Help

All Broken - Perfect Storm

Go to solution
NeiSpe77
New Contributor III

2 weeks ago

Hey guys,

I have no idea how to get out of this one. Any help is greatly appreciated.

I support a High School and a University. The High School started using Jamf a few years ago. This year the University decided to finally get a MDM. They decided to use the High School Instance so I created Sites.

This busted my Configuration Profiles. We use a Enterprise WIFI similar to eduroam. When I moved the lab computers to the site it lost the WIFI. I can't connect a Ethernet to USB-C connector because they are running Sonoma and you need to Allow to use Accessories. I can't login, more on that...

In addition when I did a erase/install with the laptops last summer Jamf broke my Lab Admin account. It was working at first but then stopped. I created a case with them but they were unable to give me any answers. I thought it was LAPS but I never turned it on and confirmed it is not on. The recommended solution they gave me would be to wipe and re-enroll the computer (and delete the inventory record to be safe). At this point I should have created a policy to create a new admin but I did not.

To top things off I have a Configuration Profile - Login Window - Access which seemed to turned off Local-only users to login. This had taken effect for one of the labs. I was able to fix a different one yesterday using a local student account to login and then it would grab the Configuration Profiles. I have since double checked and made sure local account logins are turn on for all the labs.

I thought I'd boot to a USB installer and then Erase the macs and start over but in order to Activate them again you need an admin password. Even at this stage it doesn't take my Lab Admin password. In recovery mode I opened Terminal and did a passwordreset and changed the Lab Admin password to what it should be (after typing it twice to confirm when you do a password change) and the Mac still isn't taking the password.

So to sum it up, I can't login with a network account because of no wifi (the network accounts are not mobile accounts) and I can't use a student local account because of the Configuration Profile and my labadmin is broken. The Wifi is broken because when I changed sites it look away the wifi CP and Sonoma needs you to first login to allow accessories.

My garmin watch tells me my stress level is off the charts lol. Any ideas guys?

Take care,

0 Kudos
Reply
1 ACCEPTED SOLUTION

Go to solution
agungsujiwo
Contributor II

2 weeks ago

Hi @NeiSpe77 ,

Have you ever tried restoring Mac firmware using Apple Configurator?
If not, you might want to give it a try.
I use it frequently, and during activation, it doesn’t ask for an admin password—only a Wi-Fi connection to check activation or validate iCloud lock status.
https://support.apple.com/en-us/108900

View solution in original post

Reply
8 REPLIES 8

Go to solution
MatthewGV
Contributor

2 weeks ago - last edited 2 weeks ago

Can you get a hold of an Apple Thunderbolt to Ethernet adapter? The Apple Thunderbolt adapter won't be blocked like a normal USB-C Ethernet adapter.

I recently had to do some of this when I was merging two companies into an existing Jamf server that was already being used by one of the companies. This assumes that all policies and configurations are not attached to a site.

  1. Move all existing devices into the site.
  2. Move all the policies that will continue to be specific to the new site.
    1. You don't normally need to republish to the devices, they already have the policy.

That's just about it. The existing devices will now maintain the policies they had, and any new devices won't get those policies. This is a good time to go through and audit the policies you have in place and maybe do some clean up. Be careful with deleting configuration profiles. If they exist on any machines, make sure to unscope them, and give it some time before deleting them. If you delete a config policy, and it still resides on a device, you won't be able to easily remove it later. Support can sometimes restore deleted config policies, but they don't like doing it, and it doesn't always work.

Reply

Go to solution
NeiSpe77
New Contributor III
In response to MatthewGV

2 weeks ago

Does Apple make a Apple Thunderbolt to Ethernet adapter for M1/2s? I can only find Original Thunderbolt to Ethernet. These macs only have USB-C ports. I went to the Apple Store and they didn't have any on the shelf and they showed me they could only order in Belkin.

0 Kudos
Reply

Go to solution
jamf-42
Valued Contributor III

2 weeks ago - last edited 2 weeks ago

TL:DR Don't use sites.. ever.. 

 

lots to unpack here.. but moving forward.. don't use sites.. they are only really designed to manage JAMF admins access.. and its never worked well since its inception and is a massive complicated overhead.  

There is a key / profile you can send to disable the USB allow requirement ( I think.. been a while since Sonoma) 

I'd suggest moving a few pilot / test devices out of the site, back to 'main' so they get the correct profiles.. see if that helps.

the joyful restrictions profile

jamf42_0-1741809987335.png

 

 

Reply

Go to solution
AJPinto
Esteemed Contributor

2 weeks ago

@jamf-42 saved their post before I could save mine, I second this; don’t ever use sites. Just use smart and static groups to target the correct things at the correct devices. I’m sure there is some niche MSP use case for Sites, but Sites are horribly underdeveloped and a total pain to use and even worse to manage.

 

My suggestions.

  1. Tear down your sites. Get your core configurations targeting devices not in sites, if you need to copy profiles to have duplicates targeting different sites or rather the lack of sites for now, then do it.
  2. Reset the password for the local admin account you are creating in the prestage or policy (however you create that account)
  3. Use DFU restore on the Macs you flat out cannot log in to. If they are Apple Silicon, this will also remove the Recovery Lock password assuming you have it set.

 

If you must go with sites. Keep 3 copies of everything, one for your High School, one for your university, and one for your devices that are not in a Site so they have configurations before you add them to a Site.

Once you have both sites, and the “non-site” fully setup with ALL your Configuration Profiles and policies, start moving devices to the Sites one at a time and validating everything. Once everything is working, then you can go adjust settings in the configurations for the high school and university to whatever is uniquely needed for each environment. You will need to keep the "non-site" also fully configured with what you need to apply to devices that are not in a site so you can log in to them if the device is not in a site. 

Reply

Go to solution
jamf-42
Valued Contributor III

2 weeks ago

my 2c.. don't use static groups... another overhead.. you can do 'cool stuff' programatically to add anything to a smart group.. 

0 Kudos
Reply

Go to solution
agungsujiwo
Contributor II

2 weeks ago

Hi @NeiSpe77 ,

Have you ever tried restoring Mac firmware using Apple Configurator?
If not, you might want to give it a try.
I use it frequently, and during activation, it doesn’t ask for an admin password—only a Wi-Fi connection to check activation or validate iCloud lock status.
https://support.apple.com/en-us/108900

Reply

Go to solution
NeiSpe77
New Contributor III
In response to agungsujiwo

2 weeks ago

Thanks for this. I have used Apple Configurator before but it was a long time ago. I was able to use it on the one mac I erased. Re-installing macOS now.

Reply

Go to solution
NeiSpe77
New Contributor III
In response to agungsujiwo

Wednesday

Thanks again for this. I needed to do this on a couple of the macs. You're a life saver!

Reply