
SOLVED
The title is a bit confusing so here's a better explanation.



We have an established policy that has been working great since we started using Jamf earlier this summer. Lately, when I go to add a Mac to the policy (scoping to individual computers), sometimes the Mac will not take the policy. I'll set up another Mac and it will take just fine. I can't seem to figure out why on some Macs the policy will take and on others it just won't. Below is what I've tried thus far.




  • Remove and re-add policy to ma

  • Force check for policies with sudo jamf policy

  • Unenroll, delete from Jamf Pro, enroll again

  • Re-image Mac

  • Removed MDM profile and re-enrolled

  • Clone the policy and scoped to just the troubled Mac



None of the above has resolved the issue. However, if I create a brand new policy (without cloning) it works fine.



At first I thought it might be an issue with replication of the policy with Jamf Cloud, but that doesn't seem to be it, since I can create a brand new policy and it takes and works immediately after running sudo jamf policy.

@miotke A couple of things to check:




  • If you click the Logs button when viewing the Policy, do the machines that won't apply the policy appear with a Status of Pending?

  • Have you set any Exclusions in the Scope of that Policy that might match the problematic machines?


@sdagley thanks for the reply. I should have added that to the original post. I have checked logs and the problematic Macs don’t appear in the logs at all. There’s one exclusion group that states the following.



FileVault 2 Eligibility is eligible
and FileVault 2 Partition Encryption State is not


@miotke I take it you're not expecting the problematic Macs to be in that group? Since they're not showing in the Policy logs, that makes me think they are. If you click View in your Smart Group for those FV2 settings, do the problematic Macs show up?


@miotke what is the situation on the machine policy logs?
History > Policy Logs



Any error?


@sdagley You hit the nail on the head, it was the exclusion group. I appreciate your help! I need to figure out why it was there, as the group name isn't very descriptive. It was an exclusion that was recommended to us during our Jamf kick start, so not sure what the logic was behind it.


@miotke Good to hear you got it figured out. That Smart Group basically tells you a machine could have FileVault 2 turned on, but it’s not. That probably isn’t an exclusion you’d want to use for the majority of your policies.


We are running Jamf 9.101 and I see this sometimes. It will take a few check-ins, or triggers, before a policy will run. I was working on a station where half the policies did not run until four hours later, while doing their reoccurring check-in the whole time.


@sdagley I agree, I'm trying to figure out why we were directed to do so. So much for that exclusion, I already nixed it. ¯_(ツ)_/¯



Again, thanks for your help, and nice 911 :P
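
The cause found in this thread, a scope exclusion overriding an individually targeted Mac, can be checked offline from exported records. This is an added example, not part of any post above and not Jamf's own code. It assumes the JSON layout of the Classic API policy and computer records; the group name, IDs and sample records are constructed, and only computer and computer-group scoping is evaluated.

```python
# Added example. Assumes dicts shaped like the Jamf Pro Classic API JSON for
# /JSSResource/policies/id/<id> and /JSSResource/computers/id/<id>.

def explain_scope(policy, computer):
    """Return why a computer is (or is not) in a policy's effective scope."""
    scope = policy["policy"]["scope"]
    excl = scope.get("exclusions", {})
    comp_id = computer["computer"]["general"]["id"]
    groups = set(computer["computer"]["groups_accounts"]["computer_group_memberships"])

    def matches(section):
        # Collect every target/exclusion entry in `section` that hits this Mac.
        hits = []
        if any(c["id"] == comp_id for c in section.get("computers", [])):
            hits.append("individual computer")
        hits += ["group: " + g["name"]
                 for g in section.get("computer_groups", []) if g["name"] in groups]
        return hits

    targeted_by = matches(scope)
    if scope.get("all_computers"):
        targeted_by.insert(0, "all computers")
    excluded_by = matches(excl)
    # Exclusions win over targets, which is why the Mac never shows in policy logs.
    return {"targeted_by": targeted_by, "excluded_by": excluded_by,
            "in_scope": bool(targeted_by) and not excluded_by}

# Constructed sample records (not real data).
POLICY = {"policy": {"scope": {
    "all_computers": False,
    "computers": [{"id": 42, "name": "mac-042"}, {"id": 43, "name": "mac-043"}],
    "computer_groups": [],
    "exclusions": {"computers": [],
                   "computer_groups": [{"id": 7, "name": "FV2 Eligible - Not Encrypted"}]}}}}
COMPUTER = {"computer": {
    "general": {"id": 42, "name": "mac-042"},
    "groups_accounts": {"computer_group_memberships":
                        ["All Managed Clients", "FV2 Eligible - Not Encrypted"]}}}

if __name__ == "__main__":
    print(explain_scope(POLICY, COMPUTER))
```
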