@matthewbodaly
Last active August 2, 2022 14:17
Need to find if a profile is installed on a computer? Here's how I did it.

I was having problems deploying a profile to a set of computers. I've observed that occasionally MDM needs to be reset on a computer (thanks Apple / JAMF). About 50% of computers in this set were still showing as "pending" for a specific profile. This is after confirming the computers in the office and I've spammed "send blank push" and have cancelled all pending / failed commands. These computers were still regularly checking in, so that part worked.

Part 1. - Test and Detect
-- Deploy SadMDM (or sadderMDM) manually via Self Service to a few affected computers to verify that this works on the network. You can see the commands for SadMDM (there's got to be a better name for this) here: (https://gist.github.com/matthewbodaly/818be381744261a432b4794a410b8bc9)
-- Add the EA below to the JSS. This will show all installed profiles as an Extension attribute.
-- Make a smart group that has "Is Not Like" the UUID of the profile you are searching for. You could do another thing, but ... UUID is harder to masquerade and more unique.

Part 2. - Deploy
-- Change the SadMDM policy from a Self Service policy to specifically pointed to a Smart Group of computers that don't have the policy.
-- Add an inventory checkin to the end of the policy

Part 3. - Wait
-- This part is pretty annoying only because my patience for waiting is so low.
-- Watch the Configuration Profiles page and watch the number of computers that say "remaining", drop.

Part 4. - Profit
-- This is probably a bit of overkill, but it works. Ideally I'd like to get a bit more granular instead of a full delete and readd of profiles as it could lead to "unexpected results". I mean I'd also like it if I was able to better monitor and control MDM states. In this data set, some of the computers that didn't have the profile were in an unmanaged state either by hook or crook. That part will take a bit more research, but I got the thing done.

Notes: I could have done the thing here: (https://gist.github.com/opragel/1e95017d11b6491f53b1#file-ea_check_for_config_profile-sh), but I noticed clients with "Unknown Profiles" and I wanted to use this also for a bit of discovery. The next version of this routine would likely be several EAs with each individual payload UUID called out and a smart group that has computers with missing profiles queued to have their MDM made great again.

:georgebushmissionaccomplishedjetflyover:

#!/bin/bash
# https://www.jamf.com/jamf-nation/discussions/9334/extension-attribute-to-see-config-profile
# https://gist.github.com/matthewbodaly/be92b897b13a5e3d7ba6a5465f5d388f is how to search for a very specific UUID
# Here's the EA I used.
# Collect every PayloadUUID line reported for the installed profiles.
profiles=$(/usr/libexec/mdmclient QueryInstalledProfiles | grep "PayloadUUID")
echo "<result>$profiles</result>"
exit 0
@matthewbodaly
Author

Testing with mdmclient to figure out if that gets me what I want.

@haircut

haircut commented Nov 20, 2016

You can likely use the profiles binary to get what you're after. Here's an example that dumps out the computer level profiles' UUIDs:

profiles -C -v | awk -F: '/attribute: profileUUID/{print $NF}' | sed 's/\ //'

You can change the attribute to name if you'd like something more readable. mdmclient isn't providing much information on my end.
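A per-profile variant of the EA, following the "next version" idea in the gist's notes and the `profiles -C -v` listing used in the comment above. This is an added example, not code from the gist or its commenters: the placeholder UUID, the function names and the sample listing are constructed, and the line shape is assumed from the awk pattern above.

```bash
#!/bin/bash
# Added example: Extension Attribute that reports on ONE profile UUID.
# TARGET_UUID is a placeholder, not a real profile UUID.
TARGET_UUID="00000000-0000-0000-0000-000000000000"

# Pull the profile UUIDs out of `profiles -C -v` style text on stdin.
# Assumed line shape: "<scope>[n] attribute: profileUUID: <uuid>"
extract_uuids() {
    awk -F: '/attribute: profileUUID/ {
        gsub(/[ \t\r]/, "", $NF)   # strip padding around the value
        print $NF
    }'
}

# Print Installed / Missing / Unknown for UUID $1, listing on stdin.
profile_state() {
    uuids=$(extract_uuids)
    if [ -z "$uuids" ]; then
        # Nothing listed: no profiles at all, or the query did not run as
        # root. Report it separately so it is not mistaken for "Missing".
        echo "Unknown"
    elif printf '%s\n' "$uuids" | grep -Fxqi -- "$1"; then
        # -F literal, -x whole line, -i case-insensitive: a partial or
        # look-alike UUID does not count as a match.
        echo "Installed"
    else
        echo "Missing"
    fi
}

# Constructed sample listing for offline runs (not captured from a real Mac).
SAMPLE_LISTING='_computerlevel[1] attribute: name: Wi-Fi (constructed)
_computerlevel[1] attribute: profileUUID: 11111111-2222-3333-4444-555555555555
_computerlevel[2] attribute: name: VPN (constructed)
_computerlevel[2] attribute: profileUUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'

# On a managed Mac, feed the live listing instead of the sample:
#   profiles -C -v 2>/dev/null | profile_state "$TARGET_UUID"
echo "<result>$(printf '%s\n' "$SAMPLE_LISTING" | profile_state "$TARGET_UUID")</result>"
```

With this EA a smart group can match on the exact value "Missing" instead of an "Is Not Like" substring test, and "Unknown" machines can be reviewed before any MDM reset is scoped to them.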

@MScottBlake

mdmclient only returns info if you are running as root. It also says it is "Used internally for communication with Configuration Profile management server. Part of Managed Client (MCX)."

I'm not sure I would rely on that tool.

@matthewbodaly
Author

I go back and forth. mdmclient is pretty cool, but I don't know how reliable it is (or will be) because little is documented. However, using it to get information for reporting ... seems to work.

@terraelettrica

Hi all,
I tried to look for Query Security Info but the Terminal gives me this error:
mdmclient

Maybe there is something irregular on my MacBook?

Thank you
