MDM Profile Unverified - Signing Certificate Expired

tomgluver
New Contributor III

Hi all,

Our JSS Signing Certificate expired last month, and I have been unable to find how to either update it, or redeploy our MDM Profile. It's not our JSS Certificate Authority, but the Signing Certificate. Is there any documentation I should be looking for, or am I missing something obvious?

We are running 9.101.4, and it doesn't seem to have anything to do regarding user approved MDM (although that's its own can of worms).

Thanks

57 REPLIES

rstasel
Valued Contributor

Sorry, it's not a policy. You don't even need a smart group if you're not running the "jamf trustjss" policy. This is all just a search. Once you show the results of a search, there's "Action" down in the bottom right, where you can cancel pending/failed management commands (so get the pending ones out of the way); then you can do the Action again, and Send Remote Command, Renew MDM.

rstasel
Valued Contributor

Here ya go. (not in right order)


tcandela
Valued Contributor II

@rstasel I kinda see now.

rstasel
Valued Contributor

Yup.

tcandela
Valued Contributor II

@rstasel how long after you ran the 2 commands did you see results? (I see, you had to just, daily or whatever, see the numbers drop as computers ran inventory.)

In my search I only did the first line.

Another issue I have is a handful of these Macs have totally dropped off from even doing the routine check-in and inventory updates, so probably those Macs won't be affected by this.

rstasel
Valued Contributor

If the MDM command succeeds, the next inventory they should report as Verified. So I started seeing results pretty quick. If you want to speed it up, make a new smart group and scope an inventory to that.

And yes, that command will just sit waiting for machines until they come online again. The profile being unverified should have nothing to do with them not checking in; that just means they're off, or somehow Jamf is broken on them (the Jamf binary and MDM stuff aren't tied together).

If you don't have any 10.13 machines, then that's fine. If you DO have 10.13 machines, or older, you want to exclude them from this. They won't successfully renew the MDM profile, and instead just spin up the CPU for a while before failing silently and continuing to be unverified.

tcandela
Valued Contributor II

@rstasel we have nothing older than 10.13.

So far I see 5 Macs that have run inventory since I did those 'actions', and checking the inventory information on one of them I see no change to the Not Verified state.
Also I see in the Macs' Management tab a handful of pending commands, along with the Renew MDM Profile command. Date of last push 13 minutes ago!!!! What is preventing these commands from executing??

rstasel
Valued Contributor

Hi @tcandela

What OS? If 10.14, is someone logged in? If not, someone needs to login.

There are a lot of variables, and yes, the 100 or so I have left are all in this state. Which means having to re-enroll them.

tcandela
Valued Contributor II

@rstasel here are a couple of sample results from two of the computers the renew profile command was sent to. Someone has been logged in. Also the search is still at 86 computers, so the commands did not affect even 1 computer.


rstasel
Valued Contributor

So that top one looks suspicious. I'm not positive, but that looks like the MDM push cert was renewed with a different Apple ID than originally (so when you renew the APN profile with Apple, it warns you in the Jamf Pro server if the Apple ID is different than originally). Does that sound right? If that's the case, any machine in that state will need to be re-enrolled.

The bottom one looks like the ones I have left... just for whatever reason they aren't accepting the new MDM. I'm unclear why.

What OS is on each of these? Do you have one in your possession or are they all out in the field?

mainelysteve
Valued Contributor II

@tcandela When you renewed your push certificate I assume you used the same Apple ID you used the previous year(s)?

tcandela
Valued Contributor II

@rstasel both are running 10.14 and out in the field.

I have no idea what that top 'does not contain same push topic' message means!!!

rstasel
Valued Contributor

Yup, what @mainelysteve said. That 'does not contain same push topic' looks like a different Apple ID was used to renew the push certificate.

boberito
Valued Contributor

@tcandela my suggestion at this point, honestly, if you haven't already: open a ticket with Jamf support.

tcandela
Valued Contributor II

@boberito I did once. They're about as helpful as asking no one.

boberito
Valued Contributor

@tcandela yaaa.... :/

rstasel
Valued Contributor

@tcandela Would definitely recommend opening a ticket in this case, because I'm not sure we're going to be familiar with all the specific errors.

That first one though looks like the APN push cert was renewed with a different Apple ID. The second one though is more what I'm seeing (machines that aren't getting/respecting the Renew MDM command).

jhalvorson
Valued Contributor

A few of our devices are not able to renew the MDM profile. The failed command shows:

Profile replacing MDM profile does not contain same ServerURL as original <MDMClientError:90>

We've only had one AppleID reserved for use with APN Push Certs.

Has anyone determined a resolution?
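Both failure messages in this thread (the 'does not contain same push topic' result in @tcandela's screenshots and the `<MDMClientError:90>` ServerURL error above) are the Mac's MDM client refusing a replacement profile whose `com.apple.mdm` payload changed a key that has to stay identical. As an added example (not Jamf's code or anything from this thread), the script below compares the installed MDM profile with the renewal candidate and reports those mismatches before a Renew MDM command is queued; the Topic and ServerURL values are constructed placeholders, and the profiles are assumed to be unsigned plists.

```python
"""Pre-flight check for an MDM profile renewal (added example, not Jamf's code).

"does not contain same push topic" and "does not contain same ServerURL as
original <MDMClientError:90>" are the Mac's MDM client refusing a replacement
profile whose com.apple.mdm payload changed a key that must stay stable. This
compares the installed profile with the renewal candidate and lists such
mismatches before a Renew MDM command is queued. Sample data is constructed.
"""
import plistlib

MDM_PAYLOAD_TYPE = "com.apple.mdm"
# A replacement MDM profile must carry the same push topic and server URL as the
# installed one; if either changed, the device has to be re-enrolled instead.
STABLE_KEYS = ("Topic", "ServerURL")


def mdm_payload(profile_bytes: bytes) -> dict:
    """Return the com.apple.mdm payload from an unsigned .mobileconfig plist."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == MDM_PAYLOAD_TYPE:
            return payload
    raise ValueError("profile has no com.apple.mdm payload")


def renewal_mismatches(installed: bytes, candidate: bytes) -> list:
    """Stable keys whose values differ; an empty list means renewal can proceed."""
    old, new = mdm_payload(installed), mdm_payload(candidate)
    return [f"{key}: {old.get(key)!r} -> {new.get(key)!r}"
            for key in STABLE_KEYS if old.get(key) != new.get(key)]


def make_profile(topic: str, server_url: str) -> bytes:
    """Build a minimal constructed MDM profile (not a real enrollment profile)."""
    mdm = {"PayloadType": MDM_PAYLOAD_TYPE, "PayloadVersion": 1,
           "PayloadIdentifier": "com.example.mdm",  # placeholder identifier
           "PayloadUUID": "00000000-0000-4000-8000-000000000001",
           "Topic": topic, "ServerURL": server_url}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "com.example.enrollment",
                           "PayloadUUID": "00000000-0000-4000-8000-000000000002",
                           "PayloadContent": [mdm]})


# Constructed samples: the installed profile, a renewal that keeps both keys, one
# where the push cert was renewed under a different Apple ID (new topic), and
# one where the server URL changed (the <MDMClientError:90> case).
INSTALLED = make_profile("com.apple.mgmt.External.placeholder-1", "https://jss.example.com:8443/mdm")
RENEWAL_OK = make_profile("com.apple.mgmt.External.placeholder-1", "https://jss.example.com:8443/mdm")
RENEWAL_NEW_TOPIC = make_profile("com.apple.mgmt.External.placeholder-2", "https://jss.example.com:8443/mdm")
RENEWAL_NEW_URL = make_profile("com.apple.mgmt.External.placeholder-1", "https://jamf.example.com/mdm")
```

Run `renewal_mismatches(INSTALLED, candidate)` against each sample: only `RENEWAL_OK` returns an empty list, the other two name the key that would make the client reject the renewal.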