/r/macsysadmin
A subreddit for all things related to the administration of Apple devices.
The reddit for Mac Professionals.
Please keep all content and discussions professional.
/r/macsysadmin
I'm writing a .mobileconfig and there are two PayloadUUIDs, one in top level and one inside payloadcontent. What is the difference? Can the top level be reused? Or should i just generate unique ones for both ?
I'm running Sonoma 14.7.1 and have SMB shares on a secure network interface and a separate Ethernet interface for VMs to access an IoT network. I want the IoT interface to not have any access to my SMB shares.
I don't see any /etc/smb.conf or other way to disable the SMB service on the IoT interface.
Has anyone been able to turn off SMB to one of the network interfaces?
edit: removed references to VLANs because it's not relevant.
Job posting: "... You can write production-quality code for automation in Python, Bash, or similar languages"
I've written some scripts, but nothing significant like the open-source projects we all use.
I can modify what I need from other sources to get stuff done.
I need to be more experienced to contribute to nudge or super, etc.
I guess I'm having a rough day after being passed on job after job and the only factor I can figure is I don't have the programming experience as a sysadmin.
Hello I’m new to this but we will be deploying federated apple ids for Mac users , iPhones and a few iPads for our company. Some of the users have personal IDs logged into them and some Mac’s , iphones and iPads are not enrolled in the MDM(Jamf) will federated apple ids work for those not enrolled with our MDM and is there a way to see who has logged in with their personal IDs?
Hi guys, I'm trying to get a Yubikey 5C NFC working with office login without any luck. It keeps throwing an error "something went wrong. You may want to try a different security key, or contact your administrator". In Entra > Protection > Authentication Methods i have Passkey Fido2 enabled with enforce key restrictions and what i believe the correct AAGUIDs entered for the device. I don't get what the error is about. just has a long correlation ID after it. https://imgur.com/a/ykvHFlR
Hi everyone,
I'm a DevOps person but the company where I work asked me to organize the internal department. We are a small company so its normal to cover multiple positions.
I have to figure out how to manage all of the devices of our employees. I was looking at Apple Business Manager program but I don't think it covers all of the aspects. What my bosses want to cover is the following:
All of our devices so far are MacBooks with latest OS updates. We have around 7-8 devices as we are still small team. We don't use MS AD, our SSO is Google Workspace.
What are your suggestions about such program or service? Any advice would be apricated.
Thank you in advance!
Hello!
I'm asking for opinions on what's the best practice regarding recovery of time machine backups on a brand new DEP Mac that replaces an older (also DEP) one. We use intune AD for MDM and Admin by Request to control privileges, but we specifically allow sudo access as defined by ABR and also allow for Time Machine backups.
In the past we just went the easy route and installed from scratch and told users to deal with it but some management types are asking us if it's at all possible to use the time machine backup to recover while following the standard enrollment.
Our issue historically has been that time machine recovery steps come up before MDM kicks in, and we weren't sure both things would play nice with each other since there's so much stuff dependant on permissions and roles. But we haven't tried again in three years so it may be easier now.
I'm looking forward to trying out Apple Intelligence however the only device I have atm that will be compatible with it is my Mac mini supplied by my work, hence why I am wondering what those of you who are Mac sysadmins predict will happen once Apple releases it.
Are your organizations directing you to block it? Do you know if the MDM programs even allow for that?
Hello, I am currently running into the following problem when attempting to connect two 4k external monitors to my MacBook Pro M3 Pro 14". In short, problem I am experiencing is that no matter what I attempt to do, I am unable to connect more than one external 4k 144hz monitor to my Mac. I have attempted the following connections
Other things I have tried include:
I am currently running on MacOS Sequoia 15.1.1 and as I stated early on I am currently attempting this on an M3 Pro 14".
I have spent 2 hours on the phone with Apple Support and haven’t gotten any closer to a resolution.
Any help would be much appreciated to try and get this to work. Thanks!
Sorry if this has been asked a million times.
We’re just starting to managed our Mac devices in Intune and we are trying to get Anydesk to have a seamless install for the end user but I can’t for the life of me get it to have Screen Recording access.
From what I’ve seen it seems like Apple only allows you to block this feature and allow standard users to approve.
Is this true or is there a script or something I can run to allow this for the user?
I’ve already messed with settings catalog and PPPC MOBILECONFIG files but nothing.
AnyDesk support is no help as well and won’t give me a straight answer.
Due to relegations we have to sever a business unit and are migrating them to their own Jamf Pro environment.
They also have a new Apple Business Manager environment.
If I understand it correctly, we could ask Apple to migrate their current in use macOS devices from the current ABM to the new ABM environment.
Did I understood that correctly?
Are there any risks or downtime involved?
