Solved

MDM Capability No

  • March 22, 2016
  • 110 replies
  • 579 views


  • Author
  • Contributor
  • March 23, 2016

@gskibum Apologies, how do you do that manually?

Cheers

Bill


  • Contributor
  • March 23, 2016

raises hand, not working here (located in the Netherlands)


  • New Contributor
  • March 23, 2016

Not working for me either..
I am in London, JSS is in Boston.


  • Honored Contributor
  • March 23, 2016

Opened a ticket yesterday with Jamf about this. They said they had received multiple reports.


CypherCookie
  • Contributor
  • March 23, 2016

So "me too!" Just been confirmed by JAMF that multiple people are reporting this issue. Although no sign of Apple updating their system status.


  • Honored Contributor
  • March 23, 2016

I've now opened a ticket with Apple enterprise support, and referenced this thread.


  • New Contributor
  • March 23, 2016

Still not working in NYC. I'm assuming once it's resolved, we won't need to reimage the machines, and the config profiles will come down automatically?


  • Honored Contributor
  • March 23, 2016

I am seeing this on a few machines here in Boston (and around the globe in our other offices), but some of the machines imaged in the last day or so do have MDM compatibility set to "Yes" (wish we could report on that!!) and have their config profiles.


  • Author
  • Contributor
  • March 23, 2016

As @gskibum mentioned above, I have been imaging and enrolling, then logging into the JSS on the user's laptop using my JSS account and then manually downloading config profiles and installing.

I would assume that MDM will switch to yes automatically, and if not, it would be a case of un-enrolling and then re-enrolling to get it all syncing again.


  • Contributor
  • March 23, 2016

@billystanton, how do you manually install config profiles? I'm drawing a blank.

Thanks

Mark


  • Contributor
  • March 23, 2016

@billystanton, never mind. I just saw the download button on the profiles.


  • Author
  • Contributor
  • March 23, 2016

@msnowdon I went onto the user's machine that is freshly enrolled and then went to "jss.url", logged into my normal JSS account

  • Config profiles
  • Go into a Profile you wish to download
  • Download button at the bottom of the page

This downloads the .config file to the user's machine, and can then be installed manually using admin credentials.

This is how I am doing it so I can give machines out to new users with security settings applied. I will then re-enrol once these issues are resolved.


  • Contributor
  • March 23, 2016

@billystanton and @msnowdon I would not recommend manually installing Config Profiles for your production computers. If it isn't installed by the MDM, then the MDM cannot manage it (e.g. not removed, updated, or deleted).


donmontalvo
  • Hall of Fame
  • March 23, 2016

@jhbush1973 wrote:

@ryanstayloradobe so far it still seems broken as recently imaged machines are not getting an APNS token.

My apologies, when I responded last night I meant the tool was reporting the issue was not affecting us.

I got an early call that this is indeed affecting our ability to enroll Macs.

Opening a ticket with Apple to get their acknowledgement and ETA for resolution.

Don


stevewood
  • Hall of Fame
  • March 23, 2016

For those looking for a way to report on MDM status, while not ideal, you can report on the status via the API. Combine that into an EA script and you can create a Smart Group that gives you all machines that do not have MDM enabled.

```python
#!/usr/bin/env python
# Python 2 extension attribute: prints this Mac's mdm_capable value from the JSS.

import urllib
import subprocess
import os.path
import xml.etree.ElementTree as ET


# API credentials and JSS address (domain and port only)
jssAPIuser = 'apiuser'
jssAPIpass = 'apipass'
jssURL = 'https://' + jssAPIuser + ':' + jssAPIpass + \
    '@' + 'yourjssaddress'

# Serial number of this Mac
serial = subprocess.Popen("system_profiler SPHardwareDataType |grep -v tray \
    | awk '/Serial/ {print $4}'", shell=True, stdout=subprocess.PIPE).\
    communicate()[0].strip()

# Query the General subset of this computer's record
url = jssURL + \
    '/JSSResource/computers/serialnumber/' + serial + '/subset/General'
uh = urllib.urlopen(url)
data = uh.read()
tree = ET.fromstring(data)
general = tree.findall('general')
mdm_status = general[0].find('mdm_capable').text

# Extension attributes return their value inside <result> tags
print '<result>' + str(mdm_status) + '</result>'
```

Hope that helps some.


stevewood
  • Hall of Fame
  • March 23, 2016

I should point out, the script above provides the status of either True or False. You'd need to set your SG to False, obviously, for machines with MDM not enabled.

Also, you'll need to put in your API user name and password along with the URL to your JSS (just the domain and port like yourserver.com:8443).
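
A Python 3 variant of the extension attribute above, added here as an example and not part of stevewood's posts or Jamf's template: it sends the API credentials in an Authorization header instead of embedding them in the URL, and reports Unknown instead of failing when the response cannot be parsed or lacks mdm_capable. The host, account values and sample XML are constructed placeholders; the XML shape is inferred from the script above.

```python
import base64
import subprocess
import urllib.request
import xml.etree.ElementTree as ET

JSS_HOST = "yourjssaddress"  # placeholder: domain and port, e.g. yourserver.com:8443
API_USER = "apiuser"         # placeholder; assumed to be a read-only API account
API_PASS = "apipass"         # placeholder

# Constructed sample response; element names taken from the script above.
SAMPLE = b"<computer><general><mdm_capable>false</mdm_capable></general></computer>"

def parse_mdm_capable(xml_bytes):
    """Return 'True', 'False' or 'Unknown' for a General-subset response."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return "Unknown"
    text = root.findtext("general/mdm_capable") or ""
    return {"true": "True", "false": "False"}.get(text.strip().lower(), "Unknown")

def ea_result(xml_bytes):
    """Wrap the value in the <result> tags an extension attribute prints."""
    return "<result>%s</result>" % parse_mdm_capable(xml_bytes)

def local_serial():
    """Read the serial number from system_profiler without invoking a shell."""
    out = subprocess.run(["system_profiler", "SPHardwareDataType"],
                         capture_output=True, text=True, check=True).stdout
    for line in out.splitlines():
        if "Serial Number" in line and "tray" not in line:
            return line.split(":", 1)[1].strip()
    raise RuntimeError("serial number not found")

def fetch_general(serial):
    """GET the General subset with credentials in a header, not in the URL."""
    url = "https://%s/JSSResource/computers/serialnumber/%s/subset/General" % (
        JSS_HOST, serial)
    token = base64.b64encode(("%s:%s" % (API_USER, API_PASS)).encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()

if __name__ == "__main__":
    try:
        print(ea_result(fetch_general(local_serial())))
    except Exception:  # network, auth or lookup failure: still emit a value
        print("<result>Unknown</result>")
```

A Smart Group built on this attribute can match False for machines without MDM enabled and treat Unknown as a separate case to investigate.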


  • Author
  • Contributor
  • March 23, 2016

@tim.c.arnold You're correct, I should note that I've only set this up for 1 user so far to "get us by" without leaving the laptop unlocked.

I will remove profiles and re-enrol once this is all resolved.


  • Contributor
  • March 23, 2016

Besides enrolling new machines and getting config profiles, what other services are affected? Seems like apps are not getting pushed down to mobile devices.


stevewood
  • Hall of Fame
  • March 23, 2016

And I just heard from JAMF themselves that there is an EA Template already in the JSS for this. It's called "Verify MDM Enrollment". So, you can use the template or the Python script I posted.


  • Valued Contributor
  • March 23, 2016

I noticed this problem yesterday afternoon when I imaged two MacBook Airs out of the box. They were supposed to receive some Config Profiles as part of enrollment, but no joy. JAMF confirmed that they'd been seeing "major outages with MDM communication."

I fired them up this morning, and they still haven't received them even though they've checked in with my JSS a couple of times already.


gskibum
  • Valued Contributor
  • March 23, 2016

@tim.c.arnold Very good point!


jhbush
  • Esteemed Contributor
  • March 23, 2016

@stevewood I would say your EA is better as it checks for MDM Capability which is a giveaway that things aren't working as expected. MDM Enrollment has come back as enrolled on machines that fail to acquire profiles.


  • Honored Contributor
  • March 23, 2016

Hate to add a "me too" but me too...I'm seeing it sporadically though.

Our Apple SE definitely acknowledged a problem on Apple's end, but had little other info.


  • New Contributor
  • March 23, 2016

Same boat rowing right behind everybody...
Patiently stuck in the Apple hold queue but giving up for lunch!


donmontalvo
  • Hall of Fame
  • March 23, 2016

Opened an escalation with Apple a few hours ago, haven't heard back. A few colleagues say they were told Apple is aware of the issue and is working on it. I'm hoping to get the same response so I can update our internal ticket.