Help

Tracking if a mac has its MDM profile's or not

ClassicII
Contributor III

Posted on ‎03-15-2013 07:55 AM

Hey guys,

We are using MDM profiles on our machines and 10.8.2. We have noticed in a few occasions that some of the profiles will disappear. For example the Device Profile "Baseline" will disappear and only Network Baseline and MDM enrollment will remain. Other times after the machine is imaged it will not pull down one profile or the other and get shipped out that way. We are now checking before they leave and I also know that they should come down once they hit the network again. We are working on that, but until then it would be great if we had a way to check this. Maybe this is not even possible but if any one would know it would be you guys!

Thanks

0 Kudos
5 REPLIES 5

franton
Valued Contributor III

Posted on ‎03-15-2013 07:59 AM

There is a built in template for an extension attribute that can show you if MDM profiles exist on your macs or not.

If you require more info (as I have recently), I used this code pasted into a different attribute.

#!/bin/bash

# Script to read MDM profile address into an Extension Attribute
# This is needed to make sure that our computers are pointing to the correct URL

# Author : r.purves@arts.ac.uk
# Version: 1.0 - Inital Version

# Read the current computer profile and grep for the organisation name

CurrentJSSURL=$( profiles -C -v | grep -m1 "organization:" | cut -d " " -f 4 )

# Check to see if a MDM cert is present

if [ -z $CurrentJSSURL ];
then
   echo "<result>No MDM Certificate</result>"
   exit 0
fi

# Since a cert is present, report it's address. Leave the checking to a smart group.

echo "<result>$CurrentJSSURL</result>"

exit 0
0 Kudos

mscottblake
Valued Contributor

Posted on ‎03-15-2013 09:18 AM

This is an extension attribute I use to track installed configuration profiles:

#!/bin/bash

profiles=$(profiles -C -v | awk -F: '/attribute: name/{print $NF}' | sort)
echo "<result> $profiles </result>"

exit 0

This will return a sorted list of all installed profile names.

I also saved an advanced search that displays them. In my environment, there are large blocks of machines that should all have the same profiles, so I can see at a glance when one is out of whack.

0 Kudos

ClassicII
Contributor III

Posted on ‎03-15-2013 09:55 AM

Guys,

GREAT stuff!!!!

Have you noticed that the profiles hold pretty well? Or do they sometimes disappear ?

If they are not there do you then just wait and hope for them to come back down or do you manually make the machine attempt to get them again ?

0 Kudos

mscottblake
Valued Contributor

Posted on ‎03-15-2013 10:01 AM

If they drop them expectantly, they won't come back. Due to an Apple defect (13189964), the JSS has no idea that they were removed and will not attempt to correct the problem. It has to be done manually.

0 Kudos

franton
Valued Contributor III

Posted on ‎03-15-2013 11:09 AM

We haven't had any disappear, but I wrote the attribute code above so we could selectively replace MDM certificates as we change our JSS address. That attribute is scoped to a smart group. The smart group is added to a policy that executes the following command:

jamf mdm -verbose

This neatly replaces/installs the MDM cert.

0 Kudos