Jamf Nation Community

miotke · ‎01-24-2018

SOLVED
The title is a bit confusing so here's a better explanation.

We have an established policy that has been working great since we starting using Jamf earlier this summer. Lately, when I go to add a Mac to the policy(scoping to individual computers) sometimes the Mac will not take the policy. I'll set up another Mac and it will take just fine. I can seem to figure out why on some Macs the policy will take and others it just wont. Below is what I've tried thus far.

Remove and re-add policy to ma
Force check for policies with sudo jamf policy
Unenroll, delete from Jamf Pro, enroll again
Re-image Mac
Removed MDM profile and re-enrolled
Clone the policy and scoped to just the troubled Mac

All of the above has not resolved the issue. However, if I create a brand new policy(without cloning) it works fine.

At first I thought it might be an issue with replication of policy with Jamf Cloud but, that doesn't seem to be it since I can create a brand new policy and it takes and works immediately after running sudo jamf policy

sdagley · ‎01-24-2018

@miotke A couple of things to check:

If you click the Logs button when viewing the Policy, do the machines that won't apply the policy appear with a Status of Pending?
Have you set any Exclusions in the Scope of that Policy that might match the problematic machines?

View solution in original post

sdagley · ‎01-24-2018

@miotke A couple of things to check:

If you click the Logs button when viewing the Policy, do the machines that won't apply the policy appear with a Status of Pending?
Have you set any Exclusions in the Scope of that Policy that might match the problematic machines?

miotke · ‎01-24-2018

@sdagley thanks for the reply. I should have added that to the original post. I have checked logs and the problematic Macs don’t appear in the logs at all. There’s one exclusion group that’s states the following.

FileVault 2 Eligibility is eligible and FileVault 2 Partition Encrytion State is not

sdagley · ‎01-24-2018

@miotke I take it you're not expecting the problematic Macs to be in that group? Since they're not showing in the Policy logs makes be think they are. If you click View in your Smart Group for those FV2 settings, do the problematic Macs show up?

ibrahim_senyer · ‎01-25-2018

@miotke what is the situation on the machine policy logs?
History > Policy Logs

Any error?

miotke · ‎01-26-2018

@sdagley You hit the nail on the head, it was the exclusion group.I appreciate your help! I need to figure out why it was there as the group name isn't very descriptive. It was a exclusion that was recommended to us during our Jamf kick start so not sure what the logic was behind it.

sdagley · ‎01-26-2018

@miotke Good to hear you got it figured out. That Smart Group basically tells you a machine could have FileVault 2 turned on, but it’s not. That probably isn’t an exclusion you’d want to use the for the majority of your policies

strider_knh · ‎01-26-2018

We are running Jamf 9.101 and I see this some times. It will take a few check-ins, or triggers, before a policy will run. I was working on a station where half the policies did not run until four hours later, while doing there re-occuring check-in the whole time.

miotke · ‎01-26-2018

@sdagley I agree, I'm trying to figure out why we were directed to do so. So much for that exclusion, I already nixed it. ¯_(ツ)_/¯

Again, thanks for your help, and nice 911 :P

Jamf Nation Community

Some Policies Will Not Take on Some Macs