Is MCX broken in Mountain Lion?

ckirschner
New Contributor

Ran into a problem when I tried adding some MCX profiles that were created to be used with 10.6 on a test Mountain Lion machine. The profiles work correctly but when I remove the machine from the MCX profile, the settings keep reappearing in /Library/Managed Preferences, and even if I delete the files manually they reappear after a reboot seemingly without even checking in with the JSS. Is there something that I'm missing or should I recreate as much of the functionality as I can with the Profile Manager method?

1 ACCEPTED SOLUTION

jhbush
Valued Contributor II

Craig, you may want to have a look at this Kbase article. https://jamfnation.jamfsoftware.com/article.html?id=144

View solution in original post

6 REPLIES 6

jhbush
Valued Contributor II

Craig, you may want to have a look at this Kbase article. https://jamfnation.jamfsoftware.com/article.html?id=144

ckirschner
New Contributor

Thanks for the tip Jason, I figured it was something ridiculously simple. The -mcxdelete command took care of getting rid of those settings, still not sure what caused it to stick like that though.

daworley
Contributor II

It feels like directory services takes the mcx commands as input, and caches the end result as a managed user experience. Sometimes, deleting the mcx files doesn't seem to make any change, but adding a different mcx plist will.

I occasionally set scripts with -mcxdelete flags at both user and computer level, then jamf commands to pull down new mcx. This seems to do the trick pretty well.

ckirschner
New Contributor

Ok thanks, that's a really good idea, I'll have to do that.

daworley
Contributor II

Here is my script I run when troubleshooting MCX from the Casper Suite. It has a verbose shell so everything (and i mean EVERYTHING) is visible in the policy logs.

If anybody else feels like adding/modifying/correcting, please comment back to this thread. :)

#!/bin/bash -v
exec 2>&1

# Written by Douglas Worley
# v2.0 on June 1 2012

# Verify that the user is running this script with Super User credentials.
[ $EUID != 0 ] && echo "This script requires root privileges, please run "sudo $0"" && exit 1

# determine current user
CurrentUser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`

# To remove User-Level MCX Settings:
dscl . -mcxdelete /Users/$CurrentUser
    ##  if command was successful, output success
if [ "$?" = "0" ]
then
    echo "Successfully removed user-level MCX Settings for $CurrentUser."
    ##  if command was unsuccessful, output error message
else
    echo "NOTICE - Unable to remove user-level MCX Settings for $CurrentUser."
    echo "       - Is the computer managed?"
fi
sleep 1
echo ""
# To remove System-Level MCX Settings:
dscl . -mcxdelete /Computers/localhost
    ##  if command was successful, output success
if [ "$?" = "0" ]
then
    echo "Removed system-level MCX Settings."
    ##  if command was unsuccessful, output error message
else
    echo "NOTICE - Unable to remove system-level MCX Settings."
    echo "       - Is the computer managed?"
fi
sleep 1
echo ""
# nuke the files
rm -R /Library/Managed Preferences/
    ##  if command was successful, output success
if [ "$?" = "0" ]
then
    echo "Removed cached MCX files."
    ##  if command was unsuccessful, output error message
else
    echo "NOTICE - Unable to remove cached MCX files."
    echo "       - Is the path /Library/Managed Preferences valid?"
fi
sleep 1
echo ""
echo "Pulling down new global management policies"
/usr/sbin/jamf mcx -verbose
    ##  if command was successful, output success
if [ "$?" = "0" ]
then
    echo "Successfully pulled down new global management policies"
    ##  if command was unsuccessful, output error message
else
    echo "NOTICE - Pull down new global management policies from the JSS"
    echo "       - Is the computer managed?"
fi
sleep 1
echo ""
echo "Pulling down new user specific management policies for $CurrentUser"
/usr/sbin/jamf mcx –username $CurrentUser -verbose
    ##  if command was successful, output success
if [ "$?" = "0" ]
then
    echo "Successfully pulled down new user specific management policies for $CurrentUser"
    ##  if command was unsuccessful, output error message
else
    echo "NOTICE - Unable to pull down new user specific management policies for $CurrentUser"
    echo "       - Is the computer managed?"
fi
sleep 1

ckirschner
New Contributor

Well this will save me some time for sure, thanks for posting!