Update: This issue is documented on Jamf’s Known Issues page as PI-007522.
After upgrading our Jamf Pro server to 10.17.1, I was going through and updating a number of our PreStage Enrollments and noted that the sync was failing to complete. Normally when I’ve had issues with Jamf Pro communicating to DEP (now Automated Device Enrollment) all that’s been needed is to download a new MDM server token from Apple School Manager (or Business Manager) and upload it into our MDM. However, this time it did not resolve our communication issues.
A short call with Jamf Support later and the culprit was how the new version of Jamf Pro was attempting to communicate with DEP: via TLSv1.3. As it turns out, Apple hasn’t yet implemented 1.3, so the fix was to force Tomcat to use 1.1 or 1.2.
To do this, we completed the following in CentOS:
```bash
# 1) Remotely connect and navigate to Jamf Pro Server's Tomcat ../bin directory
cd /usr/local/jss/tomcat/bin

# 2) Make a copy of the 'setenv.sh' file
cp setenv.sh /desired/backup/location/setenv.sh.backup

# 3) Edit the original setenv.sh file in your editor of choice, adding the
#    following line ABOVE the existing 'export CATALINA_OPTS=...' line
export JAVA_OPTS="$JAVA_OPTS -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2"

# 4) Save the file and restart your Jamf Pro service
jamf-pro server restart
```
Note: Initially, after adding this new line to the file the Jamf Pro service failed to start. This was due to the fact that when the command was shared with me it contained a smart quote “ rather than regular quotes.
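A pre-restart check for the two ways the edit in step 3 can go wrong (a pasted smart quote, or the new line landing below `export CATALINA_OPTS=`), as an added example that is not part of the original post or of Jamf's tooling. The function name `check_setenv` is hypothetical, and the file to check is passed as an argument.

```shell
#!/bin/sh
# Added example: sanity-check an edited Tomcat setenv.sh before restarting
# the Jamf Pro service. check_setenv is a hypothetical helper name.

# check_setenv FILE -> prints findings, returns 0 only if nothing is wrong.
check_setenv() {
    file=$1
    rc=0

    # Typographic quotes U+201C, U+201D, U+2018, U+2019 as UTF-8 bytes.
    # The shell treats them as ordinary characters, so the value that
    # follows them is not actually quoted.
    ldq=$(printf '\342\200\234'); rdq=$(printf '\342\200\235')
    lsq=$(printf '\342\200\230'); rsq=$(printf '\342\200\231')
    if LC_ALL=C grep -n -F -e "$ldq" -e "$rdq" -e "$lsq" -e "$rsq" "$file"; then
        echo "FAIL: typographic quote(s) on the line(s) listed above"
        rc=1
    fi

    # First uncommented line that sets the TLS client protocol list.
    tls_line=$(LC_ALL=C grep -n \
        '^[[:space:]]*export JAVA_OPTS=.*-Djdk\.tls\.client\.protocols=' \
        "$file" | head -n 1 | cut -d: -f1)
    # First 'export CATALINA_OPTS=' line; the new line must sit above it.
    cat_line=$(LC_ALL=C grep -n '^[[:space:]]*export CATALINA_OPTS=' \
        "$file" | head -n 1 | cut -d: -f1)

    if [ -z "$tls_line" ]; then
        echo "FAIL: no 'export JAVA_OPTS=... -Djdk.tls.client.protocols=' line"
        rc=1
    elif [ -n "$cat_line" ] && [ "$tls_line" -gt "$cat_line" ]; then
        echo "FAIL: TLS line ($tls_line) is below export CATALINA_OPTS ($cat_line)"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $file"
    fi
    return "$rc"
}

# Usage: sh check_setenv.sh /usr/local/jss/tomcat/bin/setenv.sh
if [ "$#" -gt 0 ]; then
    check_setenv "$1"
fi
```

Run it against the edited file after step 3 and restart the service only when it prints `OK`.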