Posted on 01-20-2020 02:21 PM
If a computer does one of the Patch Policies in Patch Management, the computer is then marked as "Completed". If the computer is wiped and deployed again, it doesn't get patched because Jamf thinks it's already done.
What should I be doing for this to work?
Posted on 01-21-2020 03:54 AM
Hey Jason
In the settings, under Global Management -> Re-enrollment, is Clear policy logs on computers enabled?
Posted on 01-21-2020 06:30 AM
Short term you can go to those computers, >history>Policy logs and flush all logs. Long term you would want to move away from using "Once Per Computer" Policies for standard software. https://www.jamf.com/resources/videos/moving-beyond-once-per-computer-workflows/
Posted on 01-21-2020 07:32 AM
I am not personally a fan of having clear policy logs enabled on the re-enrollment level, because it can cause unwanted behavior should you ever have to re-enroll a machine that is currently in use.
What I have done is added the command
/usr/local/jamf/bin/jamf flushPolicyHistory
to my Erase macOS and re-install macOS scripts that I have. I also include API calls to make sure the computer is unmanaged in the JSS/JPS so that I am not paying for licenses on machines that are blank.
Posted on 01-21-2020 12:46 PM
In the settings, under Global Management -> Re-enrollment, is Clear policy logs on computers enabled?
Yes it is. I assumed this is only for normal Policies, and not Patch Policies, since the latter can't be cleared in the console.
Posted on 01-21-2020 12:48 PM
Short term you can go to those computers, >history>Policy logs and flush all logs. Long term you would want to move away from using "Once Per Computer" Policies for standard software.
I think you're talking about normal Policies, not Patch Policies. There's no flush logs or trigger for Patch Policies.
Posted on 01-21-2020 12:55 PM
What I have done is added the command /usr/local/jamf/bin/jamf flushPolicyHistory
@sdamiano Thanks. Can you confirm that this flushes Patch Policies even though there's no "flush" in the console for them?
Posted on 01-21-2020 01:05 PM
If the machines are being wiped and re-deployed, why not just delete them from Jamf and let them re-enroll with a completely fresh history?
Posted on 01-21-2020 05:26 PM
@echave If you're using DEP, then technically a user could conceivably internet restore and automatically re-enroll themselves (in fact this might even be the preferred method in the case of total OS failure offsite). I doubt there is a way to include a delete prior to removal in this scenario, so you have to account for re-imaged machines coming back into the system somehow.
We used a scripted solution as per @sdamiano for ours; you're generally going to have some kind of first run happening, so it's pretty easy to drop in there. It is worth noting that if you have a large database or a device with a large amount of logging it can take some time, so it needs to be followed by a short delay before attempting to check for any further policies.
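The two scripted workflows described in this thread (flushing policy history plus an API call to unmanage the record in an erase/reinstall script, and flushing plus a delay before the policy check in a first-run script), combined into one added example. This is not code posted by anyone above. It assumes the standard binary path /usr/local/jamf/bin/jamf, the Classic API PUT on /JSSResource/computers/serialnumber/<serial> with the remote_management/managed XML keys, the environment variable names JAMF_URL, JAMF_API_USER and JAMF_API_PASS, and a 30-second default delay; the thread does not settle whether flushPolicyHistory also resets patch policy status.

```shell
#!/bin/sh
# Added example for this thread, not code posted by any participant.
# Two modes:
#   pre-wipe  : flush policy history and mark the record unmanaged before erasing
#   first-run : flush policy history after re-enrollment, wait, then check policies
JAMF_BIN="${JAMF_BIN:-/usr/local/jamf/bin/jamf}"   # standard binary path
FLUSH_DELAY="${FLUSH_DELAY:-30}"                  # seconds; assumed default, raise for large databases
JAMF_URL="${JAMF_URL:-}"                          # placeholder, e.g. https://jss.example.invalid:8443
JAMF_API_USER="${JAMF_API_USER:-}"                # API account limited to computer record updates
JAMF_API_PASS="${JAMF_API_PASS:-}"

# Flush the local policy history, then pause so a later `jamf policy`
# does not run before the flush has finished on the server side.
flush_policy_history() {
    "$JAMF_BIN" flushPolicyHistory || return 1
    sleep "$FLUSH_DELAY"
}

# Body for the Classic API PUT that turns remote management off (assumed structure).
build_unmanage_xml() {
    printf '<computer><general><remote_management><managed>false</managed></remote_management></general></computer>'
}

# Refuse to touch the network unless all three API settings are present.
api_config_ok() {
    [ -n "$JAMF_URL" ] && [ -n "$JAMF_API_USER" ] && [ -n "$JAMF_API_PASS" ]
}

# PUT the record by serial number so a blank machine stops consuming a licence.
set_unmanaged() {
    serial="$1"
    api_config_ok || { echo "API settings missing; skipping unmanage" >&2; return 1; }
    curl -fsS -u "$JAMF_API_USER:$JAMF_API_PASS" \
        -H 'Content-Type: application/xml' -X PUT \
        --data "$(build_unmanage_xml)" \
        "$JAMF_URL/JSSResource/computers/serialnumber/$serial"
}

# Read this Mac's serial number for the API call.
local_serial() {
    system_profiler SPHardwareDataType | awk '/Serial Number/ {print $4}'
}

# Run from the erase/reinstall script, before the wipe starts.
pre_wipe() {
    serial="${1:-$(local_serial)}"
    flush_policy_history || { echo "flushPolicyHistory failed" >&2; return 1; }
    set_unmanaged "$serial" || echo "record left managed; fix manually in the console" >&2
}

# Run from the first-run script after DEP re-enrollment.
first_run() {
    flush_policy_history || { echo "flushPolicyHistory failed" >&2; return 1; }
    "$JAMF_BIN" policy    # Once-Per-Computer policies are eligible again after the flush
}

case "${1:-}" in
    pre-wipe)  pre_wipe "${2:-}" ;;
    first-run) first_run ;;
esac
```

Invoke as `sh reset-jamf-history.sh pre-wipe` from the erase workflow or `sh reset-jamf-history.sh first-run` from the post-enrollment workflow; with no argument the file only defines the functions, so it can be sourced. Keep the API account scoped to computer record updates and supply its credentials from the environment rather than hard-coding them in a script that ships to every Mac.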