Posted on 05-24-2023 05:25 AM
I saw a blog post mentioning a new tool Addigy is rolling out to try to work through broken/stuck MDM on managed devices. The premise sounds promising, and I only bring it up here since they plan to offer an open version that can be leveraged with other (aka Jamf) MDMs. https://addigy.com/blog/addigy-new-mdm-watchdog-agent-how-to-resolve-mdm-issues-with-macos/?utm_sour...
05-24-2023 03:13 PM - edited 05-24-2023 03:14 PM
Nice, but I find it to be a sad statement that an entire additional piece of software had to be developed to work around the fact that Apple's MDM largely still sucks and breaks far too often. If Apple would just find a way to make it more reliable, tools like this wouldn't have to be developed in the first place as there would be no need for them.
Posted on 05-25-2023 04:36 AM
Posted on 05-25-2023 04:39 AM
I also think it's sort of ironic that Apple frequently walks into meetings with my .org (or any that I've worked with) and brags about being enterprise friendly, yet so many things have to have workarounds or 3rd party apps to make truly usable by Admins. It could be worse - I could be forced to work on Windows.
Posted on 05-25-2023 06:17 AM
oh oh, Jamf... a small market Fox station picked up on this story: https://fox59.com/business/press-releases/accesswire/756815/addigy-finds-apple-rapid-security-respon...
Can we please get some Jamf engineering resources to look at this as a priority, because we all know Apple won't and relying on Addigy could make some of your customers consider a switch of vendors...
Posted on 05-25-2023 01:06 PM
Cripes! 25% of managed machines (just the Addigy managed ones mind you) are not getting the RSR updates and, worse, are getting into a stuck state. In any environment I can think of, 25% failures would be considered an overall failure and someone(s) would be fired. Only Apple can get away with such a level of brokenness. With so much of our macOS and iOS device management now relying on MDM working (thanks to Apple), systems having broken MDM is a serious problem.
Posted on 05-30-2023 05:12 AM
Anyone have access to and could share the Restart MDMClient Service script mentioned here? - https://support.addigy.com/hc/en-us/articles/14910202404627-MDM-Client-Is-Unresponsive-and-Remediati...
Posted on 06-14-2023 02:04 AM
If it helps, the watchdog is now released - https://addigy.com/mdm-watchdog/?utm_medium=referral&utm_source=press-release&utm_campaign=mdm-watch...
Posted on 06-23-2023 10:19 AM
Does anyone have an extension attribute for this?
Posted on 06-26-2023 11:02 AM
Here's what I have so far. You could substitute "MDMCLientStuck" for "MDMEnrolled" to get a true/false value.
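#!/bin/sh
# Report the MDMEnrolled value from mdm-watchdog's diagnose output as an extension attribute.
if [ -d "/Library/Application Support/mdm-watchdog/" ]; then
    # Take the second field of the "MDMEnrolled:" line
    Watchdog=$(mdm-watchdog -diagnose | grep "MDMEnrolled:" | awk '{ print $2 }')
    echo "$Watchdog"
    echo "<result>$Watchdog</result>"
else
    echo "Watchdog does not exist"
    echo "<result>NotInstalled</result>"
fi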
Posted on 06-26-2023 11:07 AM
What’s the time hit on that? I’m hesitant to create an EA simply because the watchdog takes what seems to be an unreasonable amount of time to return a response to -diagnose. This is also mentioned in the video.
Posted on 06-26-2023 11:08 AM
Yeah, it does take some time, 10 seconds? I only have it on one system so far. Unsure if this is something I should deploy to more systems? I added the line to check for existence of mdm-watchdog for now.
Posted on 08-28-2023 08:12 AM
FYI, the diagnostic piece took too long from an inventory perspective. I wrote this to pull from the unified log instead; as it runs every 95 minutes, that should be sufficient.
#!/bin/bash
# Written by Nick Davis on 8.25.23 to report the log results from MDM Watchdog.
## Read the log file, search for watchdog process and grab the last 8 lines
resultS=$(log show -predicate 'process = "mdm-watchdog"' | tail -n 8)
## Trim the lines to show MDM Watchdog output
trimIT=$(echo "$resultS" | sed 's/^.*MDME/MDME/')
## Trim the lines to only show the last run date
dateTime=$(echo "$resultS" | sed 's/\..*//' | head -n 1)
## Check for presence of mdm-watchdog in results
installED=$(echo "$resultS" | grep "mdm-watchdog")
## If MDM Watchdog is in the results, display data.
if [ -n "$installED" ]; then
    echo "<result>Last Run: $dateTime
$trimIT</result>"
else
    echo "<result>Not Installed</result>"
fi
exit 0
Posted on 09-07-2023 06:18 AM
This seems to work well and provides a lot of data quickly.
Posted on 01-16-2024 05:58 AM
Excellent.
Not sure if something changed with Sonoma regarding the output of the log, I had to change those two lines to get a proper result:
## Trim the lines to show MDM Watchdog output
trimIT=$(echo "$resultS" | sed 's/^.*MDME/MDME/' | sed '/Retrieve/d')
## Trim the lines to only show the last run date
dateTime=$(echo "$resultS" | grep Default | sed 's/\..*//' | head -n 1)
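The following is an added example, not code from any poster in this thread or from Addigy: it folds the unified-log approach and the Sonoma adjustment above into one function that finds the newest MDMEnrolled entry by content instead of by position (`tail -n 8`), so extra entries before or after the report do not shift the result. The function name, the `--last 2h` window, the "unknown" fallback and the sample log lines are assumptions; the sample is constructed and the real watchdog log layout may differ.

```shell
#!/bin/sh
# Added example (not from the thread): build the extension attribute result
# from `log show` text read on stdin, without relying on `tail -n 8`.

watchdog_ea() {
    log_text=$(cat)   # keep stdin so it can be scanned more than once

    # No mdm-watchdog entries in the window: report as not installed.
    if ! printf '%s\n' "$log_text" | grep -q 'mdm-watchdog'; then
        echo "<result>Not Installed</result>"
        return 0
    fi

    # Timestamp of the newest MDMEnrolled entry, fractional seconds cut off.
    last_run=$(printf '%s\n' "$log_text" | grep 'MDMEnrolled' | tail -n 1 | sed 's/\..*//')
    [ -n "$last_run" ] || last_run="unknown"

    # Keep everything from the newest MDMEnrolled line onward, strip the log
    # prefix from it, and drop "Retrieve" lines as in the Sonoma fix.
    report=$(printf '%s\n' "$log_text" |
        awk '/MDMEnrolled/ { buf = "" } { buf = buf $0 "\n" } END { printf "%s", buf }' |
        sed -e 's/^.*MDME/MDME/' -e '/Retrieve/d')

    printf '<result>Last Run: %s\n%s</result>\n' "$last_run" "$report"
}

# Constructed sample input (assumed layout: one multi-line message per run,
# key names as spelled in the thread, plus a trailing "Retrieve" entry).
SAMPLE='2024-01-16 05:40:00.100000-0500 0x1 Default 0x0 321 0 mdm-watchdog: MDMEnrolled: true
MDMCLientStuck: false
2024-01-16 07:15:02.123456-0500 0x2 Default 0x0 654 0 mdm-watchdog: MDMEnrolled: true
MDMCLientStuck: false
2024-01-16 07:15:03.000000-0500 0x3 Default 0x0 654 0 mdm-watchdog: Retrieve (constructed)'

# On a Mac, read the real unified log (2h window is an assumption based on the
# 95-minute run interval mentioned above); elsewhere, show the sample result.
if [ "$(uname)" = "Darwin" ]; then
    log show --last 2h --predicate 'process = "mdm-watchdog"' | watchdog_ea
else
    printf '%s\n' "$SAMPLE" | watchdog_ea
fi
```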