Help

High Sierra MDM Profile Unverified

nikgio
New Contributor III

Posted on ‎07-02-2018 12:31 PM

Anyone know why our MDM profile says unverified? I'm using JAMF 10.3.1, and I'm in the process of updating all our macs to 10.13.5, and regardless how how we do this - reimage, erase and install, etc. and regardless of enrollment method - user-initiated (for upgrades) or DEP, every computer that I've worked on at some point forgets the wireless password usually at the same time the MDM profile says unverified. I generally notice when none of my policies or scripts are working anymore. It's easy enough to put the wifi pw back in, and to type "sudo jamf trustjss" to verify the profile, but only once or twice. When EVERY. SINGLE. COMPUTER does it, it's a huge PIA. Anyone else dealing with this? What's causing it?

0 Kudos
5 REPLIES 5

c_archibald
Contributor II

Posted on ‎07-02-2018 12:45 PM

As of Mac OS 10.13, our MDM requires physical OK at the machine. 10.12 allows remote OK. So manually going to all 10.13, Sys Pref, Profile, MDM, & OK is how it works here. We set up a user notification that asks them to do it. Some didn't, so we had to go do it.

merps
Contributor III

Posted on ‎07-02-2018 03:17 PM

We're dealing with this also. I was under the impression that enrolling the device using DEP would solve it, but we currently only have iOS on DEP so it hasn't been tested.

Following thread...

0 Kudos

blackholemac
Valued Contributor III

Posted on ‎07-03-2018 06:20 AM

I'm guessing maybe your Tomcat cert expired or your JSS Cert Authority cert? Easy way to test...if you navigate in the web browser to your JSS on a brand new machine with nothing on it, do you get a security warning in Safari talking about the cert?

0 Kudos

nikgio
New Contributor III

Posted on ‎07-11-2018 08:46 AM

@c.archibald - Yes, that's the User-Approved MDM change that Apple made, but even after you hit Approve in the Sys Prefs profile, it will at some point not receive policies or scripts and show up as Unverified until you type the trustjss command. This has happened also with DEP enrolled computers (which shouldn't require additional approval), which is what throws me the most.

@blackholemac - Thanks... I get no expired cert message doing what you say. I haven't fixed this yet... but I think I read somewhere that it may have to do with our certificate being self-signed. Later this fall we are moving over to the JAMF cloud server for hosting our data, and in theory their own certificate should resolve this issue. So I guess we just put up with this until then.

@merps - Do you have a server in-house that you use, or does JAMF host it in their cloud?

putnajoe
New Contributor III

Posted on ‎07-13-2018 07:10 PM

I was having this same issue when imaging computers with High Sierra 10.13.5. What I found that worked for me was to repartition the hard drive by open Terminal and using disktuil. After doing this and applying the image, the profiles would all be verified again.

0 Kudos