MDM Capability No

billystanton
New Contributor II

Hi Guys,

We have noticed an issue this PM which shows our MDM Capability as "No" after imaging or enrolling via the URL.

Does anybody know what I can check to see what might be causing this?

2 Machines have the same problem now.

Thanks!

EDIT 23/03/16 14:00PM GMT - It seems from comments below that this is an Apple issue, multiple users have reported this to Apple. JAMF have also had multiple reports.

EDIT 24/03/16 11:30AM GMT - Fixed.

1 ACCEPTED SOLUTION

CypherCookie
Contributor

Just checked this morning and APN is back up and new Macs are getting the config profile!


110 REPLIES

stevewood
Honored Contributor II

For those looking for a way to report on MDM status, while not ideal, you can report on the status via the API. Combine that into an EA script and you can create a Smart Group that gives you all machines that do not have MDM enabled.

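#!/usr/bin/env python3

import base64
import subprocess
import urllib.request
import xml.etree.ElementTree as ET

# API account and JSS address (domain and port only).
# These values sit in clear text in a script that runs on every client,
# so use a dedicated account that can only read computer records.
jssAPIuser = 'apiuser'
jssAPIpass = 'apipass'
jssURL = 'https://' + 'yourjssaddress'

# Serial number of this Mac, as reported by system_profiler.
serial = subprocess.check_output(
    "system_profiler SPHardwareDataType | grep -v tray "
    "| awk '/Serial/ {print $4}'", shell=True).decode().strip()

# Request the General subset of this computer's record with HTTP Basic auth.
url = jssURL + '/JSSResource/computers/serialnumber/' + serial + '/subset/General'
token = base64.b64encode((jssAPIuser + ':' + jssAPIpass).encode()).decode()
request = urllib.request.Request(url, headers={
    'Authorization': 'Basic ' + token,
    'Accept': 'application/xml',
})
data = urllib.request.urlopen(request).read()

# Pull mdm_capable out of the <general> element of the response.
tree = ET.fromstring(data)
general = tree.findall('general')
mdm_status = general[0].find('mdm_capable').text

# Extension Attributes read their value from a <result> line.
print('<result>' + str(mdm_status) + '</result>')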

Hope that helps some.

stevewood
Honored Contributor II

I should point out, the script above provides the status of either True or False. You'd need to set your SG to False, obviously, for machines with MDM not enabled.

Also, you'll need to put in your API user name and password along with the URL to your JSS (just the domain and port like yourserver.com:8443).
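
Added example (not part of stevewood's posts or of Jamf's template): the script above exits without printing a `<result>` line when the API call fails or the record has no `mdm_capable` field, so the EA never reports that Mac as False. This sketch maps every response body to True, False or Unknown; the function name, the Unknown value, the lower-casing of the field and the sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample response bodies (not captured from a real JSS).
CAPABLE = b"<computer><general><id>1</id><mdm_capable>true</mdm_capable></general></computer>"
NOT_CAPABLE = b"<computer><general><id>2</id><mdm_capable>false</mdm_capable></general></computer>"
NO_FIELD = b"<computer><general><id>3</id></general></computer>"
ERROR_PAGE = b"<html><body><p>Unauthorized<br></body></html>"  # not well-formed XML


def ea_result(body):
    """Turn a /subset/General response body into an EA result line.

    Returns True or False only when mdm_capable is present and readable;
    anything else (empty body, error page, missing field) becomes Unknown.
    """
    status = "Unknown"
    try:
        root = ET.fromstring(body) if body else None
    except ET.ParseError:
        root = None
    if root is not None:
        value = (root.findtext("general/mdm_capable") or "").strip().lower()
        if value in ("true", "false"):
            status = value.capitalize()
    return "<result>" + status + "</result>"


if __name__ == "__main__":
    for sample in (CAPABLE, NOT_CAPABLE, NO_FIELD, ERROR_PAGE, b""):
        print(ea_result(sample))
```

A Smart Group that matches anything other than True then also catches Macs whose lookup failed.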

billystanton
New Contributor II

@tim.c.arnold You're correct, I should note that I've only set this up for 1 user so far to "get us by" without leaving the laptop unlocked.

I will remove profiles and re-enrol once this is all resolved.

msnowdon
Contributor

Besides enrolling new machines and getting config profiles, what other services are affected? Seems like apps are not getting pushed down to mobile devices.

stevewood
Honored Contributor II

And I just heard from JAMF themselves that there is an EA Template already in the JSS for this. It's called "Verify MDM Enrollment". So, you can use the template or the Python script I posted.

itupshot
Contributor II

I noticed this problem yesterday afternoon when I imaged two MacBook Airs out of the box. They were supposed to receive some Config Profiles as part of enrollment, but no joy. JAMF confirmed that they'd been seeing "major outages with MDM communication."

I fired them up this morning, and they still haven't received them even though they've checked in with my JSS a couple of times already.

gskibum
Contributor III

@tim.c.arnold Very good point!

jhbush
Valued Contributor II

@stevewood I would say your EA is better as it checks for MDM Capability which is a giveaway that things aren't working as expected. MDM Enrollment has come back as enrolled on machines that fail to acquire profiles.

blackholemac
Valued Contributor III

Hate to add a "me too" but me too...I'm seeing it sporadically though.

Our Apple SE definitely acknowledged a problem on Apple's end, but had little other info.

Gordo_L
New Contributor

Same boat rowing right behind everybody...
Patiently stuck in the Apple hold queue but giving up for lunch!

donmontalvo
Esteemed Contributor III

Opened an escalation with Apple a few hours ago, haven't heard back. A few colleagues say they were told Apple is aware of the issue and is working on it. I'm hoping to get the same response so I can update our internal ticket.

--
https://donmontalvo.com

oldemarg
New Contributor

Same here. Waiting to hear back from Apple.

adhuston
Contributor

Seeing much the same behavior here in Ohio. Configuration profiles are hung pending on our JSS.

donmontalvo
Esteemed Contributor III

Heard back from a colleague who got word back from Apple. Once they fix the MDM issue, clients should just start working again. Not sure why APNS is not included in System Status page. It is indeed listed on the Developer service status page, and shows the service is fine. :(

Fingers crossed.

--
https://donmontalvo.com

adhuston
Contributor

Thanks Don! Hope we see a fix soon!

donmontalvo
Esteemed Contributor III

FYI, just got a response from our Apple SE...

Hi Don,

Thank you for contacting AppleCare Enterprise Support. I understand you are unable to manage OS X systems via your MDM. Apple Product Engineering is aware of the issue and currently investigating. I do not have an ETA at this point, but I will follow up once more information is available.

Regards,
XXXXXX XXXXXX
AppleCare Enterprise Customer Support Engineering

--
https://donmontalvo.com

Aziz
Valued Contributor

@donmontalvo

Of course the system status for APNS would show as fine.

https://developer.apple.com/system-status/

mjohnston
New Contributor

Same issue here.
How does one run the MDM diagnostics?
Thanks,
Matt

blackholemac
Valued Contributor III

Push Diagnostics is a very helpful app on the App Store made by Two Canoes. That is what folks were using in the screenshots.

zdale59
New Contributor

Called Apple to report this as well. Hoping they'll throw another engineer at it.

mjohnston
New Contributor

@blackholemac Thanks. Ran it on 2 new machines and it's failing.
Passes on older machines.
Apple need to fix this ASAP as we are about to start a massive refresh of the whole company.
:-(

bpavlov
Honored Contributor

Won't help you today, but if this FR were implemented it might not be a problem for OS X:
https://jamfnation.jamfsoftware.com/featureRequest.html?id=4619

Sorry for the shameless plug, but not really.

blackholemac
Valued Contributor III

Same boat man...happening sporadically...of course at the same time I'm trying to get a jump start on summer reimaging

blackholemac
Valued Contributor III

Already voted up

MichaelC
New Contributor III

It's got my vote. Also, reporting the issue exists in New Zealand - although adding a 'me too' at this point seems redundant.

dvasquez
Valued Contributor

When I called they did not acknowledge my information. But I am glad pings have been placed. I hope this is resolved soon.

I bet our Apple Support rep was looking at that APNS and was scratching his head.

Thanks Don!

Dom

ryanstayloradob
Contributor

@donmontalvo that is the nearly identical response we got from our AppleCare support engineer. Still waiting for a fix. Fortunately, we have a manual workaround for our wifi profile and we're not using config profiles for anything else.

blackholemac
Valued Contributor III

I'm giving them until lunchtime Friday and then going to implement local profiles on the afflicted machines, tracking said machines in the JSS and 'fixing it' on those machines after APNS is fully operational.

ryanstayloradob
Contributor

Since Apple's APNS status has been green since this outage occurred, is it only an issue between JAMF and Apple? Are other people having APNS issues outside of using Casper? I say that because FaceTime and iMessage are showing outages for some users after they update to 10.11.4.

blackholemac
Valued Contributor III

According to MacAdmins Slack, MobileIron (or Meraki...can't remember with all the messages flying) customers also seem to note the problem.

gskibum
Contributor III

@ryanstayloradobe Every time I've ever encountered a confirmed outage and have gone to check status, the status never reflects the outage. I don't even bother to look there anymore.

@everyone.

Both 10.11.3 and 10.11.4 give the same failures for me. The Configuration Profile logs say "Cancelled"

osbalde
New Contributor

Tried again this afternoon, still down. Push Diagnostic reports green but enrolling a machine still results in no MDM capability.

prbsparx
Contributor II

We've seen this now in the U.S., Canada, Europe, and Asia. Doesn't seem to matter what version either.

murph
New Contributor III

I wonder if this is also somehow related:

"Many Mac users unable to log in to iMessage & FaceTime after updating to OS X 10.11.4"
http://9to5mac.com/2016/03/23/cant-log-in-to-imessage-facetime-os-x-10-11-4/

donmontalvo
Esteemed Contributor III

@ryanstayloradobe wrote:

Since Apple's APNS status has been green since this outage occurred, is it only an issue between JAMF and Apple? Are other people having APNS issues outside of using Casper? I say that because FaceTime and iMessage are showing outages for some users after they update to 10.11.4.

Interesting...Messages uses APNS, guessing FaceTime does too?

--
https://donmontalvo.com

donmontalvo
Esteemed Contributor III

@blackholemac wrote:

I'm giving them until lunchtime Friday and then going to implement local profiles on the afflicted machines, tracking said machines in the JSS and 'fixing it' on those machines after APNS is fully operational.

We have been discussing this but yea, then you've got a bunch of deployed non-MDM profiles to deal with. Hoping Apple fixes this soon.

--
https://donmontalvo.com

milesleacy
Valued Contributor

I'm seeing the same intermittent failures across my global enterprise. If you have enterprise AppleCare, submit a ticket.

robertojok
Contributor

I had the same problem with Casper imaging and failure of the MDM capability; logged a call with JAMF and have been informed I am not the only one in Europe with this problem. It started 2 days ago...

CypherCookie
Contributor

Just checked this morning and APN is back up and new Macs are getting the config profile!

justinjanson
New Contributor

DEP enrollment is up and running again and seems to work now.