Issues with deploying policies/actions

We have just set up MCM in our environment and are experiencing issues when deploying policies and actions. I have a Windows target device (Windows 10 22H2) that I have enrolled to MCM, but every policy and/or action I try to deploy never completes as the enrolled device seems to stay in the “not reported” status indefinitely (or until the task is terminated in BF console). Have we missed something in configuration of MCM or has anyone else seen this issue?

I think we’ll need some more detail.

When you enroll in MCM, you can have two distinct types of devices for each endpoint - the ‘native agent’ which is the BESClient service running in the endpoint’s native OS, and the “MCM Agent” which is the MCM functionality. These two endpoints can be represented in a single “correlated” computer object but still operate independently.

When you send an Action, you might be sending an “MCM action” (like ‘Wipe Disk’ or ‘Lock Device’) that is targeted & processed to the MCM agent, or a “native action” (like “install a patch”) that is targeted & processed by the native agent.

So, first - do you have both the ‘native agent’ and ‘mcm device’ agent for these endpoints? And what kind of Action are you sending?

I apologize for my ignorance, but how is the ‘mcm device’ agent obtained? The target device already had the ‘native agent’, and I enrolled it through bulk enrollment as this is the method we are going to utilize for enrolling devices in our environment. I currently have the “Restart” action deploying to the device, and when checking the BF console it still shows as “not reported” (also shows the same status in MCM dashboard). The device has not restarted yet, and the action has been open for about 4 hours now. I had also tried the passcode policy which had the same results, so I thought to try the standard actions first to ensure they would deploy properly before assigning policies.

This is likely due to a WNS failure.

Please check the /var/opt/BESUEM/windows/logs/windows-mdm.log for any indication of a WNS issue, like a bad credential.

You can also check the Plugin Portal log and search for “new action” to ensure that the action did get that far.

Ok so that’s pretty clearly an MCM action (I have to ask because there’s both an “MCM” Reboot action, launched from the MCM App in WebUI, as well as a “normal” Reboot action, launched from the Console or any action from the ‘Custom’ or ‘Content’ apps).

For an MCM action, the most likely cause is that your MCM plugin cannot reach Microsoft’s push notification servers (APNS). From the guide at https://help.hcltechsw.com/bigfix/10.0/mcm/MCM/Config/c_system_maintenance.html you should check the Plugin Portal logs at C:\Program Files (x86)\BigFix Enterprise\BES Plugin Portal\BESPluginPortal.log as well as the Windows MDM Plugin log at C:\Program Files (x86)\BigFix Enterprise\BES Plugin Portal\Plugins\WindowsMDMPlugin\Logs. There are also instructions on that page for enabling verbose logging if it’s necessary.

You may also wish to open a Support incident if the problem is not apparent in the logs or you need more help with the servers/ports/protocols required to get Push Notifications working.