/r/macsysadmin


A subreddit for all things related to the administration of Apple devices.

The reddit for Mac Professionals.


Please keep all content and discussions professional.


34,392 Subscribers

2

Problems mounting NFS shares read-write on Monterey

Hello,

I'm trying to mount an NFS export from a Linux server on a macOS Monterey client. Now the share is exported read-write on the server (checked from other machines) but no matter how I mount it in the client (providing -o rw etc.) I can't write to the mounted share (Permission denied). What am I missing here?

1 Comment
2023/12/09
23:21 UTC

5

Creating a mobileconfig file

Is Jamf PPPC still the gold standard for creating a mobileconfig file in 2023? I'm asking because the tool hasn't been updated in two years.

Thanks.

7 Comments
2023/12/08
16:58 UTC

6

Issue with Apple Configurator

Apologies if this is not the right subreddit to post this in, but maybe someone can shed some light on this.

I am attempting to modify the wallpaper on an iPad Mini 5th gen using AC and I keep getting this error message.

The problem is, the device is supervised by an existing organization (as seen in the screenshot) so this error message is throwing me for a loop. When I hit prepare and go through the process again, I get the same error message.

I checked Apple Business Manager and the device does show there so I know it's being enrolled, but I still am unable to update the wallpaper. Any ideas?

Thanks.

https://preview.redd.it/3paqxaohtw4c1.png?width=2446&format=png&auto=webp&s=4ceba489ffef904cfc34c3e87afd8f6c9563e288

8 Comments
2023/12/07
17:43 UTC

15

Microsoft 365 Reset (2.0.0b1) via Jamf Pro Self Service

[Cross-posted from /r/jamf]

A quick-and-dirty Jamf Pro Policy hack for testing Microsoft_Office_Reset_2.0.0.pkg

https://preview.redd.it/2bmyr1cjpu4c1.png?width=2944&format=png&auto=webp&s=41aa701b27ae7e656c2fc01aca1b265d527c6689

Introduction

Office-Reset is a free downloadable tool from Paul Bowden that Mac Admins can use to fix problems and errors encountered with Microsoft Office for Mac apps and version 2.0 Beta 1 includes more than two dozen changes.

The following quick-and-dirty hack will allow Jamf Pro admins to easily deploy the entire Microsoft_Office_Reset_2.0.0.pkg during the beta phase before the app-specific .PKGs are available.

Continue reading …

3 Comments
2023/12/07
10:37 UTC

2

Parallels on Mac - PXE Boot Into SCCM for Windows Image?

Hey guys,

I was wondering if anyone had any success in using SCCM to build a Windows image for Parallels? I found old instructions for how to do this (apparently just putting your virtual NIC into bridged mode and spamming F12 like you normally do worked) but I haven't seen anything about doing this on Apple Silicon. Does anyone have any experience with this? Thanks!

3 Comments
2023/12/07
03:50 UTC

16

Sonoma updates bricking MBPs

In the last couple of weeks, we've had two different Sonoma updates temporarily brick a couple of our 2021 M1 Max Macbook Pros. For my MBP, it was 14.1.2 last week, and a couple of weeks earlier, 14.1.1 bricked a colleague's MBP. Both times, it was a point update and not a full OS installer.

They would get stuck in a boot loop, hanging on the Apple logo with the progress bar stalling out about 1/2 of the way through at boot, where it would sit until we rebooted. Occasionally, we would get a message at boot that the OS was damaged and to try an OS reinstall after rebooting into Recovery, which didn't salvage the situation. We eventually got each one corrected by running first aid in Disk Utility while in Recovery mode, starting with the data volumes, then the group, then the disk container, and finally on the physical disk itself. After that, we'd reboot and let it sit, and after a time and a couple of automated reboots, it would boot back to the login screen as expected.

Our helpdesk lead has put out a notice to make a thorough backup before updating Sonoma (which 99% of users don't do), and to hold off if possible, but at the same time we've had a couple dozen M1 and M2 MBPs of all vintages update without incident.

Has anyone else experienced this? Any ideas as to what is causing the update to fail and brick?

18 Comments
2023/12/07
01:39 UTC

8

Removing firmware password

I was just curious if I can use the Apple Configurator method to boot to DFU and restore to remove the firmware password on a 2017 MacBook Pro. Also, do the target and host Mac really need to be on the same OS? This MacBook hasn’t been able to get into macOS in a couple of years, so it’s not updated.

