Profiles are stuck in "Pending" due to missing "ack"

[roperzh]

Fleet version: 4.41.1

Web browser and operating system:

---

💥  Actual behavior

Fleet sets a profile as verifying when it gets the ack from the InstallProfile command.

However we might miss the ack, or the host might fail to send it for a variety of reasons, causing profiles to be stuck inpending forever, even though:

1. The profile is installed in the device
2. We know the profile is installed (via osquery)

Note

The same logic can be applied for failed profiles as well, but we're tracking that as a feature request, this is only about profiles going from pending to verified

🧑‍💻  Steps to reproduce

1. Add a macOS configuration profile
2. Run the following MySQL query: UPDATE host_mdm_configuration_profiles SET status = 'pending'
3. Verify that the host has the profile but Fleet shows the profile as pending
4. Refreshing host vitals should move the profile to "verified"

🛠️ To fix

• Update DB queries that set profile status to allow "pending" profiles:

fleet/server/datastore/mysql/mdm.go

Line 485 in e3c037c

[]interface{}{fleet.MDMDeliveryVerifying, fleet.MDMDeliveryFailed},

[sabrinabuckets]

Following Roberto's instructions above (with the caveat that host_mdm_configuration_profiles needs to be host_mdm_apple_profiles or host_mdm_windows_profiles) I was able to force a newly uploaded profile into Pending status, and then on refetch observe the status change to Verified.

[nonpunctual]

This has been a long-standing problem in Jamf that most admins (including myself) wrote custom extension attributes for, i.e., not relying on  MDM to validate if profiles are nstalled, but, doing something like calling system_profiler SPConfigurationProfileDataType & parsing the output to verify profiles are on the computer. So, even if you have reproduced it & watched it flip from pending to verified I doubt that you will see this 100% of the time.

One major cause of this in customer environments is not having good communication with all of  recommended Enterprise Network URLs / services. https://support.apple.com/en-us/HT210060

2 ways of testing this are 1) https://twocanoes.com/products/mac/push-diagnostics/
2) 's Mac Evaluation Utility which is available for customers enrolled in AppleSeed For IT. I have a recent version of MEU which I will upload to this ticket in case anyone wants to see what it does.

[fleet-release]

Profiles stuck, pending,
A fix brings clarity, peace,
Fleet sails smoothly now.