We are running Jamf Pro on-site 10.25.2 and noticed an issue Friday where we had three computers suddenly report as not user approved MDM that were DEP enrolled. Upon further inspection all profiles were gone from the machine and I get an error -1 when trying to reinstall the MDM profile. I tried removing framework and reinstalling the JAMF agent on each machine to no avail. Since Friday I’ve noticed a few more machines report in with the same issue. Any idea what’s going on? I’m noticing it on 10.13, 10.14 and 10.15 machines. I did confirm I was able to enroll a new machine using DEP late Friday afternoon without error.
can you even remove the MDM profile on a DEP machine when the prestage settings prevent it? Is this some crazy malware I’m seeing?
Yup. FireEye was it for me on Big Sur. I was using an older version that was not compatible with Big Sur. FireEye needed a major server upgrade to deploy the latest Mac FireEye client that was compatible with Big Sur. That was a multi-month process and I was gone before the upgrade ever happened.
I've also had plenty of issues with Symantec DLP. I would work with the DLP admin to see what their protected file/folder/process list looks like. I had so many false/positives with that app. I started with just the base macOS install, then installed only DLP. Anything that gets flagged just from that should be excluded since it's part of the base macOS install.
Trend Apex One I've never heard of.
How did you narrow the problem down to FireEye? Did you find something in a log, etc? How did you remediate it? I'm not seeing this on Big Sur but I'm wondering if it's Fire Eye over here as well.
To clarify, I ran some commands on a macOS 10.15.7 machine affected by this "bug" and observed the following:
"sudo profiles show -type enrollment" gave info on the expected prestage enrollment including IsMDMUnremovable = 1; IsMandatory = 1;.
When I execute the command "profiles status -type enrollment" I receive the following response: Enrolled via DEP: No MDM enrollment: No If I run the command "sudo profiles -P" I see the following: There are no configuration profiles installed This doesn't make sense. How were the profiles removed?? Any idea what's going on??