Jamf Nation Community

In my case, machine is still communicating fine. I'll have 10-40 pending cert/profile commands in management history , and then some successful ones mixed in with the pending commands going by time stamps.

Jamf says the pending ones queue up and should be manually cleared...

And the solution is to run sql commands ? Does one command clear the pending ones on all machines ? Or do you use separate commands for each machine ? If that's the case what if you have hundreds or thousands of machines with this happening ? Is this Casper 9.32 or higher ?

9.32, the command clears out all pending commands in the system. Just don't really love the idea of running it every X days.

Anyone care to share the command... I'm seeing some of the same build up that I would like to clear. (Yeah.. I know.. backup first!)

I'm seeing this as well. In most cases, configuration profiles are not being set. I also notice on login, these machines are hanging for several minutes, with the 'Updating managed settings..." popup window.

I see similar behavior with iPads. Sometimes the list of pending gets to 200 or so repeats of Install App List, CertificateList, or ProfileList. When it happens to an iPad, other commands are unable to process.

I've had some luck running the following two commands to get the 'pending commands' to go thru. But it involves using ARD which isn't ideal. It just clears the profiles that are installed and reloads them. This seems to open the gate back up for those stuck config profiles. It also fixes the issue with long login times.

sudo jamf removeMdmProfile
sudo jamf mdm

For me the commands are pending/building it up it seems because I wipe local student home directories on logout. All of the pending commands are tied to student user names (that no longer exist on the machine).

Still working with JAMF on it.

Hi Everyone,

We have been seeing this too. James here would love to blame it on our lack of Reverse DNS entries for machines. Anyone getting this who has Reverse DNS?

Regards,

David

I'm seeing the same issue as everyone else. What SQL commands are being run to elevate this issue? Has anyone else seen the issue with RAM being fully utilized by these pending commands? 10.9.5 OSX, Mac Mini 2012, i5, 4Gb of RAM. Run jamf removeFramework, computer was removed from Casper and RAM utilization dropped. Any help would be appreciated.

@denmoff thanks for the suggestion to use those mdm commands. I've been seeing these crop up on quite a few machines after I updated to 9.51, that fixed it up right as rain on the afflicted machines.

We are running 9.52 still seeing same issues, before we were on 9.32 and noticed it there as well.

It's entirely possible it was prevalent prior to 9.51 and I hadn't been paying attention. I made a configuration profile change along with our update to 9.51 and that was when I noticed machines sitting in a pending state with these commands.

We are seeing the same thing where numerous pending commands are building up. We also delete accounts on logout but we do this by a scripted profile.

I've noticed it as well. We're running 9.32, also running Deep Freeze 5.8 on the machines. Profiles are removed when machines are rebooted.

I am seeing this as well along with complaints that the computers are freezing on the login screen.

Have been experiencing similar issues! Have updated JSS to 9.61 and running Mac OS X v10.9.5

I haven't been using Configuration Profiles as yet, but in preparing an image for 2015, was wanting to utilise them more. So have a small test group (2 machines) that I've been using for the Config Profiles. I had both machines with the profiles ok, then I re-imaged them and they no longer would get their config profile, with the status listed as 'Pending'.
Re-enrolling them via a QuickAdd package didn't fix the issue, however running the commands listed by @denmoff did fix the issue!

Doesn't give me a lot of confidence to use these though!!

As I said I have seen this before, but I'm now wondering if the cause was bad or invalid MDM profiles on the client end. Recently I determined that we had a number of machines had invalid or non working MDM profiles. I think the cause was an OS image that was somehow enrolled in the JSS at the time it was converted to an OS Image file via Composer.

What that caused was MDM Profiles on the machines that had SCEP Enrollment Requests that looked rather odd. In the Certificate Field it just said ?Invalid_Keychain_Item? And it didn't have an expiry date. So they really didn't have proper certificates etc.

We did try to just Recon the machines again, but that didn't seem to fix it. So I removed the profile all together and then Reconed the machine again. That fixed this bad MDM profile.

Apparently this is caused the binary that exists on the OS Image ends up conflicting with the one the imaging process is trying to lay down, and we end up with a bad MDM Profile.

