Help

Fix for Mac App Store installs from Self Service fails to install software, but instead leaves Self Service and opens the Mac App Store

jasonroos
New Contributor

Posted on ‎01-26-2018 07:40 AM

We have had issues where Mac App Store installs from Self Service will not install software, but instead leaves Self Service and opens the Mac App Store. The error in the Console on the workstation shows that the userLevelMdm profiles are not able to be installed.

Here is what we have done to make this work.

  1. run: sudo rm -R /var/db/ConfigurationProfiles
  2. run: sudo jamf manage
  3. run: sudo jamf mdm -userLevelMdm

[Here are the commands ran in the Terminal]
$ sudo rm -R /var/db/ConfigurationProfiles/
$ sudo jamf manage
Getting management framework from the JSS...
Enforcing management framework...
Checking availability of https://jss.yourdomain.us:8443/...
The JSS is available.
Enforcing login/logout hooks...
The computer was successfully enrolled in MDM with the JSS.
Enforcing scheduled tasks...
Creating launch daemon...
Creating launch agent...
Checking availability of https://jss.yourdomain.us:8443/...
The JSS is available.
$ sudo jamf mdm -userLevelMdm
Getting management framework from the JSS...
Enabling MDM at the user level...
The computer was successfully enrolled in MDM with the JSS.

Reply
3 REPLIES 3

khelm
New Contributor

Posted on ‎03-19-2018 09:47 AM

You are a sanity saver, thank you!

Reply

WhippsT
Contributor

Posted on ‎07-19-2018 03:46 PM

@jasonroos

sudo rm -R /var/db/ConfigurationProfiles/ returns an "Operation not permitted" error...

sudo jamf mdm -userLevelMdm returns "user: 'root' returned 102 (New profile does not meet criteria to replace existing profile)".

Running on 10.13.6 and JAMF Pro 10.1.1.

Any ideas?

Reply

sharriston
Contributor III

Posted on ‎07-20-2018 05:04 AM

So I'm pretty sure that High Sierra now protects these as part of SIP, so you would have to disable sip. As far as the second message if you have Restrict MDM from being deleted you will get this message if the first command fails. What I did was allow the mdm to be removed and then used a config profile to block people from accessing (or even seeing) Profiles in their system preferences.

Reply