/r/macsysadmin


A subreddit for all things related to the administration of Apple devices.

The reddit for Mac Professionals.


Please keep all content and discussions professional.



41,235 Subscribers

4

Two PayloadUUID, what is the difference?

I'm writing a .mobileconfig and there are two PayloadUUIDs, one at the top level and one inside PayloadContent. What is the difference? Can the top-level one be reused? Or should I just generate unique ones for both?

0 Comments
2024/12/03
15:49 UTC

3

How can I disable SMB sharing on one interface?

I'm running Sonoma 14.7.1 and have SMB shares on a secure network interface and a separate Ethernet interface for VMs to access an IoT network. I want the IoT interface to not have any access to my SMB shares.

I don't see any /etc/smb.conf or other way to disable the SMB service on the IoT interface.

Has anyone been able to turn off SMB to one of the network interfaces?

edit: removed references to VLANs because it's not relevant.

10 Comments
2024/12/03
05:50 UTC

3

Production quality code

Job posting: "... You can write production-quality code for automation in Python, Bash, or similar languages"

I've written some scripts, but nothing significant like the open-source projects we all use.

I can modify what I need from other sources to get stuff done.

  • What sort of 'production code' have you used or written?

I need to be more experienced to contribute to nudge or super, etc.

  • If you have a code repo, where'd you get the experience?

I guess I'm having a rough day after being passed on job after job and the only factor I can figure is I don't have the programming experience as a sysadmin.

7 Comments
2024/12/03
02:29 UTC

6

Federated Apple IDs and MDM

Hello, I’m new to this, but we will be deploying federated Apple IDs for Mac users, iPhones and a few iPads for our company. Some of the users have personal IDs logged in, and some Macs, iPhones and iPads are not enrolled in the MDM (Jamf). Will federated Apple IDs work for those not enrolled with our MDM, and is there a way to see who has logged in with their personal IDs?

8 Comments
2024/12/02
23:10 UTC

0

Help with Yubikey and Office365

Hi guys, I'm trying to get a YubiKey 5C NFC working with Office login without any luck. It keeps throwing an error: "Something went wrong. You may want to try a different security key, or contact your administrator". In Entra > Protection > Authentication Methods I have Passkey (FIDO2) enabled with enforce key restrictions and what I believe are the correct AAGUIDs entered for the device. I don't get what the error is about; it just has a long correlation ID after it. https://imgur.com/a/ykvHFlR

2 Comments
2024/12/02
22:15 UTC

15

Manage employees devices

Hi everyone,

I'm a DevOps person, but the company where I work asked me to organize the internal IT department. We are a small company, so it's normal to cover multiple positions.

I have to figure out how to manage all of the devices of our employees. I was looking at Apple Business Manager program but I don't think it covers all of the aspects. What my bosses want to cover is the following:

  1. To be able to install programs automatically (without notifying the person)
  2. Force updates
  3. Disable installing programs without authorization
  4. In case of lost/stolen/left the company without returning the device, to be locked out/wiped out
  5. Different roles for different positions
  6. File encryption
  7. VPN configuration / management
  8. Device and usage monitoring - if possible real life updates
  9. Audit logs - very important for the industry that we are in; it's a must, sadly
  10. Remote management - in case of a problem, to be able to access the device remotely
  11. Any additional security is welcome

All of our devices so far are MacBooks with the latest OS updates. We have around 7-8 devices, as we are still a small team. We don't use MS AD; our SSO is Google Workspace.

What are your suggestions about such a program or service? Any advice would be appreciated.

Thank you in advance!

30 Comments
2024/12/02
15:07 UTC

6

Recovering from Time Machine while on Intune AD MDM and Admin By Request

Hello!

I'm asking for opinions on what's the best practice regarding recovery of Time Machine backups on a brand new DEP Mac that replaces an older (also DEP) one. We use Intune AD for MDM and Admin By Request to control privileges, but we specifically allow sudo access as defined by ABR and also allow for Time Machine backups.

In the past we just went the easy route, installed from scratch and told users to deal with it, but some management types are asking us if it's at all possible to use the Time Machine backup to recover while following the standard enrollment.

Our issue historically has been that the Time Machine recovery steps come up before MDM kicks in, and we weren't sure both things would play nice with each other since there's so much stuff dependent on permissions and roles. But we haven't tried again in three years, so it may be easier now.

17 Comments
2024/12/02
11:25 UTC

16

Do you reckon that Apple Intelligence will be blocked on corporate Apple devices?

I'm looking forward to trying out Apple Intelligence; however, the only device I have at the moment that will be compatible with it is my Mac mini supplied by my work, hence why I am wondering what those of you who are Mac sysadmins predict will happen once Apple releases it.

