Posted on 11-11-2021 09:18 AM
I have a handful of systems with Configuration Profiles stuck in a pending state. Does anyone know of a fix for this?
These systems are all Automatic Device Enrolled, and they are checking in regularly to Jamf. I have tried having them reboot and sending a blank push from management commands.
These commands have been pending for months.
Posted on 02-29-2024 01:14 PM
Frankly I don't see why Jamf couldn't add a smart group criteria value for 'profile pending'. Then we could at least get crafty with detection. ¯\_(ツ)_/¯
Posted on 02-29-2024 02:24 PM
It's time for a feature request!
Posted on 03-04-2024 12:43 PM
I created this feature request to give us the smart group criteria to track down Macs with MDM issues.
03-14-2024 03:33 AM - edited 03-14-2024 03:35 AM
After I opened a case with Jamf about our MDM communication issues, I got these three extension attributes.
#!/bin/bash
# Extension attribute: search the last hour of mdmclient log entries for the MDM identity error.
result=$(log show --style compact --predicate '(process CONTAINS "mdmclient")' --last 1h | grep "Unable to create MDM identity")
if [[ -z "$result" ]]; then
    echo "<result>MDM is communicating</result>"
else
    echo "<result>MDM is broken</result>"
fi

#!/bin/bash
# Extension attribute: report the APNs topic of the installed MDM profile, or NA if none is found.
APNS_certificate=$(/usr/sbin/system_profiler SPConfigurationProfileDataType | awk '/Topic/{ print $NF }' | sed 's/[";]//g')
if [[ -z "$APNS_certificate" ]]; then
    echo "<result>NA</result>"
else
    echo "<result>$APNS_certificate</result>"
fi

#!/bin/bash
# Extension attribute: find keychain identities named with a UUID and report the expiry
# of the one issued by the built-in certificate authority.
theIDs=$(security find-identity -v | awk '{print $3}' | tr -d '"' | grep -E '^[A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{12}$')
echo "$theIDs"
if [ -z "$theIDs" ]; then
    echo "<result>ERROR - There appears to be zero keychain identities matching a UUID on this system.</result>"
    exit 1
else
    echo "At least one keychain identity found on this system, proceeding..."
fi
# $theIDs is left unquoted on purpose so the loop visits each identity in turn.
for i in $theIDs; do
    # Pull the issuer fields of the certificate whose common name is this UUID.
    info=$(security find-certificate -c "$i" | grep issu | awk '{print $3, $4, $5, $6, $7}' | tr -d '"')
    echo "$info"
    if [[ $info == *"BUILT-IN CERTIFICATE AUTHORITY"* ]]; then
        echo "found you!"
        expiry=$(security find-certificate -c "$i" -p | openssl x509 -noout -enddate | cut -f2 -d"=")
        echo "<result>$theIDs + $expiry</result>"
    fi
done
# The loop completing is not an error, so exit 0 here (the posted script ended with exit 1).
exit 0
For the first one you may want to change the timeframe. I changed it to "--last 1h". Originally, it was "--last 1d". That may take a while to generate results. I figure 1 hour should be enough time to analyze in the log. These have helped a lot. They basically solve the problem of tracking which Macs are having MDM issues. I created two smart groups, one called "MDM Communication Bad" and another called "MDM Communication Good". If a Mac fails any of the three tests, it is "bad". To be "good", it must pass all three tests. I am a Jamf Now customer. I ran these through CodeRunner on my personal MacBook Pro. They work the same as with a Mac enrolled in Jamf Pro. I hope these help others with MDM issues.
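The three checks above folded into a single Good/Bad verdict, as an added example that is not part of the original post and is not Jamf's code. The function names, the reason strings and the pass criteria (no identity error in the log, an APNs topic present, at least one UUID-named identity present) are assumptions made for illustration, and unlike the third script it does not check the certificate issuer or expiry.

```bash
#!/bin/bash
# Added example: one verdict from the three checks. Each parser reads raw tool
# output on stdin, so the logic can be exercised without a Mac.

# Check 1: succeed when the mdmclient log text lacks the identity error.
mdm_log_ok() { ! grep -q "Unable to create MDM identity"; }

# Check 2: print the APNs topic from SPConfigurationProfileDataType text.
apns_topic() { awk '/Topic/{ print $NF }' | sed 's/[";]//g'; }

# Check 3: print UUID-named identities from `security find-identity -v` text.
uuid_identities() {
    awk '{print $3}' | tr -d '"' |
        grep -E '^[A-Za-z0-9]{8}(-[A-Za-z0-9]{4}){3}-[A-Za-z0-9]{12}$'
}

# mdm_verdict LOG_TEXT PROFILER_TEXT IDENTITY_TEXT -> "Good" or "Bad: <reasons>"
# (hypothetical helper; the reason strings are made up for this example)
mdm_verdict() {
    local reasons=""
    printf '%s\n' "$1" | mdm_log_ok || reasons="$reasons identity-error-in-log"
    [ -n "$(printf '%s\n' "$2" | apns_topic)" ] || reasons="$reasons no-apns-topic"
    [ -n "$(printf '%s\n' "$3" | uuid_identities)" ] || reasons="$reasons no-uuid-identity"
    if [ -z "$reasons" ]; then echo "Good"; else echo "Bad:$reasons"; fi
}

# Constructed sample inputs (not captured from a real device).
SAMPLE_LOG_BAD='mdmclient: Unable to create MDM identity'
SAMPLE_LOG_OK='mdmclient: constructed line without the error'
SAMPLE_PROFILER='Topic = "com.apple.mgmt.External.00000000-0000-0000-0000-000000000000";'
SAMPLE_IDS='  1) 0000000000000000000000000000000000000000 "11111111-2222-3333-4444-555555555555"'

# On a Mac, feed in the live output of the commands used by the scripts above.
if [ "$(uname)" = "Darwin" ]; then
    live_log=$(log show --style compact --predicate '(process CONTAINS "mdmclient")' --last 1h)
    live_profiler=$(/usr/sbin/system_profiler SPConfigurationProfileDataType)
    live_ids=$(security find-identity -v)
    echo "<result>$(mdm_verdict "$live_log" "$live_profiler" "$live_ids")</result>"
fi
```

Because the verdict names the failed check, a single smart group criterion on this attribute can separate the failure modes instead of needing one criterion per attribute.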