in recovery mode while connected to a Mac. It restored fine but then when the DEP kicks in during the setup process we get the "cancelled" error again. Unassigning the devices in Apple School Manager does allow us to get in, but then we can't enrol them to the JSS as non-DEP devices require that MDM profiles have to be removable, which we don't want.

DanJ_LRSFC
Contributor III

Could it be that our Jamf Pro installation needs to be on the latest version in order to successfully manage iOS 13 devices?

Klenke_daniel
New Contributor III

I've tried to upgrade to 10.15.1 with no success as we are facing the same issue as you. Devices with iOS 13+ will not enroll and the ones already enrolled stop communicating with Jamf. Luckily we pushed out the profile to defer updates for 90 days but a few managed to update before we realized it was a problem. Currently talking with support over it.

lehmanp00
Contributor III

We just updated to 15.1 and have the same issue with iOS 13. In macOS 15, Self-Service and policies still don't work either.

DanJ_LRSFC
Contributor III

This turned out to be that we had renewed our JSS SSL certificate but had forgotten to add the new cert into the PreStage Enrolments settings. Our iPads are now working again.

This post saved my sanity. Thanks

Was this for on-prem Jamf Pro? We're having the same issue after migrating to Jamf Cloud, but Jamf said to leave the anchor certificate empty.

Jamf Pro

lehmanp00
Contributor III

Interesting. The pre-built cert from the primary server is automatically added to the prestage. We also have 3 JSS servers behind a load-balancer for device communication. The primary just handles APN communication. Does iOS 13/macOS 15 also need the load-balancer cert added now? That wasn't the case before.

Klenke_daniel
New Contributor III

We are still working with Jamf over this issue. We actually have the same setup as lehmanp00 and are running into the same thing. It is strange, like lehmanp00 said, that the SSL cert would be needed in prestage as we never needed that before with the built in certs. I'll give that a try on our test prestage and see what happens.

DanJ_LRSFC
Contributor III

We're using a 3rd party SSL certificate for our JSS rather than the built in certificates, if that makes a difference.

lehmanp00
Contributor III

https://support.apple.com/en-us/HT210176

So iOS 13 and macOS 15 need new/extra attributes in your keys. So we need to generate a new cert, from our JSS system, to the load balancer with the new requirements.

My Network Manager and I are guessing Apple and JAMF are assuming most customers are using a 3rd-party cert, not the built-in certs, and didn't need to worry about this.
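An added example, not part of the thread or any poster's code: a shell check of a certificate against the rules in the linked Apple article HT210176 (RSA keys of at least 2048 bits, a SHA-2 signature hash, a DNS name in the Subject Alternative Name and, for certificates issued after July 1, 2019, a serverAuth Extended Key Usage and a validity of at most 825 days). The function names, the host `jss.example.test`, port 8443 and the sample text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Checks `openssl x509 -noout -text`
# output against the HT210176 rules. Typical use (host is a placeholder):
#   openssl s_client -connect jss.example.test:8443 </dev/null 2>/dev/null |
#     openssl x509 -noout -text | check_cert_text

cert_day() {  # "Sep  1 00:00:00 2019 GMT" -> days since 1970-01-01
    awk '{ m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
           y = $4; if (m <= 2) { y--; m += 12 }
           n = 365*y + int(y/4) - int(y/100) + int(y/400)
           print n + int((153*(m-3) + 2) / 5) + $2 - 719469 }'
}

has()   { printf '%s\n' "$text" | grep -Eiq "$1"; }
field() { printf '%s\n' "$text" | sed -n "s/.*$1//p" | head -n 1; }

# Reads certificate text on stdin, prints one line per violated rule.
check_cert_text() {
    text=$(cat)
    bits=$(field 'Public-Key: (' | sed 's/ bit.*//')
    if has 'Public Key Algorithm: rsaEncryption' && [ "${bits:-0}" -lt 2048 ]; then
        echo "RSA key is ${bits:-unknown} bits, need 2048 or more"
    fi
    has 'Signature Algorithm: .*(sha1|md5)' && echo "signature hash is not SHA-2"
    has 'DNS:' || echo "no DNS name in Subject Alternative Name"
    start=$(field 'Not Before: *' | cert_day)
    end=$(field 'Not After *: *' | cert_day)
    # Remaining rules apply only to certificates issued after July 1, 2019,
    # which is day 18078 since the epoch. Comparison is at day granularity.
    if [ "${start:-0}" -gt 18078 ]; then
        has 'TLS Web Server Authentication' || echo "no serverAuth Extended Key Usage"
        [ $((end - start)) -le 825 ] || echo "validity is $((end - start)) days, limit is 825"
    fi
    return 0
}

sample_cert_text() {  # constructed excerpt of openssl text output
    cat <<'EOF'
    Signature Algorithm: sha256WithRSAEncryption
            Not Before: Sep  1 00:00:00 2019 GMT
            Not After : Sep  1 00:00:00 2022 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
EOF
}

sample_cert_text | check_cert_text
```

An empty result means none of the listed rules was violated; when a load balancer sits in front of the servers, the certificate to check is the one it presents to devices.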

Klenke_daniel
New Contributor III

Got this figured out. We had to take the keystorepass from the tomcatconf folder and use the keytool in Java to separate the files into the cert.pem and key.pem. Once that was done we uploaded them to our load balancer.

mischko86
New Contributor

@DanJ_LRSFC

We have the Same Problem with Profile Manager. How did you add the new cert into the PreStage Enrolments settings?

reyagarcia88
New Contributor

Having same issue. Was able to use Apple Configurator and enroll a device a few short months ago. Now I keep getting "The configuration for your iPhone could not be downloaded...cancelled". Need help.

Morgsy
New Contributor

reyagarcia88, same issue yesterday across multiple schools and accounts. Found the server URL was slightly different in the AC2 blueprint than that displayed in JAMF under enrol new devices. Rewrote the "prepare" steps in each blueprint with a "new" server... all was good.

ASVtechnology
New Contributor III

I set up a new Blueprint with the server I see on Jamf and get the same error.

Can someone check

mplisd
New Contributor II

Anyone found a working solution to this hell?

I only experience it on my iPads.

s_janson
New Contributor

Hi,
Have you checked if your DEP server token hasn't expired? If so, then the server token needs to be renewed from ASM. Hopefully that helps.

s_janson
New Contributor

Have you checked if the DEP server token is not expired? If expired then it needs to be renewed from ASM. Hopefully that helps.