Skip to main content

Hi all,

We have tested out the Jamf Compliance Editor and it works wonderfully till the point that we wipe the laptop and re enroll it.

 

In order to better understand and troubleshoot the availability of the policies, we have set the remediation and compliance policies to ongoing and also added them to self service so that we can see when we run run them.

 

For some reason, on a wiped laptop the remediation policy will be made available only one time after i ran the audit policy. However, the laptop wont be scoped to the remediation policy after that no matter what we did:

 

Restart, waiting for 24-36 hours, reset baseline, ran audit policy again, delete the device from Jamf before enrolling, erasing the Macbook reinstalling OS from scratch and enrolling.

 

The only thing that did work, was to install the compliance editor on the wiped laptop locally => create a new project => select the standard that we are aiming for (CIS1 in our case) => Create Guidance => Click on audit => Run.

 

After the compliance tests were done the remediation script was made available immediately to the laptop. At that point we removed the Compliance Editor from the laptop along with the project files and folders.

 

On a laptop that has the scripts running for the first time, we encountered no issues. 

Did anyone else came across this behavior on laptops that were wiped and managed to fix it?

 

Many thx!

Do you need to check this off in your Jamf?

Hi,

I enabled it and wiped and enrolled but it still didn't work.

The problem is that after the wipe and after the audit script is running, the laptop isn't being scoped into the remediation smart group and that is why it's not working.

thx,

Itamar

BTW, I also tried to flush all policies when i tried to troubleshoot it and it also didn't work 

If you computer will fall in and out of scope depending on its compliance, maybe you want to set the policy's frequency to Ongoing instead of Once Per Computer.

I'd be curious how you have your policies scoped and triggers setup. As @talkingmoose mentioned, you probably need to adjust the frequency. I have a blog on how I setup my audit and remediation in Jamf for mSCP: https://yearofthegeek.net/posts/running-audit-and-remdiation-on-multiple-os/


In the coming weeks, the video from my PSU Mac Admins talk will also be released which covers using JCE and mSCP from start to finish with Jamf.

If you computer will fall in and out of scope depending on its compliance, maybe you want to set the policy's frequency to Ongoing instead of Once Per Computer.


Hi,

The policy was always set to ongoing from the beginning.

thx,

Hi,

I set it by per the user guide. The only changes i made were:

Audit policy - instead of setting it up to recurring check in and once a day i set it up to Ongoing and recurring checkin and i made it also available to self service so i can see when its available to the laptop.

Remediation policy - I left it on Ongoing and recurring checkin and just made it available in self service.

 

So far i was just testing it in our sandbox and the issue only occurred there... I rolled it out to production today, and i can conform that the issue isnt happening there. Must be some kind of a sandbox bug...

 

thx for all the tips 😊

Reply


Terms & ConditionsCookie settings