If any of you have this issue let me know as I came up with one way to fix it and the folks at Jamf came up with another as well. It's not hard to fix.

Anyway I think this is why we were seeing some of these management commands build up.

Interesting rcorbin. I'd love to hear what you did... I wonder if we have the same issue.

Recon commands aside, anyone know if this has been resolved with the latest release? I have been seeing several machines on our network experiencing this issues (even freshly imaged ones).

Should we be setting up a Monthly (or possibly weekend) check in item, something like this:

sudo jamf manage -verbose
sudo jamf recon

fi

To help MDM along?

Due to the nature of our environment, using sudo jamf removeMdmProfile can't be done. Not with out causing other issues.

We found in some cases were not not able to push profiles to machines because of an invalid MDM profile on the client end. Recently I determined that we had a number of machines had invalid or non working MDM profiles. I think the cause was an OS image that was somehow enrolled in the JSS at the time it was converted to an OS Image file via Composer. That caused an issue where MDM Profiles on the machines that would show SCEP Enrollment Requests that looked rather odd. In the Certificate Field it just said "?Invalid_Keychain_Item?" And it didn't have an expiry date. So they really didn't have proper certificates etc.

To solve that we had a rather simple script that looked like this.

sudo jamf removeMdmProfile
sudo jamf manage

This simply removes all profiles from the other end and re-enrolls the machine back in and it grabs a fresh profile. As we were warned by Jamf support I would do a bit of testing with this first as there is a danger that if something doesn't go correctly you could end up un-enrolling the machine and loose contact with it. But in our testing we didn't have any issues. What I can say is that if you do have a bad or invalid MDM profile simply running recon will not always work. You really need to run the above commands.

Take a real close look at the MDM profiles on the client side. Do they have the "?Invalid_Keychain_Item?" in the Certificate Field. Do they have what looks like a valid expiry date. If that look fine your MDM profile is probably fine.

Other than that I would think that its maybe an APN issue. Most of all of those MDM management commands are all pushed out via MDM.

I have seen a few apps out there that will test to make sure APN's are functioning within your network.

https://itunes.apple.com/ca/app/apn-tester-free/id626590577?mt=12
https://github.com/Zambiorix/Cocoa-APNS-Test
https://developer.apple.com/library/ios/technotes/tn2265/_index.html

The problem I'm seeing with running

sudo jamf removeMdmProfile
sudo jamf manage

is that when it is run on a computer on a Wi-Fi network which has been pushed out using a Configuration Profile, the Wi-Fi profile is removed and the computer looses its network connectivity. At this point the jamf manage step can't run to apply the management framework and Configuration Profiles.

Has anyone run into this issue? One solution is to use networksetup -setairportnetwork to re-establish the network (but this works only on networks with a single fixed password). Otherwise you can bring up a dialog instructing the user to select the network from the Airport menu.

JP

Do your users have access to Ethernet at all? If so, the only thing I can think of is having a check in place so that if Ethernet is active then proceed, if it's not then do not proceed. I'm just laying out the logic. This may be a bit easier too if you have network segments setup in Casper and your network is setup in such a way that wired and wireless are on different IP ranges. Just some things to think about.

Most users are wireless only. Hence the conundrum.

Here's my solution for cleaning up MDM profiles for a client who is on a wireless connection which is installed by an MDM profile. As the wireless connection will be lost when the MDM profile is removed, the script checks for which wireless network it is on and displays a jamfHelper dialog asking the user to reconnect to the wireless network before proceeding to run jamf manage and jamf recon.

