Configuration Profiles not removed when out of scope

CCNapier
Contributor

I have a Mac configuration profile with a scope set to a dynamic group.
It installed on all machines in that group.

I now have a machine that has left that group, but it still reports the configuration profile is applied. It's been a long time, so this is well after several reboots and inventory updates.

  1. Should it be removed if it falls out of scope?
  2. If not, how do we deal with such issues.

JAMF Pro 10.10.1
Older device 10.11.6

Thanks

4 REPLIES 4

sdagley
Esteemed Contributor II

@CCNapier If you look at the Management tab for the computer record in Jamf Pro is the removal showing as pending or as having failed?

CCNapier
Contributor

Yes, completely forgot to look here!
Showing as failed.

Getting someone to go to the machine and resolve. Hopefully.
Thanks for the reminder!

SamuelHarvey
New Contributor

I'm having the same issue. We had setup a mobileconfig configuration for WiFi profile - we had removed this from our jamfcloud, yet under all machines it seems to be applying it (thought, reporting as failed) I can navigate to the profile in jamf, but as it has already been deleted there's no further options to edit/hard delete. How can we delete it fully so that we do not see these "errors" in our logs?

Thanks a lot :)

BOBW
Contributor II

We have been seeing the same thing for a while now and have found if you delete the profile before ensuring all clients have the profile removed correctly it will just continually fail.
I have even attempted to rebuild the profile and remove it but it will continue to show failures...

In general, we have been making sure the profile is not pending for any devices before deletion.

I have resorted to doing a failed command flush on lab devices where we were using our 8021x profile in question through the API.

see below, you will need to change the base64 encrypted string for your environment but I would suggest making sure you don't want to see the failed policies as it will clear them all. this is fine for us due to them just being labs. We run this on labs once per day.

#!/bin/bash

idtype=computers

status=Failed
jssurl=$(defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url)



#get the serialnumber
sn=$(system_profiler SPHardwareDataType | awk '/Serial Number/{print $4}')

#get the jamf pro id based off serialnumber
id=$(curl -ks --header 'authorization: Basic #################' -H "accept: text/xml" "$jssurl"JSSResource/computers/serialnumber/$sn | xmllint --xpath "computer/general/id/text()" -)
# force individual computer by replacing ID here and uncomment
# id=2641

#Delete pending & failed commands for the mac
curl -ks --header 'authorization: Basic #########################' -H "content-type: text/xml" "$jssurl"JSSResource/commandflush/computers/id/$id/status/$status -X DELETE