Should I refresh the MDM profile at a certain frequency?


We had a problem with pushing out a cert to our end users. When I talked to my jamf tech contact we went through a bunch of stuff but the thing that fixed our problem was a policy that executed the commands "jamf removemdmprofile" and "jamf mdm" from a "Files and processes" payload. Do people think this might be a good house keeping task that should get done once a day, once a week, once a month? Should I set the policy up with a reoccurring frequency? Thanks.


Contributor III

Personally I wouldn't trust an aggressive process like removemdmprofile to an automated process. Chances of a system becoming out of compliance is too high.

In terms of what happens to the system, removemdmprofile removes the Trust Profile, that allows the JSS to make changes to the system. Without that Trust Profile, all other subsequent profiles based on that Trust are effectively invalidated, and removed. Then the system is re-enrolled into mdm, and all the applicable profiles are re-sent and are re-applied. That sounds fine in a controlled process, but if there's critical settings that are in place like Directory Binding or Certificates or even Wi-Fi settings, losing those even momentarily would have adverse results especially if the system was in use.

It's effectively pulling the tablecoth from the dinner table, and putting it back without anybody noticing.

and from what I've observed, OS X 10.10 and later it waits and checks in with the MDM service at the login window, though I haven't really been able to figure out the trigger.