Can we ask Apple to start the migration or do the devices need to be in the new Jamf Pro tenant? The tenant is already up and running btw.
I work in a Windows-based company. Pretty much all employees use PCs.
However the company has changed its revenue generation model so I’ve been hired to build a marketing infrastructure from scratch, including hardware and tech stack, and I have gotten approval from execs to purchase Macs for me and my team.
However IT is trying to push back and create friction by saying they need “150 engineer hours” to integrate the first macbook.
I’m certainly no enterprise IT expert, but 150 hours seems pretty excessive to me?
Wouldn’t a tool like Jamf make the integration with intune more streamlined?
IT also clarified the 150 hour estimate doesn’t include any compliance checks and security audits etc.
Any advice? What are some questions I can ask IT to gain clarity on the 150 hours?
Hello
I have successfully passed the Apple Device Support exam and now currently taking the Apple Deployment and Management exam in a few weeks.
I'm struggling to find any decent learning material other then the learning objectives?
I found a few flashcards and quizlet and brainscape but just wondering what other people have used?
Thank you
I have an AppleRAID array using JBOD, with the underlying hardware being NVME M.2 sticks.One member shows "failed" although the hardware checks out OK (Samsung 960 with 3 gpt partitions).
Diskutil (and Disk Utility) seems unable to do anything other than list the partitions. gpt shows the problem partition and I can mount the other partitions utility from the "failed" member, but have no idea how to mount an AppleRAID partition even though it was JBOD. How can a JBOD component drive not be mountable -- isn't this the whole point of JBOD!!
The array was holding a critical TIme Machine backup while I reformatted my main drive. This is a disaster. Any ideas how to recover? If I "delete" the array I hope I can recoved date from the other 3 members, but given that I was usign Time Machine I fear there might have been a critical index on the first (failed) member.
Is there ay recovery tool for AppleRAID, since I think this must have been a software or transmission error only?
Any tricks to repair a failed member drive?
Technical specs
I have had moderate success adding iPad's to ASM for some time through much trial and error. I am still finding success adding devices but there's one in particular that refuses to add.
The error I'm getting: Provisional Enrollment Failed [MCCloudConfigErrorDomain - 0x80EF (33007)]
The only reason this is happening is because during the enrollment, the MacBook died. Now whenever I try to restart the process it keeps providing the error.
I have erased the iPad as well as confirmed that it's not already on a ASM. Does anyone have any pointers?
I have an Apple Macbook Pro M1 chip 2020 model and I have two external monitors that I use for my job - however I cannot get an external display on the 2 screens as well as my Mac. I am aware that M1 chips don't let you use multiple screens - however I have installed DisplayLink software to get around this however it still isn't working.
Does anyone have any recommendations for docking stations or software that will allow me to get around this issue? Currently the only docking station I see that could work is the one below, but I'd like something cheaper
https://www.amazon.com.au/Hyper-Drive-Dual-Travel-MacBook/dp/B09NBS9DS6?th=1
Plz help
Hi all,
I am a network engineer which is trying to migrate to a new VPN solution that will enable decryption on the firewalls.
For decryption to work properly, we need to install our enterprise root CA to both Windows and Mac machines.
Where I have seen a problem is that some CLI applications break because they use their own 'internal CA'.
Is there a 'hidden' certificate store I should know about? Or is this issue on a per application basis?
Also, is there a best practice to manage machine certificates through Jamf?
Hi everyone,
I’m trying to deploy Screaming Frog using Installomator and encountered an issue. In the macOS Console logs and intune log, I see the following error:
screamingfrogseospider: need to provide 'downloadURL'
I’m using the label screamingfrogseospider
, as per the GitHub documentation, but it seems like the download URL isn’t being retrieved properly.
Version Installomator 10.5
Has anyone else experienced this issue or knows how to resolve it?
Any help would be greatly appreciated!
Thanks in advance!
I’m brand new to looking at this. We have 3 macs currently (all apple silicon) and I’m looking to add another 2.
I’m really keen to get management in place before adding more, but I have a couple questions and hoped to get some help from this sub if possible!
Where I’m a little lost is around these being bought directly from apple/a reseller and buying from another retailer. I’ve previously bought from Costco due to their customer service and cost, but they’re not an authorised reseller in the uk so my understanding is these have to be manually added. The existing macs will presumably fall under the same rules (one was bought directly from apple).
In practical terms, what does this mean? Is it simply an extra step with me manually having to enrol them, or are there features we are locked out of?
I’m looking at Mosyle as this seems to be the most recommended one I see, but happy for other thoughts/recommendations.
The purpose of having this is mainly for the security updates/remote wipe. We don’t use much in way of software outside office 365 as it’s almost all browser based work we do.
Afternoon all! So my company is wanting to consolidate all our management for endpoints under one roof. They want Windows, Linux, and macOS under a single management tool. They are deciding between Hexnode and Scalefusion.
