Help

Issue with in place devices getting policies after enrolling

lumb1380
New Contributor II

Posted on ‎09-13-2022 08:48 PM

Hello, 

I am fairly new to JAMF Pro and have had mostly good results.  My new devices auto enroll fine and get all required policies.  Most of my older devices have also been fine when completely reloading them before enrolling.  I am however having some issues with devices that are in the wild getting policies after I enroll.  

So I have been visiting offices and manually installing the enrollment profile on devices that used to be enrolled in our Mac Server MDM instead.  While the profile installs fine and it auto pulls the MDM profile and another, the rest of my JAMF configs in at least 1 case haven't installed after 12 hours and multiple reboots and terminal command sends.  Looking in JAMF pro the devices still shows just basic enrollment but no group memberships or config profiles and policies for the device (but  the device HAS been added to several static groups).  

I don't know what to do in these cases?  What is a normal amount of time from enrollment and adding the device to the groups in JAMF to when the device SHOULD have its configs and profiles?  If it doesn't what should I do?

Thank You

Michael 

0 Kudos
Reply
6 REPLIES 6

Samstar777
Contributor II

Posted on ‎09-14-2022 02:02 AM

Hello @lumb1380 

As you are manually installing enrollment profile, that's means you are initiating User-Initiated Enrollment. First Step of troubleshooting should be to check if User Approved MDM (APMDM) is Approved. Please refer screenshot for the same.

 

Screenshot 2022-09-14 at 2.25.24 PM.png

0 Kudos
Reply

lumb1380
New Contributor II

Posted on ‎09-15-2022 08:35 AM

 

lumb1380_1-1663255992605.png

User initiated.  I'm the user installing on the end user device.  It seems enabled.  It gets the initial 3 profiles but none of the device specific profiles, policies, groups, etc...

 

0 Kudos
Reply

lumb1380
New Contributor II
In response to lumb1380

Posted on ‎09-15-2022 09:04 AM

Stupid Question. 

The first time when I sent my self the enrollment invitation I saved the .profile on a file server and use that to manually enroll other devices.  Is there a difference between that and going to ******.jamfcloud.com/enroll and enrolling there?  

I ask because I just did THAT on a computer today and it enrolled and got all policies, etc in under 60 sec.  

0 Kudos
Reply

Samstar777
Contributor II

Posted on ‎09-16-2022 08:34 AM

Hello @lumb1380 

I see an issue in the operating system version of device mention in the screenshot. the macOS is lower than 10.13.2. Man thats a security risk. I recommend testing enrolment on latest macOS version

Screenshot 2022-09-16 at 6.58.14 PM.png.

You are on Jamf binary 10.40.1 and below is the Apple macOS Compatibility with this Jamf Binary and macOS 10.13.x is untested.

Screenshot 2022-09-16 at 9.00.27 PM.png

Hope this helps!

- Sam

0 Kudos
Reply

lumb1380
New Contributor II

Posted on ‎09-19-2022 07:12 AM

It's possible that the OS version vs the binary support may be related.  However I found that when I used the user initiated enrollment url vs just reusing the saved .profile made a huge difference.  I successfully enrolled 3 more manual devices in a very short time.  I then removed all enrollment profiles from the initial problem device and used the url to enroll instead and it worked perfect.  I will assume at this time that the issue was my downloaded enrollment profile file. 

0 Kudos
Reply

Samstar777
Contributor II

Posted on ‎09-19-2022 09:00 AM

@lumb1380 

You are absolutely rights, for user-initiated enrolment the rights approach is to go to browser > enter your Jamf url > https://jamfurl.jamfcloud.com/enroll and follow onscreen instructions.

 

- Sam

0 Kudos
Reply