Solved

Some Policies Will Not Take on Some Macs

  • January 24, 2018
  • 8 replies
  • 58 views

The title is a bit confusing so here's a better explanation.

We have an established policy that has been working great since we started using Jamf earlier this summer. Lately, when I go to add a Mac to the policy (scoping to individual computers), sometimes the Mac will not take the policy. I'll set up another Mac and it will take just fine. I can't seem to figure out why on some Macs the policy will take and on others it just won't. Below is what I've tried thus far.

  • Remove and re-add policy to ma
  • Force check for policies with sudo jamf policy
  • Unenroll, delete from Jamf Pro, enroll again
  • Re-image Mac
  • Removed MDM profile and re-enrolled
  • Clone the policy and scoped to just the troubled Mac

All of the above has not resolved the issue. However, if I create a brand new policy (without cloning) it works fine.

At first I thought it might be an issue with replication of policy with Jamf Cloud, but that doesn't seem to be it since I can create a brand new policy and it takes and works immediately after running sudo jamf policy.

8 replies

sdagley
  • Jamf Heroes
  • Answer
  • January 25, 2018

@miotke A couple of things to check:

  • If you click the Logs button when viewing the Policy, do the machines that won't apply the policy appear with a Status of Pending?
  • Have you set any Exclusions in the Scope of that Policy that might match the problematic machines?

  • Author
  • Contributor
  • January 25, 2018

@sdagley thanks for the reply. I should have added that to the original post. I have checked logs and the problematic Macs don’t appear in the logs at all. There’s one exclusion group that states the following.

FileVault 2 Eligibility is eligible and FileVault 2 Partition Encryption State is not


sdagley
  • Jamf Heroes
  • January 25, 2018

@miotke I take it you're not expecting the problematic Macs to be in that group? Since they're not showing in the Policy logs, that makes me think they are. If you click View in your Smart Group for those FV2 settings, do the problematic Macs show up?


A_Collins
  • Contributor
  • January 26, 2018

@miotke what is the situation on the machine policy logs?
History > Policy Logs

Any error?


  • Author
  • Contributor
  • January 26, 2018

@sdagley You hit the nail on the head, it was the exclusion group. I appreciate your help! I need to figure out why it was there as the group name isn't very descriptive. It was an exclusion that was recommended to us during our Jamf kick start so not sure what the logic was behind it.


sdagley
  • Jamf Heroes
  • January 26, 2018

@miotke Good to hear you got it figured out. That Smart Group basically tells you a machine could have FileVault 2 turned on, but it’s not. That probably isn’t an exclusion you’d want to use for the majority of your policies.


  • Contributor
  • January 26, 2018

We are running Jamf 9.101 and I see this sometimes. It will take a few check-ins, or triggers, before a policy will run. I was working on a station where half the policies did not run until four hours later, while doing their recurring check-in the whole time.


  • Author
  • Contributor
  • January 26, 2018

@sdagley I agree, I'm trying to figure out why we were directed to do so. So much for that exclusion, I already nixed it. ¯_(ツ)_/¯

Again, thanks for your help, and nice 911 :P
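
The diagnosis reached in this thread (a Mac scoped as a direct target but silently dropped by an exclusion group, so it never shows in the policy logs) can be checked offline with the sketch below. It is an added example, not part of the original thread and not Jamf's own code; the XML layout is assumed to follow the Jamf Pro Classic API policy record, and the policy name, group name, IDs and membership map are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy record; layout assumed to match Classic API XML.
POLICY_XML = """<policy>
  <general><id>12</id><name>Sample Policy</name></general>
  <scope>
    <all_computers>false</all_computers>
    <computers>
      <computer><id>101</id><name>mac-101</name></computer>
      <computer><id>102</id><name>mac-102</name></computer>
    </computers>
    <computer_groups/>
    <exclusions>
      <computers/>
      <computer_groups>
        <computer_group><id>7</id><name>Sample FV2 Exclusion Group</name></computer_group>
      </computer_groups>
    </exclusions>
  </scope>
</policy>"""

# Constructed: smart group id -> ids of computers currently in the group.
GROUP_MEMBERS = {7: {102}}

def ids(node, path):
    """Collect the integer <id> of every element under node matching path."""
    if node is None:
        return set()
    return {int(e.findtext("id")) for e in node.findall(path)}

def explain_scope(policy_xml, computer_id, group_members):
    """Say whether a computer is in scope, and if not, which rule removed it."""
    scope = ET.fromstring(policy_xml).find("scope")
    excl = scope.find("exclusions")
    targeted = (
        scope.findtext("all_computers") == "true"
        or computer_id in ids(scope, "computers/computer")
        or any(computer_id in group_members.get(g, set())
               for g in ids(scope, "computer_groups/computer_group"))
    )
    if not targeted:
        return "not targeted"
    # Exclusions win over targets, including direct per-computer targets.
    if computer_id in ids(excl, "computers/computer"):
        return "excluded directly"
    groups = excl.findall("computer_groups/computer_group") if excl is not None else []
    for g in groups:
        if computer_id in group_members.get(int(g.findtext("id")), set()):
            return f"excluded by group: {g.findtext('name')}"
    return "in scope"
```

Running `explain_scope` for each affected Mac names the exclusion group responsible, which is the same answer as clicking View on the Smart Group.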