Are your organizations directing you to block it? Do you know if the MDM programs even allow for that?

42 Comments
2024/12/01
22:55 UTC

0

MacBook Pro M3 Pro External Display Troubleshooting

Hello, I am currently running into the following problem when attempting to connect two 4K external monitors to my MacBook Pro M3 Pro 14". In short, the problem I am experiencing is that no matter what I attempt to do, I am unable to connect more than one external 4K 144Hz monitor to my Mac. I have attempted the following connections:

  • Via HDMI on both monitors (One connected through onboard HDMI port and one via Apple USB adapter)
  • Thunderbolt on both monitors (Two separate cables going into both ports on left side of the Mac)
  • Thunderbolt + HDMI (One thunderbolt and one HDMI plugged into onboard port also attempted with adapter)
  • One native thunderbolt + one thunderbolt plugged into CalDigit Element Hub -> Plugged into second port on left side

Other things I have tried include:

  • Restarting my computer
  • Holding Option to "Detect Displays"
  • Tried one 4K and one 1440p display, both via Thunderbolt, and this seemed to work.
  • Turned the refresh rate on both monitors to 60Hz instead of 144Hz. This didn't work.

I am currently running macOS Sequoia 15.1.1 and, as I stated early on, I am currently attempting this on an M3 Pro 14".

I have spent 2 hours on the phone with Apple Support and haven’t gotten any closer to a resolution.

Any help would be much appreciated to try and get this to work. Thanks!

16 Comments
2024/12/01
21:44 UTC

7

Screen Recording access

Sorry if this has been asked a million times.

We’re just starting to manage our Mac devices in Intune and we are trying to get AnyDesk to have a seamless install for the end user, but I can’t for the life of me get it to have Screen Recording access.

From what I’ve seen it seems like Apple only allows you to block this feature and allow standard users to approve.

Is this true or is there a script or something I can run to allow this for the user?

I’ve already messed with the settings catalog and PPPC mobileconfig files, but nothing.

AnyDesk support is no help as well and won’t give me a straight answer.

19 Comments
2024/12/01
19:49 UTC

1

Migration to new Apple Business Manager environment

Due to relegations we have to sever a business unit and are migrating them to their own Jamf Pro environment.

They also have a new Apple Business Manager environment.

If I understand it correctly, we could ask Apple to migrate their current in use macOS devices from the current ABM to the new ABM environment.

Did I understand that correctly?

Are there any risks or downtime involved?

Can we ask Apple to start the migration or do the devices need to be in the new Jamf Pro tenant? The tenant is already up and running btw.

9 Comments
2024/12/01
16:38 UTC

0

IT says they need 150 hours to integrate my MacBook…

I work in a Windows-based company. Pretty much all employees use PCs.

However the company has changed its revenue generation model so I’ve been hired to build a marketing infrastructure from scratch, including hardware and tech stack, and I have gotten approval from execs to purchase Macs for me and my team.

However, IT is trying to push back and create friction by saying they need “150 engineer hours” to integrate the first MacBook.

I’m certainly no enterprise IT expert, but 150 hours seems pretty excessive to me?

Wouldn’t a tool like Jamf make the integration with Intune more streamlined?

IT also clarified the 150 hour estimate doesn’t include any compliance checks and security audits etc.

Any advice? What are some questions I can ask IT to gain clarity on the 150 hours?

45 Comments
2024/12/01
02:32 UTC

11

Apple Deployment and Management exam

Hello

I have successfully passed the Apple Device Support exam and am now taking the Apple Deployment and Management exam in a few weeks.

I'm struggling to find any decent learning material other than the learning objectives.

I found a few flashcards on Quizlet and Brainscape, but I'm just wondering what other people have used?

Thank you

4 Comments
2024/11/30
18:54 UTC

3

Help with failed AppleRAID JBOD

I have an AppleRAID array using JBOD, with the underlying hardware being NVMe M.2 sticks. One member shows "failed" although the hardware checks out OK (Samsung 960 with 3 GPT partitions).

diskutil (and Disk Utility) seems unable to do anything other than list the partitions. gpt shows the problem partition and I can mount the other partitions from the "failed" member, but I have no idea how to mount an AppleRAID partition even though it was JBOD. How can a JBOD component drive not be mountable -- isn't this the whole point of JBOD!!

The array was holding a critical Time Machine backup while I reformatted my main drive. This is a disaster. Any ideas how to recover? If I "delete" the array I hope I can recover data from the other 3 members, but given that I was using Time Machine I fear there might have been a critical index on the first (failed) member.

Is there any recovery tool for AppleRAID, since I think this must have been a software or transmission error only?

Any tricks to repair a failed member drive?

