Skip to content

4. Smoke test

Owner: IT

Confirm one Mac receives everything cleanly and captures land in ChainDB before widening the pilot.

Any Jamf-enrolled Mac in the pilot group from Steps 2 and 3. Note the device’s serial number — Cloud Ops needs it to look up captures.

For meaningful email attribution on captures, the user should be bound to your Entra tenant (Platform SSO, Workplace Join, or Jamf Connect). At enterprises running M365 this is already true fleet-wide; no per-rollout action.

The package and profiles install on the next MDM check-in (~15 min). To skip the wait, from Jamf:

  • Computers → Search Inventory → <test Mac> → Management → Send Blank Push

Wakes the Mac via APNs and forces a check-in.

On the test Mac’s inventory page:

  • Profiles tab — Roots managed preferences and Roots Accessibility both show Installed.
  • Management → Policy Logs (or the Install Roots policy’s Logs tab) — this Mac’s row shows Completed.

Hand Cloud Ops the test user’s UPN (or the local Mac short name if your fleet isn’t Entra-bound). Cloud Ops runs:

SELECT user_id, email, last_seen_at
FROM public.auth_identities
WHERE email = '<test user UPN or short name>';
SELECT id, app_name, window_key, to_timestamp(created_at / 1000.0) AS created_at
FROM public.captures
WHERE user_id = (
SELECT user_id FROM public.auth_identities WHERE email = '<value>'
)
ORDER BY created_at DESC LIMIT 10;

Healthy state: one row in auth_identities with last_seen_at within the last few minutes, and recent rows in captures with created_at close to now.

Symptom in Jamf Cause
Policy stuck at Pending Distribution Point not configured for the fleet, or the Mac hasn’t checked in. Check Settings → Server → Cloud distribution point is enabled with a CDN selected; trigger another Blank Push.
Configuration profile not Installed Scope tab on the profile doesn’t include this Mac. Re-check the pilot group’s membership rule.
Policy Completed but no rows in captures The user/Entra binding may be missing (check auth_identities for the local short name), the agent’s Entra token request may be failing, or the agent may not have loaded its privacy rules yet. Confirm that the app registration has a current client secret. Cloud Ops should also check the customer capture switch and connectivity to the backend’s /functions/v1/blocklist endpoint; the agent holds captures until it has current or cached rules. If the secret was rotated, update the managed-preferences profile and force a re-push (Send Blank Push again, or as a last resort scope-cycle the profile: remove the target on the Scope tab → Save → re-add → Save).
Capture rows show local short name in email instead of UPN Test user isn’t Entra-bound on this Mac (no Platform SSO / Workplace Join / Jamf Connect). Fleet-wide identity issue, not per-rollout. Pipeline is otherwise proven.

The pipeline is proven for one user end-to-end: profiles installed, package deployed, agent acquired an Entra token, captures landing with attribution. Widen the scope from the pilot group to the broader rollout group in Jamf. Same artifacts, more devices.

5. Shipping updates.