MDMClientError 89 when wiping and reinstalling Macs

DanJ_LRSFC
Contributor III

This summer we're finally moving to an Automated Device Enrollment/DEP-based deployment workflow for our Macs and we're wiping and reinstalling them with macOS Catalina.

 

However on some of our Macs, after wiping, reinstalling and enrolling with ADE we are finding that some configuration profiles are not being applied (which is a big problem for us as one of these is needed in order for most of our software to get deployed correctly).

 

On further investigation, when looking at the computer record in Jamf Pro of one of the affected Macs, we can see a large number of failed "Remove Configuration Profile (name)" commands with error "Profile with identifier (guid) not found, MDMClientError:89". With "name" and "guid" being replaced by a profile name and guid respectively. Obviously the profiles are not found because the Mac has been wiped and reinstalled.

 

We found that we can remediate this by deleting the computer record before we wipe and reinstall the Mac but we were hoping there might be a way to clean this up en masse (e.g. in the database) without having to delete those records.

 

Does anyone have any suggestions? I searched here but only found 2 threads with MDMClientError 89, but they were from almost a decade ago and didn't seem to match my current situation.

1 ACCEPTED SOLUTION

DanJ_LRSFC
Contributor III

The solution is as follows:

  1. From the JSS, send the "Remove MDM Profile" command to the target Mac
  2. On the target Mac, in Terminal run 

 

sudo profiles -C -v​

to verify there are no configuration profiles installed

 

  • On the target Mac, in Terminal run 

 

sudo jamf removeFramework​

to remove the jamf client

 

  • On the target Mac, in Terminal run 

 

sudo profiles renew -type=enrollment​

to re-enroll the Mac (only works if your Mac is on DEP)

 

  • On the notification that pops up about Device Enrolment, click Details
  • In the Profiles preference pane that appears click Allow
  • Your normal deployment process should kick off at this point.

View solution in original post

12 REPLIES 12

sdagley
Esteemed Contributor II

@DanJ_LRSFC  Under Settings->Global Management->Re-enrollment try changing the setting for "Clear Management History On Mobile Devices And Computers" to "Clear completed, failed and pending commands"

@sdagley I've just had a look at that setting, but it's already set like that.

DanJ_LRSFC_0-1626441280877.png

 

sdagley
Esteemed Contributor II

@DanJ_LRSFC There could definitely me some more options available related to what's cleared when a Mac re-enrolls (my personal pain point is LDAP EAs not being cleared). Short of deleting computer records before re-enrolling the only other suggestion I have is doing a bulk delete of failed commands after you've re-enrolled a group of computers by doing an Advanced Computer Search for machines showing an Last Enrollment date of less than 1 day and using the Action button to run a Cancel Management Commands to Cancel All Failed Commands (see this blog post by @rtrouton for more details: Clearing failed MDM commands on Jamf Pro )

@sdagley I think I tried the Cancel All failed commands button, but I don't think this clears whatever error state is happening, they just come back again the next time you do a blank push to get the configuration profiles loaded on there.

Cormier
New Contributor

I have used both the JSS and Profile Manager to install the profiles which is fine. All necessary ports are open on the firewall, Certs are in place and I can successfully deploy a payload via the profile. 

First Call Online

@Cormier I think you may have posted on the wrong thread?

DanJ_LRSFC
Contributor III

On further investigation it looks like the list of installed Configuration Profiles in the computer record on Jamf Pro does not match the actual installed configuration profiles. Does jamf recon not update the list of installed configuration profiles on a computer record?

sdagley
Esteemed Contributor II

It's not a recon but a "ProfileList" Management Command sent via APNS that tells the Mac to report installed Profiles to Jamf Pro. Maybe time to open  support case if you're not seeing the actual installed match the computer record in Jamf Pro 

I have a support case open with Jamf already, I was just hoping to find a quick and easy solution as I'm now 2 weeks into the Summer Break and still having to manually resolve this issue by deleting Macs from Jamf Pro and then wiping and reinstalling them a second time (after the first time failed).

sdagley
Esteemed Contributor II

I understand the hassle, but maybe just standardize on delete then re-image. For my org policy is always do that unless it's the same user because there's no other mechanism to clear the data in LDAP EAs.

samuellarsson
New Contributor III

I have the exact same problem. I spent last week clean-installing and upgrading three computer labs (~70 machines) from Mojave to Big Sur and enrolled them all back into the same computer object in Jamf, and now they all have this issue. The machines report that they have old sets of profiles, which they don't, and when Jamf tries to remove them with management commands, they result in error MDMClientError:89. I'm also reluctant to delete the computers from Jamf and redo all of last weeks work... I've logged a case as well.

DanJ_LRSFC
Contributor III

The solution is as follows:

  1. From the JSS, send the "Remove MDM Profile" command to the target Mac
  2. On the target Mac, in Terminal run 

 

sudo profiles -C -v​

to verify there are no configuration profiles installed

 

  • On the target Mac, in Terminal run 

 

sudo jamf removeFramework​

to remove the jamf client

 

  • On the target Mac, in Terminal run 

 

sudo profiles renew -type=enrollment​

to re-enroll the Mac (only works if your Mac is on DEP)

 

  • On the notification that pops up about Device Enrolment, click Details
  • In the Profiles preference pane that appears click Allow
  • Your normal deployment process should kick off at this point.