Jamf Nation Community

Hi all,

I've been working with support, but I wanted to get some community feedback regarding this critical issue as well. I've recently started managing an existing JamfCloud instance (now on V10.3). My previous experience with Jamf has always been On Prem, and I've never run into this issue.

Twice within a month we've hit a brick wall where Configuration Profile distribution simply will not push.

All of our Macs get 7 Configuration Profiles (all machine level) shortly after enrolling. In 1 month, we've noticed on two occasions (lasting 3-5 days) where Configuration Profiles stop functioning. CP's already on a given system work to govern their settings just fine however we cannot push or pull CP's from any systems - However we CAN "Remove MDM Profile" to un-enrol any Mac.

As you can imagine this really inhibits our ability to efficiently on-board or re-enrol any Mac as they will pick up only three (3) of the seven (7) profiles and hang:

• MDM Profile
• CA Certificate (if UIE occurs)
• Login Window CP

Strangely, the JSS reports in the Event Logs that the CP push "Started" for all scoped profiles and "Completed" for our Login Window CP, but just keeps repeatedly trying to push the same Login Window profile over and over again, and logging that each push "Completed" in the log. This will continually repeat indefinitely once per min. If I scope the Mac out of this CP, it stops attempting to re-push and ALL other profiles sit in pending, indefinitely. Any subsequent new (re)enrolment results the same issue. The same profile just keeps repeating.

On the device side, the same thing occurs - However with a different CP and its re-attempts at pushing are far more aggressive. the iOS device will attempt to pickup the repeating CP 30 times every min, even though it has "Completed" and it functioning on the device. All other CP's are stuck in pending. It is this aggressive behaviour that 'appears' to be the catalyst of the issue, in both known cases. When we trace back thru the Event Logs, it has been an iOS CP that appears to trigger this behaviour. However, there is no clear way to kick the JSS or APNS or whatever it is, out of the funk.

The last time this occurred, it just started working again after about 5 days of this behaviour.

What we know:
- Issues occur across multiple JSS versions (V10.0.0 and V10.3 tested)
- Issues occur on any network (internal, external, wired, wifi, phone tether)
- Issues occur on any multiple OS's (Sierra and High Sierra tested)
- Issues occur regardless of enrolment method (DEP PreStage, UIE, etc).
- No expired Push Certs

Hoping someone out there has had a similar experience and might know two important details:

1) What is kicking the system into this mode
2) How can we resolve it, rather than just waiting it out with a gimped JSS after 5 days.

Thanks in advance,

Dev