Some Policies Will Not Take on Some Macs

miotke
New Contributor III

SOLVED
The title is a bit confusing so here's a better explanation.

We have an established policy that has been working great since we started using Jamf earlier this summer. Lately, when I go to add a Mac to the policy (scoping to individual computers) sometimes the Mac will not take the policy. I'll set up another Mac and it will take just fine. I can't seem to figure out why on some Macs the policy will take and others it just won't. Below is what I've tried thus far.

  • Remove and re-add policy to Mac
  • Force check for policies with sudo jamf policy
  • Unenroll, delete from Jamf Pro, enroll again
  • Re-image Mac
  • Removed MDM profile and re-enrolled
  • Clone the policy and scoped to just the troubled Mac

All of the above has not resolved the issue. However, if I create a brand new policy (without cloning) it works fine.

At first I thought it might be an issue with replication of policy with Jamf Cloud, but that doesn't seem to be it since I can create a brand new policy and it takes and works immediately after running sudo jamf policy.

1 ACCEPTED SOLUTION

sdagley
Esteemed Contributor II

@miotke A couple of things to check:

  • If you click the Logs button when viewing the Policy, do the machines that won't apply the policy appear with a Status of Pending?
  • Have you set any Exclusions in the Scope of that Policy that might match the problematic machines?

miotke
New Contributor III

@sdagley thanks for the reply. I should have added that to the original post. I have checked logs and the problematic Macs don’t appear in the logs at all. There’s one exclusion group that states the following.

FileVault 2 Eligibility is eligible and FileVault 2 Partition Encryption State is not

sdagley
Esteemed Contributor II

@miotke I take it you're not expecting the problematic Macs to be in that group? Since they're not showing in the Policy logs makes me think they are. If you click View in your Smart Group for those FV2 settings, do the problematic Macs show up?

ibrahim_senyer
New Contributor III

@miotke what is the situation on the machine policy logs?
History > Policy Logs

Any error?

miotke
New Contributor III

@sdagley You hit the nail on the head, it was the exclusion group. I appreciate your help! I need to figure out why it was there as the group name isn't very descriptive. It was an exclusion that was recommended to us during our Jamf kick start so not sure what the logic was behind it.

sdagley
Esteemed Contributor II

@miotke Good to hear you got it figured out. That Smart Group basically tells you a machine could have FileVault 2 turned on, but it’s not. That probably isn’t an exclusion you’d want to use for the majority of your policies.
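
The scoping behaviour that resolved this thread (an exclusion Smart Group overriding an individually scoped Mac), sketched as an added example that is not part of any poster's reply or Jamf's own code. The policy and group data are constructed and only shaped like a Jamf Pro Classic API policy record; all names and ids are made up, and buildings, departments and limitations are ignored.

```python
"""Explain why a Mac is, or is not, in a policy's effective scope."""

# Constructed sample data (assumed shape of a policy's "scope" element).
POLICY = {
    "general": {"id": 42, "name": "Baseline Apps (constructed)"},
    "scope": {
        "all_computers": False,
        "computers": [{"id": 101, "name": "MAC-OK"},
                      {"id": 102, "name": "MAC-STUCK"}],
        "computer_groups": [],
        "exclusions": {
            "computers": [],
            "computer_groups": [{"id": 7, "name": "FV2 eligible but not enabled"}],
        },
    },
}
# Constructed Smart Group membership: group id -> member computer ids.
GROUP_MEMBERS = {7: {102}}


def _matches(section, group_members, computer_id, label):
    """Return the reasons a computer matches one scope section."""
    reasons = []
    if any(c["id"] == computer_id for c in section.get("computers", [])):
        reasons.append(f"direct {label}")
    for group in section.get("computer_groups", []):
        if computer_id in group_members.get(group["id"], set()):
            reasons.append(f"{label} group '{group['name']}'")
    return reasons


def explain_scope(policy, group_members, computer_id):
    """Return (in_scope, targeted_by, excluded_by); exclusions always win."""
    scope = policy["scope"]
    targeted_by = ["all computers"] if scope.get("all_computers") else []
    targeted_by += _matches(scope, group_members, computer_id, "target")
    excluded_by = _matches(scope.get("exclusions", {}), group_members,
                           computer_id, "exclusion")
    return bool(targeted_by) and not excluded_by, targeted_by, excluded_by


if __name__ == "__main__":
    for cid in (101, 102):
        in_scope, why, blocked = explain_scope(POLICY, GROUP_MEMBERS, cid)
        print(cid, "in scope" if in_scope else "NOT in scope",
              "| targets:", why, "| exclusions:", blocked)
```

A Mac that is targeted but also matches an exclusion never enters the policy's scope, which is consistent with the problematic Macs not appearing in the policy logs at all.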

strider_knh
Contributor II

We are running Jamf 9.101 and I see this sometimes. It will take a few check-ins, or triggers, before a policy will run. I was working on a station where half the policies did not run until four hours later, while doing their recurring check-in the whole time.

miotke
New Contributor III

@sdagley I agree, I'm trying to figure out why we were directed to do so. So much for that exclusion, I already nixed it. ¯_(ツ)_/¯

Again, thanks for your help, and nice 911 :P