
mismatched tag at line 10, column 2, byte 404:

Open AxeKR opened this issue 9 months ago • 8 comments

Hello,

I have tried to run the tool with an API client, but it throws an error. The response suggests that a site is being called that does not return the correct response? Or have I overlooked something?

mismatched tag at line 10, column 2, byte 404:

Mon Mar 31 11:56:07 XXX-22-L0607.xxxxx.de [ReEnroller]:    command result: Checking for policies triggered by "apiMDM_remove" for user "username"...
Executing Policy apiMDM_remove
Submitting log to https://jamf.xxx.de:8443/
Executing Policy apiMDM_remove Script
Running script apiMDM_remove...
Script exit code: 0
Script result: computer UUID: A0D31007-2D55-54FB-B421-FE81F064EA51
get computer ID: curl -m 20 -s https://jamf.xxxx.de/JSSResource/computers/udid/A0D31007-2D55-54FB-B421-FE81F064EA51/subset/general -H "Accept: application/xml" -H "Authorization: Bearer ..."

mismatched tag at line 10, column 2, byte 404:
<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2">here</a>.<br>
	Please continue your visit at our <a href="/">home page</a>.
</p>
=^
</body>
</html>
 at /System/Library/Perl/Extras/5.34/darwin-thread-multi-2level/XML/Parser.pm line 187.
computer ID: 
unmanage machine: curl -m 20 -s https://jamf.xxxxx.de/JSSResource/computercommands/command/UnmanageDevice/id/ -X POST -H "Authorization: Bearer ..."
<html>
<head>
	<title>Status page</title>
</head>
<body style="font-family: sans-serif;">
<p style="font-size: 1.2em;font-weight: bold;margin: 1em 0px;">Unauthorized</p>
<p>The request requires user authentication</p>
<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2">here</a>.<br>
	Please continue your visit at our <a href="/">home page</a>.
</p>
</body>
</html>

Submitting log to https://jamf.xxxx.de:8443/

AxeKR avatar Mar 31 '25 10:03 AxeKR

Ah, it looks like the same issue as in #16. After using the Display Name of the API Client instead of the client ID, the issue persists.

AxeKR avatar Mar 31 '25 10:03 AxeKR

Definitely want to use client ID and secret generated on the server you are migrating from. Any chance we can look at the policy log that calls the mdm removal script? Should start out something like:

Script result: using server read from com.jamfsoftware.jamf.plist: https://<your>.jamfcloud.com/
computer UUID: 341BF159-C62B-59EB-R549-39B98F7633F6
get computer ID: curl -m 20 -s https://<your>.jamfcloud.com/JSSResource/computers/udid....

Be sure to mask sensitive info, like bearer token, maybe server name, UUID... Sounds like we might not be getting a bearer token.

BIG-RAT avatar Apr 02 '25 23:04 BIG-RAT
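The first log in this thread shows a 401 HTML status page being handed to the XML parser (hence "mismatched tag"), followed by an UnmanageDevice call with an empty ID. The sketch below is an added example, not ReEnroller's own code, of checking the reply before parsing it; the function names, the sample bodies and the `jamf.example.invalid` host are constructed for illustration.

```sh
#!/bin/sh
# Added example. In a real script the status would come from something like:
#   status=$(curl -m 20 -s -o "$tmpfile" -w '%{http_code}' ... "$url")
# Constructed sample replies (not taken from a real server):
SAMPLE_XML='<?xml version="1.0" encoding="UTF-8"?><computer><general><id>42</id><name>test-mac</name></general></computer>'
SAMPLE_401='<html>
<head><title>Status page</title></head>
<body><p>Unauthorized</p></body>
</html>'

# extract_computer_id STATUS BODY -> prints the numeric id, or returns non-zero.
extract_computer_id() {
    status=$1
    body=$2
    # 1. Anything but 200 means auth or proxy trouble (the 401 case above).
    if [ "$status" != "200" ]; then
        echo "refusing to parse: HTTP $status" >&2
        return 1
    fi
    # 2. A proxy or status page returns HTML, not the requested XML.
    case $body in
        '<?xml'*|'<computer>'*) ;;
        *) echo "refusing to parse: body is not XML" >&2; return 2 ;;
    esac
    # 3. Pull <general><id>N</id> and insist on a non-empty number.
    id=$(printf '%s' "$body" | tr -d '\n' |
         sed -n 's:.*<general>[[:space:]]*<id>\([0-9][0-9]*\)</id>.*:\1:p')
    if [ -z "$id" ]; then
        echo "refusing to continue: no computer id in reply" >&2
        return 3
    fi
    printf '%s\n' "$id"
}

# Build the UnmanageDevice URL only when an id was obtained, so the script
# never posts to ".../UnmanageDevice/id/" with nothing after it.
unmanage_url() {
    id=$(extract_computer_id "$2" "$3") || return $?
    printf '%s/JSSResource/computercommands/command/UnmanageDevice/id/%s\n' "${1%/}" "$id"
}

# Demo on the constructed samples.
unmanage_url "https://jamf.example.invalid" 200 "$SAMPLE_XML"
unmanage_url "https://jamf.example.invalid" 401 "$SAMPLE_401" || echo "stopped with code $?"
```

A non-zero return here is the point at which to log the HTTP status and stop, rather than continue to the unmanage step.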

Got it. I think my proxy server killed the bearer token; addressing the local on-prem URL without the nginx proxy solved it.

On my test devices the management profile was not installed. The framework was installed and I was able to locate the device in the new Jamf instance, but the management profile was missing.

Did I forget something?

AxeKR avatar Apr 03 '25 11:04 AxeKR

Are the devices in Apple Business/School Manager? Scoped to a prestage? If not, you'll need to have the user perform a manual enrollment (user-initiated enrollment). Since the device has the jamf binary, you can use policies/Self Service to guide the user to the web page for enrollment.

BIG-RAT avatar Apr 04 '25 01:04 BIG-RAT

Yes, all devices are scoped to prestage enrollment. My test device is running into the error "Enrollment Configuration: Client is not DEP enabled."

We have moved all our Devices to the new MDM Server in ABM. And it is synced with the prestage enrollment scope. But the Enrollment Script is running into this error. Jamf Binary is installed but the profiles are missing.

With `sudo profiles renew -type enrollment` I was able to install the profile manually.

Maybe I don't have a good overview of the requirements, or I'm not following the correct sequence?

1. Device is managed by old Jamf.
2. ABM: move Devices to NEW Jamf MDM.
3. Device is scoped to normal Prestage Enrollment Profile like all other or new Devices.
4. Run ReEnroller Policy on OLD Jamf.
5. Script is called and installs NEW Jamf Binary.
6. OLD Jamf MDM is removed.
7. "Enrollment Configuration: Client is not DEP enabled."

AxeKR avatar Apr 07 '25 12:04 AxeKR

Just to be sure, you're running v5.8.1? That version essentially runs the profiles command you ran: /bin/launchctl asuser $(id -u "$(stat -f%Su /dev/console)") /usr/bin/profiles renew -type enrollment

BIG-RAT avatar Apr 07 '25 17:04 BIG-RAT

Yes, I'm using the latest version of ReEnroller. I should be able to run the command through the policy on the new Jamf to make sure.

AxeKR avatar Apr 08 '25 05:04 AxeKR

Hello,

I have to take up the issue again, but it is probably not necessarily an issue with the tool but rather a different topic. I manage to remove the system with the ReEnroller from the old jamf and also register it in the new jamf.

But what is missing in the end are the profiles. The command `/bin/launchctl asuser $(id -u "$(stat -f%Su /dev/console)") /usr/bin/profiles renew -type enrollment` always leads to an error, whether manually or directly via the script with version 5.8.1.

Error: DEP enrollment failed: The cloud configuration server is unavailable

We have already assigned the OnPrem macOS devices to the new JamfCloud server via the ABM and scoped them in a prestage enrollment.

What are we missing, what have we forgotten? Hoping for help, we remain with kind regards

I have attached the log file. The system is bound to the cloud Jamf server, the binary is fine, profiles are missing.

```
Fri Apr 25 09:19:44 COP-20-L0293.company.de [ReEnroller]:  running command: /bin/launchctl asuser $(id -u "$(stat -f%Su /dev/console)") /usr/bin/profiles show -type enrollment
Fri Apr 25 09:20:00 COP-20-L0293.company.de [ReEnroller]:  command result: Error fetching Device Enrollment configuration: (34006) Error Domain=MCCloudConfigurationErrorDomain Code=34006 "The cloud configuration server is unavailable." UserInfo={CloudConfigurationErrorType=CloudConfigurationFatalError, NSLocalizedDescription=The cloud configuration server is unavailable., NSUnderlyingError=0x600000424030 {Error Domain=com.apple.MobileActivation.ErrorDomain Code=-1 "Failed to create reference key." UserInfo={NSLocalizedDescription=Failed to create reference key., NSUnderlyingError=0x600000424750 {Error Domain=com.apple.MobileActivation.ErrorDomain Code=-1 "Failed to create ref key." UserInfo={NSLocalizedDescription=Failed to create ref key., NSUnderlyingError=0x6000004247b0 {Error Domain=NSOSStatusErrorDomain Code=-25308 "Failed to generate keypair" (errKCInteractionNotAllowed / errSecInteractionNotAllowed: / Interaction is not allowed with the Security Server.) UserInfo=0x600001f25e40 (not displayed)}}}}}}
```

reenroller.txt

AxeKR avatar Apr 25 '25 07:04 AxeKR