Failed management commands generated during DEP enrollment (on machines that already exist in jss) PI-005972

CasperSally
Valued Contributor II

We are a K12 and each summer we wipe and reprovision our fleet of thousands of devices. We have several config profiles scoped to each device based on a smart group (based on computer naming convention). For existing devices, each enrollment produces failed management commands because of a race condition surrounding the existing name in the database, and the rename of the machine at enrollment to the generic "macbook air" like name.

This is a problem for multiple reasons:
- buildup of failed commands in database
- more importantly, if computer name changed from X to Y, profiles scoped to X and Y remain because the removal of X commands fail until I clear failed commands

I'm having to clear failed commands from the database daily. Yes, they could be cancelled one by one, but our techs in the field don't have those permissions, and there's hundreds of failures a day.

Jamf has identified the issue as PI-005972, and this post is more a plea if you're having issues with failed commands during enrollment, please report it and mention the PI. Jamf has said I'm the only one who has reported this PI and it's unlikely to get traction I'm afraid.

12 REPLIES 12

Not applicable

Seeing the exact same. Jamf Cloud 10.4, 10.5 and still present in 10.6

Kaltsas
Contributor III

only one who has reported this PI lolwut. I've raised this issue multiple times. At one point they suggested we clear the existing record on every re-enrollment and maintain a shadow database for historical data.

CasperSally
Valued Contributor II

@Kaltsas @rypowell88 can you please make sure if you have tickets in they are tied to the PI-005972? thank you.

hstanley
New Contributor III

I reported this back in April and was referred to PI-005744. I just sent off a note asking for an update and referenced this post.

ginakung
New Contributor III

@CasperSally any updates on this PI? we are experiencing this with our existing device rebuilds. I sent your PI number over support.

CasperSally
Valued Contributor II

@hstanley @ginakung I haven't heard anything. I know they plan to improve config profile deployment, but no idea if it will help this issue. I'm still manually canceling commands via sql (bleh). I just asked for clarification on the difference between PI-005972 and PI-005744.

ginakung
New Contributor III

@CasperSally how often are you canceling commands via sql? is that something that can be automated? thank you for sharing your knowledge!

CasperSally
Valued Contributor II

@ginakung - i cancel failed commands at least once a week. During our busy period where we reprovision thousands of machines over a few weeks, I was doing it daily. It stinks.

from jamf below. I have asked again if 5972 can be broadened because this race condition is happening regardless if profile is scoped to smart group based on computer name or not. It happens on profiles I have scoped to "all 10.13 machines."

PI-005744 speaks to a situation when the re-enrollment of a computer without deleting that computer record from Jamf Pro inventory will result in Configuration Profiles we expect to be deployed to a device to not actually be deployed until an inventory update occurs. What we usually end up seeing is that MDM commands are pushed earlier and faster than binary commands (like an inventory update). PI-005972 speaks to a situation when a computer is wiped and re-enrolled via DEP (again without deleting the computer from Jamf Pro inventory), and the name of the computer is changed, which can change whether the device is in scope of a Configuration Profile, especially if those Configuration Profiles are scoped to smart groups that may involve the name of the device in some way. The wipe/re-enroll/name change would remove the device from the scope of previously-scoped configuration profiles, which triggers Jamf Pro to send Profile Removal commands to the device. But because the device is no longer in scope because the name changed, Failed Commands are shown in management history. These failed commands will prevent new commands from being deployed to the device until they're cleared.

mconners
Valued Contributor

Agreed, this should be getting fixed, sooner than later. Seems silly to have to manually work around something that Jamf should be fixing.

bountyman
New Contributor III

K12 here as well, also getting this "PI-005972" 'bug'. Really annoying since we have tons of these errors every day. I really hope the next release will fix that even though I doubt it.

MrP
Contributor III

"Jamf has said I'm the only one who has reported this PI and it's unlikely to get traction" So JAMF doesn't have any intention of fixing bugs, only those which affect N number of people???? I can't wait for a comprehensive challenger to come on the market.

tnielsen
Valued Contributor

It's almost easier to just delete the devices and re-enroll them in mass. Clearing those commands is a burden I'll quickly pass on.