9 Comments
2024/11/30
18:19 UTC

1

Trouble adding iPad to Apple School Manager from AC2

Technical specs

  • iPad Air A1474

I have had moderate success adding iPads to ASM for some time through much trial and error. I am still finding success adding devices, but there's one in particular that refuses to add.

The error I'm getting: Provisional Enrollment Failed [MCCloudConfigErrorDomain - 0x80EF (33007)]

The only reason this is happening is because during the enrollment, the MacBook died. Now whenever I try to restart the process it keeps providing the error.

I have erased the iPad as well as confirmed that it's not already in an ASM. Does anyone have any pointers?

0 Comments
2024/11/29
10:17 UTC

3

Extending Displays for Macbook Pro with M1 chip

I have an Apple MacBook Pro M1 chip 2020 model and I have two external monitors that I use for my job; however, I cannot get an external display on the 2 screens as well as my Mac. I am aware that M1 chips don't let you use multiple screens; however, I have installed DisplayLink software to get around this, but it still isn't working.

Does anyone have any recommendations for docking stations or software that will allow me to get around this issue? Currently the only docking station I see that could work is the one below, but I'd like something cheaper:

https://www.amazon.com.au/Hyper-Drive-Dual-Travel-MacBook/dp/B09NBS9DS6?th=1

Plz help

21 Comments
2024/11/29
01:13 UTC

9

Managing system certificates.

Hi all,

I am a network engineer who is trying to migrate to a new VPN solution that will enable decryption on the firewalls.

For decryption to work properly, we need to install our enterprise root CA to both Windows and Mac machines.

Where I have seen a problem is that some CLI applications break because they use their own 'internal CA'.

Is there a 'hidden' certificate store I should know about? Or is this issue on a per application basis?

Also, is there a best practice to manage machine certificates through Jamf?

8 Comments
2024/11/28
10:14 UTC

2

Installomator Error with Intune: "need to provide 'downloadURL'" for Screaming Frog

Hi everyone,

I’m trying to deploy Screaming Frog using Installomator and encountered an issue. In the macOS Console logs and the Intune log, I see the following error:

screamingfrogseospider: need to provide 'downloadURL'

I’m using the label screamingfrogseospider, as per the GitHub documentation, but it seems like the download URL isn’t being retrieved properly.

Installomator version: 10.5

Has anyone else experienced this issue or know how to resolve it?

Any help would be greatly appreciated!

Thanks in advance!

6 Comments
2024/11/28
08:23 UTC

2

First time MDM questions

I’m brand new to looking at this. We have 3 Macs currently (all Apple silicon) and I’m looking to add another 2.

I’m really keen to get management in place before adding more, but I have a couple of questions and hoped to get some help from this sub if possible!

Where I’m a little lost is around these being bought directly from Apple/a reseller versus buying from another retailer. I’ve previously bought from Costco due to their customer service and cost, but they’re not an authorised reseller in the UK, so my understanding is these have to be manually added. The existing Macs will presumably fall under the same rules (one was bought directly from Apple).

In practical terms, what does this mean? Is it simply an extra step with me manually having to enrol them, or are there features we are locked out of?

I’m looking at Mosyle as this seems to be the most recommended one I see, but happy for other thoughts/recommendations.

The purpose of having this is mainly for the security updates/remote wipe. We don’t use much in the way of software outside Office 365, as it’s almost all browser-based work we do.

5 Comments
2024/11/27
22:28 UTC

25

Company switching from Jamf to UEM MDM solution

Afternoon all! So my company is wanting to consolidate all our management for endpoints under one roof. They want Windows, Linux, and macOS under a single management tool. They are deciding between Hexnode and Scalefusion.

Currently, for our Macs, we use Jamf. And as our only Jamf/Intune admin, I have made HEAVY use of extension attributes, the Jamf App Catalog, AutoPkgr, Jamf Setup Manager, and Jamf Connect to make this all sing. We are about 600 endpoints strong with mostly MacBooks and some iPads.

Looking around at it, Scalefusion seems tailored to hospitals and retail, with Hexnode being more multi purpose, but with an annoying pricing structure.

Here is my question: what do I lose if we make the move to one of these solutions? Will we be far worse off?

TL;DR: Leadership is wanting to switch to a new MDM solution to put it all in one bucket. We use Jamf heavily for our Macs, but they want to use Hexnode or Scalefusion. What do we lose moving to it?

41 Comments
2024/11/27
18:48 UTC

6

Kandji on iPhone

I've been asked by my employer to put Kandji on my iPhone. The only work-related connection on my phone is the native email app, accessing my work email. I don't have Salesforce or Box or anything else installed on my phone.

I've read what threads I can find on this question, but they are mostly asked/answered from the perspective of the company sysadmin. From my perspective, what can this app see on my phone? A backdoor is a backdoor, and I'm highly reluctant to allow that.

