Mojave Upgrade Creates Unverifed MDM Profile

GabeShack
Valued Contributor II

I'm seeing an issue where once we apply the Mojave update to a machine, the MDM profile then gets listed as unverified and other pushes (IE apps and other profiles) don't come down until I remove the MDM and re enroll the machine. Then of course I have to navigate to the profiles section of system preferences and approve the new verified mdm profile. Is this normal behavior or is there a work around?

I've tried removing the MDM profile then doing a sudo jamf manage command, however I get an error saying "Error installing the computer level mdm profile: profiles install for file: '/Library/Application Support/JAMF/tmp/mdm.mobileconfig' and user 'root' returned -915 (Unable to contact the SCEP server at"https://ourserver.com:8443//CA/SCEP".)

Not sure If maybe I'm doing something wrong.

Gabe Shackney
Princeton Public Schools

Gabe Shackney
Princeton Public Schools
1 ACCEPTED SOLUTION

michaelprice
New Contributor III

I am finding both of these commands run in this order is fixing the issue for me -- we have been struggling with known issue PI-000489 and this post helped me. Not sure if it has fixed our EDU profile yet, but I will report back.

sudo jamf trustjss
sudo jamf mdm -userLevelMdm

Saves us from disabling SIP, DEP re-enrollment trickery

View solution in original post

3 REPLIES 3

GabeShack
Valued Contributor II

So after some playing around I also found that we could use the command sudo jamf trustjss but I don't know yet whether it works to correct this issue until I do another machine.

Also I found that running sudo jamf mdm -userLevelMdm fixes another part of this problem that was causing our EDU profiles from getting through.

I'll post more info if I find out anything more.

Edit: Looks like just running the above user mdm command fixes this issue. the trustjss may not be needed.

Gabe Shackney
Princeton Public Schools

Gabe Shackney
Princeton Public Schools

michaelprice
New Contributor III

I am finding both of these commands run in this order is fixing the issue for me -- we have been struggling with known issue PI-000489 and this post helped me. Not sure if it has fixed our EDU profile yet, but I will report back.

sudo jamf trustjss
sudo jamf mdm -userLevelMdm

Saves us from disabling SIP, DEP re-enrollment trickery

View solution in original post

jtrant
Contributor III

What OS were they upgraded from? I found this happened occasionally when machines were upgraded from Sierra to High Sierra (specifically 10.13.4 which brought user-level MDM). The only consistent variable was a hardware change (e.g. repair or Time Machine restore) that changed the GUID.