Skip to content Skip to site navigation

How to Troubleshoot Jamf Agents not Checking in to Jamf Cloud

Computers may fall into non-compliance in MyDevices if the Jamf agent stops reporting inventory data to Jamf Cloud. Before attempting remediation steps for the Jamf agent, perform these checks first:

CHECK #1: UIT Stanford Jamf MDM Profile is in place

  1. Open System Preferences > Profiles.
  2. Stanford UIT Jamf’s MDM profile has a custom name of “Stanford Device Management.”
  3. Upon confirming this in place, check for the instance URL of “stanford.jamfcloud.com” within the profile details, as shown in the below screenshot.

    Note: If upon selection of this profile, the “-” button just below the Profiles list is greyed out, this means the computer is Automated Device Enrollment (ADE) Enrolled, and you, therefore, cannot simply un-enroll by removing this MDM Profile, then re-enroll with User-Initiated Enrollment (UIE).
  4. Take note of the above for now, then continue with the remaining checks.

CHECK #2: Jamf binary in place

  1. Open Applications > Utilities > Terminal.
  2. Type the following command, then hit Enter. 
    jamf about
  3. If the Terminal does not recognize the `jamf` command, the Jamf binary is not installed.
    Note: Knowing if Jamf binary exists advises on whether or not it is worth attempting other remediation steps while also informing on how far along the enrollment process this computer did or did not get.
  4. Proceed with the remaining checks, regardless of whether the binary exists or not.

CHECK #3: Jamf console shows no recent activity for this device

  1. Find the computer record in Jamf using your preferred search criteria such as by user's username, computer name, or serial number.
  2. Under Inventory > General, confirm both the “Last Inventory Update” and “Last Check-in” stopped within the same 24 hours.
  3. If the two values DO NOT fall within a close enough window, escalate to the Product Support Team(PST)/Endpoint Engineering and Development (EED), as this is a very unusual state.
  4. Under History > Management History, confirm the Completed Commands, Pending Commands, and Failed Commands all show nothing more recent than what you see for “Last Inventory Update” / “Last Check-in”.
  5. If Management History shows anything as recent as the past day or two, escalate to the Product Support Team(PST)/Endpoint Engineering and Development (EED), as this suggests we can likely remotely repair the Jamf agent with a “Heal” command.

CHECK #4: The computer is assigned to the appropriate PreStage Enrollment

Most computers should be assigned to the default PreStage Enrollment, [SU] Stanford University - Automatically Assign New Devices, with the primary exception being Cardinal Protect computers (PreStage name: [SU] Cardinal Protect - Enroll in Cardinal Protect). These steps will assume this is not a Cardinal Protect computer, but the process is otherwise the same.

  1. Open Computers > PreStage Enrollments.
  2. Click [SU] Stanford University - Automatically Assign New Devices.
  3. Click Scope.
  4. Use the “Filter Results” field to locate the problem computer – filtering by the computer's serial number is recommended.
    Note: If you do not find the computer, see if the computer is a Cardinal Protect device by checking the [SU] Cardinal Protect - Enroll in Cardinal Protect) and confirming it scoped there with its checkbox enabled
  5. The checkbox must be enabled for this problem computer; if it is not enabled, escalate to UIT Service Desk ETS to Edit > filter > enable the checkbox for computer > Save. If UIT Service Desk ETS is not available to assist immediately, escalate to Endpoint Engineering and Development (EED).

Client-side Remediation Steps:

Upon confirming at a minimum that Checks #1 and #4 are in place: 

Try renewing the enrollment

  1. Open Terminal on the problem computer.
  2. Type the following command, then hit Enter. 
    sudo profiles renew -type enrollment
  3. If not immediately, a “Device Enrollment” notification should appear out of (or within) the macOS Notification Center at the top-right; click the “Device Enrollment” message.
  4. System Preferences should immediately open to Profiles and prompt you to log in to renew the enrollment – the message window asks, “Allow Device Enrollment?”
  5. Click Allow. 

     
  6. Enter local Administrator credentials to invoke re-enrollment through the resulting Stanford SSO login prompt.

     
  7. Confirm enrollment is renewed. 

Upon completion, you may receive an error indicating you cannot enroll because another MDM profile already exists. You can disregard this if the “Stanford Device Management” MDM profile’s “Installed” date reflects the enrollment renewal just completed. Further assurance the remediation succeeded is finding the computer record in Jamf is now displaying a recent Inventory or Check-in timestamp.

 

Last modified March 4, 2024