
Hello Everyone,

I have seen multiple discussions on this topic, but I was unable to glean anything that would solve our situation.

We are using DEP and our Macs are coming into the JSS just fine. We can even use the erase install command to remotely wipe and get our Macs back to an out of box state.

Somewhere along the way though, we are seeing Macs losing their MDM capability. We have tried just about everything. Granted, if I do something manual in front of the Mac stuff to restore MDM, we might be able to get things going. Something like removing the framework or taking the Mac out of the JSS. I am trying to find a way to do this remotely or the next time one of these systems checks in.

MOST of the profiles seem to be loading and working. We have tried removing the keychain pieces and running QuickAdd again. Still no go. We have tried running sudo jamf manage; this didn't fix it. We tried to renew our MDM, still no good.

I do have a support ticket open and they have escalated the cause. As this is the first day back for faculty and I found 124 out of 800+ with this problem, I am a little freaked out as this really just blew up.

I am wondering if anyone is seeing this? I did a smart group on Macs where MDM is equal to No and found the 124 systems.

Thanks in advance, kind of frantic here.

Thanks, @mconners - re-imaging, etc. is not an option at all for us.
I really hope that there are some dedicated brain cells allocated at Jamf for this.


@scottb I can't remember the exact steps, but support did mention steps about removing the MDM profile when it is not allowed in your PreStage. Found this blog that talks about disabling SIP and then being able to remove the profiles, might be your only other option.


Just to throw my hat into the ring. We are moving to a provisioning workflow with DEP. I have a campus that provisioned a lab of computers and reassigned them to the static group. The appropriate profiles were applied; life is beautiful. Then the tech changed the building in a mass action from Jamf. All of the computers disappeared from the static group. After investigating, the computers were unmanaged, MDM Capability No and User Approved MDM No. The profiles were still on the computer even though they were no longer in the static group that the profile was scoped to. The MDM was verified and approved on the machine.


Hello All, it appears we have run into a critical product issue, PI-004892 - Enabling User Level MDM on 10.13.2+ Removes 'User Approved MDM Enrollment' Approval. Talking with Jamf this morning, they have identified this as being the case.

Well, it certainly makes me feel better to know this wasn't anything I could have controlled. It is still upsetting knowing I don't have a workaround.

From Jamf this morning: The language is slightly different from the exact behavior we're seeing, but from the logs it's definitely the same cause. Right now the issue is marked as critical, and there's no workaround aside from the two we did talk about (manually touching each machine with an erase or temporarily turning off SIP).

Unfortunately that leaves us stuck where we are until this product issue is resolved.

I think as I run into these computers, I will have to touch them one way or another. I also expect after the fix is in place, I will still have to touch them. Going to be a rocky start to the semester.


We are now running into this issue.


Same here. It's alarming since it's more than a year ago that it was discovered according to this thread. We are soon handing out about 350 new MacBooks...


We are also starting to see this issue. I have had to wipe 3 computers in the last week.


After seeing your updates @miwe01 and @coachdnadel I looked and guess what, I too am seeing this on a couple of Macs. I don't get how this is happening. Of the ones showing up, the majority are faculty computers, so I can't do much in the way of wiping these to reset back to MDM yes. So we will have to wait this out until they have issues or we find a fix.


Same here, starting to see this issue.


This has been happening for us as well; multiple older computers that were not "imaged" via the new way or via the MDM enroll via the PreStage Enrollment will have this. When I looked at this a month ago, the only SOLID way to shake this is to "reimage" the Mac completely and re-install the OS with all PreStage enrollment stuff already set up; they will install the Jamf binary via the "supported" way and MDM will not be an issue going forward.

For me this is a huge headache, as we can't "yank out" older 2-4 year old machines just to correct this issue. On the flip side, they are still checking in and are not going "DARK". But this "RED" MDM is really vexing.


The perfect solution is without doing the action

sudo jamf mdm -userLevelMdm
sudo jamf manage

MDM Capability: Yes will be changed


Did you check your ports for Apple Push Notifications (APNs)?
If your Apple devices aren't getting Apple push notifications - Apple Support


Hi, when I run 

sudo jamf mdm -userLevelMdm

I get: The mdm verb is not available on this version of macOS.


We have a very small handful of machines like this. They still have all of our profiles installed and are checking in, but no management commands available in Jamf + MDM Capability shows 'No'.

sudo profiles renew -type enrollment

Running the above, even with an existing MDM Profile installed, fixed the issue.

I tried a sudo jamf enroll -prompt to re-enroll first, which completed without issue, but still MDM Capability 'No' and no management commands for the computer in Jamf.

Only after running the profiles renew command and accepting the little message that pops up did the computer get fixed. This computer was an M1 iMac on 13.2.1.

Appears some computers lose their MDM Capability for no apparent reason.
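
An added example, not part of any post in this thread: a shell script that classifies a Mac's enrollment state from the text printed by `profiles status -type enrollment` (macOS 10.13.4 and later), so that machines which have lost User Approved MDM can be picked up in a smart group before management commands fail. The state labels, the function name and the use as a Jamf extension attribute are assumptions of this example, and the sample text is constructed.

```shell
#!/bin/sh
# Added example: report the MDM enrollment state of this Mac.
# Intended use (assumption): a Jamf extension attribute, which runs as root
# and reads its value from a <result>...</result> line.

# classify_enrollment: reads `profiles status -type enrollment` text on stdin
# and prints one label (labels are this example's own, not Jamf's or Apple's).
classify_enrollment() {
    awk -F': *' '
        /^Enrolled via DEP/ { dep = $2 }
        /^MDM enrollment/   { mdm = $2 }
        END {
            if (mdm == "")          { print "unknown"; exit }
            if (mdm ~ /^No/)        { print "not-enrolled"; exit }
            if (mdm !~ /User Approved/) {
                # Enrolled, but approval is missing: the state described
                # in this thread, where management commands stop working.
                print "enrolled-not-approved"; exit
            }
            if (dep ~ /^Yes/) print "dep-user-approved"
            else              print "user-approved"
        }'
}

# Constructed sample of the command output for a Mac that lost approval.
sample_lost_approval() {
    printf '%s\n' \
        'Enrolled via DEP: Yes' \
        'MDM enrollment: Yes' \
        'MDM server: https://jss.example.invalid:8443/mdm/ServerURL'
}

# Only query the real tool where it exists (macOS); elsewhere do nothing.
if command -v profiles >/dev/null 2>&1; then
    state=$(profiles status -type enrollment 2>/dev/null | classify_enrollment)
    echo "<result>${state}</result>"
fi
```

A smart group on the value `enrolled-not-approved` then lists the Macs that need `sudo profiles renew -type enrollment` run and accepted by the user.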