13 Comments
2023/12/06
15:44 UTC

13

Starting role as Mac admin

I'm a Linux admin and I'm working mostly on Linux systems, sometimes doing some stuff in Active Directory but mostly Linux-based servers/VMs and desktops. Now my company asked me if I can do a job as Mac admin for a customer (maybe for 12 months or so); it would start in 02/24, so in about 2 months. How does macOS work in enterprise environments? For instance, we can connect Linux boxes into an MS Active Directory domain to manage authentication etc. I know it's also possible with macOS, but is this a thing? How does deployment work? What about updates? How are Mac clients and user accounts centrally managed? Is there an MDM solution that is widely used?

As a Linux admin, I would like to do my work in a CLI. As macOS is a Unix-like OS, the file hierarchy, commands etc. should be similar, I guess. Are Mac admins more like Windows admins, doing mostly GUI stuff (besides some PowerShell scripting), or more like Linux admins, working with the CLI? Are the on-prem servers running macOS too, or mostly Windows/Linux? I just would like to have some kind of info on how this works in the Mac enterprise world. I know every company will do it differently, but I would like to have a small overview.

Thanks

48 Comments
2023/12/06
14:32 UTC

0

Apple Configurator and Calls over Wi-Fi

Is there a way to set up a profile through Apple Configurator to turn off calls over wifi at my home, and then turn it back on again when I am out?

Context: I use a 3rd party voicemail (YouMail) that is no longer able to operate correctly when calls over wifi is enabled. I use T-Mobile and my service is spotty, so at home I installed a range booster which works nicely. However, my work requires me to be in areas with poor cellular service but strong wi-fi service, so I find myself having to re-activate calls over wifi but then forgetting to turn it off at home. I did a reddit search without success, so please forgive me if this has been addressed before.

6 Comments
2023/12/06
13:50 UTC

8

Microsoft 365 login at Lock Screen.

Hello, so currently the Macs (10 devices) I manage are connected to AD on-prem. Is it possible to have the Macs log in with 365 credentials and still use Intune as an MDM? Due to the cost of 365 Business we would like to stick with it.

PS: sorry if what I’m describing sounds off; I’m new to the Mac world in a business environment.

9 Comments
2023/12/06
02:35 UTC

8

Administrator Accounts for Users

Maybe someone here can give me some insight on how to best handle having users with administrator accounts on their company owned Macs. The users are developers and will more than likely need administrator rights on their Macs to be able to work. These same users have Windows devices that they have local administrator rights. Their regular user account is not added to the administrator group, they are given separate AD accounts that are given admin rights on select PCs. The Macs these users have are not managed and they. I have been tasked to get these Macs enrolled in Jamf and under IT management.

My Plan:

  • Set up like usual and let Jamf make the standard user accounts.

  • I create a new user account for their administrator account. Have them log in to the account and sync password with AD.

  • Instruct users not to use admin account to work from. They will need to use their primary login and elevate their commands. (This matches the policy we have for Windows)

  • I will also look into hiding the Administrator account from the login screen.

Other possibly related info:

  • We have a compliance requirement that user accounts and administrator accounts must be separate.
  • Devices are enrolled in ADE and Jamf.
  • When set up through Jamf, the local accounts are set up with the Kerberos SSO extension to sync with their AD account, not using mobile accounts.

Any issues with this that anyone sees or anything else I should be doing? I have not been doing Mac management long and am new to all of this.

25 Comments
2023/12/06
00:35 UTC

1

Password issue with erase-install.sh?

We use silicon Macs with JAMF and JAMF Connect and. When deploying, a tech creates a standard local user account and generic password with the user's Azure AD username, testuser, and then the user logs in with JAMF Connect to sync the two accounts, local testuser and Azure testuser@domain.com. FileVault is enabled, user has securetoken and is a volume owner.

I am trying to get erase-install.sh working in Self Service to allow standard users to easily update their OS when it is more convenient for them. I have had some success, so I know that the script and policy work, but I have been running into issues with the majority of my test users. The user initiates erase-install via Self Service and it tries and fails with the following error. I have tried having the user change their password via JAMF Connect to make sure the password is synced. What credentials is it looking for that aren't correct? What am I missing?

The log below was pulled from a Mac attempting to upgrade from Big Sur to Monterey. My parameters are as follows:

--reinstall --update --cleanup-after-use --pkg --no-fs --current-user --check-power --no-timeout --overwrite --dialog-on-download --os=12 --min-drive-space=35 --rebootdelay=60

Error:

yes macjamftest is a member of everyone
2023-12-04 14:31:47 | v31.0 | [get_user_details] macjamftest is a Volume Owner
<dscl_cmd> DS Error: -14090 (eDSAuthFailed)
2023-12-04 14:31:47 | v31.0 | [check_password] ERROR: The password entered is NOT the login password for macjamftest.
2023-12-04 14:31:48 | v31.0 | [get_user_details] ask for user credentials (attempt 5/5)
2023-12-04 14:31:48 | v31.0 | [get_default_dialog_args] Invoking utility dialog
SyntaxError: JSON Parse error: Unexpected EOF
SyntaxError: JSON Parse error: Unexpected EOF

3 Comments
2023/12/05
18:29 UTC

1

iPad not getting Remote Management prompt during setup

The iPad is showing in Apple Business Manager, it has been assigned to my Jamf Pro instance for MDM, I can see the iPad in Jamf Pro and it has been scoped to a PreStage Enrollment. When I run through Setup Assistant I am not being prompted for Remote Management. I have tried running all the way through setup and then factory resetting the iPad but it still won't do Remote Management. Any ideas?

