Unsupervised devices

Hayden_Webb
New Contributor III

Does anyone know how devices would become unsupervised? We've been running into issues and I noticed a lot of these computers weren't supervised, so I ran a report and somehow over 800 computers are reporting unsupervised. We will be wiping all the computers over the summer so it's not an urgent issue, I'm just curious how this could happen.

11 REPLIES 11

steve_summers
Contributor III

Hey @Hayden_Webb .  I'd suggest you look into this product issue: PI-0004866

This particular product issue is one where Macs become unsupervised.  No idea what your Jamf setup is (on prem/Cloud) but depending upon your Jamf Pro version, this could be the culprit.  I had this issue myself.  I setup a smart group where I monitored all Macs that were unsupervised and as we implemented newer versions of MacOS across the org AND Jamf Pro was upgraded, those numbers drastically fell off.  

I'd suggest you hit up Jamf Support and work with a support agent on determining whether or not the issue is the PI or something in your environment if it's not this defect. Good luck. 

Hi @steve_summers , I need to set up a smart group to find if I have any more unsupervised Macs. I can't see what criteria to use though, would you mind explaining how you did this? I see 'managed by' but in this case, that field is correctly populated. Thanks.

Hey @sparrowhawk , yeah, so the criteria I used for my smart group was "Supervised", as a criteria.  I clicked "Show Advanced Criteria" and way down on the list is Supervised.  Add that, then as the choice, use Supervised - Is - No.  

That should do it. Let me know if it doesn't.  

Ah yes, I had forgotten about the advanced criteria. Thanks Steve!
So I have 47 out of 84 unsupervised devices. They all appear to be running Catalina. I'm wondering if I should use the API to reenrol these devices? I'm not clear what having them as unsupervised means in real terms, or how they came to be that way (I've recently had to take back management of this deployment after a colleague left).

I think I'll raise a support ticket for this.

Greg

Hey @sparrowhawk .  

>>I'm not clear what having them as unsupervised means in real terms<<

Here is an article from DataJar that outlines how this impacts iOS devices, so take it with a grain of salt for Mac laptops and desktops: https://support.datajar.co.uk/hc/en-us/articles/360020069357-Management-differences-between-supervis...

Basically, it means your devices will check in, but getting them to do certain things can be a challenge.  I don't know if you're using Apple Business Manager and auto-enrolling devices via a Zero-Touch workflow, but if you are, you can run this command in terminal on an unsupervised device and it will re-run the enrollment: sudo profiles renew -type enrollment

Give that a whirl on a test device so you know what the experience will be.  Depending too upon the size of your Org, if you have a level 1 team, document all this with a list of devices and open a ticket for them to do all the work.  Just free advice.  :-)

Hi @steve_summers 
Thanks for the link and advice. We have 84 Macs, so not a big org. The issues I'm trying to fix are that certain policies are not being applied to some Macs, and trying to reenrol one through the API returned an error that the device ID couldn't be found. So I'm wondering if the framework needs to be uninstalled and reinstalled to fix this? IDK, I'm having to relearn a lot at the moment!

Greg

@sparrowhawk , it's cool, re-learning happens.  

If you run the command I provided, it re-loads the Jamf binary on the device as well as running the staging (build) setup you may have in place.  So, for me, when we run it on our devices, the splash screen shows up as if the device is being newly staged (we know the keystrokes to close it) and then the dock gets reset to the default.  That is the only item that could impact an end user, having to re-do their dock.  

Hope that helps make things easier.  Good luck!

Does that command work even if we don't use ABM + ZT? We enrol devices through the web GUI?

Hey @sparrowhawk   I was thinking about this. I’m frankly not sure. Try it out on a test device and see what happens. I suspect the jamf binary will load and since you’re not using ABM, it would do anything besides re-enroll the device. 

I don't think it worked. Ran the command, no errors, then ran a recon but the last enrolment date didn't change. Ideally, I'd like to find a way of reinstalling the JAMF framework using the API so that I don't have to use ssh over our VPN. I've followed the guide here, but it hasn't worked yet.

Many thanks for your assistance Steve, much appreciated!

Greg

Hayden_Webb
New Contributor III

I looked and every computer with an OS of 10.15 and lower in the report I ran and the supervision doesn't say "No", it says "Collected for macOS 10.15.0 or later". I looked at their management history and they have been getting configuration profiles, so they are supervised. I guess Collected for macOS 10.15.0 or later reports the same way as No. So there's only a handful with this issue instead of the 800. I put in a ticket with JAMF for clarification.

 

Thanks for the help.