Skip to main content

We are in the middle of migrating between Sophos and Defender and have observed a large percentage of our devices don't have the right Defender Configuration profiles required to onboard our devices.  Defender has installed fine through policy, but can't work without its settings which are applied via Config profiles.

The Config profiles for Defender on a lot of active machines were discovered to be "Pending" from the Configuration Profiles view within Jamf, but for most Macs, there are no pending Management commands from the Inventory view, and for some they simply sit there indefinitely saying Pending.

I've managed to replicate the problem with really simple config profiles, such as some Finder config, without finding a fix.  We've just upgraded to 10.34.0 in the hope it magically fixed things, but it hasn't.

The devices affected are all active, checking in and updating inventory.  There's no obvious commonality between devices affected, almost everything comes in through Prestage enrolment, is running Big Sur, Catalina, or Monterey, etc.

Are you sure its not somting to do with your prestage? I saw something similar when installating configs with networks filters in the past. the app would install and drop the network connection and configs would be left as pending.

As a test set your prestage software install for anything with a network filter to cache only. have the configs apply and prestage, then have another install policy for devices with the app cached  with  (trigger for enrolement and reoccuring checkin). See if that gets around it.

@pchrichard Have you had the users on Macs with the profile stuck on Pending try restarting? This is a problem we see occasionally in our environment, especially on Macs with uptimes of more than a few weeks, and for some (but not all) restarting allows the profile to install. If that's not helping open a support case with Jamf and they can help you troubleshoot (I've got a case open for this problem myself).

Are you sure its not somting to do with your prestage? I saw something similar when installating configs with networks filters in the past. the app would install and drop the network connection and configs would be left as pending.

As a test set your prestage software install for anything with a network filter to cache only. have the configs apply and prestage, then have another install policy for devices with the app cached  with  (trigger for enrolement and reoccuring checkin). See if that gets around it.


@SCCM we don't have anything like that in prestage

@pchrichard Have you had the users on Macs with the profile stuck on Pending try restarting? This is a problem we see occasionally in our environment, especially on Macs with uptimes of more than a few weeks, and for some (but not all) restarting allows the profile to install. If that's not helping open a support case with Jamf and they can help you troubleshoot (I've got a case open for this problem myself).


@sdagley - it's not the easiest thing to troubleshoot with end users working remotely, but I'm seeing no improvements post-reboot.  There is an open case with Jamf but the suggested advice isn't particularly helpful.

@SCCM we don't have anything like that in prestage


But you are setting the config profiles to install before the application installs right? your not running both in parallel?

But you are setting the config profiles to install before the application installs right? your not running both in parallel?


Yes, in our experience the config profiles immediately post enrolment, long before any associated application installs via policy

@sdagley - it's not the easiest thing to troubleshoot with end users working remotely, but I'm seeing no improvements post-reboot.  There is an open case with Jamf but the suggested advice isn't particularly helpful.


@pchrichard 

Did you ever find a solution? We appear to be running into the same problem.

We also have exactly the same problem. Changing from ESET to Defender. Anyone has a suggestion ?

We also have exactly the same problem. Changing from ESET to Defender. Anyone has a suggestion ?


Interesting that this is brought up. Currently the defender profiles being pushed Macs are installed, but also sitting in the pending section. 

Interesting that this is brought up. Currently the defender profiles being pushed Macs are installed, but also sitting in the pending section. 


Yes - we noticed this to ?

Anyone know why ?

Same Here... Awaiting an answer from JAMF hopefully?

Yes - we noticed this to ?

Anyone know why ?


We ended up submitting a ticket in and was eventually working with a level 3 engineer to try to solve the issue. It wasn't with Defender but it was related to a issue when configuration profiles are removed. Until the issue is resolved on their end they recommend that you don't outright delete the config profile but instead unscope the computers and leave it alone until the PI is resolved.  They had to clear the database from all the pending configs and after that there wasn't as many issues. 

Terms & ConditionsCookie settingsAccessibility statement