Machine not in scope tab

oopsydaisy
New Contributor III

I have a machine that will not show up in scope tabs for any policies or configuration profiles. I've tried re-imaging it a couple times, as well as deleting any history of it from inventory. It shows up fine in inventory search after re-image and I can run manage and recon on it just fine. I also can add it to a smart group. If I add a smart group that it is the only member of to a scope, it does not receive the policy or configuration profile. I really wish there was a way to push a policy or configuration profile using Casper Remote, although that might not work either, but at least the machine would show up...I think.

24 REPLIES

mm2270
Legendary Contributor III
> I also can add it to a smart group

So, usually when a Mac doesn't show up in Scope tabs, or otherwise selectable for a policy and other pushes, it's because it's unmanaged in the JSS. But you state you re-imaged it and even blew the record away, so I don't know if that's the cause. It does sound like that though. Regarding your above comment, are you sure it was a Smart Group and not a Static Group you added it to?

oopsydaisy
New Contributor III

Definitely a smart group with only criteria being the serial number

oopsydaisy
New Contributor III

I just checked again and it seems I was mistaken about policies as it does show up in scope tab for these, just not configuration profiles. I just created a new one to see if maybe the older ones were holding on to something, but still not there. Very strange

mm2270
Legendary Contributor III

OK, well the fact that it shows up for policies and in Smart Groups is making a little more sense. I'm not sure what Configuration Profiles require for a machine to be available for these since I don't use them all that much. Still odd though, since you'd think if it shows up for one type it would show up for others?

bbergstein
New Contributor III

I believe if it doesn't show up in scope for configuration profiles, it isn't enrolled, or isn't enrolled properly. The OS has to be at least 10.7.x. You can verify if the machine is set up properly for MDM (read config profiles) by checking on the computer details tab and seeing if it says "Yes" or "No" next to MDM Capable. If it says no, it is probably not enrolled properly. In this case, I would check to make sure you have certificate based communication turned on, and then run a `sudo jamf enroll` on the machine to see if it pulls down the MDM profile correctly.

oopsydaisy
New Contributor III

OK, we're definitely on the right track. In inventory it is marked as MDM=no. I tried running sudo jamf enroll, but got "Error enrolling computer: Unable to create a device certificate. Valid credentials are required." I then tried running it as root, but got same error.

oopsydaisy
New Contributor III

I tried removing the MDM enrollment from System Prefs, then rebooted. Logged in as root and ran jamf enroll. This time it said "Downloading the JSS CA Certificate...There were (1) previous JAMF device identities found on this computer. Removing..." Then it goes through the whole enrollment process, but it still says no under MDM and doesn't show up in scope tab. Since I already deleted that profile from the machine manually, this makes me think JSS is holding on to some record of this machine. Any way to force a clean sweep of this machine on the JSS as if it never saw it before? As I said in earlier posts, I've deleted it from inventory multiple times.

justinrummel
Contributor III

From my experience it doesn't show up in Configuration Profiles due to the machine not being able to get an APNS token. This can happen for a couple of reasons:

1) You are using a VM. I've filed a bug on this. Apple kicked it back and said it's VMware's fault (I don't buy that).
2) You have issues with your SSL certificate and/or not using your FQDN for your server. You NEED https://server.domain.tld:8443/ for your JSS. You may try to refresh your CA in Settings => General => Server Configuration. Then revoke, renew your APNS certificate with Apple.
3) Network ports are not open. 2195, 2196, 1640, 5223... you know the ones from Apple or JAMF's kbase article: https://jamfnation.jamfsoftware.com/article.html?id=34

- Justin

oopsydaisy
New Contributor III

These all sound like good suggestions, except it's only happening with the 1 machine. I've imaged about 3 more since this one and they've been all good. As an answer to the earlier question about why I need it to show up in configuration profile scope, I run one manually after imaging on laptops to set up the 3 VPN connections we need...don't ask.

tuinte
Contributor III

I've had this. I believe I ran sudo jamf manage and it flipped to MDM Capable: Yes.

bentoms
Release Candidate Programs Tester

You could also try

```
sudo jamf mdm
```

I'm not @ my JSS, but what does the "management status" say? (Will be under the computers details somewhere).

I'm guessing it says unmanaged.

tuinte
Contributor III

Sorry, I meant to write sudo jamf mdm.

gachowski
Valued Contributor II

@ Ben

You rock, that helped me with a different issue !!!

C

oopsydaisy
New Contributor III

Ran jamf mdm as root and it said "Previous (1) MDM Identities found on this machine. Removing...". If I run it again, says the same thing, even though I see in System Prefs that the profile is gone. In fact, the whole prefpane is gone since there are no profiles. If I run manage, it goes through the whole deal and also says removing previous profile. It's got to be the server that is recognizing the machine, not the other way around because the machine has no profiles and has been re-imaged, even if it did. Need to figure out a way to give the JSS amnesia when it comes to this machine. Argh

bentoms
Release Candidate Programs Tester

You'll need to restart after the `sudo jamf mdm` command.

Also, what does the management status say on the Mac?

oopsydaisy
New Contributor III

If you mean "MDM capable", it says no.

bbergstein
New Contributor III

I've had this happen a few times, and to get it to work, I just ran a `sudo jamf enroll` a couple times. Then check in the JSS to see if there are any pending commands. If so, send an empty push notification. If not, just be patient. The worst one I had took like 4 hours to finally start working, but once it figured itself out, it was fine.

mm2270
Legendary Contributor III

Have you confirmed the Mac is getting a new JSS ID after deleting and re-enrolling it in the JSS? If it's truly been wiped off the JSS, it's supposed to get a new ID assigned to it. If it's somehow getting enrolled with the same ID, then it means it's still seeing the machine record somewhere and re-pairing it up. Curious.

bentoms
Release Candidate Programs Tester

Will, create a search with the below criteria. Does the Mac appear in the search results?

external image link

Also, on the Mac. After running the `sudo jamf mdm` command & restarting, run

```
netstat | grep tcp4
```

You should see something containing `courier 5223`.
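
The netstat check described above, as an added example that is not part of the original posts: a shell function that reads `netstat | grep tcp4` output and reports whether the Mac holds an APNs connection on port 5223. The sample lines, hostnames and addresses are constructed, and the column layout (foreign address in field 5, state in field 6) is an assumption about macOS netstat output.

```shell
#!/bin/sh
# Added example: classify the APNs connection from `netstat | grep tcp4` output.
# Live usage on the Mac would be:  netstat | grep tcp4 | apns_courier_state
# Assumption: field 5 is the foreign address as host.port, field 6 is the TCP state.

apns_courier_state() {
    # Reads netstat lines on stdin and prints one of:
    #   established       a session to port 5223 is up (push channel open)
    #   stalled:<STATE>   a session to 5223 exists but is not ESTABLISHED
    #   absent            no session to port 5223 at all
    awk '
        $1 == "tcp4" && $5 ~ /\.5223$/ {
            if ($6 == "ESTABLISHED") { found = "established"; exit }
            found = "stalled:" $6
        }
        END { print (found == "" ? "absent" : found) }
    '
}

# Constructed sample: healthy Mac with a courier session on 5223.
SAMPLE_OK='tcp4       0      0  10.0.1.23.49812    st11p01-courier01.5223   ESTABLISHED
tcp4       0      0  10.0.1.23.49790    jss.example.com.8443     ESTABLISHED'

# Constructed sample: tcp4 sessions are ESTABLISHED, but none goes to 5223
# (the situation reported for the problem machine in this thread).
SAMPLE_MISSING='tcp4       0      0  10.0.1.23.49790    jss.example.com.8443     ESTABLISHED
tcp4       0      0  10.0.1.23.49801    files.example.com.445    ESTABLISHED'

# Constructed sample: the Mac tries port 5223 but the handshake never completes,
# which points at a blocked port rather than a missing MDM enrollment.
SAMPLE_STALLED='tcp4       0      0  10.0.1.23.49812    192.0.2.10.5223          SYN_SENT'

for sample in "$SAMPLE_OK" "$SAMPLE_MISSING" "$SAMPLE_STALLED"; do
    printf '%s\n' "$sample" | apns_courier_state
done
```

An `absent` result after `sudo jamf mdm` and a restart suggests the Mac never opened a push connection at all, while `stalled` suggests the network path to port 5223 is the problem.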

oopsydaisy
New Contributor III

Now this is odd, Managed is not an option under advanced search/CPU info... Can you only add an image as an attachment via a link?

oopsydaisy
New Contributor III

OK, so the nomenclature changed. Enrolled = managed. It is not showing up when I run that search. Under enrolled in CPU info, it shows the enroll account I set for imaging.

bentoms
Release Candidate Programs Tester

Will. The screen shot I showed was from the inventory page > advanced search > criteria > computer information > managed.

NOT under the computers information as I led you to believe earlier. Sorry.

oopsydaisy
New Contributor III

After running jamf mdm and rebooting, then running `netstat | grep tcp4`, I do not get anything with courier 5223. I get 7 entries for tcp4, and ESTABLISHED. I'm going to delete the record from the JSS again to see if it gets a new ID.

oopsydaisy
New Contributor III

The machine is getting a different ID. Still no joy. This is very strange! Enjoy your 4th, guys