Troubleshooting Mac Unresponsive Issues in MDM
The macOS device is not responding to the Hexnode portal even if the device is switched on and connected to the internet.
Possible troubleshooting methods:
- Make sure your device has a stable internet connection. If the current network connection is unstable or if it doesn’t have sufficient speed, you can try connecting your device to a different network and check whether the device is responding to the Hexnode server by performing a Scan Device action.
- Update your device to the latest OS version and try performing a Scan Device action to check whether the device is responding to the Hexnode server.
- Make sure the APNs token is not expired. The APNs certificate has a validity of one year and needs to be renewed every year. If the APNs token is expired, you will not be able to perform any actions/functions using the MDM protocol.
Follow the steps given below to renew the APNs certificate:
- Navigate to Admin > APNs and click on Renew Certificate.
- Click on Generate CSR to download the CSR file.
- Log in to the Apple Push Certificates Portal using your Apple ID credentials.
- Identify the certificate that is to be renewed using the Expiration date provided in the portal.
- Select the certificate and click on Renew.
- Upload the CSR file; the updated APNs certificate then gets downloaded automatically to the device.
- Upload the new APNs certificate back in the Hexnode portal.
The APNs certificate will get renewed and will be valid for another year.
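As an added example (not part of Hexnode's documentation), the shell functions below report whether an APNs certificate is expired or close to expiry, so the renewal can be scheduled before MDM commands stop working. They assume the certificate downloaded from the Apple Push Certificates Portal is saved as a PEM file and that openssl is installed; the function names and the 30-day warning window are assumptions.

```shell
#!/bin/sh
# Added example: classify an APNs push certificate by remaining validity.
# Usage: apns_cert_status <cert.pem> [warn_days]
# Prints one of: ok | renew-soon | expired | unreadable
apns_cert_status() {
    cert="$1"
    warn_days="${2:-30}"   # assumed warning window, in days

    # Reject anything openssl cannot parse as a PEM X.509 certificate.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "unreadable"
        return 2
    fi

    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired"
        return 1
    fi

    if ! openssl x509 -in "$cert" -noout \
            -checkend "$((warn_days * 86400))" >/dev/null 2>&1; then
        echo "renew-soon"
        return 1
    fi

    echo "ok"
}

# Print subject and expiry date so the file can be matched against the
# Expiration date shown for the certificate in the Apple portal.
apns_cert_summary() {
    openssl x509 -in "$1" -noout -subject -enddate
}

# Run directly: ./apns_check.sh MDM_cert.pem 30   (file names are placeholders)
if [ -n "${1:-}" ]; then
    apns_cert_summary "$1"
    apns_cert_status "$@"
fi
```

A non-zero exit status means the certificate needs attention, so the script can be run from a scheduled job that alerts on failure.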
- If the device is not DEP-enrolled, you can try re-enrolling the device back into the Hexnode portal by following the steps given below:
- In the device, navigate to System Preferences > Profiles.
- Remove the Hexnode MDM profile and enroll the device back into the Hexnode portal.
- Perform the Scan Device action to confirm whether the device is responding.
- Your Apple devices make use of certain hosts and ports to establish a persistent connection with the APNs server. Make sure the following host and ports related to APNs are not blocked in your Firewall settings:
- Host – *.push.apple.com
- Ports – 443, 80, 5223, 2197
If any of the above-mentioned hosts or ports are blocked, they need to be unblocked.
- To re-establish connection with the APNs server, you can try resetting your network settings. Follow the steps given below to reset your network settings:
- Navigate to System Preferences > Network.
- Select Wi-Fi from the left menu and click on the “–” button to remove the existing network configurations.
- Click on the “+” button and from the dropdown, select Wi-Fi to set up a new connection.
Restart the device and perform the Scan Device action from the portal to test whether the connection has been re-established with the device.
- Troubleshooting your device using the sysdiagnose file. The sysdiagnose troubleshooting method can be performed on your device using the steps given below:
- Download the APNs mobileconfig profile from Profiles and Logs.
- Navigate to System Preferences > Profiles and install the downloaded profile.
- Press the following keys to perform the sysdiagnose process from the Finder:
Command + Option + Shift + Control + Period (.)
The process can take up to 10 minutes to complete.
- Once the process is completed, the folder “/private/var/tmp/” will automatically appear in the Finder and the sysdiagnose file name will look similar to this:
- Along with your report, you can attach the sysdiagnose file that appears in /private/var/tmp/ to understand the issue in detail.
- You can analyse and troubleshoot the sysdiagnose file by yourself or you can contact our support team for further assistance.
- Once the troubleshooting process is completed, you can remove the mobileconfig file from the device.
You can also perform the sysdiagnose operation using the Terminal. Download the sysdiagnose instruction file for macOS from Profiles and Logs to get a detailed explanation of the sysdiagnose troubleshooting method.
- In some instances, the macOS device token will not get fetched into the Hexnode portal. You will not be able to communicate with a device via any third-party MDM or application without the APNs device token. The device token is sent along with any notification that is sent to the Apple Push Notification server in order to identify the device to which the notification is to be sent. Similarly, if the Hexnode Root CA certificate is deleted on the device end, the device will not ping the server.
- In case of non-DEP devices, you can manually re-enroll your device by removing the MDM profile from the device and re-installing it again. You will have to be an admin user in order to remove the MDM profile from devices running on macOS 10.15 and above.
- In case of DEP devices, you can enter the following terminal command manually on the device to re-install the MDM profile:
sudo profiles renew -type enrollment
The MDM profile will get re-installed on the device. During device re-enrollment, APNs token will be fetched from the device.
Removing a non-removable MDM profile
If it’s a non-removable MDM profile, follow the steps below to remove it:
- Boot the Mac into Recovery Mode.
- Go to the Utilities menu, open Terminal and type:
Press return and type:
On pressing return, you can view the name of your hard drive (Ex: Macintosh HD) as the output. Replace “Macintosh\ HD” with the hard drive name in the command below.
cd Macintosh\ HD
Type the following command to navigate further to the exact location of the configuration profiles in the directory.
To verify your position in the directory structure, type the pwd command and press return. Now, you will view the output as /Volumes/Macintosh HD/var/db/ConfigurationProfiles (or with your hard drive name in place of “Macintosh HD”).
Enter the commands below once you are in the right directory:
rm -rf *
- Restart the device.
After you restart the Mac, you can log in and run "sudo profiles renew -type enrollment" command to re-install the MDM profile on your device.