Also -- my alternative is to request a company phone, but then I'd be carrying two around.

27 Comments
2024/11/27
16:54 UTC

50

For fans of Paul Bowden (of macadmins.software and office-reset.com fame)

Apparently there's a way to thank him directly:

https://buymeacoffee.com/pbowden

11 Comments
2024/11/26
21:01 UTC

0

Question on MDM and Migration Assistant to personal mac

Hello!

I have a company MacBook that's pretty hands-off (no restrictions, explicitly told it can be used as a personal device), but it's enrolled in MDM and Jamf (no company apps installed, just managed through it). I'm now getting a new personal MacBook and want to migrate my data to it. I know Migration Assistant usually breaks MDM, and I've read a lot about it, but is there a way to prevent it from carrying over completely? The first step is unchecking transferring the system settings, but is there anything else?

I'm making a Time Machine backup to do this migration.

Thank you!

7 Comments
2024/11/26
17:19 UTC

38

How am I supposed to keep Macs updated if my organization keeps buying 128GB M1 models and people fill them up with trash?

One of the places I'm a system admin for is a school, which keeps buying M1 Airs with 128GB of space. To make things better, kids always just download random stuff and fill it up quickly, or even staff put their iMessage on there and load everything (they also get the same Macs). What can I realistically do about this so I have enough storage to update them remotely? Is it possible to lock 35GB of their storage for updates only? I use Jamf Pro, thanks.

66 Comments
2024/11/26
16:15 UTC

1

Help with Microsoft SSO

Just switched to Mac and everything has been great until... I downloaded Edge...

I use 2 Microsoft accounts, my standard one for everything and then an admin account for managing 365 stuff like Entra, Intune, etc. I use separate browsers so I don't have 2 accounts fighting for the SSO, hence I downloaded Edge to use for my 365 admin account.

But now the admin account is linked to Chrome and no matter how many times I click "sign out and forget" it just keeps auto-logging itself back in. Every SSO website I go to asks me which account I want to use to sign in. I deleted Edge but it is still happening.

Macs are enrolled in Intune. The Microsoft SSO extension is pushed to Chrome. If I open Company Portal and go to settings, the only SSO account listed is my standard account.

This is driving me mad. Any assistance is much appreciated!

9 Comments
2024/11/26
14:49 UTC

2

How to create a desktop shortcut to a hidden SMB folder

So I have a shared folder on a NAS that is hidden from SMB discovery (cannot be browsed through Finder). I can connect to the folder just fine by going to it via the Connect to server option, but how do I create a direct shortcut to it on the Desktop, one that will be persistent and will work whenever I'm connected to the required network?

4 Comments
2024/11/25
23:56 UTC

1

Apple Configurator

I have Apple Configurator installed on a Mac mini. The operating system is running out of space. I cannot seem to find where all the cached download files from Apple Configurator are being saved. This is macOS 15.

9 Comments
2024/11/25
22:46 UTC

2

DeepFreeze/Imaging hire stock

Hi all,

I do some consulting for an AV company and use Mosyle for in-house work Macs, but they have a number of Macs in their hire stock. These need to be wiped when returning to the warehouse but must survive reboots etc. onsite. Previously I have used:

- DeployStudio = Worked perfectly until Apple stopped support on the older Intel fleet (pre-2016)

- A script I wrote to restore the show user account from a hidden warehouse account. Again, worked until Apple changed the permissions. It also didn't restore Applications etc.

- tmutil localsnapshots. Works really, really well. Warehouse boots into Recovery, selects Time Machine, then restore. Big downside: the snapshot is eventually automatically deleted. If I give the snapshot a special name then it isn't deleted, but it won't show up as a restorable snapshot. If I then rename it, it is removed. I also can't clone a snapshot.

Lastly I have looked into using Mosyle which would work and do a full wipe but some software requires licensing. One of those programs (Dante Virtual Soundcard) doesn't allow for re-activations even on the same hardware without contacting support! Others may require you to de-register and then re-register on the backend.

I've also looked into Deep Freeze for Mac, which is perfect except for one thing! It triggers during reboot and not manually. If someone reboots the machine during a hire, then they could lose all their data.

MDS looks brilliant, but again it would just trigger a restore, causing issues with licensing, unless I could get it to re-image the machine from a previous backup?

We have a pretty fast network and lots of disk space, so even having a backup per machine is fine. Worst case, a Time Machine network backup could work, but it does nag the user and again could remove the oldest backup, which is the one we want to keep!

Has anyone got a solution? I feel like APFS snapshots are so close, if only I could get them to be persistent.

5 Comments
2024/11/25
19:03 UTC
