OS X 10.11.4 Not Applying Config Profiles

jhein
New Contributor II

Just started to see this, upgraded a MacBook to newest El Capitan version (10.11.4) and no configuration profiles are being installed. Am using JSS 9.81, and am doing two things: a cert delivery and an AD Cert request. Anyone else on 10.11.4 seeing this?

Julian

1 ACCEPTED SOLUTION

jhein
New Contributor II

Guess I can mark this as an "Answer", just so others know what all went down, but it was more or less a group effort of yelling at Apple. So the general thought is that Apple APNS service went down yesterday which broke the MDM push capabilities. However, this morning myself and others have found that the config profiles are applying again across multiple OS X versions. I can confirm that my problem 10.11.4 is now successfully working.

bentoms
Esteemed Contributor

mm2270
Legendary Contributor III

Why not 9.82? Is there something stopping you from updating to the latest JSS version? I'm not saying that is definitely the issue, but it would be worth seeing if using the latest 10.11 approved Casper Suite version will resolve this for you.
We only just began playing with 10.11.4 today, so I'll need to see if we see a similar issue. We're on JSS 9.82.

EDIT: Ok then, never mind. Looks like there is some issue with 10.11.4. Oy Apple!

yan1212
Contributor

Yes, I am seeing similar behaviour. I haven't had the chance to diagnose it properly but so far I saw 3 MacBooks that our support guys rebuilt to 10.11.4 and enrolled today that would not have any profiles pushed to them despite being in scope and showing as "pending".

jhein
New Contributor II

Thanks @bentoms, will bookmark that and look into it.

@mm2270, No real reason for not updating the JSS, just had not gotten to updating it yet. I am going to try on some 10.10 Macs first before doing that but will keep that in mind. If you could reply back with your finding after playing around with it, that would be awesome!

yan1212
Contributor

Thanks @bentoms !

Stonham
New Contributor II

I am also seeing this issue.

Retrac
Contributor

Same thing for me, JSS 9.82.

10.11.4 - Add CP to scope and nothing happens on the Mac. Reboot and it applies
10.1.5 - Add CP to scope and the profile gets delivered but does not take effect until a logout/login.

Not sure when this started happening though.

Retrac
Contributor

Just tested again after posting and now 10.10.5 works as expected.

Add or remove a CP for a Mac and it instantly gets applied/removed.

Jakov
New Contributor III

Exactly the same issue here! JSS 9.82 and OS X 10.11.4, no profiles applied...

MTFIDjamf
Contributor II

Seeing the same here across all of our builds..
JSS 9.82

OS X 10.10.5 - Production net new devices pull no config profiles.
OS X 10.11.3 - Test build, no CP's.
OS X 10.11.4 - Test build, no CP's.

Any more news on this?

jhein
New Contributor II

It is looking like, from other posts and what has been said here, that it is an Apple issue. I have not tested out 10.10 builds yet, am getting ready to, but did notice that on the 10.11.4 the MDM Capable is set to "No" when I check the machine in JSS, so maybe something was changed with how the MDM is setup in 10.11.4.

Just tested 10.10.5, and it pulled profiles down like a champ. So it looks like it is more 10.11.4 that messed everything up... Way to go Apple.....

MTFIDjamf
Contributor II

Just checked that setting across all of the OS X builds mentioned above.....any net-new device that we image comes up as 'MDM Capability: NO' no matter the version of OS X.

blackholemac
Valued Contributor III

Following the other post referenced above but will update this thread too...basically a me too, but occurring randomly and updated to note that our Apple SE acknowledged an issue on Apple's end but had no other immediate details.

apizz
Valued Contributor

I can confirm that after reimaging a test machine with 10.11.4 that it gets our MDM profile and a couple others, but after creating a new test CP it has not yet applied. JSS running 9.82. After restarting the machine the profile got applied.

blackholemac
Valued Contributor III

@aporlebeke My "occurring randomly" in my post above can be best described by your post only it occurred on a freshly reimaged 10.11.3 MacBook. I blew the MDM profile out of System Preferences--->Profiles pane and ran sudo jamf mdm and it loaded all fine, but on one or two MacBooks running same 10.11.3 image, that doesn't work.

