Skip to main content
Question

Build up of pending management commands


Forum|alt.badge.img+17

Does anyone else notice when poking around their machines management history a build up of pending management commands (CertificateList & ProfileList over and over).

We're seeing this for our shared machines mostly, the ones in carts or labs. Like 10 to dozens of pending commands per machine, but on same machines there are successful management commands same day as well, it's not like they're all stuck pending.

JAMF's answer has been to run a sql command to clear them out, but I'm curious as to why it's happening, and really not sure running a sql command every X days is something that's normal or to be expected.

Appreciate any thoughts.

74 replies

Forum|alt.badge.img+18
  • Valued Contributor
  • 278 replies
  • September 30, 2014

Yes I have seen this. It's almost like the JSS loosees it's ability to push out profiles etc to a machine. Sometimes I've found that if I recon the machine again it then starts to work ok after that. I haven't really looked at it much beyond that. I think the re-reconing operation renews all the certificates on the client machine and then the communication starts back up.


Forum|alt.badge.img+17
  • Author
  • Honored Contributor
  • 1143 replies
  • September 30, 2014

In my case, machine is still communicating fine. I'll have 10-40 pending cert/profile commands in management history , and then some successful ones mixed in with the pending commands going by time stamps.

Jamf says the pending ones queue up and should be manually cleared...


Forum|alt.badge.img+18
  • Valued Contributor
  • 278 replies
  • October 1, 2014

And the solution is to run sql commands ? Does one command clear the pending ones on all machines ? Or do you use separate commands for each machine ? If that's the case what if you have hundreds or thousands of machines with this happening ? Is this Casper 9.32 or higher ?


Forum|alt.badge.img+17
  • Author
  • Honored Contributor
  • 1143 replies
  • October 1, 2014

9.32, the command clears out all pending commands in the system. Just don't really love the idea of running it every X days.


Forum|alt.badge.img+13
  • Contributor
  • 35 replies
  • October 1, 2014

Anyone care to share the command... I'm seeing some of the same build up that I would like to clear. (Yeah.. I know.. backup first!)


Forum|alt.badge.img+10
  • Valued Contributor
  • 159 replies
  • October 2, 2014

I'm seeing this as well. In most cases, configuration profiles are not being set. I also notice on login, these machines are hanging for several minutes, with the 'Updating managed settings..." popup window.


Forum|alt.badge.img+3
  • New Contributor
  • 31 replies
  • October 2, 2014

I see similar behavior with iPads. Sometimes the list of pending gets to 200 or so repeats of Install App List, CertificateList, or ProfileList. When it happens to an iPad, other commands are unable to process.


Forum|alt.badge.img+10
  • Valued Contributor
  • 159 replies
  • October 2, 2014

I've had some luck running the following two commands to get the 'pending commands' to go thru. But it involves using ARD which isn't ideal. It just clears the profiles that are installed and reloads them. This seems to open the gate back up for those stuck config profiles. It also fixes the issue with long login times.

sudo jamf removeMdmProfile
sudo jamf mdm

Forum|alt.badge.img+17
  • Author
  • Honored Contributor
  • 1143 replies
  • October 6, 2014

For me the commands are pending/building it up it seems because I wipe local student home directories on logout. All of the pending commands are tied to student user names (that no longer exist on the machine).

Still working with JAMF on it.


dlondon
Forum|alt.badge.img+14
  • Honored Contributor
  • 375 replies
  • October 14, 2014

Hi Everyone,

We have been seeing this too. James here would love to blame it on our lack of Reverse DNS entries for machines. Anyone getting this who has Reverse DNS?

Regards,

David


Forum|alt.badge.img+5
  • Contributor
  • 16 replies
  • October 16, 2014

I'm seeing the same issue as everyone else. What SQL commands are being run to elevate this issue? Has anyone else seen the issue with RAM being fully utilized by these pending commands? 10.9.5 OSX, Mac Mini 2012, i5, 4Gb of RAM. Run jamf removeFramework, computer was removed from Casper and RAM utilization dropped. Any help would be appreciated.


Forum|alt.badge.img+16
  • Valued Contributor
  • 291 replies
  • October 16, 2014

@denmoff thanks for the suggestion to use those mdm commands. I've been seeing these crop up on quite a few machines after I updated to 9.51, that fixed it up right as rain on the afflicted machines.


Forum|alt.badge.img+5
  • Contributor
  • 16 replies
  • October 16, 2014

We are running 9.52 still seeing same issues, before we were on 9.32 and noticed it there as well.


Forum|alt.badge.img+16
  • Valued Contributor
  • 291 replies
  • October 16, 2014

It's entirely possible it was prevalent prior to 9.51 and I hadn't been paying attention. I made a configuration profile change along with our update to 9.51 and that was when I noticed machines sitting in a pending state with these commands.


Forum|alt.badge.img+8
  • Contributor
  • 58 replies
  • November 4, 2014

We are seeing the same thing where numerous pending commands are building up. We also delete accounts on logout but we do this by a scripted profile.


Forum|alt.badge.img+12
  • New Contributor
  • 7 replies
  • November 6, 2014

I've noticed it as well. We're running 9.32, also running Deep Freeze 5.8 on the machines. Profiles are removed when machines are rebooted.


Forum|alt.badge.img+4

I am seeing this as well along with complaints that the computers are freezing on the login screen.


