Remotely re-enroll computers

New Contributor

We have a problem where our computers have been losing their profiles over time. We have a solution, running the command "profiles renew -type enrollment", but this requires us to get every single computer into our office one by one to manually run it. I attempted to automate this solution and have run into two new problems:

1. In spite of the -forced flag, which Apple claims will skip over confirmation, it still asks the user to confirm the profile, which our students would absolutely not do, if they even click on the notification.

2. Even though the user should already be tied to the computer in JAMF, it asks us to put in their AD information again. Our students don't know* this information and we can only take a guess at this remotely, but we can't put it into that box as is.

Is there any way to automate or skip over these issues somehow, or is there a better solution?

Additional notes:

  • Renew MDM profile in management fails on these computers; it returns a device signature error.
  • They seem to still be checking in even though they have no profiles. I have yet to test whether they actually run policies, but they appear to.
  • We're mostly using Big Sur and slowly converting to Monterey.
  • "JAMF enroll -prompt" was allowing students to remove the MDM profiles themselves and as far as we know isn't an option.
  • *The students do know their AD information, obviously, but they see an unfamiliar box pop up and tend to freak out and not know what to do, so I can't rely on them being able to enter it in.
  • We have to be as unintrusive as humanly possible as we have no idea whether the student is or isn't using their computer or is testing or anything of that nature. We may get away with a popup warning, but no user input or interruption is preferable.
  • We have 125 computers currently in this state so a mass push would be nice to have to get the problem under control, though we'll have them all in the office shortly no matter what. We'd still like to have this so there's not another thing we need to keep watching and they'll fix themselves.
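One way to find the machines that are in this state without touching the user is a Jamf extension attribute that reports the MDM enrollment status on every check-in (the original post notes the affected Macs are still checking in). The script below is an added example and not part of this thread or of Jamf's own tooling: it parses the output of `profiles status -type enrollment` and reports whether the MDM profile is present. The two sample outputs and the "MDM enrollment:" line format are constructed from what that command prints on recent macOS releases and are assumptions here; the `<result>` tags are what Jamf expects from an extension-attribute script.

```shell
#!/bin/sh
# Added example: extension-attribute style check for a lost MDM profile.
# parse_enrollment_status reads the text of `profiles status -type enrollment`
# on stdin and prints one of:
#   "Enrolled (User Approved)", "Enrolled (Not User Approved)", "Not enrolled"
# The line format "MDM enrollment: Yes (User Approved)" is an assumption
# based on the command's output on macOS 10.13 and later.
parse_enrollment_status() {
    status_text="$(cat)"
    # grep exits 1 when the line is missing; treat that as "no profile".
    mdm_line="$(printf '%s\n' "$status_text" | grep '^MDM enrollment:' || true)"
    case "$mdm_line" in
        *"Yes (User Approved)"*) echo "Enrolled (User Approved)" ;;
        *"Yes"*)                 echo "Enrolled (Not User Approved)" ;;
        *)                       echo "Not enrolled" ;;
    esac
}

# live_enrollment_status runs the real command on the Mac.
# Jamf runs extension attributes as root, which the command needs for full detail.
live_enrollment_status() {
    /usr/bin/profiles status -type enrollment 2>/dev/null | parse_enrollment_status
}

# Constructed sample outputs used for offline testing (not captured from a real Mac).
SAMPLE_OK="Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)"

SAMPLE_LOST="Enrolled via DEP: No
MDM enrollment: No"

# When installed as an extension attribute, run with --ea so Jamf gets the
# <result> tag it expects; a smart group on "Not enrolled" then lists the
# machines that need the profile re-established.
if [ "${1:-}" = "--ea" ]; then
    echo "<result>$(live_enrollment_status)</result>"
fi
```

Scoping the extension attribute to a smart group keeps the inventory of affected Macs current as they come in and out of this state, so the 125 machines do not have to be tracked by hand.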

Honored Contributor II

In 10.36 we introduced a new API endpoint that would allow for the redeployment of the Jamf framework as long as a machine was still able to receive MDM commands. 

How-to: Reinstall the Jamf Framework through the API 

You should be able to utilize that and not require any prompting or passwords.

That sounds promising- I'll ask and see if we have access to PowerAutomate or any of the other tools mentioned and hopefully we'll be able to test this as a solution soon.

Just to make sure- This would be a way to reinstall the Jamf MDM profiles, correct? We're not 100% on whether or not reinstalling the framework would also re-add the profiles we already have. Especially since the solution is very complex and written for software we don't have/can't afford (so we'd need to figure out how to do it somewhere else). We just want to be sure this will do what we need it to before we jump in and we aren't applying a complicated solution to a different problem.

This will not reinstall MDM profiles. This is for reinstalling the Jamf binary. It assumes that the MDM profiles on the machine are valid and live but that your Jamf binary has stopped functioning for whatever reason, in which case it can be reinstalled.

The MDM profiles on the machines are gone completely. That's the problem we're trying to solve. As far as I can tell the Jamf Binary is fine because the computers are still checking in, they just don't have any profiles.

We have the same problems. Our machines are checking in and we can see the last check-in, but we cannot push policies or profiles; it stays pending and cannot do anything. Any solutions found?

Not... really.

We've had too many projects for me to sit down and play with this (I should ask the other techs how it's working) but we've got this right now. It sounds promising enough, but the computers need to be receiving and processing MDM commands.