Way to watch for jamf removal?

Valued Contributor II

We are having a problem with devices removing themselves from Jamf (jamf server logs indicate it received a 401 error).  The problem is that since it seems pretty random, we need to get an alert when it drops so we can start to narrow down times.  What would be the best way to do this?  I'd imagine just monitoring the MDM Profile (profiles command?) but then I need a timestamped popup and log to refer back to...


Anybody have any thoughts on how to do this (please)?



Valued Contributor

MDM Profile won't help because this has to do with the jamf binary.

Couple things could be possible....if your Jamf Pro isn't up to date and the jamf binary on the device up to date, it may be not renewing the device id certificate or whatever it's called. The jamf binary relies on a certificate, it used to expire and then the device would stop checking in. But in the last 6 months they set this to auto renew. This might be the culprit if these are devices that have been enrolled for like 2, 3, 5 years.


The other culprit, if you have a script running that deletes or modifies computers it's possible it isn't hitting the device you want. I haven't been able to prove it but we ran into what felt like a bug where the API was modifying the wrong computer record thus breaking the trust relationship. 

Valued Contributor II
It’s cloud based jamf and current. This is only happening in a couple of our sites. We can see jamf cloud server logs receiving the 401 error and doing (as I understand it in my head, but may not be the right terminology) is that the 401 is acting as an emergency removal of the binary. It actually seems to happen only on LAN, Wi-Fi seems fine. If we have the device connected to both, it seems fine.

But because it’s randomly getting removed, it’s been difficult to catch (since we have to go looking for the missing profiles or self service).

iPhone. iTypos. iApologize. 

Contributor III

@jwojda what about an extension attribute that checks for enrollment/unenrolled devices (say in the last week) then use that indicator in a smart group that triggers the JAMF helper to send or forward a notification to your (Email) or the device of your choice and with logs.  I am not going to pretend to have tested this but there has to be a way to notify you of unenrolled devices and check for the JAMF binary being present on devices.  Use the capture logs script created here: https://github.com/kc9wwh/logCollection/wiki/General-Configuration  to send logs to your JAMF pro for download. 

Sounds crazy but is it?

Contributor III

You could use a logging server like Graylog and set it up to send email notifications. Maybe your org already has a central logging server you can send to?