Posted on 02-28-2024 01:22 PM
I am working on creating a good way to track Macs that are not communicating over MDM properly. I have several Macs that are not getting profiles installed, profile changes, and are generally not working properly with MDM communications. One way I have tracked them down in the past is to create a profile, scope it to all computers and then wait to see which Macs don't get the profile. This works, but I wanted to dig a bit deeper. I have been trying to use this command to find out if Macs are reliably working with MDM:
log show --info --debug --predicate 'subsystem == "com.apple.ManagedClient"' --last 1h
The time can be changed to what ever I want. It seems that this command is only gathering activity from the Mac, not incoming MDM activity. That's what I need. Running the command above will result in a lot of information so I have used grep to make the output more focused. So far, I haven't been able to identify communication coming from APNS. Just running the command from a Mac that is offline will show a lot of activity. It's the logging from incoming activity that I need. I just don't know how to identify what is incoming activity. I see that the output of this command does show a PID so that is likely not incoming activity. Maybe there's another subsystem I should be checking? My goal with this is to create an extension attribute that would tell me if the Mac is communicating or not. I figure if there is incoming activity being logged, it means that the Mac is communicating. No incoming activity would mean that it's not. The EA could look like this:
#!/bin/zsh
mdmCOM=$(/usr/bin/log show --info --debug --predicate 'subsystem == "com.apple.ManagedClient"' --last 30m | grep "OUTSIDE MDM ACIVITY")
if [ -n "$mdmCOM" ]; then
echo "MDM communication is current"
MDMComs="MDM Good"
elif [ -z "$mdmCOM" ]; then
echo "MDM communication is NOT current"
MDMComs="MDM Bad"
fi
echo "<result>$MDMComs</result>"
Does anyone have a better idea for tracking incoming MDM activity?
Solved! Go to Solution.
Posted on 02-29-2024 01:09 PM
We had a number of Macs that had broken MDM communication a while back.. The Jamf support person I was working with gave me three EAs I could use to try and track down the problem Macs. Hopefully this is of some help :)
profileURL=$(system_profiler SPConfigurationProfileDataType | grep "ServerURL" | cut -d'"' -f2)
if [[ "$profileURL" != "" ]]
then
echo "<result>$profileURL</result>"
else
echo "<result>Not Found</result>"
fi
result=$(log show --style compact --predicate '(process CONTAINS "mdmclient")' --last 1d | grep "Unable to create MDM identity")
if [[ $result == '' ]]
then
echo "<result>MDM communicating</result>"
else
echo "<result>MDM broken</result>"
fi
theIDs=$(security find-identity -v | awk '{print $3}' | tr -d '"' | grep -E '^[A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{12}$')
if [[ -z "$theIDs" ]]
then
echo "<result>ERROR - There appears to be zero keychain identities matching a UUID on this system.</result>"
else
for i in $theIDs
do
info=$(security find-certificate -c "$i" | grep issu | awk '{print $6, $7, $8, $9}' | tr -d '"')
if [[ $info == *"BUILT-IN CERTIFICATE AUTHORITY"* ]]
then
expiry=$(security find-certificate -c "$i" -p | openssl x509 -noout -enddate | cut -f2 -d"=")
echo "<result>$theIDs + $expiry</result>"
fi
done
fi
Posted on 02-29-2024 01:09 PM
We had a number of Macs that had broken MDM communication a while back.. The Jamf support person I was working with gave me three EAs I could use to try and track down the problem Macs. Hopefully this is of some help :)
profileURL=$(system_profiler SPConfigurationProfileDataType | grep "ServerURL" | cut -d'"' -f2)
if [[ "$profileURL" != "" ]]
then
echo "<result>$profileURL</result>"
else
echo "<result>Not Found</result>"
fi
result=$(log show --style compact --predicate '(process CONTAINS "mdmclient")' --last 1d | grep "Unable to create MDM identity")
if [[ $result == '' ]]
then
echo "<result>MDM communicating</result>"
else
echo "<result>MDM broken</result>"
fi
theIDs=$(security find-identity -v | awk '{print $3}' | tr -d '"' | grep -E '^[A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{12}$')
if [[ -z "$theIDs" ]]
then
echo "<result>ERROR - There appears to be zero keychain identities matching a UUID on this system.</result>"
else
for i in $theIDs
do
info=$(security find-certificate -c "$i" | grep issu | awk '{print $6, $7, $8, $9}' | tr -d '"')
if [[ $info == *"BUILT-IN CERTIFICATE AUTHORITY"* ]]
then
expiry=$(security find-certificate -c "$i" -p | openssl x509 -noout -enddate | cut -f2 -d"=")
echo "<result>$theIDs + $expiry</result>"
fi
done
fi
Posted on 03-14-2024 03:21 AM
Thanks! I got these from Jamf too. They have helped a lot. I was able to use them to create two smart groups, one for "bad" communication and one for "good" communication. I also created a feature request for the criteria to be built-in to Jamf Pro.