Using Config profiles can be very frustrating because you aren't in complete control of the entire process.
One thing I see every so often is config profiles that are constantly in the 'Pending' status. The system is working generally since most people are getting pushes. What would cause one to be in a pending state indeffinitely? Is there a way to force a push of them directly?
i have the same problem. even for those pending mac, i ran sudo jamf checkjssconnection and sudo jamf manage, it all shows the JSS is available, plus mac keeps latest update on JSS inventory. and all policies can apply to mac, but simply the config profiles are pending, why?
If you are having issues with stuck configuration profiles, check that your servers and your managed devices are able to talk to Apple’s Push Notification Service (APNS). You may also need to renew the push certificate, and as a last resort reënroll the computer.
I gave an in-depth presentation about APNS at JNUC 2017:
@a.holley I create a script from the config profile and deploy it that way.
Here are the steps:
security cms -D -i /path/to/profilename.mobileconfig | xmllint --format -
4. Take the output from the above command in Terminal and copy it. You will paste this into a script.
5. Create a script with the following information in it. You will need to edit some of this to correspond to whatever it is that you're deploying, like a name for the profile for example.
#!/bin/bash ## Create the .mobileconfig file in /private/tmp/ cat << EOF > /private/tmp/profile.mobileconfig *<paste the entire xml code for the configuration profile from step 3 and 4 here, unaltered>* EOF ## Install the .mobileconfig with the profiles command /usr/bin/profiles -I -F /private/tmp/profile.mobileconfig if [ $? == 0 ]; then echo "Successfully installed. Deleting local file..." rm -f /private/tmp/profile.mobileconfig exit 0 else echo "Installation of profile failed. Deleting local file..." rm -f /private/tmp/profile.mobileconfig exit 1 fi
So you can essentially create these scripts that install a config profile. A bit more of a pain but it has worked for us.
You can even make extension attributes based on the config profile UUID to confirm compliance.
I did not come up with this by the way, I can't remember where I found it to give credit though.
@a.holley I know this thread is old, but When I run this, I get:
Script result: profiles install for file:'/tmp/test.mobileconfig' and user:'root' returned 13 (The profile must originate from a user approved MDM server.)