This article helps identify devices where the MDM client on a managed device is in an unresponsive state. We have created a few resources to determine "why" MDM may be in a broken state. These specifically monitor and track the health of the Apple MDM client and the native macOS processes that can cause this behavior.
The sections below describe methods of identifying the possible MDM health issues. This is not an exhaustive list, but the areas identified cover most cases where MDM connectivity does not work.
MDM Last Connected
The `MDM Last Connected` fact (https://releases.addigy.com/AM-15098) shows the last time a device connected or responded to the MDM server. This complements the `Is MDM Client Stuck` fact by providing a date-based value of the last time the device connected.
Is MDM Client Stuck
The `Is MDM Client Stuck` fact was discussed earlier in this thread. We modified it slightly to report every 30 minutes, for a more up-to-date status of the device (https://releases.addigy.com/AM-15119).
MDM Identity Certificate Installed
The `MDM Identity Certificate Installed` fact (https://releases.addigy.com/AM-15189) will show if the device lost its "Identity", meaning the MDM Identity Certificate that is responsible for the device identity. This identity certificate is required by Apple's MDM protocol to establish a trusted connection. There are known issues with this certificate going missing, or with the keychain in which the certificate resides going missing entirely. Known issues like this are primarily due to Migration Assistant or direct modification of the keychain.
Is MDM Software Update Stuck
The `Is MDM Software Update Stuck` fact (https://releases.addigy.com/AM-15190) is a new fact released today. It identifies whether the last MDM command sent to the device was a Software Update command (e.g. `AvailableOSUpdates`, `ScheduleOSUpdateScan`, etc.). The device must be in this state for at least 90 minutes to show as stuck in this condition.
Remediation: MDM Stuck
If you have devices in the `Is MDM Client Stuck` state, cross-reference those with a valid `Is MDM Identity Certificate Installed` fact, ensuring they have a valid identity certificate. Then, you can run these two community scripts in an attempt to kickstart and flush the relevant processes:
Copy the scripts listed above from the Community, identify the devices with the facts discussed above already available in your environments, and send the scripts to the devices.
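The cross-reference described above, as a local triage script that is an added example and not one of Addigy's facts or community scripts. The parsing helpers take command output as an argument so they can be exercised on constructed samples; `triage_live` runs the real macOS commands (`profiles status -type enrollment`, `security find-identity`, `pgrep mdmclient`). The identity label substring and the 90-minute threshold are assumptions supplied by the caller.

```shell
#!/bin/bash
# Added example, not Addigy's own code. Text helpers take command output as $1
# so they run on constructed samples; triage_live() is only meaningful on macOS.

# Summarise `profiles status -type enrollment` output as one token:
# ade-enrolled | user-approved | enrolled | not-enrolled
enrollment_state() {
  local dep mdm
  dep=$(printf '%s\n' "$1" | sed -n 's/^Enrolled via DEP: *//p')
  mdm=$(printf '%s\n' "$1" | sed -n 's/^MDM enrollment: *//p')
  case "$mdm" in
    Yes*) if [ "$dep" = "Yes" ]; then echo ade-enrolled
          elif echo "$mdm" | grep -q "User Approved"; then echo user-approved
          else echo enrolled; fi ;;
    *)    echo not-enrolled ;;
  esac
}

# Number of identities (certificate + private key) reported by
# `security find-identity -v <keychain>`; its last line is "N valid identities found".
identity_count() {
  printf '%s\n' "$1" | sed -n 's/^ *\([0-9][0-9]*\) valid identities found.*/\1/p'
}

# True if an identity whose quoted label contains $2 is listed in output $1.
# The MDM identity's label is vendor-specific, so the caller supplies the substring.
has_identity() {
  printf '%s\n' "$1" | grep -q "^ *[0-9][0-9]*) .*\"[^\"]*$2[^\"]*\""
}

# True if the last-connected epoch ($1) is at least $3 minutes (default 90,
# the page's Software Update threshold) older than the reference epoch ($2).
is_stale() {
  local age=$(( ($2 - $1) / 60 ))
  [ "$age" -ge "${3:-90}" ]
}

# Live triage on the local Mac: enrollment state, identities in the System
# keychain, and whether the Apple MDM client process is running.
triage_live() {
  [ "$(uname)" = "Darwin" ] || { echo "not macOS"; return 2; }
  echo "enrollment: $(enrollment_state "$(profiles status -type enrollment 2>/dev/null)")"
  local ids; ids=$(security find-identity -v /Library/Keychains/System.keychain 2>/dev/null)
  echo "identities in System keychain: $(identity_count "$ids")"
  pgrep -x mdmclient >/dev/null && echo "mdmclient: running" || echo "mdmclient: not running"
}
```

A device reporting `not-enrolled` or zero matching identities belongs in the missing-certificate remediation below rather than the process-flush scripts.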
Remediation: Missing Certificate
If you have devices where the `Is MDM Identity Certificate Installed` fact reports the certificate as missing, this most likely means their keychain was modified or corrupted in some way (during migration, tampering, etc.) and the MDM Identity certificate is missing.
You can remediate this as follows:
- You must do this as an administrator.
- The device must be Automated Device Enrollment (ADE) eligible or ADE enrolled.
- You must run this from a terminal in an interactive user session: `sudo profiles renew -type enrollment`
- You must click the notification to open the Profiles pane to update the enrollment.
We would advise, out of an abundance of caution, that you automate your remediations carefully, so as not to inadvertently remediate the services during an important process.
Therefore, as previously committed, we are still working on using all of this data to identify the most ideal time to cycle these processes, based on pre-existing conditions or identified reasons MDM could go into an unhealthy state. (Note: devices with broken MDM identities will not be automatically healed by our new healing mechanism.)
Should you want to automate the remediations immediately, we would suggest using them in a Maintenance Job based on the cadence of your update schedule requirements (e.g. daily, weekly, monthly).