No answers but at least someone else is seeing what I thought was my unique issue. Waiting on Apple for a fix it looks like.

gskibum
Contributor III

@aporlebeke That's my experience too. Devices enroll and get the JSS MDM, but others don't hit the box.

Devices also show "MDM Capability: Yes" in inventory.

apizz
Valued Contributor

Well, I guess it's a good thing it's only March and we don't have to worry about sealing up our image just yet. Hopefully there aren't any new issues like this when they fix this in 10.11.5 ...

adhuston
Contributor

Seeing much the same result. We just finished imaging a number of our labs and had a tough time getting our CPs to apply. Reboot fixed them sometimes, but it's been a bumpy ride.

blackholemac
Valued Contributor III

I hope 10.11.5 isn't the fix...we'll need something much sooner than that. Things were working just fine in 10.11.3 two weeks ago.

I hadn't updated my base image to 10.11.4 yet and have little plan to until Apple gets this under control.

Blackholemac

apizz
Valued Contributor

So this is interesting. I've been able to confirm this issue on my personal laptop running 10.10.4. I've restarted once and I still haven't gotten the new config profile ... so is this a larger Apple issue and not just isolated to 10.11.4?

blackholemac
Valued Contributor III

It is definitely larger...10.11.4 isn't even in our workflow yet...it shouldn't need to be...haven't had a full chance to vet yet.

blackholemac
Valued Contributor III

I personally think APNS has a cluster node down somewhere for what it's worth.

apizz
Valued Contributor

... and yet it works when I push to some hard-wired machines ... what is going on??

blackholemac
Valued Contributor III

It's probably not your network...I was reimaging using Thunderbolt Ethernet dongles...I had the problem there too...given the sporadic nature of this problem a node, cluster or group of cluster nodes on APNS about has to be down.

apizz
Valued Contributor

@blackholemac but I thought config profiles came directly from the JSS to clients and did not require APNs?

bpavlov
Honored Contributor

Not quite. There needs to be a communication between the JSS, client and APN.

Vote this up: https://jamfnation.jamfsoftware.com/featureRequest.html?id=4619

blackholemac
Valued Contributor III

@bpavlov is spot on. Unless you are manually hand installing a profile by downloading it manually to a local client (or using the profiles command) you are using standard MDM commands (which requires APNs communication).

What @bpavlov is requesting in his feature request is the ability to have Casper lay on the profiles locally in a managed manner (instead of through standard MDM channels). An interesting concept for sure, but we shouldn't need it. Apparently after the likes of today though, we might.

Retrac
Contributor

APNS and CP's seem to be back to normal this morning.

My 10.11.4 test Mac which was not applying CP's until reboot yesterday is today applying instantly, if anything it's the fastest I've ever seen a CP apply and take effect (moving the dock for visual test)

adhuston
Contributor

Same here. Config Profiles are working again! For what it's worth, I was having trouble applying profiles to multiple versions of Mac OS X, including 10.9, 10.10, and 10.11.

MTFIDjamf
Contributor II

Same here as well. The Config Profiles are working again across 10.10.5, 10.11.3, and 10.11.4.

dnevius
New Contributor

We are having this issue with a new MacBook that we updated to 10.11.4 BEFORE joining it to Casper, and although the JSS says the profiles and policies were applied, they are not displaying in the MacBook's System Preferences, nor are the policies applying to the system. There is obviously something in the 10.11.4 update that is blocking Config Profiles and Policies deployment from Casper.

If the system was NOT on 10.11.4 (on 10.11.3 or earlier), policies applied fine.

So, Houston (JAMF), looks like Apple slipped one by you that you now have to catch up to w/ a new release ASAP.

bpavlov
Honored Contributor

@dnevius what happens if you do "sudo jamf mdm" on that computer?

ClassicII
Contributor III

I was going crazy yesterday trying to figure out what was going on. I wish we could find out!

Props to @blackholemac as this is probably what happened.

dzhang
New Contributor II

Same issue as yours.

I tried a lot to figure this out, and I found:

I think there is a bug in 10.11.4 which from MacBook Air 2015. If I use 10.11.3 instead of 10.11.4, there is no problem for enrolling to JSS.

Just tried on MacBook Air 2013, MacBook Air 2015 and MacBook Pro 2012, work fine.

I do not think it is about APNS, because at the same time, the Casper image with 10.11.3 works, the 10.11.4 does not work. They all use the same configurations.