Pending Config Profiles

New Contributor II

Using Config profiles can be very frustrating because you aren't in complete control of the entire process.
One thing I see every so often is config profiles that are constantly in the 'Pending' status. The system is working generally since most people are getting pushes. What would cause one to be in a pending state indeffinitely? Is there a way to force a push of them directly?



i have the same problem. even for those pending mac, i ran sudo jamf checkjssconnection and sudo jamf manage, it all shows the JSS is available, plus mac keeps latest update on JSS inventory. and all policies can apply to mac, but simply the config profiles are pending, why?

New Contributor II
New Contributor II

here the same, the configuration profiles all ready are on the client but the JSS still says that they are pending.
how come?


I've had issues with Config Profiles for as long as I can remember. Applying them manually is the only way I can apply them on some of my stubborn machines.


@monosodium , would you mind explaining to me what you mean by applying them manually?
I have one that is stuck, and I really need it on a machine.

Valued Contributor II

If you are having issues with stuck configuration profiles, check that your servers and your managed devices are able to talk to Apple’s Push Notification Service (APNS). You may also need to renew the push certificate, and as a last resort reënroll the computer.

I gave an in-depth presentation about APNS at JNUC 2017:


@a.holley I create a script from the config profile and deploy it that way.

Here are the steps:

  1. Create the Configuration Profile .mobileconfig however you want, for example, in Jamf Pro, or in Apple's Profile Manager. As long as you can get a physical .mobileconfig file in the end, or access the direct xml of the profile.
  2. If you created it in Jamf Pro, access it in the GUI and use the Download button in the Profile details.
  3. Use the following command on the downloaded file. This is necessary with any downloaded from Jamf Pro, since they end up as signed Config Profiles:
security cms -D -i /path/to/profilename.mobileconfig | xmllint --format -

4. Take the output from the above command in Terminal and copy it. You will paste this into a script.
5. Create a script with the following information in it. You will need to edit some of this to correspond to whatever it is that you're deploying, like a name for the profile for example.

#!/bin/bash ## Create the .mobileconfig file in /private/tmp/
cat << EOF > /private/tmp/profile.mobileconfig
*<paste the entire xml code for the configuration profile from step 3 and 4 here, unaltered>*

## Install the .mobileconfig with the profiles command
/usr/bin/profiles -I -F /private/tmp/profile.mobileconfig

if [ $? == 0 ]; then
    echo "Successfully installed. Deleting local file..."
    rm -f /private/tmp/profile.mobileconfig
    exit 0
    echo "Installation of profile failed. Deleting local file..."
    rm -f /private/tmp/profile.mobileconfig
    exit 1

So you can essentially create these scripts that install a config profile. A bit more of a pain but it has worked for us.

You can even make extension attributes based on the config profile UUID to confirm compliance.

I did not come up with this by the way, I can't remember where I found it to give credit though.

Contributor II

@a.holley I know this thread is old, but When I run this, I get:

Script result: profiles install for file:'/tmp/test.mobileconfig' and user:'root' returned 13 (The profile must originate from a user approved MDM server.)

Any ideas?

Esteemed Contributor II

@rpayne Deploy the profile from Jamf Pro as a Configuration Profile instead of a scripted install. Some profiles such as kernel extension and privacy approvals can only be installed via MDM. There is no other option.

Contributor II

@sdagley The issue is that there are some machines that just hang on "pending" indefinitely.

New Contributor III

I'm in the same boat as well. CP's get installed initially when enrolled, but new CP's I've added since aren't being downloaded, updates aren't going through as expected, and profiles aren't being removed when de-scoped.

Very frustrating...

New Contributor III

When I've seen the message "The profile must originate from a user approved MDM server" it typically means that the user needs to approve the profile within System Preferences > Profiles.