MDM Profile - Not verified. Looking for suggestions.

bcbackes
Contributor II

Hello,

I'm using Jamf Pro 10.15.1 and have some Macs showing up in a Smart Group as the MDM Profile not being verified. Some of the end users are working from home via VPN. My JSS is on-prem and is NOT in the DMZ. So, outside of them connecting to our network VPN they won't be able to reach my Jamf server.

I tried to resolve one of the Macs by re-enrolling it into Jamf remotely (screensharing). It pulled down the quickadd package and went through all the motions, but, at the end it was still unverified. Note: The end user did have admin rights.

Does anyone know how to get the MDM Profile verified if the Mac is being used remotely via VPN?

4 REPLIES 4

walkeri3rd
New Contributor III

I am looking for an answer to this also. The devices are showing enrolled, the MDM Profile expiration date has plenty of time on it but the MDM Profile verification state is "Not Verified".

walkeri3rd
New Contributor III

I am having the same issue. The only resolution I have is to reinstall the OS and then provision them. Originally the MDM was set as non-removable. The MDM moving forward has been changed removable. With the MDM set as non-removable there is no way to resolve the issue.

mpenrod
New Contributor III

I'm pretty sure this is Apple's "new" way (Mojave and forward). If you don't DEP enroll, even if it's a reenroll, then the user (or you remotely) will need to click the verify button in System Prefs -> Profiles. If they open Self Service it should show them a picture of what needs to be done. It's not hard but I've had to do it for quite a few of our people anyway. I've only tried it on prem but it should work over VPN if that traffic is allowed (I have no idea what protocol Apple uses for that).

arpierson
New Contributor III

We occasionally get this on Macs that were enrolled via DEP/ASM. Issuing the Renew MDM Profile command resolves it for us. If it's one of our older Macs that was manually enrolled to Jamf, either via Recon or by a quick add package, then as @mpenrod points out, the Mac is technically a user-initiated enrollment and the user must go to System Preferences > Profiles, click on the MDM Profile in the list of profiles, and click the 'Accept' (or maybe 'Approve'?) button that is just under the title of the profile.