How to force OSXConfigurationProfiles before Software Install Policy

chelm
New Contributor III

I have what I would guess is a simple problem: I am trying to apply an order of importance for the various tasks related to a DEP build. The issue I am having is that I cannot find a way to force the configuration profile we made to allow kernel extensions before installing the software that needs its exemption. I have tried the following:

https://www.jamf.com/jamf-nation/discussions/23349/can-you-package-a-configuration-profile
https://www.jamf.com/jamf-nation/discussions/6006/command-to-manually-update-configuration-profiles

Basically, I need a way to force a configuration profile for kext extensions before a policy is run. Without the ability to do this, a user who is sitting in front of a machine as it installs software sees a lot of popups they have to manually approve.

I wish it was as simple as a command like:
sudo jamf OSXConfigurationProfiles -id xxxx

What I know doesn't work:
sudo jamf mcx
sudo jamf manage
sudo jamf mdm

I tried the scripts @mm2270 posted in the above discussion threads, but they don't seem to work anymore. Perhaps they just don't work for kernel extensions? Any advice?


alexjdale
Valued Contributor III

Hmm, when I run a recon I swear it brings in all MDM profiles that are scoped to that system that it doesn't have yet.

We don't use DEP yet, so our kernel extension profile needs user approval. After I approve the MDM, as soon as I run a recon that computer will pop into that profile scope (using an extension attribute that detects MDM approval) and the profile is deployed immediately. Maybe it's a scoping issue?

chelm
New Contributor III

@alexjdale Scoped to "All Computers". I would think that would cover it, maybe not though?

alexjdale
Valued Contributor III

It should, but maybe it's happening too early? It will fail to deploy if the MDM profile isn't approved, and it's entirely possible with DEP that it can't apply a profile that needs approval until a bit later in the process. I would check to see if Jamf tried to push the profile to the system early in the DEP process and encountered a failure.

This is all speculation on my part and I could be way off base, but I'd play with the scoping and see if I could come up with a scope that would kick in after initial MDM enrollment but before the app is installed, with a recon triggering the profile push. For example, keying off of the previous step in the process.

chelm
New Contributor III

My understanding of how it works -- The prestage enrollment happens, which pushes the MDM profile to the machine. So the MDM profile is definitely approved before the configuration. The first thing my policy does is bind the computer to the domain. When I do a directory binding I do force a recon and it still doesn't push down the configuration. This happens before software installation. I tried all 4 of these before software install and still have a problem:

sleep 10
sudo /usr/local/jamf/bin/jamf recon -verbose
sudo /usr/local/jamf/bin/jamf mcx -verbose
sudo /usr/local/jamf/bin/jamf manage -verbose
sudo /usr/local/jamf/bin/jamf mdm -verbose

alexjdale
Valued Contributor III

Are you able to check the JSS for the profile push to see if it was even attempted or successful/failed after enrollment?

chelm
New Contributor III

@alexjdale To be honest, I am not quite sure where a useful log would be. When I go into "Configuration Profiles" and select the one for Kernel Extensions, then select Logs, it brings me to a list of computer names. I select the computer name and it just brings me to that computer's inventory. Not sure where a useful log would be.

chelm
New Contributor III

Apparently, there used to be a binary verb "configurationProfile" that was intended to do exactly what I am looking for:

Configuration Profiles - How does this work?

In this discussion @jason.vanzanten talked about the verb and its uses:

jamf configurationProfile -username <username>
jamf configurationProfile <for computer-level>

I am trying to figure out where the relevant logs would be, but I can say that the configuration profiles do not show in my profile pane until after prestage enrollment and site policy is pushed. They seem to take like an hour to show up.

To get DEP working the way it is intended, I really need to be able to get all profiles before site policy. Anyone else experiencing issues or have a workaround?

dpertschi
Valued Contributor

@chelm We occasionally see that profiles take a few minutes to come down to a DEP-built machine, but not too often. You might want to troubleshoot your access to APNS. Check out: https://youtu.be/Z-Lg9uBbmfk

Could you possibly add the presence of your kext profile to your policy scope, so the policy can't run if the profile isn't present? I'm pretty sure recon isn't necessary, just a check-in, to update a computer record when a new profile loads.

Also, FWIW, I did hear at JNUC that there will be a feature/option coming to ensure profiles are installed before leaving setup assistant!
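One way to implement the gate suggested in this reply (scope the install policy on the presence of the kext profile) and the extension-attribute approach alexjdale mentioned earlier in the thread, as an added example that is not code from this thread or from Jamf: a script that parses the output of `profiles -P` for a given profile identifier, can be run as an extension attribute (`--ea`) to feed a smart group, or as a pre-flight step in the install policy (`--wait`) that blocks until the profile lands or a timeout expires. The profile identifier `com.example.kext-allowlist`, the function names, and the assumption that `profiles -P` prints one `profileIdentifier: <id>` line per installed profile are all mine; the sample listing is constructed so the parsing can be exercised without a Mac.

```bash
#!/bin/bash
# Added example (not from the thread or Jamf): gate a software-install policy on the
# presence of the kernel-extension allow-list configuration profile.
# Assumptions: PROFILE_ID is a placeholder identifier; `profiles -P` prints a line
# "…profileIdentifier: <id>" per installed profile (run as root on macOS).

PROFILE_ID="${PROFILE_ID:-com.example.kext-allowlist}"   # placeholder, replace with your profile's identifier
TIMEOUT_SECONDS="${TIMEOUT_SECONDS:-600}"                # how long the policy waits for the profile
POLL_SECONDS="${POLL_SECONDS:-15}"                       # interval between checks

# Return 0 when the exact identifier appears in a `profiles -P` style listing.
# Pure text parsing, so it can be tested offline against a constructed listing.
profile_in_listing() {
    listing="$1"
    wanted="$2"
    # Anchor on the line end so "com.example.kext" does not match "com.example.kext-allowlist".
    printf '%s\n' "$listing" | grep -Eq "profileIdentifier: ${wanted}\$"
}

# Live listing from the system; empty (not an error) where the binary is absent.
installed_profiles() {
    /usr/bin/profiles -P 2>/dev/null || true
}

# Poll until the profile is present or the timeout expires: 0 on success, 1 on timeout.
wait_for_profile() {
    wanted="$1"; timeout="$2"; poll="$3"
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if profile_in_listing "$(installed_profiles)" "$wanted"; then
            return 0
        fi
        sleep "$poll"
        waited=$((waited + poll))
    done
    return 1
}

# Extension-attribute style result for a smart group criterion.
ea_result() {
    if profile_in_listing "$1" "$2"; then
        echo "<result>Installed</result>"
    else
        echo "<result>Not Installed</result>"
    fi
}

# Constructed sample of `profiles -P` output, used for offline checks only.
SAMPLE_LISTING='_computerlevel[1] attribute: profileIdentifier: com.jamfsoftware.tcc.management
_computerlevel[2] attribute: profileIdentifier: com.example.kext-allowlist
There are 2 configuration profiles installed'

case "${1:-}" in
    --ea)
        # Use as a Jamf extension attribute script; the smart group keys on "Installed".
        ea_result "$(installed_profiles)" "$PROFILE_ID"
        ;;
    --wait)
        # Use as the first script in the install policy; a non-zero exit stops the policy.
        if wait_for_profile "$PROFILE_ID" "$TIMEOUT_SECONDS" "$POLL_SECONDS"; then
            echo "Profile $PROFILE_ID present; continuing install."
        else
            echo "Profile $PROFILE_ID not present after ${TIMEOUT_SECONDS}s; aborting install." >&2
            exit 1
        fi
        ;;
esac
```

The `--wait` mode addresses the ordering problem directly: the policy no longer relies on the profile having arrived before enrollment finishes, it just refuses to install the software until the allow-list is in place, so the user never sees the approval popups. The `--ea` mode is the slower but simpler smart-group route from this reply; its latency is bound by how often the computer record is updated, which is the 30-90 minute delay observed later in the thread.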

chelm
New Contributor III

@dpertschi APNS are good. Running the policy on a Smart Group is a great idea. I am testing this now. Unfortunately, it seems to add 30-90 minutes to a build. Not really good for a model where you deliver an unconfigured machine to an end user and expect it to build in front of them.