Posted on 06-23-2022 07:24 AM
We have about 15 computers currently in JAMF Pro, we added JAMF Protect and set up a policy to push it out to the endpoints. That was a few days ago and pretty quickly 7 machines showed up in the JAMF Protect portal... but now a few days later it's still just those 7, the others are not showing up.
I looked at the logs in JAMF Pro and 14 out of the 15 show completed, and just one shows pending.
Not sure where to go next as far as testing this and getting the others to show up.
Posted on 06-23-2022 10:17 AM
Hi mletendre,
The ones that are stuck in pending status, I would look at the Last Inventory Update and Last check in. If they haven't done any recent inventory update since you deployed that policy, then I would force an inventory update.
Posted on 06-23-2022 12:48 PM
So only 1 is in pending status. There are about 5 that say completed, however they are not showing up in Protect, even a day later.
Posted on 06-23-2022 12:50 PM
Ok, in the Mac record in Jamf, does it show that Jamf Protect is installed in the list of installed applications?
Posted on 06-24-2022 12:13 PM
A few I looked at did appear to have Jamf Protect installed, but others did not even though it says completed.
Posted on 06-24-2022 12:44 PM
Did you re-apply the policy again to those Macs that didn't have it installed to see if it actually re-installed?
06-26-2022 11:01 PM - edited 06-26-2022 11:02 PM
Hi
It sounds like potentially some of your devices are stuck at some point in the enrolment process. Got a few suggestions that may be of help to you, assuming the JAMF Protect API entry has been created and added to JAMF Pro (JAMF Applications>ProtectRegistration). Also, the Cloud Services connection is configured.
Suggestion 1 - Look at using the Configuration Profile generated by your Protect plan to scope to your devices.
For our environment we use that as our primary deployment method with a policy attached to a smart group picking up any stragglers. Most machines are picked up fine using the config profile method but may take a little longer to check in. Running a sudo protectctl -checkin is usually enough to get it into Protect.
Suggestion 2 - Consider adding in some Extension Attributes to get better visibility over what stage your devices are in. They should be in one of these states: "Disconnected, Enrolling, Missing Plan, Protected, Missing CA, Protect binary does not exist". If a device is stuck in the enrolling state, a repair would likely resolve it: sudo protectctl repair.
Example EAs are available from the JAMF Protect GitHub repository:
jamfprotect/jamf_pro_extension_attributes at main · jamf/jamfprotect (github.com)
There are other possible considerations for things that may be impacting, but these are 2 things that made a world of difference for our environment and troubleshooting Protect issues. Hope this is also of help for you.
Posted on 06-27-2022 05:46 AM
Thanks @AntMac I am going to set some time aside this afternoon to look at this. I am VERY new to JAMF and Mac in general, so I will probably need to spend most of the time googling how to do what you are suggesting, but I will look into it.
Posted on 06-27-2022 06:59 AM
Not a worry. I can point you in the right direction for some parts and hopefully save you some searching.
Cloud Services Connection - refer to this link and the section "Enabling the Cloud Services Connection": Cloud Services Connection - Jamf Pro Documentation | Jamf
Registering your Protect Tenant with JAMF Pro - Jamf Protect Integration with Jamf Pro - Jamf Pro Documentation | Jamf (this also has the information about scoping your plans)
Manually creating an Extension Attribute - Refer to "Manually Creating a Computer Extension Attribute": Computer Extension Attributes - Jamf Pro Documentation | Jamf
Can highly recommend the JAMF Training Catalogue for getting bite sized videos on different JAMF subjects. Jamf Online Training Catalog
The JAMF 100 course is a great starting point and is free. Jamf 100 Course | Jamf Education | Jamf
Posted on 06-27-2022 07:25 AM
Ok, yes thank you. I originally did the Cloud services connection and registered the tenant. I am going through the manually creating the extensions but I am not seeing the states.
Posted on 06-27-2022 07:35 AM
Ok, great. The main extension you would want would be the application protect status one. jamfprotect/jamf_protect_application_status.sh at main · jamf/jamfprotect (github.com)
The states will populate on the next inventory cycle the workstation runs. Your only other way to get the state information would be to run terminal commands on the machine. For future, the terminal command line to get the state is sudo protectctl info. Rather than trying to walk your users through the terminal commands you could try this potential alternative option to force an inventory cycle. This assumes that the JAMF Pro Binary is healthy.
Create a new policy, set an update inventory maintenance task, make it available in self service for users to run. This will enable you to get the inventory information updated to troubleshoot as a once off.
As a side thought as well, for ongoing maintenance it would be worth configuring a policy to inventory update with a recurring check in to execute once every week. This will give you regular updates for your inventory.
Posted on 06-27-2022 12:26 PM
Thanks! I am now seeing them all show up in Protect, I believe the issue was we had the original scope set to all computers and all users, I changed it to the smart group of all managed computers and Voila! they started showing up.
Now to go through the insights. Is there any documentation that maps the insights to policies you can make in JAMF Pro?
Posted on 06-27-2022 04:49 PM
Glad to hear things are now working for you.
CIS compliance/insight is a pretty curly one. Here be dragons, as they say. From personal experience I would say have a good look at what insights you want to comply with and what things it breaks for your environment. Also test, test and re-test on a non-production machine before trying to roll this out. Some of these settings once set are a beast to reverse. :)
My recommendation to you would be if you are keen to implement these things and are new to MacOS, JAMF etc to consider paying for a JAMF engineer engagement. This does have a significant cost but it will save you a lot of frustration and heartache. But if you are keen to do this in house see below for a suggested solution.
There are some things you can remediate with the JAMF inbuilt payloads, others need plists to work. The solution that takes a lot of the ouch out of this process is written by Mischa van der Bent and is published here mvdbent/CIS-Script (github.com)
I'd suggest having a read through of the readme, but in a nutshell what this tool does is:
Generate compliance reports on local workstation
Pull those values into JAMF by use of Extension attributes
Custom configuration profile to set if workstation is to report only or report and remediate failures
Scripted remediation policy to make devices compliant again
Posted on 06-27-2022 06:47 AM
For those Macs that appear to have it installed but do not show up in the Mac's record, look at the last Inventory Update. If it hasn't completed an inventory update in a while since you deployed Jamf Protect, you can run sudo jamf manage and sudo jamf recon in Terminal.
Posted on 06-27-2022 06:58 AM
sudo jamf manage and sudo jamf recon
On the local machine, correct? These are all remote machines so talking an end user through it may be a little difficult but I can try.
Posted on 06-27-2022 07:14 AM
Yes, that is correct. But, like I stated, look at the last Inventory Update. If it hasn't done an inventory update in a while then you will have to coordinate with the user to run those commands.
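
The triage the replies in this thread walk through (policy log status, installed-application list, last inventory update, presence in the Protect portal), sketched as an added example that is not part of any post or of Jamf's own tooling. The record fields, the deployment time and the sample rows are constructed assumptions standing in for a Jamf Pro export and the Protect computer list.

```python
from datetime import datetime

# Constructed sample data. In practice these rows would come from a Jamf Pro
# inventory / policy-log export and the Jamf Protect computer list.
DEPLOYED = datetime(2022, 6, 21, 9, 0)  # when the install policy went out (assumed)
JAMF_PRO = [
    {"name": "mac-01", "policy": "Completed", "protect_app": True,
     "last_inventory": datetime(2022, 6, 22, 10, 0)},
    {"name": "mac-02", "policy": "Completed", "protect_app": True,
     "last_inventory": datetime(2022, 6, 23, 14, 0)},
    {"name": "mac-03", "policy": "Completed", "protect_app": False,
     "last_inventory": datetime(2022, 6, 24, 9, 30)},
    {"name": "mac-04", "policy": "Completed", "protect_app": False,
     "last_inventory": datetime(2022, 6, 18, 16, 0)},
    {"name": "mac-05", "policy": "Pending", "protect_app": False,
     "last_inventory": datetime(2022, 6, 15, 11, 0)},
]
IN_PROTECT_PORTAL = {"mac-01"}

def triage(rec, in_portal, deployed=DEPLOYED):
    """Return the next troubleshooting step for one computer record."""
    if rec["name"] in in_portal:
        return "ok"
    if rec["last_inventory"] < deployed:
        # Inventory predates the deployment, so the app list proves nothing yet.
        return "update inventory"
    if rec["policy"] != "Completed":
        return "wait for check-in"
    if not rec["protect_app"]:
        # Policy log says completed but the agent is not in the app list.
        return "re-apply policy"
    # Installed and inventoried, yet absent from the portal: agent-side problem.
    return "agent check-in or repair"

def coverage_gaps(records=JAMF_PRO, in_portal=IN_PROTECT_PORTAL):
    """Map every computer missing from the Protect portal to its next step."""
    steps = {r["name"]: triage(r, in_portal) for r in records}
    return {name: step for name, step in steps.items() if step != "ok"}

if __name__ == "__main__":
    for name, step in coverage_gaps().items():
        print(f"{name}: {step}")
```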