Skip to main content

Hello. I know there are many threads about this already, but I still haven't found out a long term solution for this problem. I also know there is a workaround, which is to re-enroll the device, and yes this works. But this requires scheduling time with the user for 10-15 minutes, and that can add up quickly.

Does anyone know the root cause or how to fix this issue? Here's some info for those that need it.

- We have created an extension attribute that shows if the MDM is communicating or broken

- We have renewed our push certificates

- We have tried the Jamf binary self-heal with the Jamf API, but no luck

It seems the only way to fix this issue is to remove the profile and framework, then re-enroll. This can get even more time consuming when the Profiles do not get removed and you have to wipe the entire system or disable SIP to remove the non-removable profiles.

Cancel all Failed or Crashed commands, then cancel all Pending commands, then send a Blank Push.  The commands to be issued will be recomputed and eventually the device will receive MDM commands successfully.

Remember, MDM stands for 'Maybe Device Management.'

Cancel all Failed or Crashed commands, then cancel all Pending commands, then send a Blank Push.  The commands to be issued will be recomputed and eventually the device will receive MDM commands successfully.

Remember, MDM stands for 'Maybe Device Management.'


This helped quite a bit actually. The solution seems to be a mix of your steps and the self heal. I'll have to test on 10+ more devices to ensure this fix actually works, but here is my solution that has worked on a few machines already.

1. Cancel all Pending/Failed commands on that device within Management > Management Commands

2. Run the Self-Heal using the Jamf API (this redeploys the Jamf Management Framework)

After that, a pending command called "InstallApplication" will pop-up. As long as the device is online, it will resolve itself within 5-10 minutes.

This helped quite a bit actually. The solution seems to be a mix of your steps and the self heal. I'll have to test on 10+ more devices to ensure this fix actually works, but here is my solution that has worked on a few machines already.

1. Cancel all Pending/Failed commands on that device within Management > Management Commands

2. Run the Self-Heal using the Jamf API (this redeploys the Jamf Management Framework)

After that, a pending command called "InstallApplication" will pop-up. As long as the device is online, it will resolve itself within 5-10 minutes.


I use this script on check each day, works well.
https://github.com/rtrouton/rtrouton_scripts/tree/main/rtrouton_scripts/Casper_Scripts/clear_failed_Jamf_Pro_mdm_commands

Hi janzaldua,

We are having the same issues, do you mind sharing the extension attribute you used to track if the MDM is communicating or broken?

Hi janzaldua,

We are having the same issues, do you mind sharing the extension attribute you used to track if the MDM is communicating or broken?


Hi, no problem:

 

#!/bin/bash
result=$(log show --style compact --predicate '(process CONTAINS "mdmclient")' --last 1d | grep "Unable to create MDM identity")
if [[ $result == '' ]]
then
echo "<result>MDM is communicating</result>"
else
echo "<result>MDM is broken</result>"
fi

 

Reply


Terms & ConditionsCookie settings