Is the computer actually in communication with Jamf at the time you pull it from scope? They need to be actively communicating.
I regularly add an individual device in as an exception to a profile, and within seconds you see that change happen on the device. Apply to new devices only is the choice I make on save.
If you are simply removing a device from a group, and then waiting for the Jamf server to catch up with the change, it may be better for you to add the device as an exception to the policy, and then once the policy has dropped, to remove it from the group that put it in scope in the first place. Not so scriptable I know. Maybe script adding the computer to an exception group.
Removing the policy will require you to get the device to communicate with the Jamf server for it to pick up the change. If you have deleted the policy but it hasn't gone from the device, then you have a problem. I have a Null group set up, and when I have a policy I no longer want I assign it to the Null group. There are no members of this group, ever; it is always empty for this purpose. That way the policy has something in scope, but no devices. It seems to work for me.
Hi PaulHazelden,
Thanks for the reply. As the profile is for just one computer, it is initially scoped to just that computer.
To remove the profile I change it to be scoped to no computers.
I would normally expect the profile to be removed fairly quickly, and I even manually trigger
sudo jamf policy
on the device to try and make it happen immediately. The command runs to completion on 3 of the 4 computers I have tested with, but the profile is not removed from the computer.
Is there another way to double-check connectivity?
In the computer record, look at last check in and make sure that is very recent.
It should say Yes to ... Managed, Supervised, MDM Capability, User approved MDM
I also run an EA to check on MDM connection...
#!/bin/bash
# Extension Attribute: search the last day of unified log output from mdmclient
# for the identity failure that shows the MDM channel is broken.
result=$(log show --style compact --predicate '(process CONTAINS "mdmclient")' --last 1d | grep "Unable to create MDM identity")
# No matching lines means MDM is still talking to the server.
if [[ -z "$result" ]]
then
echo "<result>MDM is communicating</result>"
else
echo "<result>MDM is broken</result>"
fi
I would be tempted to move the computer to the exclusions for the policy, and resend the policy. See if that removes it.
I have had policies stuck before, and the only way I found to completely remove them was to erase the device.
Hi Paul
The computer is showing a last check in 15 minutes ago,
Managed: is “Managed”
Supervised: is “Yes”
User Approved MDM: is “Yes”
In addition to checking for "Unable to create MDM identity", I also scan for the UUID of my enrolment profile.
#!/bin/bash
# Extension Attribute: list the installed profiles and look for the UUID of the
# enrolment (MDM) profile; replace the placeholder with your own profile UUID.
mdmProfile=$(/usr/libexec/mdmclient QueryInstalledProfiles | grep "00000000-0000-0000-YOUR-PROFILEUID")
if [[ -z "$mdmProfile" ]]; then
result="MDM Profile Not Installed"
else
result="MDM Profile Installed"
fi
echo "<result>$result</result>"
This might never work, as with the profile missing it may not be able to report back that the profile is missing. However, I also have a Launch Daemon which will attempt to reconnect to the MDM if the profile is lost by triggering:
sudo profiles renew -type enrollment
This appears to allow users to re-enrol the computer, provided their credentials would be accepted by the self-enrolment page ( https://yourdomain.jamfcloud.com/enroll ), and it has worked a couple of times for users in the wild when we had a spate of computers failing to renew their enrolments.
I added the computer to the exclusions for the policy yesterday but this afternoon the policy still has not been removed.
Many thanks for the good ideas but unfortunately I’m still stuck.
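A combined version of the two Extension Attribute checks discussed in this thread, added here as an example rather than one of the posters' scripts: the classification is split into functions that take text, so it can be exercised on captured output and reports the missing-profile case on its own instead of behind a quiet log. ENROLL_UUID and the SAMPLE_* lines are constructed placeholders, not real mdmclient or log output.

```shell
#!/bin/bash
# Added example: one EA combining the thread's two checks (mdmclient identity
# failure in the unified log, and the enrolment profile UUID in the installed
# profile list). ENROLL_UUID is a placeholder; set it to your own profile UUID.
ENROLL_UUID="${ENROLL_UUID:-00000000-0000-0000-YOUR-PROFILEUID}"

# Any "Unable to create MDM identity" line in the supplied log text means MDM is broken.
classify_mdm_log() {
  if printf '%s\n' "$1" | grep -q "Unable to create MDM identity"; then
    echo "MDM is broken"
  else
    echo "MDM is communicating"
  fi
}

# Report whether the given UUID appears in the supplied profile-list text.
classify_profile() {
  if printf '%s\n' "$1" | grep -q -- "$2"; then
    echo "MDM Profile Installed"
  else
    echo "MDM Profile Not Installed"
  fi
}

# Combine both checks into one <result>. A missing enrolment profile is reported
# on its own, because without it a quiet log proves nothing about the MDM channel.
ea_result() {
  log_state=$(classify_mdm_log "$1")
  profile_state=$(classify_profile "$2" "$3")
  if [ "$profile_state" = "MDM Profile Not Installed" ]; then
    echo "<result>$profile_state</result>"
  else
    echo "<result>$log_state; $profile_state</result>"
  fi
}

# Constructed sample text (not real mdmclient/log output) showing the three outcomes.
SAMPLE_LOG_OK="2024-01-01 mdmclient: Polling for MDM commands"
SAMPLE_LOG_BAD="2024-01-01 mdmclient: Unable to create MDM identity"
SAMPLE_PROFILES="profileUUID: $ENROLL_UUID"
ea_result "$SAMPLE_LOG_OK" "$SAMPLE_PROFILES" "$ENROLL_UUID"   # both checks pass
ea_result "$SAMPLE_LOG_BAD" "$SAMPLE_PROFILES" "$ENROLL_UUID"  # identity failure logged
ea_result "$SAMPLE_LOG_OK" "" "$ENROLL_UUID"                   # enrolment profile gone

# On a Mac, gather the live data the thread's scripts use (paths exist only on macOS).
if [ -x /usr/libexec/mdmclient ]; then
  live_log=$(log show --style compact --predicate '(process CONTAINS "mdmclient")' --last 1d)
  live_profiles=$(/usr/libexec/mdmclient QueryInstalledProfiles 2>/dev/null)
  ea_result "$live_log" "$live_profiles" "$ENROLL_UUID"
fi
```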
Do the computers having issues have any issues connecting to Jamf? If you are removing a wireless profile, can they still communicate? Also, does the previous profile have any certs?
sudo jamf checkJSSConnection
It's definitely the sort of logic fail that will occasionally catch me out, but the computers in question are on ethernet...
% sudo jamf checkJSSConnection
Password:
Checking availability of https://YOURJAMF.jamfcloud.com/...
The JSS is available.
%