Jamf Nation Community

Leafeon182 · ‎01-17-2023

Hello all,

I have a JamfPro instance with about 40 Macbooks. Of those, I have 10 devices that are not accepting any management commands. To clarify, all of the management commands and configuration profiles are stuck in pending and nothing that I have done so far appears to have any effect.

I have attempted the following in an attempt to fix:

Canceling all pending commands
Sending a blank push
Renew MDM profile
Issuing the command sudo profiles renew -type enrollment via script and scoped into policy in Jamf. Results in
Script result: Error: Renewing DEP enrollment failed: (null) ((null):0)

Has anyone else run into this where specific devices are not accepting management commands? Is there any way to fix this without having to physically visit all 10 devices?

AJPinto · ‎01-18-2023

They may just need to be rebooted. You probably need to get your hands on the devices as if profiles are not loading, JAMFs MDM commands wont work. The JAMF Binary may allow you to run some commands with a policy, but that is really it.

I can tell you now Apple will say reinstall macOS from recovery if rebooting does not resolve. Honestly I'd probably reinstall macOS from recovery also as it only takes a few minutes and will likely be less of a time investment then figuring out what is going on.

View solution in original post

dlondon · ‎01-17-2023

Are you able to connect to any of the machines on the command line?

If so, maybe try

sudo jamf recon

and see whether it can do a full recon

mschroder · ‎01-18-2023

Things you could check: Do these devices have up-to-date MDM profiles? Are the MDM profiles user approved?

AJPinto · ‎01-18-2023

They may just need to be rebooted. You probably need to get your hands on the devices as if profiles are not loading, JAMFs MDM commands wont work. The JAMF Binary may allow you to run some commands with a policy, but that is really it.

I can tell you now Apple will say reinstall macOS from recovery if rebooting does not resolve. Honestly I'd probably reinstall macOS from recovery also as it only takes a few minutes and will likely be less of a time investment then figuring out what is going on.

bfrench · ‎01-18-2023

This has helped in a few instances where devices were still checking in but not running commands.

https://www.modtitan.com/2022/02/jamf-binary-self-heal-with-jamf-api.html

channy-cl · ‎01-18-2023

First as @AJPinto suggested, have the laptops rebooted somehow.

Then try the self-heal option suggested by @bfrench.

At last, here we have the user of the laptop run the command instead as they have admin access

sudo profiles renew -type enrollment

Leafeon182 · ‎01-20-2023

Seeing some sporadic success with using the self-heal. Thank you @channy-cl and @bfrench !! Had no idea such an option was available, and I want to be sure I thank you for the suggestion.

That said, is there no other way to issue the sudo profiles renew -type enrollment from the MDM? Just trying to think of a way this could possibly be automated?

Again, thank you all for taking the time, I'm still learning a lot.

channy-cl · ‎01-20-2023

That is a chicken and egg problem!

We generally want the "profile renew" command executed on a device where for some reason MDM is broken. But when MDM is broken on the device, there is no way to send the command via MDM :|

Leafeon182 · ‎01-20-2023

I'm fully able to scope them into policies and scripts just fine. Those run and execute regularly and pretty much as expected. Its *only* management commands and configuration profiles.

channy-cl · ‎01-20-2023

Ahh I see what you mean!

I have not tried it myself, but may be you can try find the active user and run the command as that user.

For example,

sudo -u johnd sudo profiles renew -type enrollment

Basically, I believe (might be completely wrong) that policy scripts run as root user and that might be the reason it does not work when run via policy.

If you test it, I would be super curious to know how it goes.

Leafeon182 · ‎01-20-2023

I'll give it a try and let you know. Thank you! As a side note, I have limited access to the devices right now, but will have more direct physical access on Monday, 1/23/23.

channy-cl · ‎01-24-2023

@Leafeon182 I was thinking about running "profile renew" via script and don't think that will solve your issue completely!

Assuming even if the command runs as the user successfully, the mac will then wait for the user to go to the profile list and approve the new profile, no?

jreggans · ‎06-04-2023

What if there are no profiles in the list?

Jamf Nation Community

Pending Management Commands