Management Commands stuck in a pending state

Mcleveland
New Contributor II

Version: 12.1 Monterey
Processor: M1 Pro

Last Inventory Update: 01/12/2022 at 12:27 PM
Last Check-in: 01/12/2022 at 12:26 PM
Supervised: Yes

What are my troubleshooting steps to get these to go through? Let's collab.

1 ACCEPTED SOLUTION

Mcleveland
New Contributor II

@skrituliukas - I could not do sudo jamf -prompt because I kept getting errors when trying to complete this stage. I couldn't fill out the SSH information. For JSS information I used an account with enrollment only permissions. 

@GabeShack @skrituliukas 
What I found to work was typing: (source)

sudo profiles renew -type enrollment

The issues that I found that have been fixed in my environment were... a stuck spinning wheel when clicking into Management to get to MDM commands, being unable to download VPP applications from Self Service (cannot reach MDM server error), and lastly the issue at hand... a full list of pending MDM commands.

I didn't want to do another enrollment but my patience was wearing thin. I assume somewhere down the line something after the enrollment went wonky... wish I knew more. 


14 REPLIES

cbrewer
Valued Contributor II

Why is there a Renew MDM command queued up? If this is an M1 Pro, it must be a fairly recent enrollment. Maybe just cancel that command? Otherwise, if Renew MDM won't go through, you probably want to re-enroll.

Mcleveland
New Contributor II

Re-enrolling a machine isn't an ideal solution. Nuke the entire enrollment: I don't know why that is step 1.

GabeShack
Valued Contributor III

@Mcleveland @cbrewer I'm seeing this on random machines as well. So far on an M1 MacBook Air and a new MacBook Pro Max. They also had the Renew MDM command queued up, which I didn't push. I'm going to start looking at some various machines in the fleet to double check. I was also seeing recon timing out during the updating hardware information stage, which caused me to review all my extension attributes. I only noticed that by running the command locally on the device and then noticing after 30 min that it never completed the recon. Not sure if the two issues are related though. After rebooting the device the inventory went through, but management commands are still pending.

Gabe Shackney
Princeton Public Schools

skrituliukas
New Contributor II

Hello, we are having this too. sudo jamf enroll -prompt fixes the issue, but it is hard to fix 10 or more machines like that. It would be useful to find out the roots of it. Has anyone tried creating a smart group to get the number of affected machines?

skrituliukas
New Contributor II

That worked too. Thank you. Do you have any idea how to check how many machines we have in this state?

@skrituliukas Did you ever find a good way of querying these machines? I am seeing lots of machines in our environment that are checking in with Jamf and submitting inventory but aren't getting config profiles or management commands. Like someone said in the thread, nuking the machine and starting over as step 1 doesn't seem ideal...

I am seeing this issue with around ~20 of our machines as well 
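
For the question above about finding affected machines, one approach is a Jamf Pro extension attribute that a smart group can then filter on. This is an added example, not code from anyone in the thread; it assumes `profiles status -type enrollment` prints the line format shown in the comments, and the sample outputs are constructed. It only flags machines whose on-device MDM enrollment is missing or not user approved, which is one of the states described in this thread.

```shell
#!/bin/sh
# Added example: extension attribute that reports the on-device MDM
# enrollment state so a smart group can count machines that need
# `profiles renew -type enrollment` or re-enrollment.
#
# Assumption: `profiles status -type enrollment` prints lines such as
#   Enrolled via DEP: Yes
#   MDM enrollment: Yes (User Approved)

# classify_enrollment TEXT
# Prints one keyword describing the "MDM enrollment" line found in TEXT.
classify_enrollment() {
    status_text=$1
    mdm=$(printf '%s\n' "$status_text" \
        | sed -n 's/^[[:space:]]*MDM enrollment:[[:space:]]*//p' \
        | head -n 1)
    case "$mdm" in
        "Yes (User Approved)"*) echo "UserApproved" ;;
        Yes*)                   echo "EnrolledNotApproved" ;;
        No*)                    echo "NotEnrolled" ;;
        *)                      echo "Unknown" ;;   # line missing or unexpected
    esac
}

# Constructed sample outputs (hypothetical server URL), for offline testing.
SAMPLE_OK='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://jamf.example.com/mdm/ServerURL'
SAMPLE_MISSING='Enrolled via DEP: No
MDM enrollment: No'

# On a Mac, query the real state; elsewhere report Unknown.
if command -v profiles >/dev/null 2>&1; then
    result=$(classify_enrollment "$(profiles status -type enrollment 2>&1)")
else
    result="Unknown"
fi

# Jamf Pro reads the extension attribute value from the <result> tags.
echo "<result>$result</result>"
```

A smart group with the criterion "extension attribute is not UserApproved" then lists the machines to look at first.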

Tjernigan
New Contributor III

Have this issue too. Two machines upgraded to Monterey and lost the ability to receive commands. Tried sudo jamf prompt and profile renew and neither worked.

pueo
Contributor II

Hi All.

I just discovered 3 devices on which this issue is occurring. What triggered the investigation was users not being able to connect to VPN but could authenticate. Upon my initial troubleshooting with the VPN team, the Jamf record looks great. Device is checking in, Inventory is updating, but when we looked at the user's Keychain on the device there were missing Certs and no profiles.
In the Pending Profiles list was a Renew MDM Cert. I did not push the Command to have MDM renew. What I figured was that it was the 2-year MDM renewal and something borked, preventing it from renewing.

I excluded the Mac from our DEP notify enrollment workflow and asked the user to click on a Policy in Jamf which ran the 'profiles renew -type enrollment' command. This put everything back to normal. I also submitted a ticket to Jamf asking why this occurs.

Would like to know HOW to prevent this.

:-)

PhilS
New Contributor III

For me even re-enrolling a Mac with a bunch of pending commands didn't work....it wiped out the pending list, but every command I send to it from Jamf Pro goes right back into Pending. Not good at all.

pueo
Contributor II

If you are missing the MDM profile, run the profiles command; when it works, it works great. What about running commands from Terminal on the Mac - jamf manage as an example - or check to see if the device is communicating to Jamf Pro.
Of the 3 machines I mentioned, two would not respond to the:

sudo profiles renew -type enrollment

We had to enroll two of the three using User Initiated Enrollment which means the device loses some Management commands.  Jamf Support are still investigating as to why this happened.  Terminal would accept the command but nothing happened. 

PhilS
New Contributor III

I re-enrolled using that command. Re-enrollment went through fine. Still not accepting remote commands.

pueo
Contributor II

Sometimes a corrupt profile can cause a backlog. Can you remove one profile at a time and see what happens?

Throwing out ideas right now:

Jamf Binary, look at:

flushCaches - Flush cache files for the system and/or users

manage - Enforces the entire management framework from the JSS

renewDeviceCert - Renews the existing management framework device certificate

At this point, what do you have to lose?

In the end we re-enrolled via the URL. It worked and we can move on. Jamf Support can tell me why we lost MDM Profiles on our devices.