AlanSmith
Forum|alt.badge.img+8
  • Valued Contributor
  • 53 replies
  • December 2, 2014

Have been experiencing similar issues! Have updated JSS to 9.61 and running Mac OS X v10.9.5

I haven't been using Configuration Profiles as yet, but in preparing an image for 2015, was wanting to utilise them more. So have a small test group (2 machines) that I've been using for the Config Profiles. I had both machines with the profiles ok, then I re-imaged them and they no longer would get their config profile, with the status listed as 'Pending'.
Re-enrolling them via a QuickAdd package didn't fix the issue, however running the commands listed by @denmoff did fix the issue!

Doesn't give me a lot of confidence to use these though!!


Forum|alt.badge.img+18
  • Valued Contributor
  • 278 replies
  • December 2, 2014

As I said I have seen this before, but I'm now wondering if the cause was bad or invalid MDM profiles on the client end. Recently I determined that we had a number of machines had invalid or non working MDM profiles. I think the cause was an OS image that was somehow enrolled in the JSS at the time it was converted to an OS Image file via Composer.

What that caused was MDM Profiles on the machines that had SCEP Enrollment Requests that looked rather odd. In the Certificate Field it just said ?Invalid_Keychain_Item? And it didn't have an expiry date. So they really didn't have proper certificates etc.

We did try to just Recon the machines again, but that didn't seem to fix it. So I removed the profile all together and then Reconed the machine again. That fixed this bad MDM profile.

Apparently this is caused the binary that exists on the OS Image ends up conflicting with the one the imaging process is trying to lay down, and we end up with a bad MDM Profile.

If any of you have this issue let me know as I came up with one way to fix it and the folks at Jamf came up with another as well. It's not hard to fix.

Anyway I think this is why we were seeing some of these management commands build up.


Forum|alt.badge.img+13
  • Contributor
  • 35 replies
  • December 19, 2014

Interesting rcorbin. I'd love to hear what you did... I wonder if we have the same issue.


Forum|alt.badge.img+4
  • Contributor
  • 15 replies
  • January 15, 2015

Recon commands aside, anyone know if this has been resolved with the latest release? I have been seeing several machines on our network experiencing this issues (even freshly imaged ones).

Should we be setting up a Monthly (or possibly weekend) check in item, something like this:

sudo jamf manage -verbose
sudo jamf recon

fi

To help MDM along?

Due to the nature of our environment, using sudo jamf removeMdmProfile can't be done. Not with out causing other issues.


Forum|alt.badge.img+18
  • Valued Contributor
  • 278 replies
  • January 16, 2015

We found in some cases were not not able to push profiles to machines because of an invalid MDM profile on the client end. Recently I determined that we had a number of machines had invalid or non working MDM profiles. I think the cause was an OS image that was somehow enrolled in the JSS at the time it was converted to an OS Image file via Composer. That caused an issue where MDM Profiles on the machines that would show SCEP Enrollment Requests that looked rather odd. In the Certificate Field it just said "?Invalid_Keychain_Item?" And it didn't have an expiry date. So they really didn't have proper certificates etc.

To solve that we had a rather simple script that looked like this.

sudo jamf removeMdmProfile
sudo jamf manage

This simply removes all profiles from the other end and re-enrolls the machine back in and it grabs a fresh profile. As we were warned by Jamf support I would do a bit of testing with this first as there is a danger that if something doesn't go correctly you could end up un-enrolling the machine and loose contact with it. But in our testing we didn't have any issues. What I can say is that if you do have a bad or invalid MDM profile simply running recon will not always work. You really need to run the above commands.

Take a real close look at the MDM profiles on the client side. Do they have the "?Invalid_Keychain_Item?" in the Certificate Field. Do they have what looks like a valid expiry date. If that look fine your MDM profile is probably fine.

Other than that I would think that its maybe an APN issue. Most of all of those MDM management commands are all pushed out via MDM.

I have seen a few apps out there that will test to make sure APN's are functioning within your network.

https://itunes.apple.com/ca/app/apn-tester-free/id626590577?mt=12
https://github.com/Zambiorix/Cocoa-APNS-Test
https://developer.apple.com/library/ios/technotes/tn2265/_index.html


Forum|alt.badge.img+6
  • Contributor
  • 14 replies
  • May 29, 2015

The problem I'm seeing with running

sudo jamf removeMdmProfile
sudo jamf manage

is that when it is run on a computer on a Wi-Fi network which has been pushed out using a Configuration Profile, the Wi-Fi profile is removed and the computer looses its network connectivity. At this point the jamf manage step can't run to apply the management framework and Configuration Profiles.

Has anyone run into this issue? One solution is to use networksetup -setairportnetwork to re-establish the network (but this works only on networks with a single fixed password). Otherwise you can bring up a dialog instructing the user to select the network from the Airport menu.

JP


bpavlov
Forum|alt.badge.img+18
  • Esteemed Contributor
  • 1206 replies
  • May 29, 2015

Do your users have access to Ethernet at all? If so, the only thing I can think of is having a check in place so that if Ethernet is active then proceed, if it's not then do not proceed. I'm just laying out the logic. This may be a bit easier too if you have network segments setup in Casper and your network is setup in such a way that wired and wireless are on different IP ranges. Just some things to think about.


Forum|alt.badge.img+6
  • Contributor
  • 14 replies
  • June 1, 2015

Most users are wireless only. Hence the conundrum.


Reply


Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings