Policies repeating

mconners
Valued Contributor

Hello Everyone,

I am struggling to understand what might be happening with our deployments. This is something new for us, as over the winter break and last summer we didn't run into this.

We have a number of policies that are running as completed in the status but the policy will run again. This will usually generate a false positive error in the logs as the apps or policy would have been delivered and done its thing.

All of these deployment policies have a trigger set as Startup/Check In.

The check in period is set for 30 minutes for all computers.

The policies are set to run once per computer. The first time they run, they will show up as completed. Later in the history we are seeing the policy run again, sometimes with a failure. This isn't good as most of the policies install applications. Reinstalling the applications on top of themselves I don't think is ideal at all.

Any thoughts on what I should be looking for? Is there something I am overlooking? Seems simple enough, but I really can't get my head around this one.


gda
Contributor

This happens to me also. I have this very simple test policy: Add SelfService to the end of the Dock. I was wondering why this happens on my personal client again and again.

A bit of thinking about what happens here brought the answer. Turns out: It was the log flushing. On my JSS the policy logs will be flushed after three months. And magically the policy runs again on all my clients. :)

A possible solution for this is to create something you can scope on it, like an extension attribute looking for the installed app or app version or package.
Then you could scope your policies to this smart group. The policy should run only once per computer.

But for me it looks like a product issue we have here. "Once per Computer" should mean "Once per Computer" independently of policy logs.

ejculpepper
Contributor

We work around this by creating smart groups that look for whether certain applications are installed on a computer and then scope an install policy to the smart group.

If a computer is missing the designated software at the time of an inventory update, it is added to the smart group and the software is installed. Just need to make sure to add an "Update Inventory" to the policy so that the computer is removed from the smart group after the software is installed.
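Added example, not part of the original posts: a sketch of the extension attribute that gda and ejculpepper describe, so that scoping depends on what is actually installed rather than on the policy log. The app path `/Applications/Example.app` and the function names are hypothetical placeholders.

```shell
#!/bin/sh
# Jamf Pro extension attribute (added example): report the installed version
# of one app so a smart group can be built on the Mac's real state.
# APP_PATH is a hypothetical placeholder; point it at the app your policy installs.
APP_PATH="${APP_PATH:-/Applications/Example.app}"

# Print the app's CFBundleShortVersionString, or "Not Installed" if the bundle is missing.
app_version() {
    plist="$1/Contents/Info.plist"
    if [ ! -f "$plist" ]; then
        echo "Not Installed"
        return 0
    fi
    if [ -x /usr/libexec/PlistBuddy ]; then
        # macOS: PlistBuddy reads both XML and binary plists
        ver=$(/usr/libexec/PlistBuddy -c "Print :CFBundleShortVersionString" "$plist" 2>/dev/null) || ver=""
    else
        # Fallback for XML plists only, so the function can be exercised off a Mac
        ver=$(sed -n '/<key>CFBundleShortVersionString<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$plist")
    fi
    # A bundle with no readable version still counts as installed
    echo "${ver:-Installed (version unknown)}"
}

# Jamf stores whatever is printed between the <result> tags at inventory update
ea_result() {
    echo "<result>$(app_version "$1")</result>"
}

ea_result "$APP_PATH"
```

A smart group whose criterion is this attribute being "Not Installed" can then be the scope of the install policy, with Update Inventory in the policy so the computer leaves the group afterwards.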

mconners
Valued Contributor

Thank you @gda, this is the interesting thing about my situation. The re-running of the policies is happening like almost immediately and not every policy re-runs. For instance, we have the deployments set to install our core applications, which is the 3rd step in our list of policies. After it installs, the other things keep going, binding to AD, adding printers and some other things. That 3rd step will end up repeating itself in many cases, not all. Why the heck after like 45 minutes it has run successfully will it run again?

I agree once a policy has run once per computer, it should NEVER run again unless we physically tell it in Jamf Pro to flush the policy, which would allow it to run again.

I have a ticket open with Jamf, but it seems there is a checkbox or a switch that I have enabled without knowing it. I suspect after upgrading to 10.x, a default setting was set and I just don't know where it is set.

mconners
Valued Contributor

Thank you @ejculpepper, I appreciate the feedback, this is helpful.

In our smart groups, we do very similar things as you mentioned. The problem I am starting to find is the maintenance payload that allows the policy to update the inventory doesn't seem to always be running. I have resorted to a quick command "sudo jamf recon" at the end of the policy in order to force the update inventory to run.

Something is a little wonky and I just can't get my finger on it.

AUFilemon
New Contributor II

Just started happening with us as well. I tried to scope it to an exclusion based on DEP Notify Smart Group but that application doesn't show up in the installed apps. Right now some customers are locked into the splash screen on every reboot. Any suggestions?