/r/macsysadmin

A subreddit for all things related to the administration of Apple devices.

The reddit for Mac Professionals.


Please keep all content and discussions professional.


38,303 Subscribers

0

Magic Keyboard - changing connected device.

I’d like to be able to switch a Magic Keyboard between a mac and windows PC. I’d happily use a third party keyboard, but only Apple has Touch ID. MX Master 3 mouse switching has been great.

Currently, I have to forget the keyboard on the device that’s being switched to and add it back every time. Not married to the solution, but I’m thinking a startup script for each device that forgets then re-adds the keyboard, but not sure how to go about it.

1 Comment
2024/06/27
16:58 UTC

5

MDM Recommendations

Hello, 1 man IT at an organization.

We need an MDM solely to push out apps to other Macs. We only have about 30-40.

Any recommendations? Thanks so much.

8 Comments
2024/06/27
16:16 UTC

3

ABM Managed Apple IDs w/federated domain change

A client is changing their primary domain in Office 365 (easy to do via PowerShell) and we will be updating their current Managed Apple IDs to use the new domain. The new domain has been federated and an alternate admin has been created (just in case the previous one breaks).

We can change all users' domains in ABM via All Users > Update Managed Apple IDs, but I'm assuming their "Email Address" will stay the same. Will this break anything or can I batch update their emails in ABM to match?

I found this regarding changing emails to an unfederated domain in Apple's docs. Am I correct in stating that the "email" they're referring to here is in the IdP, not their Managed Apple ID "Email Address"?

If you want users to use an email address different from the one in their Google Workspace, Microsoft Entra ID or IdP domain account, you can change it. You must make their email address and Managed Apple ID identical.

0 Comments
2024/06/27
05:28 UTC

3

Installing Certs - Password for Each One?

Hello,

I've written a shell script to install certs on unmanaged devices. It works, but as multiple certs need to be installed each certificate import prompts for the local password, even when run as sudo.

Is there a way this can be handled to only require an initial password? Script is here:

dodcertinstaller/OSCertInstallScript-MacOS.sh at main · tsull360/dodcertinstaller (github.com)

Thanks!

6 Comments
2024/06/26
22:28 UTC

4

Date & Time user permissions

Hi guys, I recently saw users complaining about the date and time permissions in the system settings for MacOS 14. It worked fine on MacOS 13, but it is not working anymore. It's kind of becoming a nuisance for the IT team to provide admin access to users to change time zones.

Did someone else experience this issue? Did Apple move the settings somewhere or change the name?

Thanks in advance

/usr/bin/security authorizationdb write system.preferences allow
/usr/bin/security authorizationdb write system.preferences.datetime allow
0 Comments
2024/06/26
18:39 UTC

8

MacOS intune

Hi Guys, I’m taking care of moving corporate macOS from Jamf to Intune, but most of my technical skills on MDM are based on mobile (nice level of knowledge), so this is a bit challenging, but I’m also learning this platform.

Scenario: Corporate Devices enrolled in Intune using ABM with automated enrollment. No on-prem AD connection, only Azure join with PlatformSSO.

All works as expected and I want to deploy PlatformSSO with Secure Enclave, but in this scenario the local password of the account created by the user during the setup assistant will remain the same, and I want to sync it with the directory one. Can using Kerberos SSO on top of PlatformSSO be supported? Any suggestions to achieve what I’m trying to do?

28 Comments
2024/06/26
18:14 UTC

1

ASM Classes when using Entra ID Dir Sync

I have a question about ASM Classes when using Entra ID Dir Sync. Can classes be rostered while using Entra ID Dir Sync in ASM? Or does one have to choose between classes and Entra ID? I checked, and the available attribute mapping in Entra ID SCIM setup doesn’t include any attributes that might be used for classes.

1 Comment
2024/06/25
19:12 UTC

2

ManageEngine & Elastic-agent

Solved: See Edit 3.

I'm fishing for useful methods to push elastic-agent (using fleet management add agent) to our Macs. They're enrolled in ManageEngine's MDM and profiles are configured. This is through Security Onion running on the latest version. ME pushed out the elastic agent to all the Windows devices perfectly.

atm, sudo is not installing the elastic-agent, but all other commands prior to this line execute correctly.

Default code from Fleet Management: Add Agent:
curl -L -O [https]://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.10.4-darwin-x86_64.tar.gz
tar xzvf elastic-agent-8.10.4-darwin-x86_64.tar.gz
cd elastic-agent-8.10.4-darwin-x86_64
sudo ./elastic-agent install --url=[local_server_address] --enrollment-token=[enrollment-token]

I've added in logging into this so that I can see what is going on, but no ManageEngine logs nor my custom log contain anything. I've redirected output and piped it via tee, but still nothing. Running the commands locally, the local administrator account is told that the operation is not permitted. We can no longer "sudo su -" to switch to root due to MDM. Scratching our heads on this one.

Edit: 8 hrs later...based on the lack of responses, this may be too niche. But I'll crack this nut eventually. If y'all think of anything, just toss it in a comment. FWIW, we want to manually install, but we have remote workers that would turn this into a 3-6 month waiting game. New devices are loaded prior to issue with no problems.

Edit2: The [blanks] are edited out for security purposes.

Edit3: Found the issue. Admin was confused about ordered Macs; they were unaware that we had M# processors in our inventory and defaulted to telling us that it was Intel-only. I ended up adding an arch check (using uname -m) to validate the macOS arch. "Operation not permitted" is a normal response when executing an executable file intended for another architecture.

9 Comments
2024/06/25
16:16 UTC
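The architecture check from Edit 3, written out as an added example (not the poster's ManageEngine script): it maps `uname -m` to the matching Elastic download name before anything is unpacked or executed, so an Intel build is never run on an Apple silicon Mac. Assumed: Elastic's `darwin-x86_64` / `darwin-aarch64` naming for macOS builds; the version and the `FLEET_URL` / `ENROLLMENT_TOKEN` values are placeholders for what the MDM would supply.

```bash
#!/bin/bash
# Added example: choose the elastic-agent tarball that matches this Mac's CPU
# architecture before installing. Running the wrong-architecture binary is what
# produces the "Operation not permitted" seen in the thread.
set -eu

AGENT_VERSION="8.10.4"   # placeholder: pin to the version Fleet hands out
ARTIFACT_BASE="https://artifacts.elastic.co/downloads/beats/elastic-agent"

# Map the kernel machine name (uname -m) to Elastic's macOS platform suffix.
# Assumed naming: x86_64 -> darwin-x86_64, arm64/aarch64 -> darwin-aarch64.
# Anything else returns 1 so the caller stops instead of guessing.
elastic_platform_for_arch() {
    case "$1" in
        x86_64)        echo "darwin-x86_64" ;;
        arm64|aarch64) echo "darwin-aarch64" ;;
        *)             return 1 ;;
    esac
}

# Build the tarball name for a given architecture and agent version.
elastic_agent_tarball() {
    local platform
    platform="$(elastic_platform_for_arch "$1")" || return 1
    echo "elastic-agent-$2-${platform}.tar.gz"
}

# Download, unpack and enrol. Only runs when explicitly asked for with
# "--install", so the functions above can be sourced and checked offline.
install_elastic_agent() {
    local arch tarball dir
    arch="$(uname -m)"
    tarball="$(elastic_agent_tarball "$arch" "$AGENT_VERSION")" || {
        echo "unsupported architecture: $arch" >&2
        return 1
    }
    dir="${tarball%.tar.gz}"
    echo "architecture $arch -> $tarball"
    curl -fsSL -O "${ARTIFACT_BASE}/${tarball}"
    tar xzf "$tarball"
    cd "$dir"
    # FLEET_URL and ENROLLMENT_TOKEN are placeholders the MDM would set.
    sudo ./elastic-agent install \
        --url="${FLEET_URL:?set FLEET_URL}" \
        --enrollment-token="${ENROLLMENT_TOKEN:?set ENROLLMENT_TOKEN}" \
        --non-interactive
}

if [ "${1:-}" = "--install" ]; then
    install_elastic_agent
fi
```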

5

Launch Daemon won't start

I've tested this on various versions of Sonoma, including the latest build; however, after my package installation completed, the launch agent fails to start with: postinstall: Load failed: 5: Input/output error. I've also used launch -w with no change. It checks OK with plutil. Any guidance is appreciated. Note that I redacted the auth token & password in it, but that part is confirmed correct.

Launch daemon below:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.migrator.plist</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/bash</string>
        <string>/Library/Application Support/MDM/migrator.sh</string>
        <string>--origin</string>
        <string>custom</string>
        <string>--removal-script</string>
        <string>/Library/Application Support/MDM/MigratorResources/removemdm.sh</string>
        <string>--registration-type</string>
        <string>local</string>
        <string>--dest-baseurl</string>
        <string>https://my_mdm_server.com/</string>
        <string>--dest-auth</string>
        <string>Basic -encrypted string redacted-</string>
        <string>--dest-token</string>
        <string>--token redacted--</string>
        <string>--dest-groupid</string>
        <string>mz</string>
        <string>--dest-apiurl</string>
        <string>--https://my_mdm_server.com/--</string>
    </array>
</dict>
</plist>

8 Comments
2024/06/25
15:56 UTC

1

Munki - Install check script

I want Munki to show the software "LogiOptions Plus" as installed when it is on the system.

So I tried this check script, but it is not working:

#!/bin/bash
# Munki installcheck_script convention: exit 0 means "install needed",
# any non-zero exit means "already installed, nothing to do".
if [ -d /Applications/logioptionsplus.app ]; then
    exit 1
else
    exit 0
fi
4 Comments
2024/06/25
14:33 UTC

2

Ability to customize finder?

I know that there are some good apps like dockutil that have more customization than the standard MDM profile, and you can set the wallpaper and some other things, but is there a way to customize Finder to give it a cleaner/more uniform look? I'd like to be able to define what is on the sidebar, the appearance, accent color, etc...

6 Comments
2024/06/25
14:17 UTC

13

AMA with Christopher Schasse and Rocketman Tech, an Apple/Jamf focused MSP. We’re here to help, not to sell!

0 Comments
2024/06/25
14:05 UTC

11

Is the Mac Admins Slack closed for new applicants?

Was wondering, is the Slack channel currently closed for new joiners?

The site (https://www.macadmins.org/) only has a link to join with an (at)macadmins.org email, and I can't really figure out how to get one.

13 Comments
2024/06/25
09:05 UTC

2

802.1x Certificate

Hi All

I am in the process of migrating users from a PSK SSID to a new SSID using 802.1x. The users will authenticate using RADIUS via Jumpcloud.com.

I have obtained JumpCloud's public RADIUS cert and installed it on the devices via Jamf; however, whenever a user connects they are prompted to view the certificate and then need to enter their device credentials.

Is there any way around this, or have I messed something up somewhere?

4 Comments
2024/06/25
02:31 UTC

9

MDM commands to the FileVault login screen in macOS Sequoia?

During WWDC '24 Apple announced that Platform SSO will be able to unlock FileVault in macOS Sequoia (16:40 in this video).

AFAICT this means there would need to be an active internet connection at the FileVault login window, which would allow a device to receive MDM commands like erase device when FileVault is locked (this has not been the case up to now).

I'll spare you the details but I inherited a shop where we have to frequently erase the disc and reinstall macOS on returned Macs due to not having FileVault credentials, so this would be huge for me. Has anyone gotten access to the beta that can confirm an internet connection at the FileVault login screen? If so have you tested running MDM commands like erase or lock when FileVault is locked?

edit: thanks for the responses but some are missing what I'm asking for, to state it more plainly:

  • Are you running the macOS Sequoia beta?
    • If yes, can you confirm the FileVault login screen has an internet connection?
      • If yes, have you tried running MDM erase commands on a device that is connected to the internet at the FileVault login screen?
23 Comments
2024/06/24
23:38 UTC

9

Apple ID creation failing org-wide. Having to contact Apple Support for EVERY SINGLE Apple ID creation 😡

Hello fellow MSA's. We have been having this issue for a few months, and we know that we're not alone.

No matter how the user attempts to sign up for an Apple ID, it fails with variations of the message: Could Not Create Account. Your account cannot be created at this time.

Doesn't matter if they are in the office, at home, on the web, on an iOS device, Windows PC, etc., it is clearly aimed at our domain. We have to have the user contact Apple support, who then fixes whatever backend issue and allows the Apple ID to be created. Somewhere along the way, our domain appears to have been blacklisted.

We have attempted to escalate this up the business support chain, as well as with our dedicated Apple rep & reseller (we purchase a lot of Apple devices), and we have gotten nowhere. I'm a Sr. Infosec Director who got tasked with corporate Apple support because no one else knows (or is willing to learn) anything about it. I probably have 100 users a month creating Apple IDs and I don't have the bandwidth to help each of them with this. Federated Apple IDs are not an option due to users needing a wide range of apps and features associated with regular Apple IDs.

Has anyone successfully gotten this remediated with Apple? I'd say I've exhausted my resources, so maybe someone else has some thoughts?

17 Comments
2024/06/24
18:44 UTC

0

Is it possible to update Macbooks through a switch using only content caching?

I don't want to use wifi at all, I just want to hook up 1 computer with content caching and 6 other Macbooks that need to update. So far I'm not having luck doing this, I think Apple wants us to just use internet and updates as usual hoping they use the content caching device automatically.

6 Comments
2024/06/24
15:15 UTC

1

Does ABM check if a device is already enrolled in another account when manually adding it?

If you have a Mac laptop that was added to Apple Business Manager from a different organization what happens if you manually try to add it to your Apple Business Manager using the Apple Configurator tool?

I assume at some point the device serial must be checked to confirm it’s not already enrolled elsewhere. Has anyone seen this or tested this before? Does the tool provide a warning that the device is already enrolled? How can I confirm a device is clear from all prior MDM enrollments before continuing the process?

The scenario would be: if your organization wants to purchase a few refurbished units on eBay and wants them added to your ABM, how do you know they aren’t still connected to a prior ABM?

I’ve seen systems that were ‘registered’ in another ABM but were not ‘assigned’ a profile. Even though I did a full factory restore and update and also ran sudo profiles show -type enrollment, the system appeared clear of MDM enrollment. However, a year later after restoring the unit it became enrolled at startup. I’m looking for a definitive way to confirm a device is completely clear of MDM enrollment.

Thank you!

2 Comments
2024/06/24
12:46 UTC

1

Need help with cis lvl1 custom rule

I am busy with customizing the cis_lvl1 rule, but I am very confused how to do this. I follow the following guide: https://techzone.omnissa.com/resource/enforcing-macos-security-compliance-project-baselines-workspace-one-operational-tutorial#overview

What I do is the following:

  • copy the right policy.yaml to the custom > rules folder
  • edit the value to my needs (keep all the rest of the lines)
  • run generate_guidance.py
  • check cis_lvl1/mobileconfig/preference > check the plist that should have the new value, but it doesn't.
1 Comment
2024/06/24
10:10 UTC

14

Secure Token issue on all apple silicon / MacOS Sonoma macbooks.

Hi, we give our users mobile accounts that authenticate via our AD domain. We keep seeing this issue on newer Macs / OSs: the user changes their AD domain password, everything seems fine, but then a few days later they are either locked out of the machine or lose admin rights.

The only fix has been to turn secure token off and then back on using the sysadminctl command, while connected to our AD domain via LAN, so I wanted to know where to start to look for a solution.

Is this a common issue? Is there a fix? All the discussions I've seen so far only show the sysadminctl thing and Apple seems to have no documentation regarding this.

Please help a noob out.

35 Comments
2024/06/24
07:30 UTC

2

Microsoft 365 apps for macOS close and reinstall without notification

2 Comments
2024/06/23
23:47 UTC

3

Stealth Mode + minikube

I'm currently rolling out Jamf at my new company. The Engineering team came to me yesterday with concerns that minikube no longer starts up. I was able to troubleshoot and determined that the issue is related to Stealth Mode being enforced in the macOS Firewall settings. When Stealth Mode is off, minikube works perfectly. Something I tried was adding bootpd as an allowed exception in the profile with Stealth Mode still enforced but that didn't work. From everything I've read Stealth Mode is an independent service and doesn't associate with the allow/block list.

Anyone encounter this or have any creative solutions? I'm trying to avoid forking profiles that turn off Stealth Mode for a specific team.

Your firewall is blocking bootpd which is required for socket_vmnet. The following commands will be executed to unblock bootpd:

$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /usr/libexec/bootpd
$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblock /usr/libexec/bootpd

Firewall settings cannot be modified from command line on managed Mac computers.
4 Comments
2024/06/22
17:24 UTC

2

New to Swift--Using Nested Code in Z-shell to Activate Extensions From JSS

Have recently discovered that Swift can be nested within a shell script, and came up with the following for activating system extensions:

#!/bin/zsh -v
loggedInUser=$( /usr/bin/stat -f %Su "/dev/console" )
echo $loggedInUser

# Define the Swift code within a heredoc. The delimiter is quoted so the
# shell passes Swift's "\(...)" interpolation through untouched.
swift_script=$(cat <<'EOF'
import Foundation
import SystemExtensions

// Define a class that will act as the delegate for the OSSystemExtensionRequest
class SystemExtensionHandler: NSObject, OSSystemExtensionRequestDelegate {

    // Create an array to hold activation requests
    var activationRequests = [OSSystemExtensionRequest]()

    // Requests still waiting for a final delegate callback
    var pending = 0

    // Method to activate extensions
    func activateExtensions() {
        // Identifiers of the extensions to activate; add more as needed
        let identifiers = [
            "com.microsoft.OneDrive.FinderSync",
            "com.microsoft.OneDrive.FileProvider",
            "com.microsoft.onenote.mac.shareextension",
            "com.netmotionwireless.MobilityOSX",
            "com.netmotionwireless.MobilityOSX.Extension",
            "com.microsoft.OneDrive-mac.FinderSync",
        ]
        // Create one activation request per identifier
        for identifier in identifiers {
            let request = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: identifier, queue: DispatchQueue.main)
            activationRequests.append(request)
        }
        pending = activationRequests.count

        // Set the delegate for each request in the array and submit it
        for request in activationRequests {
            request.delegate = self
            OSSystemExtensionManager.shared.submitRequest(request)
        }
    }

    // Exit once every request has reported a final result
    func requestDidEnd() {
        pending -= 1
        if pending == 0 { exit(0) }
    }

    // Delegate method called when the extension request is loaded
    func request(_ request: OSSystemExtensionRequest, didFinishWithResult result: OSSystemExtensionRequest.Result) {
        switch result {
        case .completed:
            print("Extension activation completed successfully.")
        case .willCompleteAfterReboot:
            print("Extension activation will complete after reboot.")
        @unknown default:
            print("Unknown result from extension activation request.")
        }
        requestDidEnd()
    }

    // Delegate method called when the extension request fails
    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) {
        print("Extension activation failed with error: \(error.localizedDescription)")
        requestDidEnd()
    }

    // Delegate method to handle user approval
    func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {
        print("Extension activation needs user approval.")
    }

    // Delegate method called when the request is canceled
    func request(_ request: OSSystemExtensionRequest, didCancelWithError error: Error) {
        print("Extension activation canceled with error: \(error.localizedDescription)")
        requestDidEnd()
    }

    // Required delegate method for replacing an existing extension
    func request(_ request: OSSystemExtensionRequest, actionForReplacingExtension existing: OSSystemExtensionProperties, withExtension ext: OSSystemExtensionProperties) -> OSSystemExtensionRequest.ReplacementAction {
        return .replace
    }
}

// Create an instance of the handler and call the activateExtensions method
let handler = SystemExtensionHandler()
handler.activateExtensions()
// Keep the process alive so the delegate callbacks (queued on the main
// queue) can run; the handler calls exit() once they have all reported
dispatchMain()
EOF
)

# Execute the Swift code using the swift command
echo "$swift_script" | sudo -u $loggedInUser swift -

With the advent of Jamf Pro 11.5.1 it seems that PI-009939 made its rather ugly return to my JSS... And in conjunction with seemingly continuous Apple changes under the hood... There was no need for this prior, but since stuff and things are breaking--we're pulling out all the stops.

3 Comments
2024/06/22
15:55 UTC

6

MacOS Intune Platform SSO not prompting to register device until Company Portal is opened

I'm deploying Platform SSO to allow our Mac users to sign into their devices without the need for a "build process", similar to autopilot on Windows.

I've followed this guide and it all works, except that the user has to open and sign in to Company Portal before they are prompted to register the device via the notification pop up in step 5 of the guide.

Has anyone else experienced this, and where should I be looking for troubleshooting information?

2 Comments
2024/06/21
11:12 UTC

7

Is pluginkit the only tool to enable app extensions for users?

Hi,

I am reaching out because I've been banging my head against a wall the last few days regarding the pluginkit tool. To my understanding, this is the only way to enable app extensions (Settings > Privacy & Security > Added Extensions) for users.

When I run the command locally as the signed in user it works fine (pluginkit -m | grep com.mi ) for example. However, I am trying to deploy a shell script (a variation of this script shell-intune-samples/macOS/Config/EnableOneDriveFinderSync/EnableOneDriveFinderSync.sh at master · microsoft/shell-intune-samples (github.com) ) to my test mac device via Intune (running as the signed in user). However, every time pluginkit is called, it errors with "match: connection invalid" which is clear that even though Intune is running it as the user, there must be some user environment or security context missing thus causing the error. Part of troubleshooting I echo out the current user and it is the correct logged on user.

I have tried to leverage pluginkit as root using other ideas such as launchctl asuser etc and I get the same error when deployed from an MDM platform. (We don't have JAMF). (macos - Is it possible to run pluginkit from a process running as root? - Stack Overflow)

Is there any other way to achieve this? Perhaps a custom profile? I am trying to enable the following app extensions:

com.microsoft.OneDrive.FinderSync

com.microsoft.OneDrive.FileProvider

com.microsoft.onenote.mac.shareextension

com.microsoft.CompanyPortalMac.ssoextension

com.citrix.NetScalerGateway.macos.app.vpnplugin
com.microsoft.CompanyPortalMac.Mac-Autofill-Extension

EDIT: I've resolved this, finally to work with Intune as root user. If anyone is interested in the full code, I've posted it in the comments below, but also to the GitHub issue page (macOS - Intune - ABM/ADE - Sonoma 14.5 M3 - EnableOneDriveFinderSync.sh (logs show "match: connection invalid") · Issue #137 · microsoft/shell-intune-samples (github.com))

I appreciate everyone that took the time to try to help out!

20 Comments
2024/06/20
21:53 UTC

13

Local password reset w/ filevault recovery key completely breaks Microsoft licensing

I've got a couple of users who have found themselves needing to do a local password reset for the laptop with filevault encryption running (we use Mosyle, keys escrowed in MDM), and any time this happens, Microsoft licensing is completely broken and doesn't return. It's random and I can't nail down the exact culprit, but none of the instructions for addressing this seem to work (uninstalling/reinstalling, license removal tool, troubleshooter script which I didn't need to use but couldn't hurt given nothing else is working).

This has happened before with a user who did not have filevault encryption or MDM running, so I'm not sure those are actual factors as opposed to possible factors. She did have to do a local password reset via recovery mode, and that broke her account much the same way this one is broken now.

I'm sure there is a script that could fix this, or documentation about how to find the files I need to delete or edit, but I may not be asking the right questions. Anyone else run across this before?

7 Comments
2024/06/20
19:45 UTC

0

Lease a MBP?

disclaimer: I don't have immediate financial barriers

I find that every 2-3 years I look to upgrade my MBP to get more ram/cpu but really a better display -- Ideally if I ran a business it looks like the business leasing from apple would be great but it looks like their minimum order is 4k and I'm just a solopreneur for now on small projects

Wondering if there's anything like a business lease that folks have run into where I can pay a bit more to have the flexibility to "upgrade" every few years?

11 Comments
2024/06/20
08:18 UTC
