Machines lock up right after login attempt, "checking for policies"

spowell01
Contributor

Sometime before we started experiencing machines stuck at "checking for policies" we implemented an unsecured guest wireless network within our district. This network is bandwith restricted, and vlan'd so that the traffic is unable to see our internal network. I have noticed a handful of machines over the past weeks that would seemingly be unable to print, or connect to network shares. Sure enough they were automatically connecting to our guest network segment because it was unsecured.

I would expect to see the same behavior when on our guest network as say, not having a connection. I have seen this hangup at checking for policies keep a machine locked up for anywhere from a couple hours to 3 days!( A teacher just dropped her machine off in our office and stated its been checking for policies for 3 complete days!)When this happens, the clock stops working and the logs are literally empty during this period. You can reset the machine, but once you try to login your getting the hangup again. The solution is to wait, yeah maybe a few hours and maybe even longer.

soooo,im not really sure if this issue is related to our guest network or not. The other tech that i work with had read information regarding a hibernation file that would get corrupt or something along those lines...Hes out travelling to our rural sites and cant dig into it with me right now..... Thoughts, Ideas?

5 REPLIES 5

tkimpton
Valued Contributor II

Check the answer here and look at the end

https://jamfnation.jamfsoftware.com/discussion.html?id=5327

You could have a launch daemon and a script that block that SSID, then at the end of the Firstrun scripts just delete the launch daemon and script.

That would fix it in the build. But I would block it for someone reporting the problem and if it is then it is your wireless network.

You could also try to disable asking for new networks. That's in the link as well look near the end where Jared was excited about that kungfu :)

spowell01
Contributor

Thanks for the reply tkimpton, we will definitly look into using the script to block access to our guest SSID. We may have discovered a bit more here....we are collecting mobile device information during inventory as well as account info. noticed when looking at the logs on the machine that was stuck for 3 days, the logs appeared to freeze or stop while it was churning through this users local profile data....path was similar to this:

USERNAME/music/itunes/itunes media/mobile applications/castle craft.ipa...

spowell01
Contributor

so after disabling mobile device inventory, that seemed to solve part of the issue.

I then tried to manually run a recon while watching terminal/console and it started fine but then hung on gather information for printers. Then i noticed HI_WAT_Alert messages popping up in the console. Google says they reference memory issues. Pulled up activity monitor and sure enough there was 8MB free memory! after about 5-10 minutes it caught up with itself, finished recon and released the memory. Why would our machines be hanging up on recon collecitng printer info?

spowell01
Contributor

so i disabled printer collection, ran another recon and this time it hung up on gathering application usage information. Now some of these macbooks have over 180 cached mobile accounts and only 4 gigs of ram....is that the source of our issue?

just saw another machine hit gathering information on application usage, and consume its 4GB of memory in less than 10 seconds....it then proceeded to very slowly use 13GB of swap space before it completed recon!

spowell01
Contributor

Just to clarify, im actually trying to accomplish two things here

  1. determine why recon is hanging(using up all 4 gigs of memory and at times 10+ gigs of swap space!) at collecting application usage information

  2. Block access to our guest network SSID

so im really digging on that link you posted tkimpton. I'm testing out the same script your using with what i think are necessary modifications/substitutions for our environment. My question is should that script truly block access to the specified SSID, or should it just prevent a machine from auto connecting to that network? Im asking because i got the script to complete successfully, but i can still manually select the network i thought i was blocking( i did remove the lines referencing your I.S department). I also cant seem to replicate when a machine automatically connects to our open guest network, i just know its happening. Thoughts?