MDM Watchdog

easyedc
Valued Contributor II

I saw a blog post mentioning a new tool Addigy is rolling out to try to work through broken/stuck MDM on managed devices. The premise sounds promising, and I only bring it up here since they plan to offer an open version that can be leveraged with other (aka Jamf) MDMs. https://addigy.com/blog/addigy-new-mdm-watchdog-agent-how-to-resolve-mdm-issues-with-macos/?utm_sour...


mm2270
Legendary Contributor III

Nice, but I find it to be a sad statement that an entire additional piece of software had to be developed to work around the fact that Apple's MDM largely still sucks and breaks far too often. If Apple would just find a way to make it more reliable, tools like this wouldn't have to be developed in the first place as there would be no need for them.

easyedc
Valued Contributor II

[image: easyedc_0-1685014575319.gif]

easyedc
Valued Contributor II

I also think it's sort of ironic that Apple frequently walks into meetings with my .org (or any that I've worked with) and brags about being enterprise friendly, yet so many things have to have workarounds or 3rd-party apps to make them truly usable by Admins. It could be worse - I could be forced to work on Windows.

davidi4
Contributor

oh oh, Jamf... a small market Fox station picked up on this story: https://fox59.com/business/press-releases/accesswire/756815/addigy-finds-apple-rapid-security-respon...


Can we please get some Jamf engineering resources to look at this as a priority, because we all know Apple won't and relying on Addigy could make some of your customers consider a switch of vendors...

mm2270
Legendary Contributor III

Cripes! 25% of managed machines (just the Addigy-managed ones, mind you) are not getting the RSR updates and, worse, are getting into a stuck state. In any environment I can think of, 25% failures would be considered an overall failure and someone(s) would be fired. Only Apple can get away with such a level of brokenness. With so much of our macOS and iOS device management now relying on MDM working (thanks to Apple), systems having broken MDM is a serious problem.

scottlep
Contributor II

Anyone have access to and could share the Restart MDMClient Service script mentioned here? - https://support.addigy.com/hc/en-us/articles/14910202404627-MDM-Client-Is-Unresponsive-and-Remediati...

dsavageED
Contributor III

DavidN
Contributor

Does anyone have an extension attribute for this?


Here's what I have so far. You could substitute "MDMCLientStuck" for "MDMEnrolled" to get a true/false value.

#!/bin/sh

# Jamf extension attribute: report the MDMEnrolled value from "mdm-watchdog -diagnose".
# Only runs the diagnose call if the watchdog's support folder is present.

if [ -d "/Library/Application Support/mdm-watchdog/" ]; then
    # Take the value after "MDMEnrolled:" (second whitespace-separated field)
    Watchdog=$(mdm-watchdog -diagnose | grep "MDMEnrolled:" | awk '{ print $2 }')
    echo "$Watchdog"
    echo "<result>$Watchdog</result>"
else
    echo "Watchdog does not exist"
    echo "<result>NotInstalled</result>"
fi

What's the time hit on that? I'm hesitant to create an EA simply because the watchdog takes what seems to be an unreasonable amount of time to return a response to -diagnose. This is also mentioned in the video.

Yeah, it does take some time, 10 seconds? I only have it on one system so far. Unsure if this is something I should deploy to more systems? I added the line to check for existence of mdm-watchdog for now.


davisna
New Contributor

FYI, the diagnostic piece took too long from an inventory perspective. I wrote this to pull from the unified log instead; as it runs every 95 minutes, that should be sufficient.

#!/bin/bash

# Written by Nick Davis on 8.25.23 to report the log results from MDM Watchdog.

## Read the log file, search for watchdog process and grab the last 8 lines
resultS=$(log show -predicate 'process = "mdm-watchdog"' | tail -n 8)

## Trim the lines to show MDM Watchdog output
trimIT=$(echo "$resultS" | sed 's/^.*MDME/MDME/')

## Trim the lines to only show the last run date
dateTime=$(echo "$resultS" | sed 's/\..*//' | head -n 1)

## Check for presence of mdm-watchdog in results
installED=$(echo "$resultS" | grep "mdm-watchdog")

## If MDM Watchdog is in the results, display data.
if [ -n "$installED" ]; then
    echo "<result>Last Run: $dateTime
$trimIT</result>"
else
    echo "<result>Not Installed</result>"
fi

exit 0

This seems to work well and provides a lot of data quickly.

Macweazle
New Contributor III

Excellent.
Not sure if something changed with Sonoma regarding the output of the log, but I had to change those two lines to get a proper result:

## Trim the lines to show MDM Watchdog output
trimIT=$(echo "$resultS" | sed 's/^.*MDME/MDME/' | sed '/Retrieve/d')

## Trim the lines to only show the last run date
dateTime=$(echo "$resultS" | grep Default | sed 's/\..*//' | head -n 1)