Jamf Nation Community

I just got off the phone with our STAM about this exact same issue. We are currently still on 9.96 though. Here is the KB on the related issue. We are currently testing the fix and it has worked at least so far. Good luck.

https://www.jamf.com/jamf-nation/articles/372/enabling-mdm-for-local-user-accounts

If it's a new user make sure that they're shown as MDM enabled in the JSS, usually if i have install issues this is the case,
i get them to log out and back in which usually gets them MDM enabled then i run recon and look at History > Management History to see if it's completed or pending the install.

Eventually the apps appeared as a pending command but do not come down to the work station.

Under management, they are showing up with the username of our management account.
The Enable MDM command was run as a local administrator that we added, not the management account. I reran the command as the management account. I followed up with a jamf recon and jamf policy commands.
I've logged in with numerous LDAP accounts as well.

The apps remain Pending.

This may not be the case with yours but worth looking,
check the inventory to make sure the application isn't already installed, if there's a version of the application anywhere on the Mac
the MDM one won't get installed.

I had earlier versions in a folder on my Desktop, it was only after deleting them and running recon that the MDM one installed.

Thanks for the suggestion, applications are not showing up in the inventory as well.

Worth a shot !

are you testing on more than one machine and with different users ?,
and are they LDAP or local users ?

Base on my pass experience with VPP. The app's as to be redeem by an Apple ID.

So in your case, you would have to set them up in "Self-Service" then click on each one by login in with an Apple ID.
However, DEP give you that option to install without an Apple ID, if your VPP and devices is tied to your DEP.

In the case of OS X, you can package the app's then deploy them with the JSS.

Here is the link to Device Enrollment Program (DEP): https://deploy.apple.com/

Hi @mblair If the app is Device assignable there's no need to use Apple ID's with VPP

Moving from User- to Device-based VPP Assignments

So far, one machine but about to test on a second. On the one machine I've logged in with 2 local admin accounts, the management account and our normal admin account. I've also logged into 3 different LDAP accounts. The 6 apps are all device assignable.
Thanks for the suggestions all, looks like I have a bigger issue and will be pushing it up the support chain at this point.

Once you figure it out it'll be worth your time!
installing apps with VPP still gives me a warm feeling ( maybe i'm odd like that! )

another obvious one, but just incase, these are 10.11 or 10.12 Macs ?

I've been enjoying it with the iPads, so I know what it could be like. They are 10.11

I too am transferring my mobile device knowledge to macOS, and trying to install the iWork apps.

The computers are 10.12, Managed, with MDM Capability: Yes. Our VPP is working, the Mac Apps are checked to use device assignment, and the scope is set up properly.

In History for Mac App Store Apps, they are Pending. If I switch to Management History I see that the commands failed, 'User canceled enabling MDM for local user account.' The user sitting at the keyboard waiting for it to happen was me, and I didn't cancel anything!

This Mac has just the management account and another local administrator; neither are MDM Capable Users. One of the comments suggested that there still needs to be an MDM enabled user? Is this really true for Device Assigned apps?

Thanks,

chris

Just a quick update. An MDM Capable user needs to be logged in for device assigned apps to deploy.

Also, if your PreStage is creating a local administrator, then it will NOT become MDM Capable automatically. I have not figured out how to make it happen retroactively so have changed my lab deployment so that the tech must create the local administrator on DEP Enrollment. I think this is a bug or edge case which I'll be reporting.

@cdenesha , did you ever find a fix for this? Just ran into yesterday after migrating to JAMF Cloud a couple of weeks ago and setting up some brand new computers this week. Very frustrating...

No fix; for that lab we signed in with our AD accounts which became MDM enabled and then ran the policy and recon. For new installs we go through DEP and create the local Administrator account manually. We have an On Enrollment policy that deletes existing iWork apps, and then on Recon the scoped apps are deployed and install. Here is the policy's Files and Processes Execute command:

rm -Rf /Applications/Garageband.app; rm -Rf /Applications/iMovie.app; rm -Rf /Applications/Keynote.app; rm -Rf /Applications/Numbers.app; rm -Rf /Applications/Pages.app

Hope that helps!

chris