I was having problems deploying a profile to a set of computers. I've observed that occasionally MDM needs to be reset on a computer (thanks Apple / JAMF). About 50% of computers in this set were still showing as "pending" for a specific profile. This is after confirming the computers in the office and I've spammed "send blank push" and have cancelled all pending / failed commands. These computers were still regularly checking in, so that part worked.
Part 1. - Test and Detect
-- Deploy SadMDM (or sadderMDM) manually via Self Service to a few affected computers to verify that this works on the network. You can see the commands for SadMDM (there's got to be a better name for this) here: (https://gist.github.com/matthewbodaly/818be381744261a432b4794a410b8bc9)
-- Add the EA below to the JSS. This will show all installed profiles as an Extension Attribute.
-- Make a smart group that has "Is Not Like" the UUID of the profile you are searching for. You could do another thing, but ... UUID is harder to masquerade and more unique.
Part 2. - Deploy
-- Change the SadMDM policy from a Self Service policy to one specifically pointed at a Smart Group of computers that don't have the policy.
-- Add an inventory check-in to the end of the policy.
Part 3. - Wait
-- This part is pretty annoying only because my patience for waiting is so low.
-- Watch the Configuration Profiles page and watch the number of computers that say "remaining" drop.
Part 4. - Profit
-- This is probably a bit of overkill, but it works. Ideally I'd like to get a bit more granular instead of a full delete and re-add of profiles as it could lead to "unexpected results". I mean I'd also like it if I was able to better monitor and control MDM states. In this data set, some of the computers that didn't have the profile were in an unmanaged state either by hook or crook. That part will take a bit more research, but I got the thing done.
Notes: I could have done the thing here: (https://gist.github.com/opragel/1e95017d11b6491f53b1#file-ea_check_for_config_profile-sh), but I noticed clients with "Unknown Profiles" and I wanted to use this also for a bit of discovery. The next version of this routine would likely be several EAs with each individual payload UUID called out and a smart group that has computers with missing profiles queued to have their MDM made great again.
:georgebushmissionaccomplishedjetflyover:
Testing with mdmclient to figure out if that gets me what I want.
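
The extension attribute referred to in Part 1 is not included in the post. The following is an added example of such an EA, not the original poster's script: it lists each computer-level profile as UUID plus name, so a smart group can match "Is Not Like" a given UUID. It assumes `profiles -C -v` prints `attribute: name:` and `attribute: profileUUID:` lines in the form shown; the sample output, function names, and UUIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the original poster's EA.
# Assumption: `profiles -C -v` prints per-profile lines such as
#   _computerlevel[1] attribute: profileUUID: <uuid>

# Constructed sample output (names and UUIDs are made up).
SAMPLE='There are 2 configuration profiles installed

_computerlevel[1] attribute: name: MDM Profile
_computerlevel[1] attribute: profileIdentifier: com.example.mdm
_computerlevel[1] attribute: profileUUID: 00000000-0000-0000-0000-000000000001
_computerlevel[1] payload[1] name = MDM
_computerlevel[2] attribute: profileUUID: 00000000-0000-0000-0000-000000000002
_computerlevel[2] attribute: name: Wi-Fi: Office'

# Read verbose output on stdin; print "UUID<TAB>name", one line per profile.
# Attributes are grouped by the _computerlevel[N] prefix, in any order.
parse_profiles() {
  awk '
    function note(k) { if (!(k in seen)) { seen[k] = 1; order[++n] = k } }
    function val(label,  v) { v = $0; sub("^.* attribute: " label ": ", "", v); return v }
    / attribute: name: /        { note($1); name[$1] = val("name") }
    / attribute: profileUUID: / { note($1); uuid[$1] = val("profileUUID") }
    END {
      for (i = 1; i <= n; i++) {
        k = order[i]
        printf "%s\t%s\n", (uuid[k] == "" ? "unknown-uuid" : uuid[k]), name[k]
      }
    }'
}

# Wrap the parsed list in the <result> tags Jamf reads from an EA script.
ea_result() {
  printf '<result>%s</result>\n' "$(parse_profiles)"
}

# Exit 0 if the given UUID is installed (exact match on the UUID column).
has_profile_uuid() {
  parse_profiles | awk -F '\t' -v want="$1" '$1 == want { found = 1 } END { exit !found }'
}

# On a managed Mac (EA scripts run as root) emit the EA value.
if command -v profiles >/dev/null 2>&1; then
  profiles -C -v | ea_result
fi
```
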