Mac Self-Service Troubleshooting
About Migration Assistant, Restoring from Time Machine and Replaced Motherboards
When a new Mac is set up using the migration assistant directly or via Time Machine or when a Mac has its motherboard replaced that Mac might also receive the Self-Service.app and the jamf framework, but the Self-Service server will not accept any connection from that Mac since the new Mac is unknown to the server. The same holds for any other intervention that changes the serial number and/or the UDID of the Mac. For these devices we recommend to first run the command sudo jamf removeframework and then enroll the new Mac as described in https://devices.docs.cern.ch/devices/mac/MacSelfService/Enrolling/.
About the Self-Service Application Version
The Self-Service application gets updated automatically whenever the server version is updated - as long as the Self-Service framework on your Mac is still working properly. Since March 2023 the version of the Self-Service app should be 10.44.1. If your Self-Service app is older than that you can assume that there is a problem with the Self-Service framework on your Mac. In general that implies that the Self-Service itself will not be functioning any more, and we recommend that you first remove the non-functional framework by running sudo jamf removeframework, and then enroll the Mac again as described in https://devices.docs.cern.ch/devices/mac/MacSelfService/Enrolling/.
About Devices that Stop Reporting
Devices that stop reporting to the server for more than three months (more than 12 month for devices that use disk encryption) will be deleted from the database. In that case the Self-Service framework will remain on the device, but will not work anymore. Reasons for stopping to report include
- the device is switched off
- the framework has been corrupted
- the framework failed to upgrade when the server side software was upgraded
When a device has been deleted from the database we recommend to first run the command sudo jamf removeframework and then enroll the Mac again as described in https://devices.docs.cern.ch/devices/mac/MacSelfService/Enrolling/.
Expiration of the MDM Profile
The MDM profile is essential for the functioning of the Self-Service. It cexpires after a certain time. The MDM server renews the MDM profile 90 days before the expiration.
Failing MDM Profile Renewals
Due to changes that the vendor made to the contents of the MDM Profile and tightened verification by recent macOS versions the renewal failed for certain versions of the MDM Profile, rendering the Self-Service non-functional.
When the MDM Profile is expired it is necessary to remove the non-functional framework by running sudo jamf removeframework, and then enroll the Mac again as described in https://devices.docs.cern.ch/devices/mac/MacSelfService/Enrolling/.
MDM Profile not 'User Approved'
In the early days of the MDM it was sufficeint to install the MDM Profile on the Mac. At same stage Apple introduced the user approval for the installation, so users were asks at least twice whether they indeed want to install the MDM Profile. Unfortunately nothing triggered the user for approval of an MDM Profile that was already installed. This left us with some hundred Macs that have an unapproved MDM profile installed.
Many Self-Service items do not work on devices that have an unapproved MDM Profile.
When you see the item "MDM Profile not approved" in the Self-Service app please open the "System Preferences" (called "System Settings" since macOS Ventura) go to the "Profiles" pane, double click the "MDM Profile", check that it is provided by CERN, and approve it.
Self-Service shows "No items"
It can happen that the Self-Service app shows "No items" after the login. This indicates a problem with the enrolment that needs to be corrected on the server side, no user interaction can fix this. Please open a ticket with the Service Desk.
The clock on the Mac is off
The Mac Self-Service requires that the clock on the Mac is sufficiently correct. When the clock is off by too much, all items in the Self-Service will fail. Further symptoms:
- the clock shows a worong time
- in /var/log/jamf.log you see "Clock Skew Error"
Solution: correct the system time on the Mac and make sure a timeserver is activated.
Please Report all Self-Service Related Problems to the Service Desk
We can discover some Self-Service issues on the server side, but for the majority of issues we rely on you reporting malfunctions to become aware of problems. So please report any issues with the Self-Service to the Service Desk, see https://cern.service-now.com/service-portal. You should specify one of the following three quantities, so we can identify your Mac's entry on our server: