Fixing Failed Installs of Configuration Profiles

apizz
Valued Contributor

Any chance there is an easy way to fix config profiles which failed to install on a number of machines without having to redistribute the profile to all machines?

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

Yes, but there is already a feature request for JAMF to add that - https://jamfnation.jamfsoftware.com/featureRequest.html?id=3610
It's not available now, so there is no way to accomplish it (easily), hence the Feature Request.


11 REPLIES

AVmcclint
Honored Contributor

You're asking for the Holy Grail of JSS. :) When you find the answer, share with the world.

lwindram
Contributor

Apologies in advance if I'm not answering the correct question! I abandoned the Casper method of distributing config profiles about a year ago as I needed to ensure complete deployment of many of those profiles across the entire fleet. They would often fail initially, try again, then go into a sort of "failed" limbo. This lack of feedback was frustrating and the deployments were often incomplete.

I now treat config profiles like all of my other policies. I build the config profile into a deployable package, and deploy it against a smart group based on installed config profiles. I have found this to be quick, effective, and much more reliable than continually redistributing. LMK if more specifics would be helpful.

apizz
Valued Contributor

@AVmcclint, well wouldn't it just be a function similar to Policies where you can flush the failures and have it automatically attempt to install it again? It doesn't seem (at least to me) like this would be hard to accomplish ...

AVmcclint
Honored Contributor

I think there are several feature requests asking for exactly that kind of functionality. It is extremely frustrating to be able to flush policy failures but not flush config profile failures. I have some Config Profiles that I assign to machines one. at. a. time. It is slow and not at all efficient, but this allows me to troubleshoot individual profile failures (frequently) without redistributing to the entire fleet. But I've got other, simpler Profiles that I distribute to "All Computers" at the same time and I've had very few failures with that. I think the more simple a profile is, the greater chance of success in being pushed. I can say that since I upgraded from 9.65 to 9.81, I've had fewer failures. They still happen, but more like 50% of the time instead of 90% of the time.

bpavlov
Honored Contributor

Frustrating is one way to put it. It really makes it feel that config profiles are quite unreliable.
In addition to the thread that @mm2270 pointed out, I would also vote this up: https://jamfnation.jamfsoftware.com/featureRequest.html?id=3619

gachowski
Valued Contributor II

@AVmcclint

Something is messed up, we are not seeing anywhere near 50% failures, I would guess that it's about 1 to 2% if that much... with my failure rate and the error message I get I am assuming it's an Apple issue...

I agree that there should be a better way to "fix" failed profiles, I am guessing that a good solution isn't easy... I would expect that there are a few undocumented APIs and security related issues when it comes to Profiles. I would also guess that any "fix" Jamf comes up with would be on their own and when Apple makes a change it could cause Jamf and us big issues...

It's quite clear IMO that Apple has kinda done "profiles" halfheartedly on the Mac OS. They should have done a clean break from MCX and started new, like they have in many other products.

C

apizz
Valued Contributor

@lwindram, thanks for the idea. We don't manage thousands upon thousands of machines, so redeploying the profile(s) to everyone isn't such a huge deal. Just wondered.

sncruz
New Contributor

When I got the "Profile installation failed" message and "New profile does not meet criteria to replace existing profile" error, I reinstalled the macOS 10.14 and that fixed the problem.

bradtchapman
Valued Contributor II

We have over 10,000 Macs in our environment, and about 2-4% failure rate for config profiles. The reasons are logged in the computer's management tab, but not in the config profile log.

I saw a tip for retrying failed profiles and it seems to work:

  1. Select the profile in the Jamf console.
  2. Click Edit.
  3. Click Save.
  4. Select 'Distribute to newly assigned devices only.'
  5. Click Save.

The "failed" count resets to zero in the profile summary screen. I can also see fresh entries in the profile's log, indicating that Jamf made an attempt to deliver them.

This is a rather elegant solution to the problem, if altogether obscure.

vanschip-gerard
Contributor

@bradtchapman just tried that and it does not seem to be 100% working the way you described. Well not for me.
I have a profile that is scoped to 160 devices. I had a dozen fails, I hit edit, save and then selected to newly assigned devices only which seems to work but then noticed it now claims on the dashboard to be only on 76 devices?