There are reports that show the codes agents select when entering Not Ready state, that calculate the percentage of time spent in the Not Ready state, and that show specific Not Ready reasons based on the time range you specify. These reports help you identify whether agents are taking the appropriate number of breaks and whether their breaks are the appropriate length.
Some reports display both the text of the reason code (if configured) and the corresponding number. For example, if an agent enters Not Ready state and selects "Break" as the reason code, and if you have configured text for this code in Configuration Manager, reports display "Break [1]". Other reports display the numeric Not Ready reason code only.
If an agent's total login session is not included in the specified time range (for example, the agent was still logged in at the end of the time range), an asterisk (*) appears next to the agent's name in the report to indicate that data for that agent is not complete for the range.
For Unified CC, in addition to Not Ready reason codes that you define, there are predefined Not Ready reason codes for situations in which the agent is made Not Ready automatically by the software. The following table describes these predefined Not Ready reason codes.
Forces the logout request; for example, when Agent A attempts to log in to Cisco Agent Desktop and Agent B is already logged in under that agent ID, Agent A is asked whether or not to force the login.
If Agent A answers yes, Agent B is logged out and Agent A is logged in. Reports would then show that Agent B logged out at a certain time with a reason code of 20002 (Agent B was forcibly logged out).
By default, predefined Not Ready reason codes do not have associated textual reason codes. They appear as numbers in reports. If you want to see a textual code for these Not Ready reason codes, enter the predefined Not Ready reason code into the Reason Code List tool with the related text. For example, you might want to label the 32767 Not Ready reason code "Redirection on No Answer".
Are you getting a 50002 error from your Event Hub? Is your throughput appropriately configured? Is your load evenly distributed across all partitions? If so, keep scrolling down, as you may find the answer to your problem.
The throughput capacity of Event Hubs is controlled by throughput units (TUs). If usage goes beyond the TU limit, the Event Hub is throttled and a ServerBusyException is returned. For more detailed information, please visit aka.ms/event-hubs-scalability.
To increase the throughput units (TUs) on your Azure Event Hubs namespace, you can either configure it on the Scale page or Overview page of your Event Hubs namespace in the Azure portal, or use the Auto-inflate feature.
You may need to increase your TUs or check whether your load is being distributed evenly. By doing so, you will be able to mitigate the throttling behind the 50002 error occurring on your Event Hub. However, if you need any additional support, do not hesitate to contact us.
GetEntityRuntimeInfo is an operation that retrieves information about the entity in order to read messages from it or send messages to the Databricks side by using the Spark SDK. This operation is hard-coded in the Azure Event Hubs Spark SDK. [Line 109]
Unfortunately, the information cannot be cached because the Spark driver/executor can change over time, and all the information is Round Robin Database based (RRD: it stores data and displays the stored data over time) and held in memory.
Because the information is not cached, the driver always makes the runtime info calls once per batching interval. The default interval is 500 ms. The operation therefore has to be called every time in order to get an event to Databricks.
The 50008 error occurs when GetEntityRuntimeInfo is called more than 50 times per second, which results in request throttling. Limiting this operation is therefore crucial if you are getting such error messages.
Adding the trigger option can mitigate the situation, especially if you are using numerous consumers and partitions in the Event Hub. However, if the throttling still occurs, please contact us to resolve your issue.
Getting this on some (but not all) of our Intune registered Macs that looks like it's coming from JamfAAD. Nothing triggers it that I can tell, totally random. We recently went through registering everyone in Intune and saw a similar message at the end of the procedure (when JamfAAD launches), but everything had been fine since then. The only thing that changed was we upgraded JSS to 10.25 last night and we changed the Intune connector this morning from Manual to Cloud Connector (which was pretty seamless). Anyone know what could be causing this?
I get something similar. It looks like yours is using a custom page. Unless I'm mistaking this for something else. It pops up constantly and signing in doesn't make it go away. Registration works. We haven't rolled it out to all Macs yet thankfully. This would be really annoying for users. No solution yet for my issue.
We already discussed this topic in this thread.
Btw, after support told me that they haven't seen this pop-up, I opened a CSM ticket with Jamf and told them about the missing documentation from the Jamf side. There is in fact Microsoft documentation about this topic that they referenced, but in my opinion there needs to be Jamf documentation also!
The pop ups ARE expected in the case of say a new registration where a token does not already exist for authentication, and they would be expected in the case of a password change or session expiration (Global default from AAD is 14 days out of box but can be changed). In all other scenarios (EX: Monday the 4th to Tuesday the 4th where the Mac was on and the user used it both days and did not change their password and the session was not expired) it should not prompt.
What I am working to determine is why, for some macOS clients, the silent token auth that MSAL does on daily checks (that the jamfAAD Launch Agent does (more on that here)) fails to stay silent when it should be.
The large majority are NSURL errors of network failures ranging from timeout to DNS name resolution. When the MSAL silent token authentication in the background fails, jamfAAD is taking that MSAL exit error and falling back to an interactive authentication, the same as it would for a missing token or expired session before. The catch is that now the new ASWebAuthenticationSession has to be launched (the prompt that macOS is giving to redirect to Microsoft for login), and it is very much in the user's face.
For the network issues we are working on a fix that we think should help resolve the NSURL errors by building in logic for a retry via a configurable flag in jamfAAD, so that we do not need MSAL to start the retry after it gets the failure; jamfAAD can just force another, since newer MSAL is not behaving like MSAL v1.0.7 and older. Work on that is ongoing, but the thinking is that if we can give MSAL several attempts at reaching out we might have better luck.
@bouvet do you have a case open? If not, could you open one and send in logs? I would like to look at a full sysdiagnose from an affected Mac like that. We are still working with Microsoft on the missing token situation that we see on Macs with a strong network. The missing token causes the same end user impact, but we think it possibly has a very different cause within MSAL itself. Getting examples has been hard as it is much less pervasive, and/or we get the example after the token is gone, so we just know it is missing, not what caused it.
Thanks!
Hi @bryce, any updates? We created a case and have 10 days left until rollout... Any workaround or recommendation for what to do when the popup appears? Can we just cancel the popup, or does the user have to log in?
Thanks!!!
Great work so far from your end!!!!
I see this behaviour on my Macs in different environments too. That's especially the case when I close my MacBook in the evening and open it in the morning. Then I have this annoying popup almost every day.
The user could cancel the pop-up, but keep in mind the jamfAAD agent will just ask again in 2 hours when the agent gets called and reads the last token gather time. Now if the network is stable then the SilentAuth. might just work.
I would verify in your logs @as_devops that the silent failure and subsequent interactive prompt was due to a network, and not MSALErrorDomain, -50002 like in the examples I posted above. If that is the case the token is missing and the silent pull will never work, and the user has to do the prompt at least once. We have yet to see a scenario where the failure (outside of network (that the retry logic should help with)) comes back after that.
@LangStefan I would 98% bet that your network at wake is part of that. We have seen that and the retry logic should help with that. If you have logs I would look for some of the examples above to verify that.
@bryce Sounds like you have a lot of knowledge on this. For a really long time, and actually close to always since we started using conditional access, I have had clients very randomly failing conditional access even though the client looks compliant in Jamf/Intune. Only in Azure, the device typically has not had any activity for a long time; that is how I can nearly always guess when the next one will fail, if it has been several weeks since the last activity, even though the client looks fine in Jamf and Intune. But according to Microsoft, the lack of activity in Azure has nothing to do with the issue, as conditional access does not look at any activity but only at compliance. But the device looks compliant in Intune, so why it fails is the question.
@jameson So that is a separate issue that I have been working on. The thing I would look for in that case is on the Azure AD side, in the sign-in logs. Find the point of the failed authentication that tips you off to the issue. If we look before the failures we can see an Interrupted message. This is the first evidence of this issue. The TL;DR is that the Device ID is not provided at the point of sign-in. It will have the Sign-in error code of 50097. The reason for that being, again, that the Device Info is blank, and if that is blank the CA engine cannot assess what device it is and compare that with the data that Jamf Pro had sent as part of the integration, as that is its record ID. If we look further, on the actual Failure that follows that, we have another Sign-in error code of 530003.
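The sign-in log pattern described in the last reply (an Interrupted sign-in with error 50097 and no device ID, followed by a Failure with 530003) can be searched for in exported sign-in records. The following is an added example, not part of the thread or of any Jamf or Microsoft tooling; the field names follow the Microsoft Graph signIn resource, while the sample records and the 5-minute correlation window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records, shaped like the Microsoft Graph signIn resource
# (createdDateTime, userPrincipalName, status.errorCode, deviceDetail.deviceId).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2021-01-12T08:00:05Z", "userPrincipalName": "alice@example.com",
     "status": {"errorCode": 0}, "deviceDetail": {"deviceId": "1111-aaaa"}},
    {"createdDateTime": "2021-01-12T08:14:40Z", "userPrincipalName": "bob@example.com",
     "status": {"errorCode": 50097}, "deviceDetail": {"deviceId": ""}},
    {"createdDateTime": "2021-01-12T08:14:52Z", "userPrincipalName": "bob@example.com",
     "status": {"errorCode": 530003}, "deviceDetail": {"deviceId": ""}},
    {"createdDateTime": "2021-01-12T09:30:00Z", "userPrincipalName": "carol@example.com",
     "status": {"errorCode": 50097}, "deviceDetail": {"deviceId": ""}},
    {"createdDateTime": "2021-01-12T11:45:00Z", "userPrincipalName": "dave@example.com",
     "status": {"errorCode": 530003}, "deviceDetail": {"deviceId": "4444-dddd"}},
]

INTERRUPTED, FAILURE = 50097, 530003  # the two sign-in error codes named in the thread


def _ts(record):
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_blank_device_failures(signins, window=timedelta(minutes=5)):
    """Return (user, interrupted_time, failure_time) for each 50097 sign-in with a
    blank device ID that is followed by a 530003 for the same user within window."""
    pending = {}  # user -> time of the latest unmatched 50097 that carried no device ID
    hits = []
    for rec in sorted(signins, key=_ts):
        user = rec["userPrincipalName"]
        code = rec.get("status", {}).get("errorCode")
        device_id = (rec.get("deviceDetail") or {}).get("deviceId") or ""
        when = _ts(rec)
        if code == INTERRUPTED and not device_id:
            pending[user] = when
        elif code == FAILURE and user in pending:
            if when - pending[user] <= window:  # window is an assumed threshold
                hits.append((user, pending[user], when))
            del pending[user]
    return hits


if __name__ == "__main__":
    for user, interrupted, failed in find_blank_device_failures(SAMPLE_SIGNINS):
        print(f"{user}: 50097 at {interrupted}, 530003 at {failed} (no device ID sent)")
```

A 50097 with no later failure, or a 530003 with no preceding blank-device interruption, is not reported, so the output lists only the sign-ins that match the full sequence.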