Currently, for our macs, we use Jamf. And as our only Jamf/Intune admin, i have made HEAVY use of extension attributes, the Jamf App Catalog, Autopkgr, Jamf Setup Manager, and Jamf Connect to make this all sing. We are about 600 endpoints strong with mostly MacBooks and some iPads.
Looking around at it, Scalefusion seems tailored to hospitals and retail, with Hexnode being more multi purpose, but with an annoying pricing structure.
Here is my question, what do i lose if we make the move to one of these solutions? Will we be far worse off?
TL;DR: Leadership is wanting to switch to a new MDM solution to put it all in one bucket. We use Jamf heavily for our Macs, but they want to use Hexnode or Scalefusion. What do we lose moving to it?
I've been asked by my employer to put Kandji on my iPhone. The only work-related connection on my phone is the native email app, accessing my work email. I don't have Salesforce or Box or anything else installed on my phone.
I've read what threads I can find on this question, but they are mostly asked/answered from the perspective of the company sysadmin. From my perspective, what can this app see on my phone? A backdoor is a backdoor, and I'm highly reluctant to allow that.
Also -- my alternative is to request a company phone, but then I'd be carrying two around.
Apparently there's a way to thank him directly:
Hello!
I have a company MacBook that's pretty hands off (no restrictions, explicitly told it can be used as a personal device), but it's enrolled into MDM and jamf (no company apps installed, just managed through it). I'm now getting a new personal MacBook and want to migrate my data to it. I know migration assistant usually breaks MDM and read a lot about it, but is there a way to prevent it from carrying over completely? First step is unchecking transferring the system settings, but is there anything else?
I'm making a time machine backup to do this migration
Thank you!
One of the places I'm a system admin for is a school, who keeps buying M1 Air's with 128gb of space. To make things better kids always just download random stuff and fill it up quickly, or even staff putting their imessage on there and loading everything (who also get the same Macs). What can I realistically do about this so I have enough storage to update them remotely? Is it possible to lock 35gb of their storage for updates only? I use Jamf Pro, thanks.
just switched to mac and everything has been great until... i downloaded Edge...
I use 2 microsoft accounts, my standard one for everything and then an admin account for managing 365 stuff like entra, intune, etc. I use seperate browsers so I dont have 2 accounts fighting for the SSO, hence i downloaded edge to use for my 365 admin account.
but now the admin account is linked to chrome and no matter how many times i click "sign out and forget" it just keeps autologging itself back in. Every SSO website i go to it asks me which account i want to use to sign in. I deleted edge but it is still happening.
Macs are enrolled to Intune. Microsoft SSO extension is pushed to chrome. if i open company portal and go to settings, the only SSO account listed is my standard account.
this is driving me mad. any assistance is much appreciated!
So I have a shared folder on a NAS that is hidden from SMB discovery (cannot be browsed through Finder). I can connect to the folder just fine by going to it via the Connect to server option, but how do I create a direct shortcut to it on the Desktop, one that will be persistent and will work whenever I'm connected to the required network?
I have Apple configurator installed on a Mac mini. The operating system is running out of space. I cannot seem to find where all the cached download files are being saved from Apple Configurator. This is macOS 15.
Hi all,
I do some consulting for a AV company and use mosyle for in house work Macs but they have a number of Macs in their hire stock. These need to be wiped when returning to the warehouse but must survive reboots etc onsite. Previously I have used:
- DeployStudio = Worked perfectly until apple stopped support on the older Intel fleet (pre 2016)
- A script I wrote to restore the show user account from a hidden warehouse account. Again worked until Apple changed the permissions. It also didn't restore Applications etc.
- tmutil localsnapshots. Works really, really well. Warehouse boots into recovery. Selects time machine then restore. Big downside. The snapshot is eventually automatically deleted. If I call the snapshot a special name then it isn't deleted but won't show up as a restorable snapshot. If I then rename it is removed. I also can't clone a snapshot.
Lastly I have looked into using Mosyle which would work and do a full wipe but some software requires licensing. One of those programs (Dante Virtual Soundcard) doesn't allow for re-activations even on the same hardware without contacting support! Others may require you to de-register and then re-register on the backend.
I've also looked into DeepFreeze for Mac which is perfect except for one thing! It triggers during reboot and not manually. If someone reboots the machine during a hire then they could lose all their data.
MDS looks brilliant but again it would just trigger a restore causing issues with licensing unless I could get it to re-image the machine from a previous backup?
We have a pretty fast network and lots of disk space so even having a backup per machine is fine. Worst case a time machine network backup could work but it does nag the user and again could remove the oldest backup which is the one we want to keep!
Has anyone got a solution? I feel like APFS snapshots are so close if I could get it to be persistent.