Jamf Nation Community

billystanton · ‎03-22-2016

Hi Guys,

We have noticed an issue this PM which shows our MDM Capability as "No" after imaging or enrolling via the URL.

Does anybody know what I can check to see what might be causing this?

2 Machines have the same problem now.

Thanks!

EDIT 23/03/16 14:00PM GMT - It seems from comments below that this is an Apple issue, multiple users have reported this to Apple. JAMF have also had multiple reports.

EDIT 24/03/16 11:30AM GMT - Fixed.

CypherCookie · ‎03-24-2016

Just check this morning and APN is back up and new Mac's are getting the config profile!

View solution in original post

stevewood · ‎03-23-2016

For those looking for a way to report on MDM status, while not ideal, you can report on the status via the API. Combine that into an EA script and you can create a Smart Group that gives you all machines that do not have MDM enabled.

#!/usr/bin/env python

import urllib
import subprocess
import os.path
import xml.etree.ElementTree as ET


jssAPIuser = 'apiuser'
jssAPIpass = 'apipass'
jssURL = 'https://' + jssAPIuser + ':' + jssAPIpass + 
    '@' + 'yourjssaddress'

serial = subprocess.Popen("system_profiler SPHardwareDataType |grep -v tray 
    | awk '/Serial/ {print $4}'", shell=True, stdout=subprocess.PIPE).
    communicate()[0].strip()

url = jssURL + 
    '/JSSResource/computers/serialnumber/' + serial + '/subset/General'
uh = urllib.urlopen(url)
data = uh.read()
tree = ET.fromstring(data)
general = tree.findall('general')
mdm_status = general[0].find('mdm_capable').text

print '<result>' + str(mdm_status) + '</result>'

Hope that helps some.

stevewood · ‎03-23-2016

I should point out, the script above provides the status of either True or False. You'd need to set your SG to False, obviously, for machines with MDM not enabled.

Also, you'll need to put in your API user name and password along with the URL to your JSS (just the domain and port like yourserver.com:8443).

billystanton · ‎03-23-2016

@tim.c.arnold You're correct, I should note that i've only set this up for 1 user so far to "get us by" without leaving the laptop unlocked.

I will remove profiles and re enrol once this is all resolved.

msnowdon · ‎03-23-2016

Besides enrolling new machines and getting config profiles, what other services are affected? Seems like apps are not getting pushed down to mobile devices.

stevewood · ‎03-23-2016

And I just heard from JAMF themselves that there is an EA Template already in the JSS for this. It's called "Verify MDM Enrollment". So, you can use the template or the Python script I posted.

itupshot · ‎03-23-2016

I noticed this problem yesterday afternoon when I imaged two MacBook Airs out of the box. They were supposed to receive some Config Profiles as part of enrollment, but no joy. JAMF confirmed that they'd been seeing "major outages with MDM communication."

I fired them up this morning, and they still haven't received them even though they've checked in with my JSS a couple of times already.

gskibum · ‎03-23-2016

@tim.c.arnold Very good point!

jhbush · ‎03-23-2016

@stevewood I would say your EA is better as it checks for MDM Capability which is a giveaway that things aren't working as expected. MDM Enrollment has come back as enrolled on machines that fail to acquire profiles.

blackholemac · ‎03-23-2016

Hate to add a "me too" but me too...I'm seeing it sporadically though.

Our Apple SE definitely acknowledged a problem on Apple's end, but had little other info.

Gordo_L · ‎03-23-2016

Same boat rowing right behind everybody...
Patiently stuck in the apple hold que but giving up for lunch!

donmontalvo · ‎03-23-2016

Opened an escalation with Apple a few hours ago, haven't heard back. A few colleagues say they were told Apple is aware of the issue and is working on it. I'm hoping to get the same response so I can update our internal ticket.

--
https://donmontalvo.com

oldemarg · ‎03-23-2016

Same here. Waiting to hear back from Apple.

adhuston · ‎03-23-2016

Seeing much the same behavior here in Ohio. Configuration profiles are hung pending on our JSS.

donmontalvo · ‎03-23-2016

Heard back from a colleague who got word back from Apple. Once they fix the MDM issue, clients should just start working again. Not sure why APNS is not included in System Status page. It is indeed listed on the Developer service status page, and shows the service is fine. :(

Fingers crossed.

--
https://donmontalvo.com

adhuston · ‎03-23-2016

Thanks Don! Hope we see a fix soon!

donmontalvo · ‎03-23-2016

FYI, just got a response from our Apple SE...

Hi Don, Thank you for contacting AppleCare Enterprise Support. I understand you are unable to manage OS X systems via your MDM. Apple Product Engineering is aware of the issue and currently investigating. I do not have an ETA at this point, but I will follow-up once more information is available. Regards, XXXXXX XXXXXX AppleCare Enterprise Customer Support Engineering

--
https://donmontalvo.com

Aziz · ‎03-23-2016

@donmontalvo

Of course the system status for APNS would show as fine.

https://developer.apple.com/system-status/

mjohnston · ‎03-23-2016

Same issue here.
How does one run the MDM diagnostics?
Thanks,
Matt

blackholemac · ‎03-23-2016

Push Diagnostics is a very helpful app on the App Store made by Two Canoes. That is what folks were using in the screenshots.

zdale59 · ‎03-23-2016

Called Apple to report this as well. Hoping they'll throw another engineer at it.

mjohnston · ‎03-23-2016

@blackholemac Thanks. Ran it on 2 new machines and it's failing.
Passes on older machines.
Apple need to fix this ASAP as we are about to start a massive refresh of the whole company.
:-(

bpavlov · ‎03-23-2016

Won't help you today, but if this FR were implemented it might not be a problem for OS X:
https://jamfnation.jamfsoftware.com/featureRequest.html?id=4619

Sorry for the shameless plug, but not really.

blackholemac · ‎03-23-2016

Same boat man...happening sporadically...of course at the same time I'm trying to get a jump start on summer reimaging

blackholemac · ‎03-23-2016

Already voted up

MichaelC · ‎03-23-2016

It's got my vote. Also, reporting the issue exists in New Zealand - although adding a 'me too' at this point seems redundant.

dvasquez · ‎03-23-2016

When I called they did not acknowledge my information. But I am glad pings have been placed. I hope this is resolved soon.

I bet our Apple Support rep was looking at that APNS and was scratching his head.

Thanks Don!

Dom

ryanstayloradob · ‎03-23-2016

@donmontalvo that is the nearly identical response we got from our AppleCare support engineer. Still waiting for a fix. Fortunately, we have a manual workaround for our wifi profile and we're not using config profiles for anything else.

blackholemac · ‎03-23-2016

I'm giving them until lunchtime Friday and then going to implement local profiles on the afflicted machines, tracking said machines in the JSS and 'fixing it' on those machines after APNS is fully operational.

ryanstayloradob · ‎03-23-2016

Since Apple's APNS status has been green since this outage occurred, is it only an issue between JAMF and Apple? Are other people having APNS issues outside of using Casper? I say that because FaceTime and iMessage are showing outages for some users after they update to 10.11.4.

blackholemac · ‎03-23-2016

According to MacAdmins Slack, MobileIron (or Meraki...can't remember with all the messages flying) customers also seem to note the problem.

gskibum · ‎03-23-2016

@ryanstayloradobe Every time I've ever encountered a confimed outage and have gone to check status, the status never reflects the outage. I don't even bother to look there anymore.

@everyone.

Both 10.11.3 and 10.11.4 give the same failures for me. The Configuration Profile logs say "Cancelled"

osbalde · ‎03-23-2016

Tried again this afternoon, still down. Push Diagnostic reports green but enrolling a machine still results in no MDM capability.

prbsparx · ‎03-23-2016

We've seen this now in the U.S., Canada, Europe, and Asia. Doesn't seem to matter what version either.

murph · ‎03-23-2016

I wonder if this is also somehow related:

"Many Mac users unable to log in to iMessage & FaceTime after updating to OS X 10.11.4"
http://9to5mac.com/2016/03/23/cant-log-in-to-imessage-facetime-os-x-10-11-4/

donmontalvo · ‎03-23-2016

@ryanstayloradobe wrote:

Since Apple's APNS status has been green since this outage occurred, is it only an issue between JAMF and Apple? Are other people having APNS issues outside of using Casper? I say that because FaceTime and iMessage are showing outages for some users after they update to 10.11.4.

Interesting...Messages uses APNS, guessing FaceTime does too?

--
https://donmontalvo.com

donmontalvo · ‎03-23-2016

@blackholemac weotr:

I'm giving them until lunchtime Friday and then going to implement local profiles on the afflicted machines, tracking said machines in the JSS and 'fixing it' on those machines after APNS is fully operational.

We have been discussing this but yea, then you've got a bunch of deployed non MDM profiles to deal with. Hoping Apple fixes this soon.

--
https://donmontalvo.com

milesleacy · ‎03-23-2016

I'm seeing the same intermittent failures across my global enterprise. If you have enterprise AppleCare, submit a ticket.

robertojok · ‎03-24-2016

I had the same problem with Casper imaging and failure of the MDM capability; logged a call with JAMF and have been informed I am not the only one in Europe with this problem. It started 2 days ago...

CypherCookie · ‎03-24-2016

Just check this morning and APN is back up and new Mac's are getting the config profile!

justinjanson · ‎03-24-2016

DEP enrollment is up and running again and seems to work now.

Jamf Nation Community

MDM Capability No