Hey Hexnode, I’ve been trying to push a couple of policies to our macOS devices, and I’m getting the following error.
“Device profile policy association is successful. User profile policy association has failed. User token could not be fetched to the server.”
It seems like this is happening only on a few devices, not all. Can someone explain what this means?
254 Views
Hey @josiah, Thanks for reaching out to Hexnode Connect.
The error you are referring to can be seen in certain scenarios, and is tied to how macOS handles user identity during MDM enrollment.
When a macOS device is enrolled, Hexnode maps the policy association to the user account that performed the enrollment. If the device is later being used or logged into with a different local user account, macOS won’t return the required user token, which leads to the failure you’re seeing in the user profile part of the policy.
That explains why your device profile applies successfully (since that’s machine-level), while the user profile fails.
Here’s how you can fix it:
Please try the following steps on the devices where user profile policies are failing:
|
1 |
sudo profiles renew -type enrollment |
This resets the current logged-in user as the default enrolled user, which allows macOS to generate a fresh user token. After this, your user profile policies should start associating successfully.
If you run into anything else or need further assistance, feel free to reach out; we’re always happy to help.
Best regards,
George
Hexnode UEM
Hey George!
Our Hexnode tenant is synced with our EntraID tenant, and my macOS device was enrolled at activation (linked to Hexnode via Apple Business Manager) using an EntraID account. During the enrollment process, I am prompted to create a local user account (which is what I am currently logged in as). When I look in my portal, I see that this local account has “Secure Token” as “Granted”. Is that the same thing? I am currently unable to push user profile policy settings as it is.
Looks like you’re running into the same issue I had.
Also, Secure Token is a different thing altogether, so it’s not the same as the user token needed for user profile policy association.
I’d suggest running the same command @george mentioned while you’re logged in to the local account you’re currently using. That should resolve it:
|
1 |
sudo profiles renew -type enrollment |
From what you described, it sounds like your device was enrolled through ADE. Usually, a managed admin account is created automatically during enrollment. But since you mentioned you were prompted to create a new local user account during setup, this might be a separate local account (not the managed admin account).
If your enrollment profile was configured to create a user during enrollment, that would explain this behaviour.
Hey @mdjump, @josiah is absolutely on point here.
Secure Token isn’t the same as the user token required for user profile policy association.
So please go ahead and run the same command @josiah mentioned on the affected Mac (while logged into the current user account).
If your setup looks different or this still doesn’t resolve it, feel free to reach out and we’ll be happy to help.
Cheers,
George
Hexnode UEM
Don't have an account? Sign up
