Help

Having issues with getting some machines to install the MDM piece......

fedagain
Contributor

Posted on ‎10-26-2017 06:20 AM

Hello all,

I have some machines that were enrolled quite some time ago, and for some reason have stopped being managed. These machines are still enrolled and receiving policies, but no config profiles, etc...

I have tried everything I can think of:

  1. removeFramework
  2. Enroll via Quickadd
  3. Reinstall base OS from restore and then Quickadd
  4. reenroll -prompt
  5. mdm
  6. I've tried some other things I have found on the web, but still cannot get some machines to manage. In the past, and maybe still, I have just reimaged, but some of these machines have a ton of software and user data, so I would like to avoid that if at all possible!

This is the error I get:

Error installing the computer level mdm profile: profiles install for file:'/Library/Application Support/JAMF/tmp/mdm.mobileconfig' and user:'root' returned 102 (New profile does not meet criteria to replace existing profile.)
Problem installing MDM profile.

Any ideas as to whether this issue is client or server side, and what may resolve this for me?

TIA
David

Reply
6 REPLIES 6

dtommey
New Contributor III

Posted on ‎10-26-2017 06:35 AM

Have you tried the following commands, this always kicks it back in for me...

sudo jamf removeMDMprofile
sudo jamf manage
0 Kudos
Reply

dpertschi
Valued Contributor

Posted on ‎10-26-2017 06:41 AM

Strange timing... just yesterday I started digging into why some machines were not receiving a new profile I pushed and why some machines that should have several profiles had none.

I suppose this is the sledgehammer approach and I've not vetted the potential unintended consequences but I'm removing the MDM profile with: 

jamf removeMdmProfile

then pull the MDM profile back down with

jamf manage

and then all the scoped profiles reload.

In cases where I get

error installing computer level mdm profile / unable to contact SCEP server

I'm re-enrolling the machine and it resets MDM.

I'd love to see what others are doing to troubleshoot the MDM and or individual profiles.

(ok so David types faster than I , HA)

0 Kudos
Reply

kowsar_ahmed
Contributor

Posted on ‎10-26-2017 09:25 AM

Some machines or all new ones? Sometimes you need to renew the tomcat cert before it lets you push commands out...

0 Kudos
Reply

fedagain
Contributor

Posted on ‎10-26-2017 10:16 AM

I have tried all the suggestions before and again today with the same results....

The JSS is available.
Enforcing login/logout hooks...
Error installing the computer level mdm profile: profiles install for file:'/Library/Application Support/JAMF/tmp/mdm.mobileconfig' and user:'root' returned 102 (New profile does not meet criteria to replace existing profile.)
Downloading required CA Certificate(s)...
Retrying the user level mdm profile install.
Error installing the computer level mdm profile: profiles install for file:'/Library/Application Support/JAMF/tmp/mdm.mobileconfig' and user:'root' returned 102 (New profile does not meet criteria to replace existing profile.)
Problem installing MDM profile.
Enforcing scheduled tasks...
Creating launch daemon...
Creating launch agent...
The management framework will be enforced as soon as all policies are done executing.

However, the management framework never really gets laid down.

0 Kudos
Reply

fedagain
Contributor

Posted on ‎10-26-2017 10:29 AM

I just spoke with tech support and my issue is that in my DEP Prestage I don't had "Allow MDM Profile Removal" checked. I have no idea that was linked.

I will try this now by "re-enrolling" by removing .AppleSetupDone

Best
David

0 Kudos
Reply

fedagain
Contributor

Posted on ‎10-27-2017 04:42 AM

I'm going to test this further being marking this solved. I actually used this script in the end to fix this machine, so not sure that TechSupport was correct.

!/bin/sh

jamf removeMDMProfile
rm -rf /var/db/ConfigurationProfiles
sleep 20
jamf mdm
sleep 20
jamf manage

0 Kudos
Reply