Jamf Configuration Profiles Stuck Pending

dthompson1
New Contributor II

I am having a handful of systems with Configuration Profiles stuck in pending state. Does anyone know of a fix for this?

These systems are all Automatic Device Enrolled, and they are checking in regularly to Jamf. I have tried having them reboot and sending a blank push from management commands.

These commands have been pending for months.

jonw
Contributor

Stuck pending profiles are a symptom of MDM identity or MDM communication errors, not the other way around. The EA simply alerts you of such an issue before you stumble across any related stuck pending profile(s) they create. It at least eliminates this as a variable in troubleshooting (even proactively if you implement a smart group with alert). But it's not going to alert you of stuck profiles in general if that's what you're after.

jonw
Contributor

Frankly I don't see why Jamf couldn't add a smart group criteria value for 'profile pending'.  Then we could at least get crafty with detection.  ¯\_(ツ)_/¯

howie_isaacks
Valued Contributor II

It's time for a feature request!

howie_isaacks
Valued Contributor II

I created this feature request to give us the smart group criteria to track down Macs with MDM issues.

https://ideas.jamf.com/ideas/JN-I-28425

still under Reviewing since March 2024

howie_isaacks
Valued Contributor II

After I opened a case with Jamf about our MDM communication issues, I got these three extension attributes.

#!/bin/bash
# Search the last hour of the unified log for mdmclient failing to create its MDM identity.
result=$(log show --style compact --predicate '(process CONTAINS "mdmclient")' --last 1h | grep "Unable to create MDM identity")
if [[ -z "$result" ]]; then
    echo "<result>MDM is communicating</result>"
else
    echo "<result>MDM is broken</result>"
fi

#!/bin/bash
# The APNS topic only exists in the MDM enrollment profile; an empty value means that profile is missing.
APNS_certificate=$(/usr/sbin/system_profiler SPConfigurationProfileDataType | awk '/Topic/{ print $NF }' | sed 's/[";]//g')

if [[ -z "$APNS_certificate" ]]; then
    echo "<result>NA</result>"
else
    echo "<result>$APNS_certificate</result>"
fi

#!/bin/bash
# Collect keychain identities whose name is a UUID (the MDM identity is named this way).
theIDs=$(security find-identity -v | awk '{print $3}' | tr -d '"' | grep -E '^[A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{12}$')

if [ -z "$theIDs" ]; then
	echo "<result>ERROR - There appears to be zero keychain identities matching a UUID on this system.</result>"
	exit 1
fi

for i in $theIDs; do
	# Only the identity issued by the Jamf built-in CA is the MDM identity.
	info=$(security find-certificate -c "$i" | grep issu | awk '{print $3, $4, $5, $6, $7}' | tr -d '"')
	if [[ $info == *"BUILT-IN CERTIFICATE AUTHORITY"* ]]; then
		expiry=$(security find-certificate -c "$i" -p | openssl x509 -noout -enddate | cut -f2 -d"=")
		# Report the matching identity (not the whole list) together with its expiry date.
		echo "<result>$i + $expiry</result>"
		exit 0
	fi
done

# UUID-named identities exist, but none was issued by the built-in CA.
echo "<result>ERROR - No MDM identity issued by the built-in certificate authority found.</result>"
exit 1


For the first one you may want to change the timeframe. I changed it to "--last 1h". Originally, it was "--last 1d". That may take a while to generate results. I figure 1 hour should be enough time to analyze in the log. These have helped a lot. They basically solve the problem of tracking which Macs are having MDM issues. I created two smart groups, one called "MDM Communication Bad" and another called "MDM Communication Good". If a Mac fails any of the three tests, it is "bad". To be "good", it must pass all three tests. I am a Jamf Now customer. I ran these through CodeRunner on my personal MacBook Pro. They work the same as with a Mac enrolled in Jamf Pro. I hope these help others with MDM issues.

This looks like something I'd like to add to my Jamf Pro instance so I can be proactive in detecting MDM communication issues with my fleet. I created the EAs and the two smart groups. Is there a particular value that would be used in those smart groups for reporting?

MoJo
New Contributor

Re-enroll the machine in Jamf (sudo jamf removeFramework), no way around it.

I have 15 machines with a couple of configuration profiles stuck on pending, very annoying.

howie_isaacks
Valued Contributor II

I made some changes to the EAs that I posted earlier this year to make using them with smart groups easier. They're posted below:

MDM identity certificate check

#!/bin/bash
# Collect keychain identities whose name is a UUID (the MDM identity is named this way).
theIDs=$(security find-identity -v | awk '{print $3}' | tr -d '"' | grep -E '^[A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{12}$')

if [ -z "$theIDs" ]; then
	echo "<result>Failed</result>"
	exit 1
fi

for i in $theIDs; do
	# Only the identity issued by the Jamf built-in CA is the MDM identity.
	info=$(security find-certificate -c "$i" | grep issu | awk '{print $3, $4, $5, $6, $7}' | tr -d '"')
	if [[ $info == *"BUILT-IN CERTIFICATE AUTHORITY"* ]]; then
		echo "<result>Success</result>"
		exit 0
	fi
done

# UUID-named identities exist, but none was issued by the built-in CA.
echo "<result>Failed</result>"
exit 1

MDM APNS certificate check

#!/bin/bash
# The APNS topic only exists in the MDM enrollment profile; an empty value means that profile is missing.
APNS_certificate=$(/usr/sbin/system_profiler SPConfigurationProfileDataType | awk '/Topic/{ print $NF }' | sed 's/[";]//g')

if [[ -z "$APNS_certificate" ]]; then
    echo "<result>Bad</result>"
else
    echo "<result>Good</result>"
fi

MDM client communication

#!/bin/bash
# Search the last hour of the unified log for mdmclient failing to create its MDM identity.
result=$(log show --style compact --predicate '(process CONTAINS "mdmclient")' --last 1h | grep "Unable to create MDM identity")
if [[ -z "$result" ]]; then
    echo "<result>Good</result>"
else
    echo "<result>Bad</result>"
fi

I used these to create a smart group called "MDM Communication Bad". If any of the criteria using these EAs is not a positive (good) result, then the Mac will be added to this group. I also added the MDM enrollment status found in a Mac's Jamf inventory record. I hope this helps. In most cases, a re-enroll of a Mac in Jamf Pro is what is needed. Sometimes, I have had to also run a "jamf removeFramework" command first. A Mac that is in Apple Business Manager can be re-enrolled by running "sudo profiles renew -type enrollment".
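The three checks above can also be folded into a single EA that reports "Good" or "Bad: <reasons>", so one smart group criterion catches every failure mode and the value tells you which check tripped. This is an added example, not howie_isaacks' scripts: each check reads the relevant command output from stdin so it can be exercised offline with constructed text, and the hypothetical collect_live function wires in the real macOS commands only when they are present.

```shell
#!/bin/bash
# Combined MDM health EA (added example). Each parser takes command output on
# stdin; collect_live runs the real commands and wraps the verdict in <result>.

# Print identity names from `security find-identity -v` output that are UUID-shaped
# (the MDM identity installed at enrollment is named by a UUID).
uuid_identities() {
  awk '{print $3}' | tr -d '"' \
    | grep -E '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Return 0 if the `log show` text on stdin contains the identity-creation failure.
mdm_log_has_error() {
  grep -q 'Unable to create MDM identity'
}

# Print the APNS topic from `system_profiler SPConfigurationProfileDataType` output.
apns_topic() {
  awk '/Topic/{print $NF}' | sed 's/[";]//g'
}

# Build the EA verdict from the three inputs: identity list, log text, APNS topic.
# Prints "Good" or "Bad: reason1;reason2" so a smart group can match on "Bad".
mdm_verdict() {
  local ids="$1" logtext="$2" topic="$3" reasons=""
  [ -z "$ids" ] && reasons="${reasons}no-mdm-identity;"
  printf '%s' "$logtext" | mdm_log_has_error && reasons="${reasons}identity-error-logged;"
  [ -z "$topic" ] && reasons="${reasons}no-apns-topic;"
  if [ -z "$reasons" ]; then echo "Good"; else echo "Bad: ${reasons%;}"; fi
}

# Gather live data on a Mac (constructed wrapper; the commands are the same ones the
# thread's EAs use) and emit the Jamf EA result tag.
collect_live() {
  local ids logtext topic
  ids=$(security find-identity -v 2>/dev/null | uuid_identities)
  logtext=$(log show --style compact --predicate '(process CONTAINS "mdmclient")' --last 1h 2>/dev/null)
  topic=$(/usr/sbin/system_profiler SPConfigurationProfileDataType 2>/dev/null | apns_topic)
  echo "<result>$(mdm_verdict "$ids" "$logtext" "$topic")</result>"
}

# Only run live collection where the macOS security tool exists.
if command -v security >/dev/null 2>&1; then
  collect_live
fi
```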