Disappearing Profiles Lion Computers

GabeShack
Valued Contributor III

So I just started seeing computers that previously had many profiles installed just showing the MDM profile. Casper thinks all the other profiles are still installed however they are not shown in pending or on the client computer.
Anyone else seeing this?

Gabe Shackney
Princeton Public Schools

Gabe Shackney
Princeton Public Schools
13 REPLIES 13

nextyoyoma
Contributor

We're seeing something similar. Profiles do not appear to install on many computers, or disappear after making changes to the profile. Only solution we have found is to delete the machine from JSS and re-add it with recon or quickadd package.

bajones
Contributor II

Same issue here. I've found that running "sudo jamf mdm" on the affected machine resolves the issue in most cases. I've made a self service policy that runs that command available on all of our computers to empower users to restore their missing dock icons.

russeller
Contributor III

We've also been seeing this and I'm considering packing up the mobileconfig files. You can download them from the JSS by going here: https://yourjssurl.com/exportOSXConfigurationProfile.html Got this info from:
https://jamfnation.jamfsoftware.com/discussion.html?id=4867
and put them in a PKG with a post-flight script running the profiles command

/usr/bin/profiles -I -F [location of profile]

Some more info on the 'profiles' command:
http://krypted.com/iphone/profile-manager-and-profiles/
I understand this would require more work when we make changes to the profiles, but if its more reliable and there isn't any other suggestion to resolve this issue we might have to go that route.

tomt
Valued Contributor

I just had this happen right now on a brand new, freshly imaged (10.7.5) laptop. Everything was fine and then all of a sudden there were zero configuration profiles on the machine.

JSS version 8.6.2

mscottblake
Valued Contributor

I've seen this as well. I can guarantee a machine had all of its profiles installed, then later find them all removed when no admins had logged in to provide authentication. The JSS doesn't show any attempts to remove the profiles either.

lisacherie
Contributor II

When testing the profiles saw a couple things to consider:

- If creating the profile on the JSS and then downloading and installing manually via the profiles command, the profile will be removed from the client if the scope does not cover the client. To work around this if you have created a profile on the JSS and downloaded for manual use, remove the profile from the JSS then it will remain on the client.

- If scoping profiles on smart groups, eg. install profile for certificate if client does not have certificate. Will not be successful, because as soon as the smart group changes (eg. the computer now has the certificate) then the profile removes and you end up in a messy loop.

blutz
New Contributor

I too have run into disappearing profiles. Specifically my profile which binds clients to Active Directory.

It's very frustrating. It seems to occur most often during a reboot of the client's iMac. I can't find a common thread that ties each of these clients together, however it does seem to happen more to some than others.

Interestingly enough, when I look in the JSS profile management history for the clients, there is usually an entry saying "Remove Configuration Profile Active Directory" meaning that something is actually pushing the command to remove it...?

russeller
Contributor III

@lisacherie
If you download the profile from the JSS, then install it manually, then remove the profile from the JSS.

Like you explain here:

- If creating the profile on the JSS and then downloading and installing manually via the profiles command, the profile will be removed from the client if the scope does not cover the client. To work around this if you have created a profile on the JSS and downloaded for manual use, remove the profile from the JSS then it will remain on the client.

Do you end up with those Errors in the "Management History" under the "Details" link that shows an Error removing the profile because it doesn't exist?

tomt
Valued Contributor

Bringing this one back from the dead.

I've got a newly imaged 10.7.5 machine that is doing this as I watch. I logged into the machine as a standard user and was prompted by the Profile Utility for admin credentials. At that time I opened the System Prefs and watched as the three profiles that were installed vanished one by one.

