Pending Configuration Profiles on live devices

SMR1
Contributor III

We deployed the new Cisco Secure Client last week along with the new configuration profile. The profile installed on 341 devices and is pending on 54 devices. I spot-checked some of the devices and they're online and checking in correctly, but the profile isn't installing, which is causing issues when trying to use the VPN. Any ideas other than restarting? These Macs are currently running Sonoma.

9 REPLIES

sdagley
Esteemed Contributor II

@SMR1 Are there any other Pending Commands showing for those Macs? Have they been restarted since the profile was enabled? And if the profile is targeted at User Level is a user logged in on those Macs?

AJPinto
Honored Contributor III

Just because a device is checking in does not mean there is not a communication issue. Get Jamf Environment Test or the Mac Evaluation Utility on one of those devices and run it, and see if anything between Apple is being blocked that is related to device management or configuration profiles.

Jamf Environment Test | App Directory

Mac Evaluation Utility - can't link directly, but it's one of the Apple Seed for IT downloads.

SMR1
Contributor III

For these 2 devices, the VPN software updated this morning correctly, but didn't install the config profile. I did check the pending commands suggested by @sdagley and both have pending commands. We deployed another update last week on the 20th that has a config profile and it's still showing pending, but the update policy did work.

AJPinto
Honored Contributor III

Things like Policies use the Jamf Framework, which uses different network hosts and ports than Apple's MDM framework, which MDM commands (like installing configuration profiles, or software updates) use. Since you are dealing with a VPN client, and issues after installing it, I am figuring something is being blocked of TLS redirection for Apple's MDM framework hosts.

SMR1
Contributor III

@AJPinto I didn't know that about the policies and config profiles. I'm going to work with one of the users tomorrow.

SMR1
Contributor III

I had the user run the environment test and they provided me the report. Is there a specific section I should be checking? I ran it on my device and it's pretty much identical, and I don't have any issues with getting config profiles.

SMR1
Contributor III

After digging around, I noticed that their MDM profile is showing as expired. It matches the date of the last completed command.

You'll need to re-enroll these devices. I have the same situation in our company. I have 13 devices with an expired MDM profile and couldn't find any other fix than manually removing the MDM profile and re-enrolling again.

Does running this command not do anything?

sudo profiles renew -type enrollment