Posted on 12-12-2023 03:50 PM
Hi everyone,
I'm having a somewhat urgent issue with 46 instructor desktop machines at our college. Somehow a configuration profile that was scoped to these machines created another random profile called 'General' that keeps replicating over and over, reaching 3900 unique ID installations of the same profile name on each of the desktops.
I've never seen this before, and other than removing the scope I haven't been able to stop it trying to create more and more General profiles. It's causing users not to be able to log in, and reboots are taking 15-20 minutes even on new M2 Mac desktops. It's happening on Monterey and Ventura OS, Intel and Silicon.
Anyone seen this before? Hoping I won't have to rebuild each of these machines.
Posted on 12-13-2023 02:40 PM
@syed_hyder do you have a jamf ticket number that you've been working with them on? Keen to add our experience to the same ticket when we raise our own.
A solution we've found is to run the following in recovery:
rm -rf /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/*
mkdir /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings
touch /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.profilesAreInstalled
Posted on 12-13-2023 06:33 AM
Hello, we are encountering the same problem. It happened on the 8th and 9th of December on more than 1000 devices in our organization. Hundreds of profiles named ‘General’ were pushed to computers.
Posted on 12-13-2023 06:41 AM
Hi there,
Did you find a solution to the issue? It's causing really slow logins for our AD users, sometimes up to 40 minutes to log into the machine.
Posted on 12-13-2023 09:16 PM
Confirming this one - Max found a solution to this for one of our customers this week after a couple of days of our team troubleshooting the issue.
Piggy-backing off Max's comment, after you apply the above fix in recovery you will need to re-enroll devices into Jamf Pro as the MDM profile was deleted after running the rm -rf command of the Configuration Profiles directory.
Posted on 12-14-2023 10:14 AM
Thanks @maxhewett - funny you mentioned this because I found this as a solution as well and have started applying it to our machines as of yesterday. I didn't know if someone had a different method but this seems to be working on Intel Macs. Silicon are slightly different with this script and I'll try to make some changes and publish it for everyone on that processor type.
Posted on 12-13-2023 09:27 PM
@maxhewett @And @James_NZ Thank you for your response, much appreciated. We use this solution to re-enroll devices in our environment, but we have more than 1000 affected computers spread across a very large area and it is impossible to manually delete the profile directory from recovery on each device.
Posted on 12-14-2023 10:17 AM
Thanks everyone for the comments. This script method is working for us, just a little time consuming so I might try to automate some more of it, but that may not be possible due to the recovery mode process.
Posted on 12-14-2023 10:29 AM
Also, Jamf evidently is coming up with a hot fix for this. It's a known issue:
PI115634: Computer configuration profiles with a Security and Privacy payload may unexpectedly lose the configured settings, causing blank or null values in the os_x_configuration_profiles database table. As a result, Jamf Pro endlessly sends new configuration profiles with unique identifiers to the computers in scope. Workaround: Remove target computers from the scope. Contact Jamf Support and reference PI115634.
Found that here: account.jamf.com/products/jamf-pro/known-issues
So if they can do something about it on the backend so I don't have to go to all 50 of my affected machines that would be nice. The commands mentioned above are working otherwise.
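Per the known issue quoted above, Jamf Pro keeps sending the same profile under new unique identifiers, so an affected Mac shows one display name mapped to many identifiers. The following check is an added example, not code from any poster or from Jamf. It assumes the XML plist layout produced by the macOS `profiles` listing (a `_computerlevel` array of dicts with `ProfileDisplayName` and `ProfileIdentifier`); the sample data and the threshold are constructed.

```python
import plistlib
import sys
from collections import defaultdict


def build_sample(n_general):
    """Constructed sample: one MDM profile plus n_general 'General' profiles,
    each with its own unique identifier (the pattern described in PI115634)."""
    items = [{"ProfileDisplayName": "MDM Profile",
              "ProfileIdentifier": "com.example.mdm"}]  # placeholder identifier
    for i in range(n_general):
        items.append({"ProfileDisplayName": "General",
                      "ProfileIdentifier": f"00000000-0000-0000-0000-{i:012d}"})
    return plistlib.dumps({"_computerlevel": items})


def duplicated_profiles(plist_bytes, threshold=5):
    """Return {display name: number of distinct identifiers} for every name
    installed under at least `threshold` different identifiers."""
    data = plistlib.loads(plist_bytes)
    ids_by_name = defaultdict(set)
    # Assumed layout: each top-level key (e.g. "_computerlevel") maps to a
    # list with one dict per installed profile. Anything else is skipped.
    for profiles in data.values():
        if not isinstance(profiles, list):
            continue
        for profile in profiles:
            if not isinstance(profile, dict):
                continue
            name = profile.get("ProfileDisplayName", "<unnamed>")
            ids_by_name[name].add(profile.get("ProfileIdentifier"))
    return {name: len(ids) for name, ids in ids_by_name.items()
            if len(ids) >= threshold}


if __name__ == "__main__":
    # Pipe a real plist listing on stdin, or run with no input for the sample.
    raw = build_sample(3900) if sys.stdin.isatty() else sys.stdin.buffer.read()
    for name, count in duplicated_profiles(raw).items():
        print(f"{name}: {count} distinct identifiers")
```

Run across a fleet, the same count separates machines that need the recovery-mode cleanup from those that were scoped but not yet flooded.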
Posted on 12-14-2023 11:00 AM