Posted on 01-30-2015 02:11 PM
OK, I've now seen this behavior at TWO clients after upgrading their Windows-based JSS from 9.62 to 9.63 (tidbit: one client on Win2k8R2, the other on 2012R2).
After a machine is imaged, and it reboots and additional installs are done, when the system restarts it is void of any/all config profiles scoped to it. Only one it has is the mdm profile.
sudo jamf mdm
sudo jamf manage
don't do anything. If I do a
sudo jamf removeMdmProfile
sudo jamf enroll -prompt
When the computer gets the new MDM profile, the right certs come down.
The computer had network connectivity during the initial setup. The JSSes have the relevant APNS certs and unrestricted access to Apple's push servers.
Can anyone else repeat this? Again, the fact that it's happening at two clients is making me go hmmm…
I've got 2 support cases open, but will cc @amanda.wulff][/url to see if I'm the only one seeing this.
Posted on 01-30-2015 02:23 PM
Just confirmed the workaround is to insert a QuickAdd package into the imaging workflow. But I shouldn't have to...
Posted on 01-31-2015 10:02 AM
I've been testing 9.63 in the lab on a similar setup, I haven't seen this issue yet... Thanks for the heads up.
Posted on 01-31-2015 01:46 PM
@RobertHammen What in the QuickAdd package is actually fixing the issue. Couldn't this be just a online script performed post-image?
Posted on 01-31-2015 02:07 PM
Just tried in a VM, Ran Casper Imaging 9.63 to pave down 10.10.2 with one package and one printer. Restarted and I see my MDM Profile plus two default Profiles.
9.63 was upgraded from 9.62 running on Ubuntu.
Posted on 02-01-2015 10:20 AM
@justinrummel Not sure. Don't see any errors in the post-imaging /var/log/jamf.log but the profiles don't end up on the device unless a QuickAdd is injected into the imaging workflow.
JAMF Support replied that they have someone else reporting the same issue. Not sure if it's Windows-specific. I haven't yet imaged from a Mac-based 9.63 (have no clients with Linux JSSes), so...
Posted on 02-01-2015 10:43 AM
@RobertHammen how are your Profiles scoped? My two that worked were scoped to "All Clients". Just a thought.
Posted on 02-02-2015 04:47 AM
@RobertHammen][/url][/url - any chance in logs on JSS for the machine, management history, you're seeing unable to decrypt profile? I have been having that issues since 9.32, was supposedly fixed in 9.4 (had to run quickadd), but I'm seeing it again in 9.62. However, even running quickadd doesn't seem to be helping in 9.62... (and I hate running packages at reboot. I have weird issues with my post image scripts when doing that, adobeinstall account not 100% being deleted, etc).
https://jamfnation.jamfsoftware.com/discussion.html?id=11579
Posted on 02-02-2015 12:19 PM
I'm seeing something similar. I'm using 9.62 and with the 10.10.2 install from imaging and the system is enrolled and has the MDM profile, but none the configuration profiles are being pushed to the system.
I have done an re-enroll, jamf manage, jamf mdm; and have not had any luck. The odd thing is the JSS knows there is a problem too because on the Management tab for the device inventory, I do not have a "Management Commands" group to where I can lock or wipe the system, but the History tab shows that I have configuration profiles pending.
Since 10.10.2 came out last Tuesday, I figured there will be a new version of the JSS soon, which may or may not address this issue.
Posted on 02-02-2015 12:45 PM
For those of you who are seeing an MDM profile on the client, but are not getting any profiles pushed down, and are unable to get the profiles down by just running a jamf manage, could you please take a look at the MDM profile on an affected machine and see if it has a payload identifier at all?
We’d also want to look at the inventory record of the affected computer in the JSS and see if, under Profiles, it shows any “Unknown Profile” profiles.
The other case I saw this behavior on also exhibited what I've just described, so if that's not what we're seeing in your cases, it's most likely not the same thing.
I’ve seen one other case, as I mentioned, that may be similar, but it occurred on a JSS running on a Mac, so it’s likely that it’s just coincidental that the two JSSes mentioned by @RobertHammen happened to be running Windows.
@RobertHammen I also left a couple of notes on your open case for your Technical Account Manager as well.
Thanks!
Amanda Wulff
JAMF Software Support