Jamf Nation Community

mntbighker · ‎11-22-2024

I'm trying to get Jamf Protect offline client/policy talking from Mac to SIEM. It appears that protectctl is only useful with the full cloud product, or else my clients are broken. If protectctl needs cloud version, why is it installed on my Macs? And how do you debug without it. The files in the db folder are totally opaque for debugging. It appears that protectctl diagnose is also useless without cloud.

Ideas?

matteo_bolognin · ‎11-26-2024

There's 2 + 1 steps involved, depending on the macOS version targeted.

- Package downloaded from "Downloads"
- Configuration Profile downloaded from "Plans" - this profile will contain the:

<key>offlineToken</key>

which is the License Key.
This part is covered here: https://learn.jamf.com/en-US/bundle/jamf-protect-offline-deployment/page/High_Compliance_Protect_Dep...

The 3rd step is for macOS 15 and later devices which is the non-removable system extension, which can be obtained from the "Downloads" section.

View solution in original post

mntbighker · ‎11-22-2024

Sorry, should say HC (High Compliance)

mntbighker · ‎11-22-2024

Support said try re-scope / reinstall, but so far 2 Macs have the same problem. I have uploaded to Jamf Pro for deploy multiple times too. Working on a third one now that has never had Protect before.

matteo_bolognin · ‎11-25-2024

The deployment of Protect, be that the regular or Offline Mode/High Compliance is made in 2 steps:
- the package installer
- the Configuration Profile
Ref: https://learn.jamf.com/en-US/bundle/jamf-protect-offline-deployment/page/Configuring_Offline_Deploym...

If only the package is deployed, Protect won't be able to properly configure on the device as information like the license key and the SIEM details are contained on the Configuration Profile.

mntbighker · ‎11-25-2024

Actually with Sequoia it's a package and two profiles, but apparently the tenant is producing a profile with no license attached, so nothing works. The license "says" it expires next April.

matteo_bolognin · ‎11-26-2024

There's 2 + 1 steps involved, depending on the macOS version targeted.

- Package downloaded from "Downloads"
- Configuration Profile downloaded from "Plans" - this profile will contain the:

<key>offlineToken</key>

which is the License Key.
This part is covered here: https://learn.jamf.com/en-US/bundle/jamf-protect-offline-deployment/page/High_Compliance_Protect_Dep...

The 3rd step is for macOS 15 and later devices which is the non-removable system extension, which can be obtained from the "Downloads" section.

mntbighker · ‎11-26-2024

Thanks, support helped me sort this out today. My logs are hitting the forwarder now, and blocked from the SIEM. ;-) One step "forward" at least.

jartron3030 · Friday

Hey there! We are seeing a similar issue in our environment. We migrated from Compliance Reporter to JP Offline Mode in October and everything was fine until mid-December when everything stopped forwarding randomly. I've reached out to our Splunk and Network teams and all seems to be good on their end, and our deployment of JP Offline hasn't changed either, so we're not sure what's going on.

You mentioned support helped you out - what did you end up doing to get your logs to forward?

Thank you!

jartron3030 · Friday

Adding that I have already tried what @matteo_bolognin has mentioned above a few different times. Essentially just re-deploying what we pushed out in October that was working.

Jamf Nation Community

protectctl with offline HA product