Configuration Profile Tool

Did you ever find a solution to this? My users intermittently have this issue, but not always.

I'm experiencing the same issue. Any ideas?

We are having the issue randomly as well....

Same issue here.

Same here.

And here too.

Hey all,

Just wanted to get a little more information regarding this thread. When the Configuration Profile Tool pops up on a client machine are we seeing anything in regards to, "keychain is MDM_Connect"? If any of you have a screenshot of this message that would be very helpful as well.

Thanks,
Joel

Yes. Here is my screenshot.
external image link

Some more background. In my case, It doesn't happen immediately after imaging. It happens as soon as I manually install a mobileprofile that was exported from JSS. I also noticed that immediately after canceling this prompt (since no password seems to work), that I will see repeated failed attempts to remove this profile from my machine in the system.log file. I figured that perhaps Casper was trying to remove it since it wasn't scoped to that machine. I even deleted the profile on the JSS, but the prompt and errors still persist.

Here is the error that repeats over and over again:

Mar 13 11:30:20 mcmacimg02.local mdmclient[540]: ** ERROR ** [Agent:2081286642] ################################### Mar 13 11:30:21 mcmacimg02.local mdmclient[540]: [Agent:2081286642] Processing server request: RemoveProfile for: <User: 2081286642> Mar 13 11:30:21 mcmacimg02.local mdmclient[540]: [Agent:2081286642] Removing profile: [Redacted](347E6B74-71E7-4236-BD05-6D50692C3ED5) for: <User: 2081286642> Mar 13 11:30:21 mcmacimg02.local mdmclient[540]: ** ERROR ** [Agent:2081286642] ### Errors while processing: RemoveProfile ### Mar 13 11:30:21 mcmacimg02.local mdmclient[540]: ** ERROR ** [Agent:2081286642] <MCMDMErrorDomain:12013> Cannot remove profile '347E6B74-71E7-4236-BD05-6D50692C3ED5' because it was not installed by the MDM server <MDMClientError:96>

Check to make sure that your end user keychain password matches their login password. I've seen this with cached AD accounts.

I'm seeing this as well.

external image link

I am indeed using cached AD accounts, and verified the keychain password matches login password. Any other ideas?

*bump* We're seeing the same issue on occasion. We've verified keychain+login as well... any help would be appreciated!

We wanted to provide an update on this issue. We started seeing clients report this last fall, though we have not noticed it here in normal testing. We looked into this deeper, and can confirm that a temporary keychain is created anytime a push notification is sent to the device. You can see this pretty easily by unloading "/System/Library/LaunchDaemons/com.apple.mdmclient.daemon.plist" and then running "/usr/libexec/mdmclient daemon" in Terminal.

After that, send a push notification to the device and you'll see the keychain get recreated for about 10 to 15 seconds. If by random chance you put your laptop to sleep while you're in the middle of a push notification, then you'll get this prompt when you open your laptop back up. We do not have a fix at this time, but users can just click Cancel and nothing bad will happen.

We reported this to Apple last fall, under RADAR #12634896. This RADAR is still reported as Open as of today, so we do not know when a fix will be in place.

Was a solution ever identified for this?

Thank you for checking in. The RADAR is still open as of this point, and we are still investigating this issue with Apple. There is no workaround, other than instructing your users to just click the Cancel button and ignore the message. Sorry for the inconvenience.

Bump. Getting this message too.

We get it randomly as well. As long as it doesn't happen regularly, it seems like little more than an annoyance. The explanation above from JAMF employees is satisfactory to me. Its not their issue to fix, but Apple's. We've just instructed our users on what causes it and just to click Cancel and move on if they happen to see it. Seems good enough for them.

@dan.kubley - just checking in on this to see if A) people are still having this issue, and/or B) if the RADAR has been addressed by Apple.

Thank you for checking back on this issue. We have seen a big decline in people reporting this issue, so whether it is something Apple fixed in one of the Mavericks releases, or maybe people are just used to ignoring it by now, we are not sure of the reason. Looking at the RADAR, it is still in the open status with Apple. If anything changes, we will be sure to let the community know.

Thanks Dan - we actually just started hearing reports of this here. FYI we're using 8.73 with OS X 10.9 hosts (there's one thing we're waiting for in 9.x before we upgrade).

To confirm Dan it is still out there and I have had the CPT issue through Lion, Mt Lion and still in Mavericks 10.9.2 as well. I think people are just ignoring it at this point or have tried their best to work in a script to try and suppress the CPT popup. We have done this at our school district with limited success. Reported Apple Bug Report about it back in February. I also referenced your previous radar#.

We are seeing similar pop ups, however they are occurring on EVERY network account login.

external image link

Has there been any new developments on the RADAR from Apple or has someone come up with an effective script at neutralizing this annoyance?

Hello all,
I wanted to provide a bit of an update on this issue with the MDM_Connect prompt. Apple has contacted us about RADAR 12634896 and indicated that this behavior should be fixed now in Yosemite. The wait has been a bit long, but this sounds like good news to me! Thank you for your patience.

@mfcfadmin

Did you ever figure out what was causing the "Configuration Profile Tool wants to make changes" popup on network login? I am seeing this on 10.10.1 clients, they report the following error when network users try to login:

mdmclient[5139]: [Agent:1234] Current user is not bound by the MDM configuration: '<Payload: JAMF Manual Enrollment Payload: MDM (00000000-0000-0000-A000-4A414D460004:00000000-0000-0000-A000-4A414D460004) from profile: MDM Profile (00000000-0000-0000-A000-4A414D460003:00000000-0000-0000-A000-4A414D460003)>' because it was installed by a different user on the system.
mdmclient[5139]: [Agent:1234] Removing obsolete MDM profile: MDM Profile (00000000-0000-0000-A000-4A414D460003:00000000-0000-0000-A000-4A414D460003)
mdmclient[5139]: ** ERROR ** [Agent:1234] ([HaveError] Getting ODRecord for uid: 1234 <InternalError:1> CallStack: (
mdmclient[5139]: ** ERROR ** [Agent:1234] Removing profile: MDM Profile (00000000-0000-0000-A000-4A414D460003:00000000-0000-0000-A000-4A414D460003) (Error Domain=CPProfileManager Code=-208 "This user is not allowed to add or remove configuration profiles." UserInfo=0x7fc0caf04e10 {NSLocalizedDescription=This user is not allowed to add or remove configuration profiles.})

@dan.kubley

I am looking for any additional information regarding this issue. Our setup consists of 10.10.1 clients that login using Active Directory credentials to Network Home Directories. Every time a non-admin network user logs into these clients a prompt appears stating "Configuration Profile Tool wants to make changes". Users can click Cancel and the prompt disappears, but it comes back at every login. If you enter an admin username and password into the prompt, it removes the MDM profile from the client machine.

Are there any suggestions on troubleshooting this issue further?

@plawrence

Sorry to hear of the difficulties with the Configuration Profile Tool. The issue that you are experiencing now is different from the original issue in this discussion. The original dealt with the keychain when the MDM process was interrupted with the machine going to sleep. That issue is what the RADAR was filed for, and Apple has fixed that issue with Yosemite.

I have escalated your case internally here so we now have more resources investigating it. Your support specialist will be reaching out with more information shortly.