Skip to main content
Answer

JAMF Pro Enrollment Issue After Computer Migration

  • December 4, 2019
  • 5 replies
  • 99 views
Z
Forum|alt.badge.img+3

Hello,

I recently migrated an employee to a new laptop. I used migration assistant to migrate the files over to the new machine. I ensured I removed all MDM profiles with the old machine to ensure certificate from the previous machine don't land on the new computer.

The new computer was DEP device so it enrolled it self before the migration started

The migration was successful however the new computer isn't taking management tasks. Check screenshot of management commands pending.

These commands have been pending for days now. Odd thing, the computer updates inventory and check in entirely fine

Here's what I tried

Command Run
sudo jamf recon
sudo jamf manage
sudo jamf policy
sudo jamf enroll -prompt (to see if the CA certificates will help)

Best answer by larry_barrett

Sudo jamf removeMDMprofile
Sudo jamf removeFramework
Sudo rm /var/db.AppleSetupDone

Restart and go through setup assistant again. I did not test this.

A

5 replies

Z
Forum|alt.badge.img+3
  • zake
  • Author
  • New Contributor
  • December 4, 2019

Any ideas?

L
Forum|alt.badge.img+13
  • larry_barrett
  • Contributor
  • Answer
  • December 4, 2019

Sudo jamf removeMDMprofile
Sudo jamf removeFramework
Sudo rm /var/db.AppleSetupDone

Restart and go through setup assistant again. I did not test this.

T
K
C
M
Forum|alt.badge.img+16
  • mainelysteve
  • Contributor
  • December 4, 2019

@zake If Larry's suggestion above doesn't work then try issuing a sudo profiles -N while logged in as the user. If it still has an mdm profile then you'll need to remove it using the command above. Using the profiles -N command ensures the machine still reports a DEP enrollment.

You may need to nuke the contents of /var/db/ConfigurationProfiles/Store/ as well as /Library/Keychains/apsd.keychain before trying another re-enrollment if the management command to remove the mdm profile doesn't work.

A
T
L
rstasel
Forum|alt.badge.img+13
  • rstasel
  • Valued Contributor
  • September 24, 2020

Just ran into this. Seems to be caused by running Migration Assistant and migrating everything (rather than just migrating user account). Causes overwriting of something that breaks the configuration profile functionality. Policies would run okay after re-enrolling, but push didn't work (couldn't remove via "Remove MDM" on Jamf end either.

Had to talk customer through disabling SIP, then Bomgar'ing in and deleting /var/db/ConfigurationProfiles/Store, and reenrolling via "sudo profiles renew -type enrollment". Then customer re-enabling SIP.

Shame apple doesn't give us some possibly sledge hammer to fix this remotely. I get the point of SIP, and agree with it, but when things wedge, it's a pain in the rear.

K
A
Forum|alt.badge.img+6
  • abrunner
  • Contributor
  • July 21, 2021

@zake If Larry's suggestion above doesn't work then try issuing a sudo profiles -N while logged in as the user. If it still has an mdm profile then you'll need to remove it using the command above. Using the profiles -N command ensures the machine still reports a DEP enrollment.

You may need to nuke the contents of /var/db/ConfigurationProfiles/Store/ as well as /Library/Keychains/apsd.keychain before trying another re-enrollment if the management command to remove the mdm profile doesn't work.


sudo profiles -N worked like a charm. Thank you!

Terms & ConditionsCookie settingsAccessibility statement