I am having a handful of systems with Configuration Profiles stuck in pending state. Does anyone know of a fix for this?
These systems are all Automatic Device Enrolled, they are checking regularly to jamf. I have tried having them reboot, sending blank push from management commands.
These commands have been pending for months.
No. Once you remove all profiles, it will also remove the MDM profile. You will basically need to re-enroll the computer. This article goes into more details about it -- https://docs.jamf.com/jamf-now/documentation/Re-enrolling_a_Computer_Using_Automated_Device_Enrollme...
Please make sure you read the requirements carefully before removing the profiles.
I was able to resolve the issue on one of the effected computers by doing the sudo jamf removeFramework and then using a User-Initiated Enrollment to re-deploy the MDM framework. It is a less than Ideal solution for a larger group of users, but was helpful in getting the device in front of me resolution.
Having the same issue on about 40 systems. All are checking in fine and most have users logged in. I have tried Jamf recon, launchctl kickstart -k system/com.apple.softwareupdated, renew MDM profile. No of these worked. Rather not have to re-enroll these systems, also sudo profiles renew -type enrollment forces user interaction which is also not ideal. Anyone find why this happens? Seems to be ongoing and happening randomly.
There is a different way to re-enroll using the API that requires 0 interaction.
I've used that to fix a few computers that were not checking-in. The only requirement is the devices still need to be capable of getting MDM commands, which do get send the same way config profiles do I believe, but still worth trying. Definitely fixed a few for me.
Seeing the same thing here, over 75 devices. Checking in, user logged in, MDM Profile Healthy and approved. Varying OS's.
Seems to just be more recent profiles that are stuck in pending, but these same profiles have gone out to hundreds of other devices just fine.
Surely someone has a better solution than re-enroll?
Restarting does not seem to work on a lot of these. Some of them we need re-enroll with the sudo profiles renew -type enrollment which is a pain as the user needs to click on the enrollment notification and approve
Has anyone figured out a way to create a smart group to track these down? I usually run across them when I find another issue, like Crowdstrike is not working (missing profile), or App Installers are not updating installed apps. It would be helpful to have a smart group of all computers with pending management commands.
I'd like a better way too! But for now a search/smartgroup like so should provide a list of stuck pending:
• Profile Name does not have 'whatever.is.your.latest.deployed.profile' AND
• Last Inventory Update after 'whatever.is.your.latest.deployed.profile' deployed date
I've been running into this a LOT lately, and not much luck getting to the bottom of it. However in many cases I'm able to get things going again (at the very least temporarily) without rebooting by kicking the mdmclient.daemon. It's the next best option I've come up with short of the hassle of 'profiles renew -type enrollment'
launchctl kickstart -k system/com.apple.mdmclient.daemon
So after working with Jamf for months on this issue, they said that it is a know issue with apple and told me to contact enterprise support. Specifically they said the apple issue numbers are PI104712 / PI108400.
Contacted Apple enterprise support and got a good engineer who acknowledged there is an issue and apple is working on a fix for new and older OS's. Basicly he said that the device needs to be assigned to a prestage at all times. Here's how they explained what is happening :
The computer tries to talk to Jamf MDM, sometimes it can not communicate with the MDM (they said that this is rare, and kind of a "perfect storm" must happen). At that point the computer talks to Apple School Manager and asks hey what mdm am I assigned to. ASM will respond with the MDM. But if the device is not assigned to a PreStage in Jamf then it responds with NO MDM. Computer will then tries to contact its originally assigned MDM again, if it gets no response it will try ASM again. At some point it stops trying and if it does not get in touch with the MDM, the trust between MDM and the computer is lost. Now the computer will not be able to ever talk to the MDM (through the MDM protocol, it is still able to to communicate using the Jamf binary).
To fix the issue you either need to wipe the device or try sudo profiles renew -type enrollment (the user will need to accept the new MDM profile and make sure the device is assigned to a prestage)
The profiles renew command has worked for me, but user interaction is needed which is annoying.
I also found a script on jamf nation that can detect the issue, I use it as an Extension attribute: https://community.jamf.com/t5/jamf-pro/configuration-profiles-not-pushing-to-macos-devices/m-p/26346...