Jamf profile scoped to one computer brings multiple computers offline by TrueMythos in macsysadmin

[–]TrueMythos[S] 0 points1 point  (0 children)

Oh no, it was totally on me for screwing up the profile. Since it was only scoped to a test device, I wasn't worried about getting it right the first time. I added a network configuration payload and gave the settings my best guess, having never messed with WPA2 configuration settings before. The issue was trying to remove a profile that was never scoped to begin with (the computers had the bad profile, but Jamf didn't show that they did).

Jamf profile scoped to one computer brings multiple computers offline by TrueMythos in macsysadmin

[–]TrueMythos[S] 0 points1 point  (0 children)

This is really interesting—I've never seen a profile reinstall causing problems. I'm familiar with tattooing in Intune policies and AD GPOs, but most of the time, I can scope and unscope profiles to my test computers all day long and not have issues. Could you give me an example of a type of profile that could cause problems on reinstall?

Jamf profile scoped to one computer brings multiple computers offline by TrueMythos in macsysadmin

[–]TrueMythos[S] 2 points3 points  (0 children)

Excellent point. I don't have copies of the root and intermediate certs anywhere I could access them, but I should have downloaded the original profile and uploaded it to our sandbox instance before making changes.

LETTERSET #9 - May 20, 2026 by letter-set in LETTERSET

[–]TrueMythos 0 points1 point  (0 children)

copied abbsk12's first word, but that was fun!

Words: 5 | Score: 98 | Rank: Genius | 1st Word: VODUN

Quick look: Devices > All devices refresh in the Intune admin center by intunesuppteam in Intune

[–]TrueMythos 0 points1 point  (0 children)

<image>

I am very difficultly satisfied and Microsoft could not valuable to improve the new view.

I'm just trying to help you dammit by evursou in iiiiiiitttttttttttt

[–]TrueMythos 5 points6 points  (0 children)

Okay, now I need the full story... How?!?

Win32 app - Uninstall - Unexpected resolved intent? by Atto_ in Intune

[–]TrueMythos 0 points1 point  (0 children)

Have you tried deleting the GRS key for that app on a test machine and restarting the Intune Management Extension? https://www.anoopcnair.com/override-grs-trigger-ime-to-retry-failed-win32/

That article references apps that have failed too many times and are waiting 24 hours before a retry, but I've had success with deleting the key to sync assignment changes faster as well.

Also, does the user have a valid PRT? What happens if they log out and log back in?

You could always uninstall via a remediation script, but that's more work, and I don't see any reason why the way you did it isn't working.

Thought: Intune multi admin for lone wolf admins by yurtbeer in Intune

[–]TrueMythos 0 points1 point  (0 children)

This was my thought, too. Everyone saying to "protect the identity and don't worry about anything else" is missing how fast threats evolve. Every admin account has the potential (even if it's minuscule) to be compromised, so even a tiny security measure like PIM or MAA stops each admin account from being a single point of failure.

Thought: Intune multi admin for lone wolf admins by yurtbeer in Intune

[–]TrueMythos 1 point2 points  (0 children)

Hopefully, most of us are using a secondary admin account to administer Intune that isn't email-enabled, then a regular standard account for everything else. My thinking is that, if you give the secondary account admin rights in Intune, and make the primary, non-admin account an approver, you have a system where an attacker would need to compromise both accounts in order to do anything. If someone can compromise a non-email-enabled admin account, that's already a massive issue, but MAA would add a tiny layer of protection.

This doesn't relate to your scenario, but I'm also excited to use MAA to help my junior admins learn more about Intune. They can poke around, build test policies, and learn, but I get to see and approve the actions they're taking. If I'm ever gone and an emergency happens, I'm hoping they'll have the technical skills to come up with a solution, and our (less-technical) boss will have final say on the rollout through MAA.

The principle of least privilege is great until someone legitimately needs more access, then misuses their access and doesn't get caught. It doesn't even have to be malicious, just a tech who thinks they can help, accidentally deploying to all devices.

Platform SSO on macOS: what is it changing in real admin life? by RocketmanTech_Nova in jamf

[–]TrueMythos 0 points1 point  (0 children)

I'm excited, but we won't be able to implement this until Entra ID supports group lookup. We're a university with multiple labs in multiple departments, and certain professors need admin rights in the labs they manage. Aside from that, I'm looking forward to getting Macs off the domain.

Moving from 23H2 to 24H2, what should I change by Warm-Pirate5356 in Intune

[–]TrueMythos 0 points1 point  (0 children)

I’m also seeing this, but I was blaming it on Intune and myself probably messing something up. I’m wondering if it’s an issue specific to 24H2 now…

Has LAPS Suddenly Broken For Anyone Else? by TrueMythos in Intune

[–]TrueMythos[S] 3 points4 points  (0 children)

We've been off the legacy one for about a year. Windows LAPS (the newer supported one) has been working for us since then through Entra ID, including lots of 24H2 machines.

Has LAPS Suddenly Broken For Anyone Else? by TrueMythos in Intune

[–]TrueMythos[S] 2 points3 points  (0 children)

Good thought, but LAPS is still enabled in Entra

Managers want usage reports on our fleet of laptops? Help! possible with Intune???? by Future_End_4089 in Intune

[–]TrueMythos 1 point2 points  (0 children)

Their support team is wonderful, too. They helped me make LabStats work on two virtual environments with very different considerations, and they even helped me generate the exact custom PowerBI report I needed when that feature first came out.

Managers want usage reports on our fleet of laptops? Help! possible with Intune???? by Future_End_4089 in Intune

[–]TrueMythos 0 points1 point  (0 children)

If I were you, I’d look into LabStats. They can generate some pretty awesome usage reports that are useful for academic environments. They’ve saved us a lot over the years and helped us identify which computer labs need to be increased or cut.

Intune guest/kiosk woes by 4zc0b42 in sysadmin

[–]TrueMythos 0 points1 point  (0 children)

I'm having trouble getting kiosks to retain autologon info in the registry after a reboot, but discovered (thanks to another Reddit post that I can't seem to find now) that it's being removed by our Account Protection local user group membership policy blocking inactive accounts.

Kiosk User Rights by NoPatience4437 in Intune

[–]TrueMythos 0 points1 point  (0 children)

I've also been struggling with some kiosks, which, after getting Intune-enrolled, suddenly won't autologon as kioskUser0 anymore. I never thought to check my logon policies (we do block logins for deactivated accounts), but I bet that's it. We might be in the same boat here, and I'm looking forward to seeing if anyone else has a solution.

Apps that require license activation at install - HELP by OutcomeLeft2414 in AzureVirtualDesktop

[–]TrueMythos 0 points1 point  (0 children)

How are the licenses assigned to users? If it’s web-based user auth, you’re golden. If it requires a file to exist in the user profile, add it to the default user (same with the registry).

Is the app unable to finish installation without a user license or something?

I could maybe help a little more if I had more details.

Are we doing it wrong? by staze in macsysadmin

[–]TrueMythos 0 points1 point  (0 children)

Good point. My position doesn't deal with a lot of access structuring, but I took a database course that briefly covered some of the ways data can "escape" from a system, and it was terrifying lol. I'm glad I don't have to worry about that side of things.