Help

Pending Management Commands for months

janzaldua
Contributor

Posted on ‎07-21-2023 09:41 AM

Hello. I know there are many threads about this already, but I still haven't found out a long term solution for this problem. I also know there is a workaround, which is to re-enroll the device, and yes this works. But this requires scheduling time with the user for 10-15 minutes, and that can add up quickly.

Does anyone know the root cause or how to fix this issue? Here's some info for those that need it.

- We have created an extension attribute that shows if the MDM is communicating or broken

- We have renewed our push certificates

- We have tried the Jamf binary self-heal with the Jamf API, but no luck

It seems the only way to fix this issue is to remove the profile and framework, then re-enroll. This can get even more time consuming when the Profiles do not get removed and you have to wipe the entire system or disable SIP to remove the non-removable profiles.

5 REPLIES 5

pete_c
Contributor III

Posted on ‎07-21-2023 10:05 AM

Cancel all Failed or Crashed commands, then cancel all Pending commands, then send a Blank Push.  The commands to be issued will be recomputed and eventually the device will receive MDM commands successfully.

Remember, MDM stands for 'Maybe Device Management.'

janzaldua
Contributor
In response to pete_c

Posted on ‎07-21-2023 01:54 PM

This helped quite a bit actually. The solution seems to be a mix of your steps and the self heal. I'll have to test on 10+ more devices to ensure this fix actually works, but here is my solution that has worked on a few machines already.

1. Cancel all Pending/Failed commands on that device within Management > Management Commands

2. Run the Self-Heal using the Jamf API (this redeploys the Jamf Management Framework)

After that, a pending command called "InstallApplication" will pop-up. As long as the device is online, it will resolve itself within 5-10 minutes.

0 Kudos

Bol
Valued Contributor
In response to janzaldua

Posted on ‎07-21-2023 08:30 PM

I use this script on check each day, works well.
https://github.com/rtrouton/rtrouton_scripts/tree/main/rtrouton_scripts/Casper_Scripts/clear_failed_...

0 Kudos

ryanmorales1992
New Contributor

Posted on ‎10-23-2023 06:39 AM

Hi janzaldua,

We are having the same issues, do you mind sharing the extension attribute you used to track if the MDM is communicating or broken?

0 Kudos

janzaldua
Contributor
In response to ryanmorales1992

Posted on ‎10-23-2023 08:46 AM

Hi, no problem:

 

#!/bin/bash
result=$(log show --style compact --predicate '(process CONTAINS "mdmclient")' --last 1d | grep "Unable to create MDM identity")
if [[ $result == '' ]]
then
echo "<result>MDM is communicating</result>"
else
echo "<result>MDM is broken</result>"
fi