Apple Classroom – Configuration Not Valid

In the past couple months, we have been getting reports of teachers randomly getting this error on their iPads:

Configuration Invalid

Classroom must be configured with a valid education configuration profile. Contact your network administrator for assistance.

Error message appearing on teacher iPads

We were able to fix this by assigning the iPad to a different user and then assigning if back to the teacher. If you want to know why that works, read on.

The error was a surprise, because Apple Classroom has been one of those things that has always “just worked” in our environment. Apple School Manager syncs with our SIS to get classes, then we import those classes into Jamf. Jamf populates these classes with roster information that includes student and teacher names and email addresses. When an iPad is enrolled or assigned to a user, Jamf checks to see if the user’s email address matches that of a student or teacher associated with a roster. If it finds a match, the iPad downloads the EDU profile and Apple Classroom magically works. The teacher can see all of their student iPads that are within Bluetooth range.

(In the past, we have seen some odd issues with the EDU profile. This usually stems from user information not exactly matching. I will write a post about that someday and how we check for it and what we do to fix it, but today we are dealing with this issue.)

We did the usual troubleshooting steps – check for Bluetooth connection, make sure the iPad is online, etc. Everything looked okay. Then we looked in Jamf and saw that it did have the EDU profile and the user information was all correct. I started a ticket with Jamf and found out that this is a known bug and it relates to iPadOS 15:

PI-010204: The EDU profile is sometimes improperly installed and gives an error that the configuration is invalid. Occurs when an iOS devices is updated to iOS 15 and the EDU profile is updated on the device.

Since the EDU profile is the culprit, the only workaround is to reinstall it. This can be done either by enrolling a new iPad (a lengthy process that may or may not work) or assigning the iPad to a different user and back to the original. This clears out the “bad” EDU profile and downloads a new version of it.

Update 11/18/21 – Neil Martin pointed out on Twitter that reassigning the iPad to another user may affect any profiles or apps that are scoped to that user. He suggests this:

Ahh we’ve hit this as well… because we do a lot of LDAP group based app/profile scoping for customers, swapping users causes stuff to get removed/changed. We’ve been creating an empty class in Jamf and adding affected users to that, then removing them, re-pushing the EDU profile

@neilmartin83

The workarounds are fine for one-offs when a teacher puts in a ticket, but it would be better if we could prevent this from happening. While we wait for Jamf to fix the PI (which could take a while), we looked for other signs that something was off. One of our techs was bright enough to notice that the iPads having the issue were missing some certificates. In particular, they were missing leader: JSS Built-In Signing Certificate (there should be two of these) and member: JSS Built-In Signing Certificate.

These 3 certificates are present on an iPad when Classroom is working correctly. They are missing when it is not.

So we had an easy way to find iPads that were having the issue before they made a ticket in frustration! I created a search in Jamf for iPads that had the EDU profile but did not have the member: JSS Built-In Signing Certificate installed.

Advanced Search criteria for finding iPads that are having this issue.

In our case, there were only 6 iPads so it was easy enough to assign the EDU profile to another user and back manually. If you have a lot of these to do, you could certainly create a script with the Jamf API to fix this issue. You would want to:

  1. Loop through devices in the advanced search.
  2. For each device, go to the device record and get the username.
  3. Store the username.
  4. Change the username to something else (could be anything as long as it isn’t associated with a user that has a roster).
  5. Send an update inventory command to the iPad.
  6. Check to see if the device still has the EDU profile installed. If it does, sleep and then try again until the EDU profile is gone.
  7. Once the EDU profile is gone, change the username back to what you stored in step 3.

Hopefully Jamf fixes this very annoying bug soon!

Leave a Comment

Your email address will not be published. Required fields are marked *