This article helps you identify devices that are having trouble communicating with Addigy via MDM, and what you can do to resolve those issues. We have created several resources to help determine why MDM may be in a broken state; they monitor and track the health of the Apple MDM client and the native macOS processes that can cause this behavior.
Note: When MDM is unresponsive on a Mac, the Addigy Agent will still be responsive and fully functional. This means a device may appear to be fully functional even when it cannot communicate via MDM.
Tools to Identify MDM Communication Issues
The following sections describe ways to identify possible MDM health issues. This is not an exhaustive list, but the areas identified account for most cases where MDM connectivity does not work.
Device Facts
MDM Last Connected (macOS/iOS/iPadOS)
The `MDM Last Connected` fact shows the last time a device connected or responded to the MDM Server.
Is MDM Client Stuck (macOS)
The `Is MDM Client Stuck` fact checks if a Mac has an Addigy MDM profile installed and if the MDM client is stuck. It does this by searching for the presence of the Addigy MDM profile in the system configuration profile data and by checking the latest log entry for the MDMClientStuck flag. If both conditions are met, it returns true; otherwise, it returns false.
MDM Identity Certificate Installed (macOS)
The `MDM Identity Certificate Installed` fact shows whether the device has lost its "Identity", meaning the MDM Identity Certificate that establishes the device's identity to the MDM server. Apple's MDM protocol requires this certificate to establish a trusted connection. There are known issues with this certificate going missing, or with the keychain in which it resides going missing; these are primarily caused by Migration Assistant or direct modification of the keychain. If this device fact is false, please refer to this section: Identity Certificate Missing Error (macOS).
MDM Statuses in GoLive
Within GoLive, it's quite easy to identify MDM communication problems.
One way to view the MDM status is by referencing the MDM Details window in GoLive. You can view this by selecting the "MDM: Enabled" text within the GoLive page of a device:
Here you can see the push certificate details, the last MDM response time, and troubleshooting tools for certain scenarios.
Another easy way to verify MDM activity is by reviewing the "Refresh Data" drop-down. This will show the statuses of each MDM audit that Addigy runs. More information on what these audits do can be seen in this article.
Resolving MDM Communication Issues
Push Certificate Problems
Expired Push Certificate
If you have an expired push certificate, there is a good chance that your devices are no longer communicating via MDM. There are some cases where devices can continue to communicate after the push certificate expires, but it is by no means guaranteed.
To confirm if the push certificate installed on a device has expired, refer to the MDM Details window in GoLive. This will show the installed push certificate and when it expires.
If the push certificate has expired, please follow this guide for steps on renewing this: FAQ: My Push Certificate Expired
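The MDM Details window is the authoritative view, but if you still have the push certificate you exported from the Apple Push Certificates Portal, you can check the same dates locally. The following shell script is an added example (not Addigy's tooling or part of the original article); it assumes the certificate is a PEM file whose path you pass as the first argument, and that, as Apple issues these certificates, the APNs topic sits in the subject's UID attribute. Expiry is the only thing it can tell you; revocation is not visible in the file itself.

```sh
#!/bin/sh
# Added example (not Addigy's tooling): inspect an APNs MDM push certificate
# exported as PEM from the Apple Push Certificates Portal. Assumes the file
# path is given as $1 to the functions; nothing here talks to Apple or Addigy.

# Print the subject and expiry so they can be compared with the
# MDM Details window in GoLive.
push_cert_info() {
    openssl x509 -in "$1" -noout -subject -enddate -nameopt RFC2253
}

# The APNs topic referenced by each device's MDM enrollment profile is carried
# in the subject's UID attribute (assumption based on how Apple issues these
# certificates); print it, or nothing if the attribute is absent.
push_cert_topic() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*UID=\([^,]*\).*/\1/p'
}

# Exit 0 if the certificate stays valid for at least $2 more days (default 0,
# i.e. "not expired right now"), 1 if it expires sooner or already has.
# This cannot detect revocation: for that use "Test MDM Response" in GoLive.
push_cert_valid_for_days() {
    days=${2:-0}
    openssl x509 -in "$1" -noout -checkend "$(( days * 86400 ))" >/dev/null
}

# Usage: sh push_cert_check.sh /path/to/push-cert.pem
if [ -n "$1" ]; then
    push_cert_info "$1"
    echo "topic: $(push_cert_topic "$1")"
    if push_cert_valid_for_days "$1" 30; then
        echo "OK: more than 30 days remaining"
    else
        echo "WARNING: expires within 30 days or already expired; renew it"
    fi
fi
```

The 30-day threshold is an arbitrary reminder window; Apple's renewal flow works at any time before expiry, and renewing early avoids the communication gap described above. A certificate that passes this check but still fails "Test MDM Response" with a TLS revocation error is the revoked case covered in the next section.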
Revoked Certificate
If your push certificate has not expired, another good thing to check for is a revoked push certificate. To check for that, navigate to GoLive and open the MDM Details window. Then, click "Test MDM Response". If the push certificate is revoked, you will receive the following error.
If you see the 'tls: Revoked Certificate' error, please follow this guide for steps on renewing your push certificate: FAQ: My Push Certificate Expired
Identity Certificate Missing Error (macOS)
If the "MDM Identity Certificate Installed" device fact is reporting false, it's likely the Mac is encountering the following error:
0x100f93 Error 0x0 10724 0 mdmclient: [com.apple.ManagedClient:MDMDaemon] [ERROR] MDM_Connect: Unable to create MDM identity from persistent reference: -25304 (The specified item is no longer valid. It may have been deleted from the keychain.) for profile
If desired, you can confirm by following these steps:
- Start a LiveTerminal session on the device and run the following command:
sudo log stream | grep mdmclient
- Run any MDM command on the device (for example, perform a device Audit using the GoLive > 'Refresh Data' button). This should trigger the device to log the error above in the log stream.
- After about 7 seconds, stop the log stream by sending an interrupt in LiveTerminal (CTRL + C on a Mac).
- Once the output has stopped, use CMD + F to search for "Unable to create MDM identity". If the error is there, follow the remediation steps below.
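Reading a raw log stream by eye is error-prone, so here is a small shell helper that recognises the signatures this article quotes: the -25304 identity error above and the NSURLErrorDomain -1200 SSL error from the "MDM Communication Being Blocked/Interfered With" section further down. It is an added example, not Addigy's tooling or code from the original article. The `mdm_log_check` wrapper assumes it runs on the Mac itself with sudo and uses `log show --predicate` to scope collection to the mdmclient process rather than grepping the entire stream; the sample log lines are constructed, modelled on the errors quoted in the article, not captured from a real device.

```sh
#!/bin/sh
# Added example (not Addigy's tooling): recognise the mdmclient log signatures
# discussed in this article from unified-log text on stdin. Prints one tag per
# signature found; exits 0 if any known problem was seen, 1 otherwise.

classify_mdm_log() {
    # Only mdmclient / ManagedClient lines count, so noise from other
    # subsystems cannot produce a false match.
    filtered=$(grep -E 'mdmclient|com\.apple\.ManagedClient' || true)
    found=1
    # OSStatus -25304: the MDM identity is gone from the keychain.
    if printf '%s\n' "$filtered" | grep -q 'Unable to create MDM identity'; then
        echo identity-certificate-missing
        found=0
    fi
    # NSURLErrorDomain -1200: TLS to the MDM server failed (filtering,
    # interception, or a trust chain the device does not accept).
    if printf '%s\n' "$filtered" | grep -q 'NSURLErrorDomain Code=-1200'; then
        echo tls-connection-failed
        found=0
    fi
    return $found
}

# On the Mac itself (needs sudo): pull the last N minutes (default 10) of
# mdmclient activity after triggering an MDM command from GoLive > Refresh
# Data, then classify it. --predicate replaces `grep mdmclient` over the
# whole stream, and `log show` returns instead of running until interrupted.
mdm_log_check() {
    sudo log show --last "${1:-10}m" --style compact \
        --predicate 'process == "mdmclient"' | classify_mdm_log
}

# Constructed sample lines (modelled on the errors quoted in the article, not
# captured from a real device) so the classifier can be exercised offline.
SAMPLE_MDM_LOG='2024-05-01 10:00:01.000 E  mdmclient: [com.apple.ManagedClient:MDMDaemon] [ERROR] MDM_Connect: Unable to create MDM identity from persistent reference: -25304 (The specified item is no longer valid. It may have been deleted from the keychain.) for profile
2024-05-01 10:00:02.000 Df kernel: unrelated noise that must not match
2024-05-01 10:00:03.000 E  mdmclient: [com.apple.ManagedClient:HTTP] Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made."'

# Offline demonstration: prints both tags for the constructed sample.
printf '%s\n' "$SAMPLE_MDM_LOG" | classify_mdm_log
```

Run `mdm_log_check 10` on the device right after pressing 'Refresh Data' in GoLive and map the tag to the remediation in this article: identity-certificate-missing means the ADE or manual re-enrollment steps below, tls-connection-failed means checking what is between the Mac and Addigy's endpoints before touching the enrollment at all.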
For an ADE device, you'll need to run the command outlined in this article: Overview: Using the 'sudo profiles renew -type enrollment' Command
For manually enrolled (non-ADE) Macs, you will need to remove and reinstall MDM. To remove only MDM, follow the steps here and select "Remove MDM Profile". To reinstall MDM, reference this guide (note: MDM will always require admin credentials to approve the MDM installation).
NotNow Responses
In short, a NotNow response to an MDM command will be returned when a device is unavailable to run the specific MDM command at that moment. A NotNow response can be expected in some scenarios, but in some niche cases, a device can get stuck in this NotNow state, which can cause downtime in MDM communication.
For a complete walkthrough of NotNows and remediation steps, please reference this guide: "Not Now" (NotNow) Apple Device Responses
MDM Communication Being Blocked/Interfered With
If possible, confirm that your network settings (firewall, DNS filtering, antivirus, TLS-inspecting proxies, etc.) allow connections for Addigy and for MDM as a whole. If MDM traffic is blocked or interfered with, Addigy will experience downtime. This guide covers everything you need to allow so that Addigy and MDM function without disruption: Complete Port Usage for Addigy
If desired, you can use the log stream command outlined in the Identity Certificate Missing Error section above to look for an error like this:
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made."
Last Resort - Reinstall MDM
If other steps have not helped or have been ruled out, there is a chance that reinstalling MDM may aid in resolving the communication problems. This process requires manual interaction, so if you are unable to remote to the device and/or do not want to disturb the user, please do not hesitate to reach out to our support team, and we can advise whether this would be a necessary step based on the issue at hand.
iOS/iPadOS - Reinstalling MDM on an iOS/iPadOS device only requires you to know the passcode (if one is set). Additionally, if the device is already supervised in Addigy, it will maintain supervision through re-enrollment.
To delete MDM, follow this guide and select "Remove MDM" in the deletion window.
Best Practices: Removing a Device From Addigy
To reinstall MDM, follow this guide:
How To: Manually Enroll iOS/iPadOS into Addigy's MDM
macOS - Reinstalling MDM on macOS will always require an admin-level user to approve the enrollment once MDM is deleted. This is defined by Apple and cannot be circumvented. The steps to reinstall MDM vary greatly depending on the enrollment method:
If a device has been enrolled via ADE, you should use the command outlined in the article below to maintain ADE-specific capabilities:
Overview: Using the 'sudo profiles renew -type enrollment' Command
If a device has been manually enrolled, you can use the 'Install MDM' tool to make the re-enrollment easier.
What Does The Install MDM (+MDM) Button Do?
If you do not want to use this tool, please follow this article:
How To: Manually Enroll macOS into Addigy's MDM