Build up of pending management commands

Here's my solution for cleaning up MDM profiles for a client who is on a wireless connection which is installed by an MDM profile. As the wireless connection will be lost when the MDM profile is removed, the script checks for which wireless network it is on and displays a jamfHelper dialog asking the user to reconnect to the wireless network before proceeding to run jamf manage and jamf recon.

#!/bin/bash
JAMFHELPER="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
# Constants
mdmAirport="AirportNetworkName"
jhWindowType="utility"
jhTitle="System Management"
jhDescription="Please select the $mdmAirport network from the AirPort menu in the menu bar."
# The icon to show in the jamfHelper dialog box
jhIcon="/Library/Application Support/JAMF/icon.png"
# Name of the AirPort network which will be removed and added by removing and adding MDM profiles
wifiDevice=$(networksetup -listallhardwareports | grep -A 1 Wi-Fi 2> /dev/null | grep Device 2> /dev/null | awk '{print $2}' 2> /dev/null)
if [[ -z "$wifiDevice" ]]; then 
    echo "No Wi-Fi device found"
else
    echo "Wi-Fi found on device: $wifiDevice"
    wifiNetwork=$(networksetup -getairportnetwork "$wifiDevice" | sed 's/Current Wi-Fi Network: //')
    if [[ -n "$wifiNetwork" ]]; then
        echo "Wi-Fi network: $wifiNetwork"
    else
        echo "No Wi-Fi network on device $wifiDevice"
    fi
fi
echo "Removing MDM Profile"
/usr/sbin/jamf removeMdmProfile -verbose
echo "Sleeping"
sleep 5
if [[ "$wifiNetwork" = "$mdmAirport" ]]; then 
    echo "Displaying dialog"
    killall jamfHelper
    "$JAMFHELPER" -windowType "$jhWindowType" -icon "$jhIcon" -title "$jhTitle" -description "$jhDescription" 2> /dev/null &
    while true; do
        echo "Checking connection"
        jssConnection=$(/usr/sbin/jamf checkJSSConnection > /dev/null; echo $?)
        if [[ "$jssConnection" -eq 0 ]]; then
            echo "Connected to JSS"
            killall jamfHelper 
            break;
        fi
        echo "Connection timed out"
    done
fi
echo "JAMF manage"
/usr/sbin/jamf manage -verbose
/usr/sbin/jamf recon
exit 0

bump

Experiencing this behavior with a lot of machines since a few months. Didn't noticed it at first but a few machines didn't received the config profiles that I've build so after some digging I stumbled upon this:

5 out of the 15 machines that I've checked had a few commands pending so I think that roughly 1 third of my clients has this issue.

I would like to try the sql commands to clear out the "stuck" entries. Which commands are used to do this? Running Casper 9.81 btw.

Thanks!

Anyone?

I'v seen this behavior as well.
I'd love some sort of solution to this as I feel a bit stuck with my hands tied when this stuff happens.

I'm having issues with this as well, seems to have started a few days ago. It is happening with our iOS and OS X clients. The management commands are stuck in a "pending" state but occasionally move to the "failed" with the following error:

There was a problem communicating with a push server

After a few seconds, it cycles back to "pending."

@jescala

Are you using JAMF Cloud or on Prem?

After examining an affected system I came to the conclusion that this occurred in my environment due to the fact that the user deleted his System.keychain which holds the certs that Casper uses to do mdm related stuff.

Re-enrolling fixed this! Ugh, users with local admin rights sometimes give me a headache...

@bwiessner We have an on prem cluster.

We have the same issue here, we are using Jamf Cloud, Jamf client 9.82.

The issue is still going on, commands are getting pushed but the client is not executing them. Is there anything that could help me to debug it on the client? I checked /var/log/jamf.log but nothing in there.

Casper 9.82

I'm too am having similar issues pushing out specific profiles to random machines in our fleet at this time. Using the command @denmoff proposed has worked for us. Would someone mind sharing the SQL commands used to purge the database of pending commands?

Thanks,
Roger

I'm beating my head against this problem as well. As with CasperSally above, the problem may be exacerbated by the fact that we also delete home directories.

I'm trying to use device assignments to push an AppStore app out to all of my lab machines, and so far, of 103 targeted machines, only 11 have actually installed the app. Checking a random sampling, all of the computers have a fairly lengthy list of stacked up MDM commands, and on most of them, the install app command is mixed in.

More frustratingly, the "Cancel all pending and failed management commands" action doesn't seem to do anything. I've run that, then gone in and the list is untouched.

I've just updated us to 9.96, and we're running 10.11.6 on our clients.

I'm totally fed up with this as well. We have about 600 macs and as others have said, we delete any local student accounts on a restart.

We have constant build up of pending and failed commands I can't keep going through and manually clearing them all of the time!

I'm thinking about creating a policy that will run once a day, outside of the hours between 9am and 6pm which just removes the mdm profiles and reapplies them. I've asked Jamf if there's any danger in doing this.

Hopefully no 802.1x profiles are required else computers won't connect again to get profiles reapplied.

Question i am having the same issue as many when looking at the Management console on multiple systems i find that alot of the commands are pending and a few systems have all configuration profiles going through with no problem.

I went to one of the systems in question and ran the following :
sudo jamf removeMdmProfile
sudo jamf manage

And all the pending files have went through with no problem. Has anyone created a script that you can run that will run those commands and take care of the issue?

I have an On Prem setup and the Jss is 9.96 thanks in advance.

@bjones I think that Jamf IT made a script along those lines https://github.com/jamfit/Reset-MDM

Anyone know if this is still an issue in 9.97?

@ABigRock Just tested this and it is still an issue. I think it may be worse now actually.

I ran the sudo jamf removeMdmProfile and sudo jamf mdm -- resulted in the MDM profile not being re-installed. I am getting the generic 'Error installing the computer level mdm profile: profiles install for file: '/Library/Application Support/JAMF/tmp/mdm.mobileconfig' and user:'root' returned 500 (The operation couldn't be completed. (MDMResponseStatus error 500.))

I have this same error message now on 3 different machines.

I had a lot of machines that were doing this and it was really tiresome when trying to push updates and configs and never knowing how many of them were actually going to the damn things.
then i found Casper Check it automated the entire process of checking a machine's connection to casper, and re enrolling if necessary to fix this issue. its literally saving me from pulling my hair out on a daily basis.

@slewis59 I actually have a policy ready to go to install Casper Check. After reviewing the script, it seems to attempt to fix things by either reinstalling a quickadd package, or by running jamf mdm. I've tried both things on my affected machines however, and I still cannot get the MDM profile to get re-installed. Consequently, those machines do not have our configuration profiles installed.

Were you able to figure out how to get MDM working again? I can run recon, I can even run the custom trigger from Casper Check and JSS responds with "up".

The post by @denmoff worked for me (running 9.93)

sudo jamf removeMdmProfile
sudo jamf mdm

It's pretty maddening that 3 years later from the original thread of this post the problem still exists. No suggestion here helped me until I re-read rcorbin's post. I had to go into JSS and remove the mdm profile manually. Then recon the machine again. Reboot twice. Then it finally took hold. 3 hours later I finally have ONE machines pending apps all sent out. I have over 300+ machines...I can't do this for each and every one of them. Sigh.

This is the response I got:
If you have iPads that have an app that is no longer available in the App Store you will be unable to deploy it to any other devices. If the app is currently installed on a device it should still be usable. All other iPads have the app go into pending commands. Deleting all pending commands didn't do it because it will continually try to install.
I had to go in and exclude the iPads that were getting the pending commands.
I don't know if this is the problem you are having but it solved mine.

These are managed apps that the state gives us so we have x amount of licenses, it's still showing I have plenty left available. Once I went through the process of removing the mdm profile, rebooting, reinstalling recon, rebooting and then rebooting again I noticed the pending apps disappeared on my server and they started installing on the users macbook. The problem comes in when I can't physically touch over 300 machines to make sure this happens. The interesting part is that I can see what apps, etc are pending for each user and there's no consistency to it. For example one user currently has a pending app for pages only (out of the whole suite), another user has ALL the mac app store apps pending that the state gives us. No rhyme or reason to it.

I have this issue as well on 9.98. It is disappointing that something so basic like I don't know the agent taking commands from the server can stop working. But self service and software installs keep working.