Alan Siu's Blog

Fixing Jamf device signature error

Even though this Jamf Nation thread is five years old, as of this writing, it’s still got the solution to the Device Signature Error - A valid device signature is required to perform the action error message.

In my experience, the actual working solution is to run sudo jamf enroll -prompt and then enter credentials when prompted. Repeatedly running sudo jamf recon (even after a reboot) or sudo jamf policy doesn’t fix the issue, nor does verifying that the system clock time is correct.

Now why this comes up in the first place on a freshly factory-reset computer that DEP-enrolled in Jamf—who knows but Jamf?

Posted

in

by

alanysiu

Tags:

, ,

Comments

10 responses to “Fixing Jamf device signature error”

  1. Jason Rambo Avatar
    Jason Rambo

    THANK YOU for the referehser. I’m so glad you closed with “who knows but Jamf?” – thought I was insane that my factory reset dep enrolled 10.15.6 machine was throwing this error. Did wonder if it was a 10.15.7 software update issue but even if it was … it seems like a long-lived issue. Saved my bacon though being on a tight timeline and having not used the enroll -prompt to refresh the cert (that looks, otherwise, to be valid…) … in a number of years when I was hitting this problem frequently due to problems, or so it seemed, between JAMF/MacOS 10.13.x and the T2 machines the special 10.13 build ran on. I frankly forgot all about it (PTS I’m sure).

    Reply
  2. Byrd Avatar
    Byrd

    Fixed the issue! Thanks!!

    Reply
  3. Cheryl Avatar
    Cheryl

    Thanks for this quick fix. Worked perfectly!

    Reply
  4. LukeD Avatar
    LukeD

    It’s back in Monterey.

    This doesn’t work since by it is no longer Pre-Stage enrolled so isn’t supervised, misses its ‘Enrolment Complete’ trigger and does not fall into any groups based on the Prestige group.

    Reply
  5. Sharif Khan Avatar
    Sharif Khan

    It is happening on Monterey 12.3 and above. Machine assigned in pre-stage and ADE finish but machine went to shutdown. Since we created JMA account during pre-stage that actually help me to get on the machine and then run sudo profiles renew -type enrollement fix the enrollment issue. I have a service ticket open with Jamf support on this issue but still they are looking this issue.

    Reply
    1. alanysiu Avatar
      alanysiu

      Yeah, I tried sudo profiles renew -type enrollment recently, and that seemed a better fix.

      Reply
      1. Mike Avatar
        Mike

        Thank you for posting this!!!!!! you just saved my butt with a mac that dropped communication with Jamf. Nothing else worked but ran this command and it came right back in!

        Reply
      2. James Anderson Avatar
        James Anderson

        Tried this today and it worked for me as well. Thanks for sharing this.

        Reply
  6. Kerem Avatar
    Kerem

    Device was brand new unboxed and enrolled for first time via DEP successfully and yet somehow not enrolled and giving the Device signature error.

    Sure enough, this fix worked but hilarious in terms of “who knows why but Jamf.”

    Reply
  7. Fabio Cerullo Avatar
    Fabio Cerullo

    Since Jamf Pro version 10.36, there is a new feature called Jamf Binary self-heal that a lot of admins have been waiting to see for a long time.

    You now have a way to redeploy the Jamf management framework without having to unenroll and re-enroll a computer.

    A brief overview of how to utilize the new feature in Jamf Pro 10.36:

    1) Locate the Jamf Pro Computer ID for the computer in its current state. You can find it either within the URL of the computer record or under the attribute ‘Jamf Pro Computer ID’ within a computer record in Jamf Pro.

    2) Access the Jamf Pro API (not the Classic API) by navigating to yourserver.com/api. Authenticate using an account that possesses sufficient privileges to issue commands, or use your administrator account.

    3) Identify the ‘jamf-management-framework’ endpoint and expand the available options. You will notice it supports the POST method.

    4) Click the ‘Try it out’ button. Input the computer ID into the designated field and click ‘Execute.’

    5) In the Management tab of the computer record, you will observe a pending command for ‘InstallApplication.’ Please note that this is a user interface peculiarity, as any application installation via MDM on 10.14+ systems inherently utilizes ‘InstallEnterpriseApplication’ by default.

    6) Assuming the computer remains connected online, you will witness the command execution, and the computer will undergo re-enrollment once the QuickAdd installation is completed. This process will adhere to the re-enrollment settings as configured within the Jamf Pro server.

    7) Voila!

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *