Help

Jamf Configuration Profiles Stuck Pending

dthompson1
New Contributor II

Posted on ‎11-11-2021 09:18 AM

I am having a handful of systems with Configuration Profiles stuck in pending state. Does anyone know of a fix for this?

 

These systems are all Automatic Device Enrolled, they are checking regularly to jamf. I have tried having them reboot, sending blank push from management commands. 

 

These commands have been pending for months.

dthompson1_0-1636651073828.png

 

42 REPLIES 42

howie_isaacks
Valued Contributor II
In response to jonw

Posted on ‎02-29-2024 02:24 PM

It's time for a feature request!

0 Kudos

howie_isaacks
Valued Contributor II

Posted on ‎03-04-2024 12:43 PM

I created this feature request to give us the smart group criteria to track down Macs with MDM issues.

https://ideas.jamf.com/ideas/JN-I-28425

howie_isaacks
Valued Contributor II

‎03-14-2024 03:33 AM - edited ‎03-14-2024 03:35 AM

After I opened a case with Jamf about our MDM communication issues, I got these three extension attributes.

 

#!/bin/bash
result=$(log show --style compact --predicate '(process CONTAINS "mdmclient")' --last 1h | grep "Unable to create MDM identity")
if [[ $result == '' ]]
then
echo "<result>MDM is communicating</result>"
else
echo "<result>MDM is broken</result>"
fi

 

 

 

#!/bin/bash

APNS_certificate=`/usr/sbin/system_profiler SPConfigurationProfileDataType | awk '/Topic/{ print $NF }' | sed 's/[";]//g'`

if [[ "$APNS_certificate" = "" ]]; then
      echo "<result>"NA"</result>"
  else
      echo "<result>"$APNS_certificate"</result>"
  fi

 

 

 

#!/bin/bash


theIDs=$(security find-identity -v | awk '{print $3}' | tr -d '"' | grep -E '^[A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{12}$')

echo $theIDs

if [ -z "$theIDs" ]; then
	echo "<result>ERROR - There appears to be zero keychain identities matching a UUID on this system.</result>"
	exit 1
else
	echo "At least one keychain identity found on this system, proceeding..."
fi

for i in $theIDs; do
	info=$(security find-certificate -c "$i" | grep issu | awk '{print $3, $4, $5, $6, $7}' | tr -d '"')
	echo $info
	if [[ $info == *"BUILT-IN CERTIFICATE AUTHORITY"* ]]; then
		echo "found you!"
		expiry=$(security find-certificate -c "$i" -p | openssl x509 -noout -enddate | cut -f2 -d"=")
		echo "<result>$theIDs + $expiry</result>"
	fi
done
exit 1

 

For the first one you may want to change the timeframe. I changed it to "--last 1h". Originally, it was "--last 1d". That may take a while to generate results. I figure 1 hour should be enough time to analyze in the log. These have helped a lot. They basically solve the problem of tracking which Macs are having MDM issues. I created two smart groups, one called "MDM Communication Bad" and another called "MDM Communication Good". If a Mac fails any of the three tests, it is "bad". To be "good", it must pass all three tests. I am a Jamf Now customer. I ran these through CodeRunner on my personal MacBook Pro. They work the same as with a Mac enrolled in Jamf Pro. I hope these help others with MDM issues.

0 Kudos