4 Comments
2023/12/05
15:58 UTC

4

Bypass requirement for Full Access perms upon OS major updates

So most of this is in the title. As an IT admin, we currently must touch each Mac machine to grant permissions to an EDR or AV product whenever macOS gets updated to a major version (i.e. 13.0>14.0). I see this article from SentinelOne but am wondering if anyone has had success in the wild with performing this without having to manually grant permissions from the user machine for the application with each major update. I've noticed this is an issue with most EDR/AV solutions (ESET, S1, Sophos, etc.)

9 Comments
2023/12/05
15:49 UTC

0

Managing iCloud Private Relay on iOS devices

I am trying to disable iCloud Private Relay on iOS 17 using a Jamf Restrictions profile.

I have an iCloud+ subscription active on my test device.

When the Restrictions profile is installed, I don't see any references to iCloud Private Relay on the device (in my iCloud account settings). Does the Restrictions profile hide the Private Relay toggle? Or should the option be greyed out? How do I know if it's working?

Also - when the Restrictions profile is installed, I still see the option to 'Limit IP Tracking' on my active network. Isn't this setting related to iCloud Private Relay? Should this setting also be disabled when Private Relay is disabled?

iCloud Private Relay is only available for iCloud+ customers, correct?

Is the option to Limit IP Tracking available to non-iCloud+ customers?

6 Comments
2023/12/05
13:54 UTC

7

Umlaut on server

Hi

We face a weird issue on multiple customers' systems. When attachments received from a sender with macOS are saved locally, the umlaut characters become corrupted.

Maybe anybody knows this issue?

https://preview.redd.it/qqq38h9cgg4c1.png?width=1528&format=png&auto=webp&s=8b353a8153a39843e11a3ebb5a5b5b7475c97423

7 Comments
2023/12/05
10:41 UTC

5

Jamf LAPS not working

Hey Guys,

I am trying to test a workflow in which we demote local admins to standard users and then use LAPS for installing macapps. We have also restricted installation of apps to admin only. When I enter the LAPS username/password, it is not accepted. Is this the correct way to use LAPS? Is it limited to only certain workflows?
We are a distributed/remote workforce and NO ABM. All the machines are UIE.
Thanks for your help!!

16 Comments
2023/12/04
22:07 UTC

1

Customizing Outlook contextual menus?

Hi all - I suspect the answer is 'no', but I still must ask for due diligence. Is there a way to customize the contextual menu settings in Outlook?

My manager wants to hide/replace the built-in MS “Report” function in Outlook with our 3rd-party Add-in (PhishNotify). We deploy the PhishNotify Add-in in our O365 console to all Macs, Windows and iOS devices.

Once PhishNotify was deployed, I was able to hide the MS “Report” Outlook toolbar icon with the PhishNotify icon via a Jamf profile, however, savvy users can still right-click any message from their Inbox and select the MS “Report” contextual menu to mark as Phishing, Spam, etc. (and skip using the PhishNotify Add-in icon in the Outlook toolbar).

Back-story: Without going down a rabbit hole, we cannot use the MS "Report" feature because it reports false positives to my Infosec team and they are grumpy. We need all Mac Outlook phish/spam reporting to be performed via the PhishNotify Add-in and not the MS “Report” function.

5 Comments
2023/12/04
19:12 UTC

8

Microsoft Intune/macOS MDM News - Thoughts/Opinions?

https://techcommunity.microsoft.com/t5/microsoft-intune-blog/now-is-the-time-manage-your-mac-endpoints-with-microsoft-intune/ba-p/3974449

Read through this article, seems to be going in the ideal direction, but still have my skepticism until seen in practice, seems most of these items are tentative.

14 Comments
2023/12/04
17:04 UTC

6

Releasing an iPhone

Hi all, got a member of our team leaving and he is keeping his iPhone.

I want to release it from ABM right? And then ask the user to wipe it?

Just double checking.

14 Comments
2023/12/04
12:08 UTC

0

Xerox Versalink Printers/AIO with Macs (Large format printing)

Xerox is having a sale on the C70xx and B70xx All in One units. We are looking at one of these for an all Mac office. The person at the end of the toll free number says without the Postscript Option you can't use them with Macs. And the Postscript option is not available with these end of life but new with warranty printers.

