Help

System Preferences “your system administrator has not given you access to this preference pane”

KMak84
Contributor

Posted on ‎01-29-2018 10:33 AM

2adb6920df9149d1ac3ee9e60138ebc2
Hi

We currently have 50 machines out of 400 that state the above message.

No recent policies have been pushed or amended in that case. I wanted to know how to correct this issue. I have tried to do it via Configuration Policy but for some odd reason only 40 Machines can be seen out of 400 I try to scope the Configuration Policy and it has not been defined to a specific site. We are running v9.82 on El Capitan

Any suggestions would be appreciated

0 Kudos
8 REPLIES 8

Asnyder
Contributor III

Posted on ‎01-29-2018 12:27 PM

I think this is a managed preferences thing. I would check those just in case. If it's a config profile it'll show up in the computer's inventory as a profile.

0 Kudos

justinboyle
New Contributor

Posted on ‎01-29-2018 12:32 PM

This is related to the "Restrictions" payload in a configuration profile, so you're looking in the right spot.

  1. Are you sure you haven't set any exclusions?
  2. What do you mean when you say you can only see 40 machines? What variables/groups are you using to scope the config profile?
0 Kudos

mm2270
Legendary Contributor III

Posted on ‎01-29-2018 12:37 PM

Config Profiles can only be scoped to machines that are enrolled into MDM, meaning if you look at the device record, under the General section it should say "MDM Capability: Yes" If it doesn't say that, profiles can't be pushed to it and that would be one reason for them to not show up in scoping for the Profile.
It may not be the only reason though.

0 Kudos

KMak84
Contributor

Posted on ‎01-29-2018 12:45 PM

@justinboyle In 'Restrictions' payload I have set it so it is not greyed out / disabled. But when trying to scope to machines that are enrolled into JSS and the machines in questions, I am unable to scope it as it is not appearing in there.

@mm2270 I will check again in the general section if it states "MDM Capability: Yes".

It is odd that it only happened to those machines, this was never an issue before.

0 Kudos

KMak84
Contributor

Posted on ‎01-30-2018 02:00 AM

Just had a look now and 'MDM Capability' is No

When trying to re-enroll interestingly it fails with this message

41e3e3516e30460eb8d9929b9205b3c2

e9eacf6e40114f2fa3383df824e1c301

0 Kudos

PeterClarke
Contributor II

Posted on ‎01-30-2018 04:16 AM

Hi, 'k84' - as for fails to re-enroll with this…

I have seen that kind of thing too…
It seems to be caused by the computer record 'already existing' before re-enrolment.

You have two choices:
1: Delete the 'computer record' before trying to re-enrol the machine…
2: Don't delete the 'computer record' - but after the enrol fails 'the first time', re-enrol it a second time - this time around it should 'succeed'.

If you have the condition, where the machine is re-enrolled, but 'failed' the enrolment
- then it's kind of 'half-in' the system… and some things sometimes don't work correctly on it…
- For it to work 'correctly' - you need to end up in the state where enrolment 'succeeded'…

0 Kudos

mm2270
Legendary Contributor III

Posted on ‎01-30-2018 08:36 AM

Also make sure you are using a new QuickAdd after going through the User Initiated Enrollment (UIE), or a standalone one from Recon.app. You can't reuse the QuickAdd's that get pulled down when doing the UIE process. Those are one offs that will only work once. The one's built from Recon.app will work over and over again.

0 Kudos

KMak84
Contributor

Posted on ‎01-30-2018 01:49 PM

Hi @PeterClarke & @mm2270

I will let you know how I get on.

Thanks guys

0 Kudos