Help me make a Smart Group of computers with the Device Signature Error.

New Contributor III

I'm trying to find Macs that have the Device Signature Error - computers where the certificate trust between Jamf and the endpoint is broken.  Anyone already have a good way to do this?  My thought was to make a Smart Group of computers with at least 7 days between the date of their last check-in and the date of their last inventory update, but I don't know how to get Jamf to compare those two fields.  Ideas?  Thanks!


Valued Contributor

You can't. 

Contributor II

I would love a good way to tell this as well.

I've been able to identify some through a manual process. This only really works if they're all on the same LAN.

1. Find device that hasn't checked-in for some time

2. Look in asset management system and confirm it's still in-use

3. Do an export on the DHCP scope that the device last checked in at (i.e. you suspect it's still connected to that building's network)

4. Search the DHCP scope for that computer's hostname to find its current IP address

5. Ping that IP to see if you get a reply; if you do, you've just found a device with a signature error that's still on your network.

And then to fix, I've been:

6. ARD to the computer when it's not in use, log in with a local admin account

7. sudo jamf enroll -prompt (re-enroll it that way)

8. The device's enrollment may change from Automated Device Enrollment to user-initiated enrollment, which isn't ideal, so you should be able to run sudo profiles renew -type enrollment to change it back to ADE.

Pretty sure you can't push MDM update commands, etc. if a device has user-initiated enrollment.

It's really not the best workflow, but it's just one I've found to work.

I've put in a ticket with Jamf about the device signature error / MDM fall-off issue, but didn't get anything super helpful. Their main suggestion was that the computers weren't getting rebooted often enough.

I was going to implement this when I had time:

New Contributor III

Thanks!  I ended up making a Smart Group that shows computers that have checked in within the past 7 days but haven't submitted inventory for at least 7 days.  I didn't see the ability to have "last check in" as one of the criteria because I was assuming that all criteria would be listed in the "Advanced Criteria" list, but the non-advanced criteria aren't in it! (whaa??!??)  Not ideal, but this will help.  Thanks for sharing your workflow.  Sadly I have to stop following it at Step 2 since our asset management system is too inaccurate to use at the moment.  Ugg...
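The Smart Group criteria the thread settles on (recent check-in, stale inventory) can also be run as an offline cross-check over an inventory export. The script below is an added example, not code from the thread or from Jamf; the column names "Last Check-in" / "Last Inventory Update", the timestamp format and the sample rows are all constructed assumptions, so adjust them to match your own export.

```python
from datetime import datetime, timedelta

# Constructed sample rows shaped like a computer inventory export.
# Column names and timestamp format are assumptions, not Jamf's fixed schema.
SAMPLE_EXPORT = [
    {"Computer Name": "MAC-001", "Last Check-in": "2024-05-10 09:15:00",
     "Last Inventory Update": "2024-05-10 09:16:00"},   # healthy
    {"Computer Name": "MAC-002", "Last Check-in": "2024-05-10 11:00:00",
     "Last Inventory Update": "2024-04-20 08:00:00"},   # checks in, inventory stuck
    {"Computer Name": "MAC-003", "Last Check-in": "2024-04-01 10:00:00",
     "Last Inventory Update": "2024-03-01 10:00:00"},   # simply offline
    {"Computer Name": "MAC-004", "Last Check-in": "2024-05-09 10:00:00",
     "Last Inventory Update": ""},                      # never submitted inventory
]

DATE_FMT = "%Y-%m-%d %H:%M:%S"


def parse_ts(value):
    """Return a datetime for a non-empty timestamp string, otherwise None."""
    value = (value or "").strip()
    return datetime.strptime(value, DATE_FMT) if value else None


def find_suspect_signature_errors(rows, now, window_days=7):
    """Apply the thread's Smart Group logic to export rows.

    A computer is flagged when it checked in within the last window_days but
    its last inventory update is at least window_days old or missing. Machines
    that have not checked in recently are skipped: they are probably just
    offline, which is a different problem from a broken device signature.
    Returns (name, days between check-in and inventory update or None).
    """
    window = timedelta(days=window_days)
    suspects = []
    for row in rows:
        checkin = parse_ts(row.get("Last Check-in"))
        inventory = parse_ts(row.get("Last Inventory Update"))
        if checkin is None or now - checkin > window:
            continue
        if inventory is None:
            suspects.append((row["Computer Name"], None))
        elif now - inventory >= window:
            suspects.append((row["Computer Name"], (checkin - inventory).days))
    return suspects


if __name__ == "__main__":
    for name, lag in find_suspect_signature_errors(SAMPLE_EXPORT, datetime.now()):
        print(f"{name}: inventory lags check-in by {lag} days")
```

The lag column is the "days between last check-in and last inventory update" comparison the original question asked for, which the Smart Group UI cannot express directly.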