Posted on 07-28-2021 07:57 AM
We are having a problem with devices removing themselves from Jamf (jamf server logs indicate it received a 401 error). The problem is that since it seems pretty random, we need to get an alert when it drops so we can start to narrow down times. What would be the best way to do this? I'd imagine just monitoring the MDM Profile (profiles command?) but then I need a timestamped popup and log to refer back to...
Anybody have any thoughts on how to do this (please)?
Posted on 07-28-2021 10:48 AM
MDM Profile won't help because this has to do with the jamf binary.
A couple of things could be possible... If your Jamf Pro isn't up to date and the jamf binary on the device up to date, it may not be renewing the device id certificate or whatever it's called. The jamf binary relies on a certificate; it used to expire and then the device would stop checking in. But in the last 6 months they set this to auto-renew. This might be the culprit if these are devices that have been enrolled for like 2, 3, 5 years.
The other culprit: if you have a script running that deletes or modifies computers, it's possible it isn't hitting the device you want. I haven't been able to prove it, but we ran into what felt like a bug where the API was modifying the wrong computer record, thus breaking the trust relationship.
Posted on 07-28-2021 11:52 AM
Posted on 07-28-2021 01:08 PM
@ImAMacGuy what about an extension attribute that checks for enrollment/unenrolled devices (say in the last week), then use that indicator in a smart group that triggers the Jamf Helper to send or forward a notification to your email or the device of your choice, and with logs. I am not going to pretend to have tested this, but there has to be a way to notify you of unenrolled devices and check for the jamf binary being present on devices. Use the capture logs script created here: https://github.com/kc9wwh/logCollection/wiki/General-Configuration to send logs to your Jamf Pro for download.
Sounds crazy but is it?
Posted on 08-02-2021 11:01 AM
You could use a logging server like Graylog and set it up to send email notifications. Maybe your org already has a central logging server you can send to?
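Added example (not part of any post in this thread): a local check combining the two suggestions above. It tests MDM enrollment and jamf binary presence, writes a timestamped line whenever the state changes, and hands the change to `logger` so a central log server can alert on it. The state and log file paths and the `enrollment_watch` tag are assumptions, and `/usr/local/bin/jamf` is assumed as the binary location.

```shell
#!/bin/sh
# Added example: local enrollment watcher, meant to run periodically
# (for instance from a LaunchDaemon). All paths below are assumptions.
JAMF_BIN="/usr/local/bin/jamf"                # assumed jamf binary location
STATE_FILE="/var/db/enrollment_watch.state"   # hypothetical path
LOG_FILE="/var/log/enrollment_watch.log"      # hypothetical path

# Reduce `profiles status -type enrollment` output plus a binary path
# to one state string such as "mdm=yes binary=present".
enrollment_state() {
    profiles_output=$1
    binary_path=$2
    mdm=no
    if printf '%s\n' "$profiles_output" | grep -q '^MDM enrollment: Yes'; then
        mdm=yes
    fi
    binary=missing
    if [ -x "$binary_path" ]; then
        binary=present
    fi
    echo "mdm=$mdm binary=$binary"
}

# Append a timestamped line only when the state differs from the last run.
# Returns 0 if a change was logged, 1 if nothing changed.
log_if_changed() {
    state=$1; state_file=$2; log_file=$3
    previous=unknown
    if [ -f "$state_file" ]; then
        previous=$(cat "$state_file")
    fi
    if [ "$state" = "$previous" ]; then
        return 1
    fi
    printf '%s %s -> %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" \
        "$previous" "$state" >> "$log_file"
    printf '%s\n' "$state" > "$state_file"
    return 0
}

# Run the live check only where the macOS `profiles` tool exists.
if command -v profiles >/dev/null 2>&1; then
    current=$(enrollment_state "$(profiles status -type enrollment 2>&1)" "$JAMF_BIN")
    if log_if_changed "$current" "$STATE_FILE" "$LOG_FILE"; then
        # Forward to syslog so a central log server can alert on it.
        logger -t enrollment_watch "state changed to: $current"
    fi
fi
```

The first run records a baseline line (`unknown -> ...`); every later line marks the time window in which enrollment or the binary changed.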
Posted on 01-24-2024 10:46 AM
Was this ever resolved? I am currently experiencing multiple devices getting a 401 response and having all profiles removed. I have not been able to pinpoint where this 401 response is coming from or why it is being triggered.