Not all computers are showing in JAMF Protect

Hi mletendre,

The ones that are stuck in pending status, I would look at the Last Inventory Update and Last check in. If they haven't done any recent inventory update since you deployed that policy, then I would force an inventory update. 

So only 1 is in pending status. there are about 5 that say completed, however they are not showing up in Protect, even a day later. 

Ok, in the mac record in Jamf. Does it show that Jamf Protect is installed in the list of installed applications?

A few I looked at did appear to have Jamf Protect installed, but others did not even though it says completed. 

Did you re-apply the policy again to those macs that didn't have it installed to see if it actually re-installed?

Hi 

It sounds like potentially some of your devices are stuck at some point in the enrolment process. Got a few suggestions that may be of help to you assuming JAMF Protect API entry has created and been added to JAMF Pro (JAMF Applications>ProtectRegistration). Also Cloud Services connection is configured.  

Suggestion 1 - Look at using the Configuration Profile generated by your Protect plan to scope to your devices.
For our environment we use that as our primary deployment method with a policy attached to a smart group picking up any stragglers. Most machines are picked up fine using the config profile method but may take a little longer to check in. Running a Sudo protectctl -checkin is usually enough to get it into Protect.     

Suggestion 2 - Consider adding in some Extension attributes to get better visibility over what stage your devices are in. They should be in one of these states "Disconnected, Enrolling, Missing Plan, Protected, Missing CA, Protect binary does not exist". If a device is stuck in enrolling state a repair would likely resolve sudo protectctl repair.  

Example EAs are available from the JAMF Protect GitHub repository:

jamfprotect/jamf_pro_extension_attributes at main · jamf/jamfprotect (github.com)

There are other possibly considerations for things that maybe impacting but these are 2 things that made a world of difference for our environment and troubleshooting Protect issues. Hope this is also of help for you.    

Thanks @AntMac  I am going to set some time aside this afternoon to look at this.  I am VERY new to JAMF and Mac in general, so I will probably need to spend most of the time googling how to do what you are suggesting, but I will look into it. 

For those macs that appear to have it installed but not show up in the mac's record. Look at the last Inventory Update. If it hasn't completed an inventory update in a while since you deployed Jamf Protect. You can run sudo jamf manage and sudo jamf recon in terminal. 

sudo jamf manage and sudo jamf recon 

On the local machine, correct? These are all remote machines so talking an end user through it may be a little difficult but I can try. 

Yes, that is correct. But, like I stated. Look at the last Inventory Update. If it hasn't done an inventory update in a while then you will have to coordinate with the user to run those commands. 

Ok, yes thank you. I originally did the Cloud services connection and registered the tenant. I am going through the manually creating the extensions but I am not seeing the states. 

Ok, great. The main extension you would want would be the  application protect status one. jamfprotect/jamf_protect_application_status.sh at main · jamf/jamfprotect (github.com)

The states will populate on the next inventory cycle the workstation runs. Your only other way to get the state information would be to run terminal commands on the machine. For future, the terminal command line to get the state is sudo protectctl info. Rather than trying to walk your users through the terminal commands you could try this potential alternative option to force an inventory cycle. This assumes that the JAMF Pro Binary is healthy.  

Create a new policy, set an update inventory maintenance task, make it available in self service for users to run. This will enable you to get the inventory information updated to troubleshoot as a once off.

As a side thought as well, for ongoing maintenance it would be worth configuring a policy to inventory update with a recurring check in to execute once every week. This will give you regular updates for your inventory.     

Thanks! I am now seeing them all show up in Protect, I believe the issue was we had the original scope set to all computers and all users, I changed it to the smart group of all managed computers and Voila! they started showing up. 

Now to go through the insights. Is there any documentation that maps the insights to policies you can make in JAMF pro? 

Glad to hear things are now working for you. 

CIS compliance/insight is pretty curly one. Here be dragons as they say. From personal experience I would say have a good look at what insights you want to comply with and what things it breaks for your environment. Also test, test and re test on a non production machine before trying to roll this out. Some of these settings once set are a beast to reverse. :)

My recommendation to you would be if you are keen to implement these things and are new to MacOS, JAMF etc to consider paying for a JAMF engineer engagement. This does have a significant cost but it will save you a lot of frustration and heartache. But if you are keen to do this in house see below for a suggested solution.   

There are some things you can remediate with the JAMF inbuilt payloads, others need plists to work. The solution that takes a lot of the ouch out of this process is written by Mischa van der Bent and is published here mvdbent/CIS-Script (github.com)  

I'd suggest have a read through of the read me but in nut shell what this tool does is: 
Generate compliance reports on local workstation
Pull those values into JAMF by use of Extension attributes
Custom configuration profile to set if workstation is to report only or report and remediate failures  
Scripted remediation policy to make devices compliant again