I thought the "Macs can only print to Postscript printers" myth died over 10 years ago. Or do the Xerox drivers for Macs have something coded into them that requires the printer to have Postscript? The person on the phone didn't seem to understand what he was saying and was reading from a canned answer. We are NOT doing Adobe app based Postscript output.

Any Mac users out there with one of these who can answer? Or in central North Carolina and would allow me to stop by for a test? Xerox doesn't have brick and mortar offices around the country anymore. Well, except to service larger clients.

And if these will NOT print without the Postscript option, what do you like for 1200x1200 or better B&W 11x17 or 12x18 printing from Macs? We don't need scanning and copying but they are a bonus just now.

TIA

9 Comments
2023/12/04
05:25 UTC

1

JAMF certifications while using Mosyle

Is it worth getting certified in JAMF if my current workplace uses Mosyle? I’m thinking of the future and wanting to be able to prove my experience in Apple MDMs and I wonder if 1) my experience with Mosyle would help at all in taking the exams and 2) if the certification is valued high enough that it would give me an edge beyond just my experience.

14 Comments
2023/12/03
22:04 UTC

2

iMac crashed while resetting, now I can't get it running

Hi guys, I'm kinda lost here... Today I tried to prepare my 24" iMac for sale. Did everything as usual, used the built in factory reset but bumped into a weird error when I was trying to disconnect "find my", because a super old mail address was shown. So I removed the iMac through the web-client and suddenly it crashed, only to boot up with a ! in a circle.

After googling I found the support page that recommends resetting it via the Apple Configurator, but after trying twice it always gives me an error on Step 4 (Error: Gave up waiting for device to transition from Recovery state to Recovery state. [com.apple.MobileDevice.MobileRestore – 0xFCD (4045)]).

Anybody have a fix for this? While in Apple Connector it shows the apple symbol. If I restart it after the error it's back to showing the "!"-symbol.

Thank you!

28 Comments
2023/12/03
13:52 UTC

4

Restrict apps/websites

Hi

Is there an easy way to restrict apps and website categories in Jamf Pro?

All documentation I’ve seen is very manual or require third party solutions.

Thanks Fabio

9 Comments
2023/12/03
11:44 UTC

6

9L0-3023 - Apple Device Support Exam - Help!

Hi all,

I just failed this exam after studying for the better part of a year. I got 76% (78 to pass). I knew half the questions easily based on what I studied from online flash cards and the Apple Device Support training articles. But there were like half the questions where I had no idea or had never even heard of the concepts used. I need to pass this test to keep my job, so any and all advice/study guides/tutors $$/"appleCertificate" App, anything would be helpful as I have to face the boss on Monday.

Thanks,

13 Comments
2023/12/02
21:09 UTC

6

MacOS and Intune Certificate Connector: Issuing Device Certificates without Domain Join?

MacOS isn’t connected to a domain but is linked to Azure AD and enrolled in Intune. The Intune certificate connector is set up and can issue user certificates. When manually connecting to WiFi using the user certificate, it works. Now, without the macOS device being part of a domain and lacking an AD computer object, can the Intune Certificate Connector still provide a device certificate for the macOS?

1 Comment
2023/12/02
16:42 UTC

6

macOS Documents folder problem with Packages

I’m having a bit of trouble with Packages. I’m trying to put a ‘data’ folder in the (/Documents) folder. However, when I try to install the package, I get an error saying, “the package is trying to install content to the system volume.”

https://preview.redd.it/ateawn9t9t3c1.png?width=2008&format=png&auto=webp&s=abe90d2b530b2b46a11342c568f6fb9fb0b94e24

15 Comments
2023/12/02
04:43 UTC

2

9L0-3025: Apple Deployment and Management exam tips

Does anyone have experience with this exam? I learnt the Apple exam guide and question set and that was not enough to pass. (I failed with 68/100.) In the exam there are so many questions asked in great detail, and I think it dug down too much into details like CLI commands, eSIM restrictions, etc.

2 Comments
2023/12/02
02:51 UTC

11

Issues updating to 13.6.2

Hello fellow admins!

We use Nudge to enforce updates and today was the deadline for users to install 13.6.2. This morning I started getting reports that Nudge was doing its thing, but there were no updates available to the user (we have major version updates deferred for 90 days).

I have a test device on 13.6 and I'm not seeing the update for 13.6.2 either. If I remove the major version deferral from the device I can see the Sonoma update (14.1.2), so Software Update is clearly working.

The only thing showing up under Other Updates Available is an update to Safari.

Any ideas as to what's going on?

6 Comments
2023/12/01
19:42 UTC
