macOS expired MDM Profile Enrolled via DEP

russell_garriso
New Contributor III

I have a computer where the MDM profile didn't renew last month, so it is expired. Haven't had the chance to look into why it didn't renew automatically, since I have many others that have. I did dig up some old notes from a SCEP issue I had previously and found the following command:

'sudo profiles renew -type enrollment'

It isn't perfect and I don't have another test with an expired profile. Running it on a test machine did require that I log in as the first "Setup User" that was logged in when the computer enrolled the first time via DEP during the assistant. After straightening that out it pretty much did what the man page suggests. A notification appeared, clicking it took me over into System Settings and a new MDM profile was installed with an expiration set to two years in the future. This does trigger an enrollment and reset some of the once-per-computer policies, so a little care was needed to descope/exclude some things that shouldn't run twice. Apart from that it seems like this could be a fix worth trying.

Does anyone else have any experience running this? I don't like needing to have all the login/access stuff, but for one computer I can coordinate this with the remote user. Planning to try it unless anyone has a better idea. Jamf agent appears to be sane and checking in.


Tribruin
Valued Contributor II

I do this regularly enough, maybe once a month, to fix MDM issues. Every once in a while, I get a computer that has just stopped talking to Jamf via MDM. 

What I have done is I have an EA, called Build Complete, that is keyed to having a specific file written on the computer once the initial enrollment is finished. Then I use a Smart Group (Build Complete = Yes) and exclude that SG from the Enrollment Complete enrollment script policy, so it doesn't run again.

The only drawback is that (a) it clears out my policy logs, so I can't go back to the history and (b) some of my Once Per Computer policies are re-triggered since the policy logs have been cleared. I sort of mitigate (b) by having exclusions for certain policies if the application is already installed, but I still have a few policies that just run again.

TL;DR: Yes it works fine, but have some exclusions set up to prevent all your enrollment policies from running again.
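An added example, not code from either post: one way to build the "Build Complete" extension attribute Tribruin describes, as a marker file written at the end of the enrollment-complete policy plus an EA script that reports Yes/No for the Smart Group used to exclude already-built Macs from the re-enrollment run. The marker path and the BUILD_COMPLETE_MARKER override are assumptions.

```bash
#!/bin/bash
# Added example, not from the thread. Deploy the two halves separately:
# mark_build_complete as the last step of the enrollment-complete policy,
# and the EA output at the bottom as the Extension Attribute script.

# Assumed marker path; an env override keeps it testable on a non-Mac host.
MARKER="${BUILD_COMPLETE_MARKER:-/Library/Management/.build_complete}"

# Run once, at the end of the enrollment-complete policy. Stores the UTC
# timestamp so the file itself records when the build finished.
mark_build_complete() {
    mkdir -p "$(dirname "$MARKER")"
    date -u +%Y-%m-%dT%H:%M:%SZ > "$MARKER"
    chmod 644 "$MARKER"
}

# Value the EA reports: "Yes" if the marker exists, otherwise "No".
# The Smart Group criterion is then simply "Build Complete is Yes".
build_complete_value() {
    if [ -f "$MARKER" ]; then
        echo "Yes"
    else
        echo "No"
    fi
}

# EA script body: Jamf reads the value between the <result> tags.
ea_result() {
    printf '<result>%s</result>\n' "$(build_complete_value)"
}

# When this file is deployed as the EA script, this is the only output.
ea_result
```

After a `profiles renew -type enrollment` re-enrollment the marker file survives, so the machine stays in the Smart Group and the enrollment-complete policy is still excluded.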