Troubleshooting Broken Jamf Pro Device Records

Broken or partially functional device records in Jamf Pro can be frustrating to diagnose. Devices may still appear in inventory but stop receiving policies, fail to process MDM commands, or stop checking in entirely.


In many cases, administrators jump straight to wiping or reenrolling the device, but that’s often unnecessary. A structured troubleshooting approach can usually identify whether the problem lies with the Jamf Agent, the MDM profile, or the enrollment relationship.

This guide walks through a practical troubleshooting process used by experienced Jamf administrators.


Understanding Jamf Management Components

Before troubleshooting, it’s important to understand that Jamf management relies on two separate components working together.


Jamf Agent (Jamf Management Framework)

The Jamf Agent is responsible for:

  • Running policies

  • Executing scripts and packages

  • Performing recurring check-ins

  • Updating inventory


If the Jamf Agent breaks, policies stop running even though the device still appears in Jamf.


MDM Profile

The MDM profile enables Apple’s Mobile Device Management framework and allows Jamf to send:

  • Configuration profiles

  • Remote commands

  • Security actions (lock, wipe)

  • Software update commands


A device may still have a working Jamf Agent while the MDM profile is broken, or the opposite may be true. Understanding which component has failed is the key to troubleshooting efficiently.


Review the Device Inventory Data

Before making any changes, start by reviewing the device record in Jamf Pro.


Key Indicators to Review

Several fields in the device record provide important clues about the device’s current management state.

You should review:

  • Managed status

  • MDM capability

  • Last check-in time

  • Policy logs

  • Completed MDM commands


These indicators help determine whether the issue is related to Jamf policy execution, MDM communication, or enrollment trust.


Verify Device Management Status

The first thing to verify is whether the device is marked as Managed in Jamf Pro.

If the device status shows Not Managed, Jamf will not execute policies or apply management tasks. Restoring the managed state may immediately restore functionality.


Confirm MDM Capability

Next, verify whether the device is MDM Capable.

If this field shows No, the device cannot receive:

  • Configuration profiles

  • Security commands

  • Remote management actions


This usually indicates an issue with the MDM profile or enrollment state.


Check Jamf Agent Communication

The Last Check-In timestamp indicates whether the Jamf Agent is still communicating with the Jamf server.


If the device has not checked in recently, it may indicate:

  • Jamf framework corruption

  • Certificate issues

  • Network connectivity problems

  • A broken Jamf binary


Devices that have not checked in for an extended period often require the Jamf Management Framework to be redeployed.


Review Policy Activity

Policy logs reveal whether the Jamf Agent is successfully executing policies.

If there are no recent policy logs, the Jamf Agent is likely not functioning correctly.

Common causes include:

  • Framework corruption

  • Trust relationship issues

  • Expired certificates


Check MDM Command Activity

If policies are failing, check whether MDM commands are still completing successfully.


Repairing the Jamf Management Framework

Before ripping everything out and starting over, let's try to repair the Jamf Management Framework. This works well when MDM commands are completing but Jamf policies are not, which indicates that the Jamf Management Framework itself may be damaged.


Redeploy the Jamf Framework via the API

The framework can be redeployed using the Jamf API.

Steps

  1. Open the Jamf API documentation.

    1. This is located at https://YOUR-JAMF-SERVER-URL/api/doc/#/jamf-management-framework/post_v1_jamf_management_framework_redeploy__id_

  2. Authenticate at the top of the page

  3. Use the endpoint: POST /v1/jamf-management-framework/redeploy/{id}

  4. Click "Try it Out"

  5. Enter the device ID.

  6. Click Execute.



This triggers a redeployment of the Jamf Management Framework and often restores policy execution.
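The same redeploy, triggered from a shell on an admin workstation instead of the API documentation page. This is an added example, not from the original post or from Jamf; it assumes the environment variables JAMF_URL, JAMF_USER and JAMF_PASS (an account permitted to redeploy the framework) and the Jamf Pro API token endpoints.

```shell
#!/bin/sh
# Added example (not from the original post or Jamf's own tooling): trigger the
# Jamf Management Framework redeploy for one computer via the Jamf Pro API.
# Assumed environment: JAMF_URL (server base URL), JAMF_USER and JAMF_PASS.
# The redeploy is delivered over MDM, so MDM must still be working on the Mac.

# Pull the bearer token out of the JSON returned by /api/v1/auth/token.
extract_token() {
    sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Build the redeploy URL; refuses anything but a numeric computer ID so a
# pasted name or UUID cannot reach the API by accident.
redeploy_url() {
    base=${1%/}; id=$2
    case "$id" in
        ''|*[!0-9]*) echo "redeploy_url: computer ID must be numeric: '$id'" >&2; return 1 ;;
    esac
    echo "$base/api/v1/jamf-management-framework/redeploy/$id"
}

# Authenticate, send the redeploy, then invalidate the token so it cannot be reused.
redeploy_framework() {
    url=$(redeploy_url "$JAMF_URL" "$1") || return 1
    token=$(curl -sf -u "$JAMF_USER:$JAMF_PASS" -X POST \
        "${JAMF_URL%/}/api/v1/auth/token" | extract_token)
    [ -n "$token" ] || { echo "authentication failed" >&2; return 1; }
    code=$(curl -s -o /dev/null -w '%{http_code}' -X POST \
        -H "Authorization: Bearer $token" -H 'Accept: application/json' "$url")
    curl -s -o /dev/null -X POST -H "Authorization: Bearer $token" \
        "${JAMF_URL%/}/api/v1/auth/invalidate-token"
    case "$code" in
        2*) echo "redeploy accepted for computer $1 (HTTP $code)" ;;
        *)  echo "redeploy failed for computer $1 (HTTP $code)" >&2; return 1 ;;
    esac
}

# Usage: JAMF_URL=... JAMF_USER=... JAMF_PASS=... sh redeploy.sh <computer-id>
if [ $# -eq 1 ]; then
    redeploy_framework "$1"
fi
```

The computer ID is the numeric ID from the device record URL in Jamf Pro, the same value the documentation page asks for.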


Testing the Jamf Agent on the Device

If redeploying the framework does not resolve the issue, the next step is to test the Jamf Agent locally on the Mac.

Run a Manual Policy

Ask the user to run the following command in Terminal:

sudo jamf policy

Review the output carefully.

If the logs show something like:

Device Signature Error

the device has lost its trust relationship with Jamf and will likely need to be reenrolled.


Attempting Enrollment Renewal

Sometimes the enrollment relationship can be repaired without removing Jamf entirely.


Renew the Enrollment Profile

Run the following command:

sudo profiles renew -type enrollment

Steps

  1. Open Terminal on the affected Mac.

  2. Run the command above.

  3. Follow the prompts presented by macOS.


If the Mac is enrolled through Automated Device Enrollment, this command may restore the MDM connection. In most cases, however, it will fail because there is already an MDM profile on the device. This is expected: normally the existing MDM profile has to be removed first. Occasionally, though, the command simply renews the profile, which means we do not have to go down that path.


If the command returns a message indicating:

No Device Enrollment configuration was found for this computer

then the Mac is not enrolled through DEP and must be enrolled manually.


Removing the MDM Profile

If repairing the management framework didn't work, we will have to re-enroll the Mac. The first step is to remove the MDM Profile.


Remove the Profile from System Settings

Navigate to:

  • System Settings → Device Management

  • Locate the MDM Profile and select Unenroll.



If the profile is removable, this disconnects the device from Jamf management.


Removing the Jamf Framework

After removing the MDM profile, the Jamf Management Framework should also be removed.

Run the following command:

sudo jamf removeframework

This removes the Jamf agent and prepares the device for a clean enrollment.


Removing the Profile from Jamf Pro

If the MDM profile cannot be removed locally, you may attempt to remove it remotely from Jamf.


Send the Unmanage Command

Open the device record in Jamf Pro and select Remove MDM Profile.

This sends an MDM command instructing the device to remove its MDM profile. However, if the device is no longer communicating with Jamf, this command may not succeed.


Last Resort: Removing the Profile Using Recovery Mode

If the MDM profile cannot be removed through normal methods, you may need to remove it manually by temporarily disabling System Integrity Protection (SIP).

This situation typically occurs when:

  • The MDM profile is non-removable

  • The device is no longer communicating with Jamf

  • The Unmanage command fails

  • The MDM framework is broken

Disabling SIP allows you to remove the profile locally so the device can be re-enrolled.

⚠️ Important: This should only be used as a last troubleshooting step, since SIP protects important system components.


Step 1: Boot into macOS Recovery

  1. Shut down the Mac.

  2. Turn it back on.

Apple Silicon Macs

Hold the power button until you see:

Loading startup options

Then click Options → Continue.

Intel Macs

Turn on the Mac and immediately hold:

Command (⌘) + R

until the Apple logo appears.

This will boot the Mac into macOS Recovery.


Step 2: Open Terminal in Recovery

Once in the recovery environment:

  1. Click Utilities in the top menu bar.

  2. Select Terminal.


Step 3: Disable System Integrity Protection (SIP)

In Terminal, run:

csrutil disable

You should see a message confirming that SIP has been disabled.

Example output:

Successfully disabled System Integrity Protection. Please restart the machine for the changes to take effect.

Restart the Mac.


Step 4: Remove the MDM Profile

Once macOS boots normally again, remove the profile.

Open System Settings → Privacy & Security → Profiles

Locate the MDM Profile and click Remove or Unenroll.


If the profile was previously non-removable, it should now be removable.


Step 5: Remove the Jamf Framework

After removing the profile, remove the Jamf framework to ensure a clean enrollment.

Run:

sudo jamf removeframework

This completely removes the Jamf agent from the Mac.


Step 6: Re-enable System Integrity Protection

After the profile has been removed, SIP should be re-enabled.


Boot back into Recovery Mode

Follow the same steps used earlier to enter macOS Recovery.


In Terminal, run:

csrutil enable

You should see a message confirming that SIP has been enabled.

Example output:

Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.

Restart the Mac.


⚠️ Important Note

Disabling SIP should always be temporary. Leaving it disabled can expose the system to security risks and break expected macOS protections. Always re-enable SIP immediately after removing the profile.


Re-Enrolling the Device

Once the MDM profile and Jamf Management Framework have been removed, the Mac is no longer managed and can be enrolled again.


The re-enrollment method depends on how the device is assigned in your organization. Most environments use Automated Device Enrollment (ADE) through Apple Business Manager, but some Macs may still require manual enrollment.


Before proceeding, it’s a good idea to verify that the previous management components were successfully removed.


You can confirm this by checking:

  • System Settings → Privacy & Security → Device Management (there should be no MDM profile present)


and running:

sudo jamf checkJSSConnection

If the Jamf framework was removed correctly, the command should indicate that the device is not managed.


Automated Device Enrollment (DEP / ADE)

If the Mac is assigned in Apple Business Manager and scoped to your Jamf server, the easiest way to re-enroll it is by triggering the enrollment process again.

macOS includes a built-in command that checks with Apple’s device enrollment service and installs the correct MDM profile.

sudo profiles renew -type enrollment

If the Mac is properly assigned in Apple Business Manager, you will see an enrollment prompt appear shortly after running the command.

The user may be prompted to:

  • approve remote management

  • authenticate with company credentials

  • complete enrollment steps depending on your configuration


Once enrollment completes, Jamf will automatically reinstall the Jamf Management Framework, and policies should begin running again.


A Quick Tip

If the device fails to re-enroll using profiles renew -type enrollment, double-check that:

  • the Mac is assigned to your Jamf server in Apple Business Manager

  • the assignment has been synced into Jamf Pro

  • the device is not still associated with a previous MDM server


These issues can sometimes prevent the enrollment process from triggering properly.


Manual Enrollment (Jamf Web Enrollment)

If the device is not assigned in Apple Business Manager, the Mac must be enrolled manually.

This is typically done using Jamf Web Enrollment.

  1. Open a browser on the Mac.

  2. Navigate to your Jamf enrollment URL. For example:

  3. Log in using your organization's authentication method.

  4. Follow the enrollment prompts.

  5. Install the MDM profile when prompted.


Once the profile is installed, Jamf will begin installing the Jamf Management Framework, and the device will appear again in Jamf Pro inventory.


Confirming the Device is Fully Enrolled

After enrollment completes, it’s worth confirming that the device is communicating properly with Jamf again. Check the device record in Jamf Pro and verify:

  • Managed Status: Managed

  • MDM Capable: Yes

  • Last Check-In: Recent

  • Policy Logs: New policies executing


You can also run the following command locally to force an immediate policy check:

sudo jamf policy

If the command runs successfully and policies begin executing, the device is fully restored to management.
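The local checks from "Testing the Jamf Agent on the Device", the pre-reenrollment verification, and this confirmation step, folded into one triage helper that classifies the command output instead of asking the user to read logs. This is an added example, not from the original post or from Jamf; "Device Signature Error" is the string the post names, while the other matched strings and the `profiles status -type enrollment` command are assumptions about standard macOS and jamf binary output that may need tuning for your version.

```shell
#!/bin/sh
# Added example, not from the original post: run on the affected Mac to report
# the MDM enrollment state and the Jamf Agent state as single keywords.
# Set JAMF_TRIAGE_RUN=1 to execute the live checks (they need sudo for jamf).

# Classify captured "sudo jamf policy" output. "Device Signature Error" is the
# message the post describes (lost trust, reenroll). The other two patterns
# are assumptions based on common jamf binary output.
classify_policy_output() {
    case "$1" in
        *"Device Signature Error"*) echo "trust-broken" ;;
        *"Executing Policy"*)       echo "agent-ok" ;;
        *"No policies were found"*) echo "agent-ok-no-policies" ;;
        *)                          echo "unknown" ;;
    esac
}

# Classify "profiles status -type enrollment" output (assumed macOS format:
# "Enrolled via DEP: Yes/No" and "MDM enrollment: Yes (User Approved)").
classify_enrollment_status() {
    case "$1" in
        *"MDM enrollment: Yes (User Approved)"*) echo "mdm-enrolled-approved" ;;
        *"MDM enrollment: Yes"*)                 echo "mdm-enrolled-unapproved" ;;
        *"MDM enrollment: No"*)                  echo "mdm-not-enrolled" ;;
        *)                                       echo "unknown" ;;
    esac
}

# Live checks: MDM state first, then the agent. A missing jamf binary after
# "sudo jamf removeframework" is the expected state before re-enrollment.
triage() {
    enroll=$(profiles status -type enrollment 2>&1)
    echo "MDM:   $(classify_enrollment_status "$enroll")"
    if [ -x /usr/local/bin/jamf ]; then
        policy=$(sudo /usr/local/bin/jamf policy 2>&1)
        echo "Agent: $(classify_policy_output "$policy")"
    else
        echo "Agent: binary-missing (framework removed or never installed)"
    fi
}

if [ "${JAMF_TRIAGE_RUN:-0}" = 1 ]; then
    triage
fi
```

A healthy, fully restored Mac reports mdm-enrolled-approved and agent-ok (or agent-ok-no-policies if nothing is scoped to it); trust-broken means the re-enrollment path in this guide is needed.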



Final Thoughts

Troubleshooting Jamf issues becomes much easier once you understand the relationship between the Jamf Management Framework, the MDM profile, and the enrollment process. When one of those components breaks, the symptoms can look confusing, but the fix is usually straightforward.


With a structured approach and the right checks, most devices can be repaired and brought back under management without starting from scratch.


If you need the dream team to step in, shoot us an email at sales@rocketman.tech. We've built tools to not only help identify and fix devices in this state, but also prevent it from happening in the future!
