Casper MDM continually prompted for enrollment

  • 1
  • Question
  • Updated 3 years ago
  • Answered
We're using Casper and have MDM enrollment enabled. For initial enrollment, the user is able to connect to the wireless network and install all the profiles from the JAMF server. However, once the device is enrolled, the user is perpetually prompted for device enrollment.

I've done all combinations I can think of for removing profiles, disabling / reenabling wifi, rebooting the device, and the user is still continually prompted for their enrollment credentials after already being enrolled.
Photo of David Heineck

David Heineck

  • 5 Posts
  • 0 Reply Likes
  • frustrated

Posted 4 years ago

  • 1
Photo of Andrew MacTaggart

Andrew MacTaggart, Champ

  • 483 Posts
  • 86 Reply Likes
Hi David

I had previously tested Casper integration with Aerohive and I don't recall such issues.
I believe I was using HMOP HM version 6.1r3 and JAMF 9.2

Might I suggest that you state all relevant information

such as

HMOP or HMOL
HM version
AP model and Hive OS version
JAMF version

The kind of JAMF configuration you are using
PSK or Dot1X etc...

and posting and relevant configuration info.

generally if a system like JAMF or Clearpass Onboard keeps asking to enroll, it means that the profile is not providing info to indicate that it is already enrolled or the profile did not install properly.This may be different for different client types.

Cheers
A
Photo of David Heineck

David Heineck

  • 5 Posts
  • 0 Reply Likes
Andrew,

Thanks for the quick response.  We're running Enterprise 6.1r6a hosted by Aerohive.  The access points we've tested are AP 120 and AP 230, each running HiveOS 6.1r6.1779.  

JAMF is running JSS 9.3, but I'm not sure how to relay configuration information.  I believe our setup is fairly straight-forward.  

I'm not sure of the exact sequence, but the same configuration was working for isolated test devices 2 weeks ago.  We began enrolling large groups of students last week, and this is when the problems appear to have begun.

I can confirm that the profiles have installed on the device, and I do see the device enrolled in JAMF.  I have deleted the profiles, turned off wireless, rebooted the device, and reenrolled - but the problem continues.

Thanks,

Dave Heineck
Photo of Andrew Garcia

Andrew Garcia, Official Rep

  • 368 Posts
  • 120 Reply Likes
In the past, I have seen two potential causes for this behavior. 

1) A delimeter mismatch between what Aerohive uses and what JSS expects.  This was a problem with one previous version of JSS, an issue that was subsequently resolved by JAMF.

2) The other issue was if the client never successfully completes the inventory after enrollment.  Once a device enrolls, JAMF would send an inventory request via APNS. If the client never receives the inventory request (perhaps because APNS is blocked by a firewall rule), then JSS does not know the client MAC address.  Since JSS does not know the MAC address to put on the ACCEPT list, the device would fail the enrollment check on the Aerohive AP.   

Does the client record in the JSS inventory show a MAC address for a client experiencing this behavior?


By the way, you can mimic a JSS lookup from HiveManager or from AP CLI. In HiveManager.  From HiveManager, go to Monitor > Active Clients, then find and select a client having this problem.  Click Operation > Show Enrollment.

From AP CLI, you can do the same thing by typing:  exec jss-check mobile-device <YOURMACADDRESS>
Photo of David Heineck

David Heineck

  • 5 Posts
  • 0 Reply Likes
The mac address for the iPad is listed in the JSS inventory.  

When I run the 'show enrollment' command from HiveManager, I get:
'Device 3010:e4dd:e4d6 is not enrolled'
Photo of David Heineck

David Heineck

  • 5 Posts
  • 0 Reply Likes
I did confirm that the mac address for the iPad is the same in HiveManager as it is in JSS
(Edited)
Photo of David West

David West

  • 1 Post
  • 0 Reply Likes
Did you ever resolve this? We are just starting to look into using this set up and a device I know is enrolled get the 'Device 3010:e4dd:e4d6 is not enrolled' type issue
Photo of David Heineck

David Heineck

  • 5 Posts
  • 0 Reply Likes
We haven't seen the issue in a while.  After updating the latest versions of JSS, things have behaved properly.