Home > Casper, JSS, Mac administration > Automatically fixing Casper Mac MDM enrollment

Automatically fixing Casper Mac MDM enrollment

While I was working on a new laptop this afternoon, I noticed that the Profiles icon was missing from System Preferences.

Profiles in System Preferences

This system was managed by our Casper server and we’re using both certificate-based communication and an APN certificate, so it should have been there. Moreover, when I ran profiles -P, I saw that no profiles were installed.

Running jamf mdm -verbose fixed the issue by installing the MDM certificate, but I wanted to ensure that any other machines with the same issue were found and then automatically fixed by Casper. After a little research, I have a process that does this. See below the jump for details.

Update – 9-8-2013: It looks like Casper 9.x handles MDM certificate re-enrollment differently than Casper 8.x does. To avoid any confusion, I’m removing the Casper 9.x information from this post. Once I’ve got the right method, I plan a follow-up post covering how to do this with Casper 9.x.

Update – 7-31-2014: Click here to see how to do this with Casper 9.x.

UPDATE – 9-22-2014: JAMF brought back the jamf mdm command in Casper 9.4, so it’s possible to use the workflow described below in Casper 8.7.x and in Casper 9.4 and later.

JAMF provides three extension attributes with your Casper JSS server to help you identify machines with either problematic SSL certificates or missing MDM certificates.

JSS Certificate Validation

Verify Certificate Based Communication

Verify MDM Enrollment

Screen Shot 2013-08-30 at 3.07.10 PM copy

All can be installed from the JAMF Software category of your JSS server’s Extension Attribute Templates.

Screen Shot 2013-08-30 at 3.07.10 PM

From there, you can set up a Smart Group to look for machines that fit the following criteria:

JSS Certificate ValidationSuccess

Verify Certificate Based CommunicationEnabled

Verify MDM EnrollmentNot Enrolled

It should also currently be scoped to look for Macs running 10.7.x or higher, as earlier OSs won’t be enrolled in MDM.

Here’s how the smart group I set up looks in Casper 8.x:

Casper 8.x:

Screen Shot 2013-08-30 at 3.06.30 PM

From there, set up a policy that is scoped to run on members of that smart group. The policy I set up will run the jamf mdm -verbose command to install the MDM certificate on the Mac, then run a new inventory. The inventory update process should then allow the JSS to detect that the MDM certificate has been installed and take the machine out of the smart group.

Here’s how the policy I set up looks in Casper 8.x:

Casper 8.x:

Screen Shot 2013-08-30 at 3.08.56 PM

Screen Shot 2013-08-30 at 3.08.39 PM

Screen Shot 2013-08-30 at 3.08.18 PM

Categories: Casper, JSS, Mac administration
  1. September 5, 2013 at 8:16 pm

    Hi Rich
    Could it be that the “jamf mdm” command is not available anymore in Casper 9.x? I get

    There is a problem with your syntax.

    Error: The specified verb (mdm) is not recognized.

    Type “jamf help” for more information

    on all of my machines.

    I guess

    jamf manage

    is the new version with similar results.

    • September 5, 2013 at 8:32 pm

      On re-testing it, it looks like “jamf mdm” isn’t available in Casper 9. My mistake there, I must have been looking at the wrong test box.

      I’ll check with JAMF Support and see what the new version of the command is.

    • September 5, 2013 at 11:43 pm

      According to JAMF Support, the replacement commands are these:

      jamf removeMdmProfile


      jamf manage

      I can run this outside of a Casper policy like this:

      jamf removeMdmProfile -verbose && jamf manage -verbose

      I’m not able to run this as part of a policy so far, so I’ve followed up with JAMF.

  2. September 9, 2013 at 3:48 pm

    Thanks for the info. I will give this new commands a try. BTW: Looking forward to meet you in Sweden next week!

  3. Ssjonker
    October 11, 2013 at 7:55 pm


    Have you been able to get it to work reliably with JSS 9.xx? Just curious, thanks! I don’t seem to have anybody showing up in my smart group (we are using 9.12).

  4. April 15, 2014 at 1:44 pm

    Thanks for this article. I had been using it with Casper 8.x and like you, couldn’t get it to work in 9.x.

    I’ve since built a quick package with the luggage that installs a LaunchDaemon and postinstall script starts it. The LaunchDaemon periodically calls the jamf removeMDMProfile && jamf manage verbs, and when successful, does a recon and then shuts down the LaunchDaemon and removes it.

    Of course, at this point I don’t have anything to test it on, but I’m confident that it should work around the problems of trying to run the commands within a policy.

    • May 21, 2014 at 2:08 am


      Would you mind posting your solution, either on Github or elsewhere?

      • akismet-81edbd0379b605bdf363d603e975ae1d
        May 21, 2014 at 2:58 pm

        Hey Rich, I posted my package at: https://github.com/sheagcraig/fix_mdm_cert

        Of course, it’s basically just a package that does what you described in the post, except as a LaunchDaemon executing a script (and then cleaning up after itself) rather than as part of a jamf policy.

        Unfortunately I don’t have any broken computers at the moment that I can test with, but I can see in my policy logs that it took care of about 12 computers in the last couple of months. I can test some more once we reimage our fleet this summer (educational institution!)

        From: Der Flounder <comment-reply@wordpress.com> Reply-To: Der Flounder <comment+_htgtt-3_3o-2alw3aqrqbuqgsbv16zuq30om1ln@comment.wordpress.com> Date: Tuesday, May 20, 2014 at 10:08 PM To: Shea Craig <shea.craig@da.org> Subject: [New comment] Automatically fixing Casper Mac MDM enrollment

        rtrouton commented: “Shea, Would you mind posting your solution, either on Github or elsewhere?”

  5. June 12, 2014 at 1:17 am

    Thanks, Shea. I think I’ve figured out a way to do this without having to killall the jamf binary. I’ve tested this method with 10.7.x, 10.8.x and 10.9.x and so far it looks like it works OK.

    I’m planning to write this up at some point, but I’ve got a gist posted on Github:

  6. tobiaslinder
    June 12, 2014 at 6:37 am

    Thanks Rich, I will give it a try.

  7. Michael
    May 19, 2016 at 8:37 am

    A finding in regard to DEP: PreStage Enrolment
    You have to Allow MDM Profile Removal (Allow the user to remove the MDM profile).
    Otherwise jamf mdm -verbose will not work.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: