Freshly imaged mac not getting any profiles

AVmcclint
Honored Contributor

This is a first for me. I have a Mac that was freshly wiped clean and imaged with a 10.12.1 image. After the first reboot it actually ran the EnrollmentCompleted policies on its own (which haven't been happening lately). All the Enrollment policies and check-in policies were successful as well as binding to AD. Everything looks normal EXCEPT the only profile it got was the MDM. That's it. When I check the computer record in JSS it says it is in the scope for 3 others it's supposed to automatically get. I waited over an hour and none of them installed as expected. I've had situations where a lone profile just didn't want to install so I went through the drill that usually works: I ran jamf RemoveMdmProfile and jamf mdm and jamf manage but still the only profile installed is MDM. I've rebooted several times. I am able to manually install the profiles if I download them from JSS to the computer but I need to be able to push and pull and change settings so a manual approach is not going to work for this computer.

Additional weirdness: I had to manually updated to 10.12.3 via a full installer because the 10.12.3 updater I've been using in Self Service said it couldn't be applied to Macintosh HD (no further elaboration beyond that). Other profiles are able to install just fine from Self Service. Any ideas?

2 ACCEPTED SOLUTIONS

JustDeWon
Contributor III

@AVmcclint on the computer General tab, does it say yes for MDM Capability or does it say No? if it says no, this is why you wouldn't see it in Config profiles to scope to it

View solution in original post

AVmcclint
Honored Contributor

I have found the probable cause. Found this on https://developer.apple.com/library/content/technotes/tn2265/_index.html :

Yet another possibility is that there is a firewall blocking access to the ports used by APNs. Please see IP Address Range Used by the Push Service for details. Try running a telnet command on your server to see if the server can reach APNs, like this: $ telnet 1-courier.push.apple.com 5223 $ telnet gateway.sandbox.push.apple.com 2195 $ telnet gateway.push.apple.com 2195

I tested it and sure enough, on the network that this particular Mac is on, the connection attempt times out. What's really stupid is that it wasn't blocked on that network before and so far it is only that particular network location that's experiencing this. This then leads me to my other recent post: https://www.jamf.com/jamf-nation/discussions/23477/paranoid-infosec-doesn-t-trust-apple-at-all Thanks to input from my fellow MacAdmins, I'm going to use this as the leverage I need to try to convince management that we need to open 17.0.0.0/8 on all our networks. Wish me luck.

View solution in original post

16 REPLIES 16

mconners
Valued Contributor

Hello @AVmcclint could it be the profiles are sitting as completed and not pending? I have had in the past where I had to exclude a Mac from the scope of a profile or two, then I remove it from the exclusion and the profile flips back to pending in order to push out again. Just a thought.

ifbell
Contributor

Not sure if this is applicable but this thread might be something to be aware of.

https://www.jamf.com/jamf-nation/discussions/18646/java-errors-in-serverlog

AVmcclint
Honored Contributor

One thing I forgot to mention is that for Profiles that aren't automatically scoped but need to be manually assigned, this computer doesn't even show up as an option to assign! This also means I can't exclude it as you suggest @mconners . It's like it is invisible to JSS in the way of config profiles.

mconners
Valued Contributor

That is a strange situation @AVmcclint for sure. I have not seen it, hopefully others will chime in to lead you don't the correct path.

JustDeWon
Contributor III

@AVmcclint .. try cloning that config profile, and scoping it to that machine in particular, see if it comes down

AVmcclint
Honored Contributor

@JustDeWon That's just it, that computer doesn't even show up in the list as being eligible to be included or excluded from the scope. Its like it doesn't exist, but it certainly exists in every other JSS aspect. It shows up in Smart Groups, it processes check-in and login policy triggers, it installs from Self Service and runs scripts.... everything BUT Config Profiles. it's baffling.

bvrooman
Valued Contributor

Has it been repaired recently, and/or does it have a serial number reported in its inventory?

AVmcclint
Honored Contributor

The computer did exist in JSS previously, but I had done some local software testing on it and when I finished, I completely removed it from all the systems it connected to (JSS, AD, McAfee EPO, etc) It stayed removed from all those systems for at least a week before I wiped the drive and re-imaged it.

JustDeWon
Contributor III

@AVmcclint on the computer General tab, does it say yes for MDM Capability or does it say No? if it says no, this is why you wouldn't see it in Config profiles to scope to it

AVmcclint
Honored Contributor

oooooohhh it says

MDM Capability: No

I didn't notice that because it does install an MDM profile. That's something to work with... now where to look for the cause.

JustDeWon
Contributor III

I've seen this eventually turn to yes after a few hours if it installs the MDM profile... Being that you stated you wiped clean, this sounds like a re-image.. Did you make note of the JSS ID before the re-image, just wondering if it got a new JSS ID after the re-image. If not, it means, it's still seeing the same machine record somewhere..

AVmcclint
Honored Contributor

The computer did get a new JSS ID. I don't know what the old ID was (it was previously imaged and enrolled in 2015), but the new JSS ID was next in sequence to the previous Mac I imaged. I'm confident it is a new one. I'll try to leave the computer plugged in and turned on overnight to see if it does eventually magically start installing the Profiles.

AVmcclint
Honored Contributor

I have found the probable cause. Found this on https://developer.apple.com/library/content/technotes/tn2265/_index.html :

Yet another possibility is that there is a firewall blocking access to the ports used by APNs. Please see IP Address Range Used by the Push Service for details. Try running a telnet command on your server to see if the server can reach APNs, like this: $ telnet 1-courier.push.apple.com 5223 $ telnet gateway.sandbox.push.apple.com 2195 $ telnet gateway.push.apple.com 2195

I tested it and sure enough, on the network that this particular Mac is on, the connection attempt times out. What's really stupid is that it wasn't blocked on that network before and so far it is only that particular network location that's experiencing this. This then leads me to my other recent post: https://www.jamf.com/jamf-nation/discussions/23477/paranoid-infosec-doesn-t-trust-apple-at-all Thanks to input from my fellow MacAdmins, I'm going to use this as the leverage I need to try to convince management that we need to open 17.0.0.0/8 on all our networks. Wish me luck.

blackholemac
Valued Contributor III

Now I see what prompted the InfoSec thread...sighss...I wish you good luck @AVmcclint ...like I said in my other post, I feel you, my infrastructure guys didn't like clearing the 17.0.0.0/8 either, but kind of had their hand forced. That is why I am actively following your thread...I don't want someone revisiting that policy. I have to remind people of needing it clear anyway when we mess with proxies and such on our network. If you use proxies, remember that...not only must 17.0.0.0/8 be open, but a direct connection is needed to it.

AVmcclint
Honored Contributor

Actually the InfoSec thread was a separate thought that I've been dealing with since forever. Some other, smaller issues came up that kinda pushed me to make that plea to the rest of the MacAdmin community. It just happened to occur around the same time I was dealing with this Config Profile failure. I'm glad I was able to tie them together in the end.

blackholemac
Valued Contributor III

@AVmcclint I guess this is a rally the community moment indeed... you responded to quite a few of my posts in the past if I can help you in anyway, don't hesitate to ask ...like I said my guys are bitter about the whole thing too. From time to time I'll say something to our SE, but he lacks most of the ability to deal with it.