Detecting covertly broken macOS clients?

foobarfoo
Contributor

As you may know, macOS devices can break in numerous ways and stop behaving as expected in JAMF. Many of these scenarios have been fixed now that JAMF considers the device managed even without a management account. However, there's one covert issue that I've noticed recently that I'd like some help on both detecting and fixing, in some automated way.

First, what's the problem? Well, difficult to say, but it manifests itself in the following way:

When an MDM command is issued to the device, the command fails with the following reason:

"The device token is not active for the specified topic."

My assumption at this point is that the MDM profile on the client is somehow broken as this isn't a general problem. But anyway, is there some way we can detect these devices in bulk somehow? By search? By data in the JAMF DB? Or by looking for error messages in the jamf pro server logs?

Now, once a method to identify affected devices has been found, how can this be remedied? Note that the JAMF agent is still active, checks in and executes policies as usual. What command can be run through a policy to resolve this automatically?


...or is the real-world method here to just ignore it as it's difficult to find and difficult to fix? The users will notice sooner or later once their wifi certificate expires anyway. :)
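One way to do the "search the Jamf Pro server logs" part of the question in bulk, as an added example that is not part of the original post and not Jamf's own tooling: scan the server log for the exact failure reason quoted above and count it per device, so the affected Macs can be listed rather than found one command at a time. The log line layout (a `udid=` token on the same line as the message) and the sample lines are constructed assumptions for this example; JAMFSoftwareServer.log on a real instance will not look exactly like this, so the regex is the part to adapt. Requiring more than one failure per device is an assumption too, meant to separate a persistently dead push token from a single transient failure.

```python
import re
import sys
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# The failure reason exactly as it appears in the thread above.
DEAD_TOKEN_MSG = "The device token is not active for the specified topic."

# ASSUMPTION: the server log line names the device as "udid=<value>".
# Real Jamf Pro log lines differ; change this pattern to match your log.
UDID_RE = re.compile(r"\budid=(?P<udid>[0-9A-Za-z-]+)")

# Constructed sample log lines for the example (not real server output).
SAMPLE_LOG = """\
2024-03-01 09:12:01,004 [ERROR] [MDMCommandSender] udid=AAAA-1111 command=ProfileList failed: The device token is not active for the specified topic.
2024-03-01 09:12:05,110 [INFO ] [MDMCommandSender] udid=BBBB-2222 command=DeviceInformation acknowledged
2024-03-01 09:40:22,301 [ERROR] [MDMCommandSender] udid=AAAA-1111 command=InstallProfile failed: The device token is not active for the specified topic.
2024-03-01 10:02:44,777 [ERROR] [MDMCommandSender] udid=CCCC-3333 command=DeviceInformation failed: The device token is not active for the specified topic.
2024-03-01 10:03:00,000 [ERROR] [MDMCommandSender] udid=BBBB-2222 command=InstallProfile failed: NotNow
"""


def parse_failures(lines: Iterable[str]) -> Counter:
    """Count dead-token failures per device UDID.

    Only lines carrying the exact APNs failure reason are counted; other
    MDM errors (e.g. NotNow) are a different problem and are ignored.
    """
    hits: Counter = Counter()
    for line in lines:
        if DEAD_TOKEN_MSG not in line:
            continue
        match = UDID_RE.search(line)
        if not match:
            # Message matched but no device identifier on the line: skip rather
            # than guess which device it belongs to.
            continue
        hits[match.group("udid")] += 1
    return hits


def first_last_seen(lines: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Return (first, last) timestamp of the failure per device.

    ASSUMPTION: the timestamp is the first two whitespace-separated fields.
    Useful for telling a device that has been broken for days from one that
    failed once this morning.
    """
    seen: Dict[str, Tuple[str, str]] = {}
    for line in lines:
        if DEAD_TOKEN_MSG not in line:
            continue
        match = UDID_RE.search(line)
        if not match:
            continue
        parts = line.split(None, 2)
        stamp = " ".join(parts[:2])
        udid = match.group("udid")
        first, _ = seen.get(udid, (stamp, stamp))
        seen[udid] = (first, stamp)
    return seen


def suspect_devices(lines: Iterable[str], min_failures: int = 2) -> List[str]:
    """UDIDs whose dead-token failures reached the threshold, sorted."""
    hits = parse_failures(lines)
    return sorted(udid for udid, count in hits.items() if count >= min_failures)


def report(lines: List[str], min_failures: int = 2) -> List[str]:
    """Build human-readable report lines for the suspect devices."""
    spans = first_last_seen(lines)
    counts = parse_failures(lines)
    out = []
    for udid in suspect_devices(lines, min_failures):
        first, last = spans[udid]
        out.append(f"{udid}: {counts[udid]} failures, first {first}, last {last}")
    return out


if __name__ == "__main__":
    # Usage: python3 dead_tokens.py /path/to/JAMFSoftwareServer.log
    # With no path given, the constructed sample above is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    for row in report(log_lines):
        print(row)
```

The output is a list of UDIDs that can be fed into a smart group or an advanced search, which keeps the remediation decision (reboot, re-enrol, or leave it) separate from the detection.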

3 REPLIES

dsavageED
Contributor III

MDM Watchdog might help you here, see this thread https://community.jamf.com/t5/jamf-pro/mdm-watchdog/m-p/298797


AJPinto
Honored Contributor III

I have noticed most issues with MDM are caused by long uptimes. I have a policy to reboot devices after 7 days of uptime. Keeps things pretty fresh. Unfortunately there is no way to report on MDM command responses. You could look into using the API to push some MDM commands and report on the responses in the CLI.

foobarfoo
Contributor

So both of you essentially believe a restart of select services or a reboot would clear this? I'm not so sure about it as I don't have access to the device in question. But yeah, the sane solution in general would be to enforce a maximum uptime limit (which we do, just more lax than 7 days ;) ). I'm just not sure if this particular error would disappear. The reason why I'm guessing this is because of this documentation:

https://developer.apple.com/documentation/usernotifications/setting_up_a_remote_notification_server/...

Since the device is unregistered for APNS MDM push notifications, would it be fair to assume that the MDM profile is permanently broken on the device and thus the device requires a new MDM profile? Can this be accomplished with a non-interactive CLI command that's invisible to the user? Our JAMF pro instance requires user authentication for enrollment, so I would assume "no".