I also had the Console open and was able to observe the following:
(only the relevant parts are listed here, added line breaks for readability)

1/23/13 4:24:04.474 PM mdmclient: ** ERROR ** [Agent:1554192771] Unable to proceed with connection to: https://radar.lux-oo.net:8443//computer/mdm (00000000-0000-0000-A000-4A414D460004) because don't have valid MDM AuthToken

1/23/13 4:24:14.671 PM mdmclient: ** ERROR ** [Agent:1554192771] Unable to proceed with connection to: https://radar.lux-oo.net:8443//computer/mdm (00000000-0000-0000-A000-4A414D460004) because don't have valid MDM AuthToken

1/24/13 12:48:37.699 PM mdmclient: ** ERROR ** [Agent:1554192771] Assertion Failed. File: /SourceCache/MCXTools/MCXTools-320/ConfigProfiles/mdmclient/MDMUserAuthenticator.mm Line: 82

1/24/13 12:48:37.700 PM mdmclient: [Agent:1554192771] Current user is not bound by the MDM configuration: '<Payload: MDM Enrollment (00000000-0000-0000-A000-4A414D460004) from profile: MDM Enrollment (00000000-0000-0000-A000-4A414D460003)>' because it was installed by a different user on the system.

1/24/13 12:49:00.628 PM mdmclient: ** ERROR ** [Agent:1554192771] Removing profile: 10.7 Software Update Server Setting (442A0994-1BA6-4672-8E91-908130D902E5) (<CPProfileManager:-205> Unable to locate configuration profile.)

1/24/13 12:49:00.631 PM mdmclient: ** ERROR ** [Agent:1554192771] Removing profile: FHR-OS10.7-Base (7CEB5133-BF86-429D-9389-7FE126F391D3) (<CPProfileManager:-205> Unable to locate configuration profile.)

1/24/13 2:44:55.438 PM mdmclient: ** ERROR ** [Agent:1554192771] Assertion Failed. File: /SourceCache/MCXTools/MCXTools-320/ConfigProfiles/mdmclient/MDMUserAuthenticator.mm Line: 82

1/24/13 2:44:55.438 PM mdmclient: [Agent:1554192771] Current user is not bound by the MDM configuration: '<Payload: MDM Enrollment (00000000-0000-0000-A000-4A414D460004) from profile: MDM Enrollment (00000000-0000-0000-A000-4A414D460003)>' because it was installed by a different user on the system.

1/24/13 2:46:58.283 PM mdmclient: ** ERROR ** [Agent:1554192771] Removing profile: 10.7 Software Update Server Setting (442A0994-1BA6-4672-8E91-908130D902E5) (<CPProfileManager:-205> Unable to locate configuration profile.)

1/24/13 2:46:58.287 PM mdmclient: ** ERROR ** [Agent:1554192771] Removing profile: FHR-OS10.7-Base (7CEB5133-BF86-429D-9389-7FE126F391D3) (<CPProfileManager:-205> Unable to locate configuration profile.)

This happened once and I was able to get the profiles to reload by running sudo jamf MDM on the machine. What you see here is the second time it has happened to this box.

tomt
Valued Contributor

This just happened to me again today. First time in a few months. Has anyone come up with anything more on this lately?

frozenarse
Contributor II

The problems you are seeing today may be related to this: https://jamfnation.jamfsoftware.com/discussion.html?id=7170

tomt
Valued Contributor

I had read that thread earlier and also knew about the APNS outage from early this morning. The strange thing is that both of these machines were imaged yesterday and working fine. They were left on and logged in overnight. This morning I logged into a different user account and that is when the profiles were removed.

Our network has also been having issues today (failing Bluecoat filter) but I can't figure out how either the APNS outage or our internal internet/DNS issues could trigger removal of previously installed configuration profiles?

bentoms
Release Candidate Programs Tester

@Tom, I have one network segment where the clients are constantly losing a single profile.

The scope is 10.8, & other profiles are installed & staying installed (even with the same scope).

I think the issue for this site is also network related.. I've been speaking to the onsite guy & turns out they have 2 routers being pushed out via DHCP.. The 1st OS for their old environment (including live router etc)... The 2nd is on our MPLS..

I'm going to hardcode our router into some of these macs & will see if that resolves. I'll update here, but might take a little time.