Macs not checking in Jamf Pro

D1anna
New Contributor

Hello,

We have a few devices that have not checked in to Jamf pro since 9/23/23. These are active devices. 

What are the reasons Macs stop check-in, and how to fix these issues? 

 

Thanks

19 REPLIES 19

jcarr
Release Candidate Programs Tester

Is it possible to try to check in manually?  If you have physical access to one of the devices, or can have the user run one or both of the following commands:

 

sudo /usr/local/bin/jamf policy

or

sudo /usr/local/bin/jamf recon

 

obi-k
Valued Contributor II

What do you see when you open Terminal and enter: 

jamf checkJSSConnection
 
 

D1anna
New Contributor

JSS is available

 

obi-k
Valued Contributor II

Try this on one of the Macs:

sudo profiles renew -type enrollment
or 
sudo jamf enroll -prompt

D1anna
New Contributor

What I do next after running the sudo profiles renew -type enrollment

 

Sorry I'm new to jamf 

obi-k
Valued Contributor II

After you enter the admin password in Terminal, did you see any profile prompts? Might depend on what OS you're on.

Try going to System Preferences/Settings, Privacy and Security, Profiles. Find MDM profile. Does it ask you to install or accept?

D1anna
New Contributor

The profiles icon is greyed out. 

obi-k
Valued Contributor II

Is this what you're seeing? https://discussions.apple.com/thread/253657493

Try to remove Jamf framework and then try to re-enroll to Jamf.

D1anna
New Contributor

I was not able to re-enroll in the device. 

 

 

D1anna
New Contributor

I don't see any profile prompt after running the enrollment command

obi-k
Valued Contributor II

Back up the data, wipe, and re-provision?

D1anna
New Contributor

Yes, I was thinking of doing that. I tried to get other solutions before doing that, so I can try if this happens again. 

jcaleshire
New Contributor III

As obi-k and jcarr mentioned above, you can run 

 

sudo jamf checkJSSconnection

 

 to make sure that the Mac can contact your server,

 

sudo jamf recon

 

to have the Mac check-in and update inventory, and finally

 

sudo jamf policy

 

 to run any pending policies that are waiting for check-in.

If the Mac is unable to check-in, however, then you may be looking at some other problems. Since it sounds like only a handful of machines are exhibiting the issue, it's safe to say that it's not a server-side issue (again, probably). Assuming that the Mac is powered on and connected to a known-good network, but is still unable to check-in, the cause could be a few things:

  • The management profile has expired/is missing
  • Local endpoint protection software could be blocking MDM traffic
  • Broken Jamf agent on the Mac
  • Missing/expired identity certificate on the Mac

The best way to figure it out is to get your hands on one of the Macs with the problem and run a few terminal commands, then go from there.

When  I run  the sudo jamf recon I get :  Device Signature Error - A valid device signature is required to perform the action.

How can we check these? IT will give me an idea of what was causing this issue

  • The management profile has expired/is missing
  • Local endpoint protection software could be blocking MDM traffic
  • Broken Jamf agent on the Mac
  • Missing/expired identity certificate on the Mac

bhabibintercom
New Contributor

Try redeploy the Jamf management framework https://pro4tlzz.github.io/JamfHealComputer.html

 

The device will reenroll and trigger enrollment policies

d_sutton
New Contributor III

I too recently had a bunch of machines failing to check in. What I found is that majority/all of these machines were stuck running "jamf policy", some of them went back a month or more even.

After working with support who suggested re-enrolling devices, which is not ideal in a hybrid work status or working with 30-40+ people giving them instructions.  I did some trial and error on my end. What I found was that if I ran a "sudo killall jamf" on impacted devices, followed by "jamf policy" and they would start checking in again without the need to re-enroll the device(s).

I do have a 3rd party patching tool though that allows me to push out scripts and stuff to machines, so that helped bypass Jamf where it couldn't talk to machines.

Hope this help others.

ganidran
New Contributor III

Interesting point! What tool is that by the way?

d_sutton
New Contributor III

We are using Endpoint Central Cloud UEM edition, its made by ManageEngine. They have just a patching tool the supports many 3rd party apps on windows and macs, but we went with the full suite as we also have their ticketing system so they all integrate. The full suite gives you the ability to push out scripts without needing to install another MDM, just requires a small lightweight on all machines/servers it runs on.