#!/bin/bash
JAMFHELPER="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
# Constants
mdmAirport="AirportNetworkName"
jhWindowType="utility"
jhTitle="System Management"
jhDescription="Please select the $mdmAirport network from the AirPort menu in the menu bar."
# The icon to show in the jamfHelper dialog box
jhIcon="/Library/Application Support/JAMF/icon.png"
# Name of the AirPort network which will be removed and added by removing and adding MDM profiles
wifiDevice=$(networksetup -listallhardwareports | grep -A 1 Wi-Fi 2> /dev/null | grep Device 2> /dev/null | awk '{print $2}' 2> /dev/null)
if [[ -z "$wifiDevice" ]]; then 
    echo "No Wi-Fi device found"
else
    echo "Wi-Fi found on device: $wifiDevice"
    wifiNetwork=$(networksetup -getairportnetwork "$wifiDevice" | sed 's/Current Wi-Fi Network: //')
    if [[ -n "$wifiNetwork" ]]; then
        echo "Wi-Fi network: $wifiNetwork"
    else
        echo "No Wi-Fi network on device $wifiDevice"
    fi
fi
echo "Removing MDM Profile"
/usr/sbin/jamf removeMdmProfile -verbose
echo "Sleeping"
sleep 5
if [[ "$wifiNetwork" = "$mdmAirport" ]]; then 
    echo "Displaying dialog"
    killall jamfHelper
    "$JAMFHELPER" -windowType "$jhWindowType" -icon "$jhIcon" -title "$jhTitle" -description "$jhDescription" 2> /dev/null &
    while true; do
        echo "Checking connection"
        jssConnection=$(/usr/sbin/jamf checkJSSConnection > /dev/null; echo $?)
        if [[ "$jssConnection" -eq 0 ]]; then
            echo "Connected to JSS"
            killall jamfHelper 
            break;
        fi
        echo "Connection timed out"
    done
fi
echo "JAMF manage"
/usr/sbin/jamf manage -verbose
/usr/sbin/jamf recon
exit 0

bump

Experiencing this behavior with a lot of machines since a few months. Didn't noticed it at first but a few machines didn't received the config profiles that I've build so after some digging I stumbled upon this:

5 out of the 15 machines that I've checked had a few commands pending so I think that roughly 1 third of my clients has this issue.

I would like to try the sql commands to clear out the "stuck" entries. Which commands are used to do this? Running Casper 9.81 btw.

Thanks!

Anyone?

I'v seen this behavior as well.
I'd love some sort of solution to this as I feel a bit stuck with my hands tied when this stuff happens.

I'm having issues with this as well, seems to have started a few days ago. It is happening with our iOS and OS X clients. The management commands are stuck in a "pending" state but occasionally move to the "failed" with the following error:

There was a problem communicating with a push server

After a few seconds, it cycles back to "pending."

@jescala

Are you using JAMF Cloud or on Prem?

After examining an affected system I came to the conclusion that this occurred in my environment due to the fact that the user deleted his System.keychain which holds the certs that Casper uses to do mdm related stuff.

Re-enrolling fixed this! Ugh, users with local admin rights sometimes give me a headache...

@bwiessner We have an on prem cluster.

We have the same issue here, we are using Jamf Cloud, Jamf client 9.82.

The issue is still going on, commands are getting pushed but the client is not executing them. Is there anything that could help me to debug it on the client? I checked /var/log/jamf.log but nothing in there.

Casper 9.82

I'm too am having similar issues pushing out specific profiles to random machines in our fleet at this time. Using the command @denmoff proposed has worked for us. Would someone mind sharing the SQL commands used to purge the database of pending commands?

Thanks,
Roger

I'm beating my head against this problem as well. As with CasperSally above, the problem may be exacerbated by the fact that we also delete home directories.

I'm trying to use device assignments to push an AppStore app out to all of my lab machines, and so far, of 103 targeted machines, only 11 have actually installed the app. Checking a random sampling, all of the computers have a fairly lengthy list of stacked up MDM commands, and on most of them, the install app command is mixed in.

More frustratingly, the "Cancel all pending and failed management commands" action doesn't seem to do anything. I've run that, then gone in and the list is untouched.

I've just updated us to 9.96, and we're running 10.11.6 on our clients.

I'm totally fed up with this as well. We have about 600 macs and as others have said, we delete any local student accounts on a restart.

We have constant build up of pending and failed commands I can't keep going through and manually clearing them all of the time!

I'm thinking about creating a policy that will run once a day, outside of the hours between 9am and 6pm which just removes the mdm profiles and reapplies them. I've asked Jamf if there's any danger in doing this.

Hopefully no 802.1x profiles are required else computers won't connect again to get profiles reapplied.