There's no Policy history but we can see MDM commands have been sent successfully in the Management history…

To answer that question, it's time to dive into the logs and look for clues! Specifically, /var/log/jamf.log

Jamf tries to create the Management Account:

```
Wed Feb 01 09:10:36 MacBook Air jamf: Creating user _jssadm…
```

Bad things happen:

```
Wed Feb 01 09:12:01 MacBook Air jamf: The SSL Certificate for must be trusted for the jamf binary to connect to it.
Wed Feb 01 09:12:03 MacBook Air jamf: Skipping trustJSS command…
Wed Feb 01 09:12:03 MacBook Air jamf: An error occurred while enrolling computer: Permission Error - The user specified does not have permission to perform the action.
Wed Feb 01 09:12:03 MacBook Air jamf: Restoring JAMF.keychain since an error occurred.
Wed Feb 01 09:12:03 MacBook Air jamf: Error Domain= Code=-25300 "searchForItems:conversionBlock:error: : The specified item could not be found in the keychain." UserInfo=
Wed Feb 01 09:12:05 MacBook Air jamf: Device Signature Error - A valid device signature is required to perform the action.
```

What went wrong? It's not clear, but we can see some problems…

1. There's a permission issue that seems to stop the "user specified" (who is that?) from completing the enrolment.
2. It looks like the jamf binary had problems working with a certificate it needed from a keychain in order to enrol the computer.
3. Communication between the Jamf Pro server and the computer wasn't trusted, and therefore not allowed (the jamf binary won't do anything!).

Focusing on point 1 above – could the "user specified" be the Jamf Management Account?

Digging further, I noticed this:

- Jamf Pro was configured to create a Management Account.
- The Computer PreStage Enrolment was configured to Create a local administrator account before the Setup Assistant.
- Both accounts had the same username (_jssadm).

Could we be hitting a race condition where the jamf binary tries to create the Management Account even though the local administrator with the same username is already there? And if that happened, could that make macOS go crazy?

Wait, what's the Management Account and why does it matter?

The Management Account has been a staple in Jamf, and previously the Casper Suite, for a long time. Its original purpose was to have an account on the computer that could be used for SSH access for Jamf Remote, a tool used to run ad-hoc policies and start tunnelled Screen Sharing (VNC) sessions on computers connected to the same local network. Jamf Remote is gone, but now the Management Account lives on as a means to allow management of FileVault enabled users.

You create this account (if you want to) in Settings > User-initiated enrolment > macOS. You should Enable user-initiated enrollment for computers and enter credentials for the Management Account. The computer record needs that information for Jamf to consider it as "Managed" and send MDM commands etc.

You don't have to create the Management Account if you don't need a workflow for FileVault users as described above. The Management Account does not need to exist on the computer at all!

If you create a Management Account and a local administrator account in the PreStage Enrolment settings, they must not share the same username.
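To make the log-diving step repeatable, here is a small shell triage for /var/log/jamf.log. This is an added example, not code from the original post or from Jamf: the function names (`jamf_enrol_triage`, `jamf_enrol_suspect_user`) are invented here, and the sample log is constructed from the entries quoted above, with `jamf.example.com` standing in for the server hostname the post leaves out. It counts each of the failure signatures discussed (untrusted certificate, skipped trustJSS, permission error, keychain restore, missing keychain item, device signature error) and pulls out the account the jamf binary was creating right before the failure, which is the clue that leads to the duplicate-username hypothesis.

```shell
#!/bin/sh
# Added example, not code from the original post. Triages a jamf.log for the
# enrolment failure signatures quoted in the post and pulls out the account
# the jamf binary was creating just before things went wrong.

# Constructed sample standing in for /var/log/jamf.log. Lines are modelled on
# the entries quoted in the post; jamf.example.com is a placeholder hostname.
SAMPLE_JAMF_LOG='Wed Feb 01 09:10:36 MacBook Air jamf: Creating user _jssadm...
Wed Feb 01 09:12:01 MacBook Air jamf: The SSL Certificate for jamf.example.com must be trusted for the jamf binary to connect to it.
Wed Feb 01 09:12:03 MacBook Air jamf: Skipping trustJSS command...
Wed Feb 01 09:12:03 MacBook Air jamf: An error occurred while enrolling computer: Permission Error - The user specified does not have permission to perform the action.
Wed Feb 01 09:12:03 MacBook Air jamf: Restoring JAMF.keychain since an error occurred.
Wed Feb 01 09:12:03 MacBook Air jamf: Error Domain= Code=-25300 "searchForItems:conversionBlock:error: : The specified item could not be found in the keychain."
Wed Feb 01 09:12:05 MacBook Air jamf: Device Signature Error - A valid device signature is required to perform the action.'

# jamf_enrol_triage LOGFILE
# Prints one "signature=count" line per enrolment failure signature and
# returns 1 when any failure signature is present. The create_user line on
# its own is informational, so it is reported but does not count as a failure.
jamf_enrol_triage() {
    log=$1
    failed=0
    for entry in \
        'create_user|jamf: Creating user' \
        'ssl_untrusted|must be trusted for the jamf binary' \
        'trustjss_skipped|Skipping trustJSS' \
        'permission_error|Permission Error - The user specified does not have permission' \
        'keychain_restored|Restoring JAMF.keychain' \
        'keychain_item_missing|Code=-25300' \
        'device_signature|Device Signature Error'
    do
        name=${entry%%|*}
        pattern=${entry#*|}
        # grep -c exits 1 when nothing matches but still prints 0; keep the
        # count and ignore the exit status (missing file -> empty -> 0).
        n=$(grep -c -F -- "$pattern" "$log" 2>/dev/null || true)
        n=${n:-0}
        printf '%s=%s\n' "$name" "$n"
        if [ "$name" != create_user ] && [ "$n" -gt 0 ]; then
            failed=1
        fi
    done
    return $failed
}

# jamf_enrol_suspect_user LOGFILE
# Prints the username from the last "Creating user ..." entry (the account
# the binary was creating when enrolment fell over); prints nothing if absent.
jamf_enrol_suspect_user() {
    sed -n 's/.*jamf: Creating user \([_A-Za-z0-9-]*\).*/\1/p' "$1" | tail -n 1
}

# Stand-alone run against the constructed sample. On a real Mac point the
# functions at /var/log/jamf.log instead.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_JAMF_LOG" > "$demo_log"
if jamf_enrol_triage "$demo_log"; then
    echo "no enrolment failure signatures found"
else
    echo "enrolment failed; account being created at the time: $(jamf_enrol_suspect_user "$demo_log")"
fi
rm -f "$demo_log"
```

If the triage reports a permission error right after a `create_user` line, and the name it prints is the same one the PreStage Enrolment already created as a local administrator, you are looking at exactly the username clash the post describes; the fix is on the Jamf Pro side (different usernames, or no Management Account at all), not on the Mac.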