Forcing Jamf Pro 10.17.1 to Not Use TLSv1.3 – Known Issue

Update: This issue is documented in Jamf’s Known Issues page identified as PI-007522

After upgrading our Jamf Pro server to 10.17.1, I was going through and updating a number of our PreStage Enrollments and noted that the sync was failing to complete. Normally when I’ve had issues with Jamf Pro communicating to DEP (now Automated Device Enrollment) all that’s been needed is to download a new MDM server token from Apple School Manager (or Business Manager) and upload it into our MDM. However, this time it did not resolve our communication issues.

A short call with Jamf Support later and the culprit was how the new version of Jamf Pro was attempting to communicate with DEP: via TLSv1.3. As it turns out, Apple hasn’t yet implemented 1.3, so the fix was to force Tomcat to use 1.1 or 1.2.

To do this, we completed the following in CentOS:

# 1) Remotely connect and navigate to Jamf Pro Server's Tomcat ../bin directory

cd /usr/local/jss/tomcat/bin

# 2) Make a copy of the '' file

cp /desired/backup/location/

# 3) Edit the original file in your editor of choice, adding the
# following line ABOVE the existing 'export CATALINA_OPTS=...' line

export JAVA_OPTS="$JAVA_OPTS -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2"

# 4) Save the file and restart your Jamf Pro service

jamf-pro server restart

Note: Initially, after adding this new line to the file the Jamf Pro service failed to start. This was due to the fact that when the command was shared with me it contained a smart quote rather than regular quotes ".

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s