I'm trying to get Jamf Protect offline client/policy talking from Mac to SIEM. It appears that protectctl is only useful with the full cloud product, or else my clients are broken. If protectctl needs cloud version, why is it installed on my Macs? And how do you debug without it. The files in the db folder are totally opaque for debugging. It appears that protectctl diagnose is also useless without cloud. Ideas?

protectctl with offline HA product

Sorry, should say HC (High Compliance)

Support said try re-scope / reinstall, but so far 2 Macs have the same problem. I have uploaded to Jamf Pro for deploy multiple times too. Working on a third one now that has never had Protect before.

The deployment of Protect, be that the regular or Offline Mode/High Compliance is made in 2 steps:
- the package installer
- the Configuration Profile
Ref: https://learn.jamf.com/en-US/bundle/jamf-protect-offline-deployment/page/Configuring_Offline_Deployment_Mode.html

If only the package is deployed, Protect won't be able to properly configure on the device as information like the license key and the SIEM details are contained on the Configuration Profile.

Actually with Sequoia it's a package and two profiles, but apparently the tenant is producing a profile with no license attached, so nothing works. The license "says" it expires next April.

There's 2 + 1 steps involved, depending on the macOS version targeted.

- Package downloaded from "Downloads"
- Configuration Profile downloaded from "Plans" - this profile will contain the:

<key>offlineToken</key>

which is the License Key.
This part is covered here: https://learn.jamf.com/en-US/bundle/jamf-protect-offline-deployment/page/High_Compliance_Protect_Deployment.html

The 3rd step is for macOS 15 and later devices which is the non-removable system extension, which can be obtained from the "Downloads" section.

There's 2 + 1 steps involved, depending on the macOS version targeted.

- Package downloaded from "Downloads"
- Configuration Profile downloaded from "Plans" - this profile will contain the:

<key>offlineToken</key>

which is the License Key.
This part is covered here: https://learn.jamf.com/en-US/bundle/jamf-protect-offline-deployment/page/High_Compliance_Protect_Deployment.html

The 3rd step is for macOS 15 and later devices which is the non-removable system extension, which can be obtained from the "Downloads" section.

Thanks, support helped me sort this out today. My logs are hitting the forwarder now, and blocked from the SIEM. One step "forward" at least.

Hey there! We are seeing a similar issue in our environment. We migrated from Compliance Reporter to JP Offline Mode in October and everything was fine until mid-December when everything stopped forwarding randomly. I've reached out to our Splunk and Network teams and all seems to be good on their end, and our deployment of JP Offline hasn't changed either, so we're not sure what's going on.

You mentioned support helped you out - what did you end up doing to get your logs to forward?

Thank you!

Hey there! We are seeing a similar issue in our environment. We migrated from Compliance Reporter to JP Offline Mode in October and everything was fine until mid-December when everything stopped forwarding randomly. I've reached out to our Splunk and Network teams and all seems to be good on their end, and our deployment of JP Offline hasn't changed either, so we're not sure what's going on.

You mentioned support helped you out - what did you end up doing to get your logs to forward?

Thank you!

Adding that I have already tried what @matteo_bolognin has mentioned above a few different times. Essentially just re-deploying what we pushed out in October that was working.

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded