Jamf Nation Community

The funny part is we do always see it enroll properly and do the management command correctly. Sometime later it seems to drop this portion of management and we can't seem to figure out why.
Gabe Shackney
Princeton Public Schools

Is port 2195 available from JSS to the outside world (Apple)? The other port you would need available on your network is 5223 for clients to speak with Apple.

Yes these are both available. The issue isn't it connecting to the apn, but when looking on the computer details page in the jss reporting "MDM Capable: No" I can rerun the JAMF manage command and then it shows Yes again but seems to lose it again later. Most annoying.

Gabe Shackney
Princeton Public Schools

Sorry for the late reply Gabe. Are any of your clients using a proxy of some sort? Just checking all the bases to see where the communication hangup might be. Other thing to maybe check is your certificates. Are you using a self signed certificate or a third party certificate ( JSS >> Settings >> General Settings >> Server Configuration >> Web Certificate ). Is your Push Certificate valid or recently renewed?

Hi Gabe,

Did you get this resolved? I seem to be running into this issue now. Do you happen to have a proxy?

No proxy, but ended up renewing our built in SSL certificate and then issuing either a sudo jamf mdm or sudo jamf manage command to our clients and this seemed to fix it. Still unsure of the cause.

Gabe Shackney
Princeton Public Schools

We had the same problem, this was due to our proxy doing SSL inspection, we turned it off for apple.com sites and it appears to now show up as "yes" still having major issues with config profiles on ML though.

I solved my problem by removing the old MDM Profile in system preferences, and re-enrolled the JSS again.

We started seeing this on a small number of Macs at remote locations, but never on our corporate campus.

In our case, the afflicted Macs were on VLANs that blocked access to APNs over 5223. All these Macs had the MDM enrollment profile from our JSS (v9.65).

Since we also can't use MDM Capability as scope criteria, we decided to create an extension attribute. Basically, we're checking access to gateway.sandbox.push.apple.com 5223 and returning status.

#!/bin/bash
# Test whether Apple Push Notification (APN) service is accessible to Mac client
# A blocked status will prevent Macs getting or updating our MDM settings.

function MDMstatus ()
{
/usr/bin/expect <<EOD
set timeout 2
spawn nc -z gateway.sandbox.push.apple.com 5223
expect *"succeeded!"
EOD
}

reportMDMstatus=`/bin/echo "$(MDMstatus)"`
if [[ "$reportMDMstatus" == *"succeeded"* ]]; then
    /bin/echo "<result>Accessible</result>"
    exit 0
else
    /bin/echo "<result>Blocked</result>"
fi
exit 0

All disclaimers apply, but this may help others needing to test actual access to APNs.

Hey Guys,
I found the only solution that works:
1- delete the computer from jss.
2- reboot and open disk utility and erase the hard disk.
3- reinstall pure, clean OSX either from the web or from an OSX installer from Apple on a USB stick.
4- after installation is complete, run recon or quick add package or any way to enrol the machine into jss and now it should show up in jss MDM Capable= yes.

Being MDM-capable requires a recovery partition. The above process may resolve some of these kinds of issues if the previous volume had no Recovery HD.

@bmarks - not sure this is true. our student workstations don't have a recovery partition and are all mdm capable.

Maybe I'm thinking of FileVault, but I'm about 90% sure I'm correct. The reason being that certain MDM features like remote lock, remote wipe, etc. utilize the other partition to do these things and without it, these MDM features wouldn't work.