/r/macsysadmin

A subreddit for all things related to the administration of Apple devices.

The reddit for Mac Professionals.

Please keep all content and discussions professional.

36,787 Subscribers

9

Loading iOS apps when your internet is horrendous

I work in places that mostly don’t have great internet (and sometimes none at all). This makes things really challenging when I’m needing to load apps on the iPads I manage in-country.

We don’t have caching servers currently (and I was told they aren’t really an improvement if you have unstable connections?), and I’m trying to find ways I can load apps onto my devices to at least get them going.

My initial idea is to download all the apps onto my Mac and use Apple Configurator 2 to load them onto the iPads. If I did that, would Jamf School be able to take over the management of those apps and be able to update them going forward? In an ideal world, I would have all the apps loaded prior to being in-country, but that isn’t the case if I have to wipe the iPads.

So, is there a way to locally load the apps but still allow them to be managed by my MDM once an internet connection has been established? Hopefully that makes sense.

12 Comments
2024/04/02
22:36 UTC

1

New small business needs MDM.

We want to provide one of our employees with a company laptop. In all, the company will have maybe 5-6 Apple MBPs in the next year. For the next few months it’ll just be 2-3.

I’ve registered the company for Apple Business Manager (ABM), and it’s yet to be activated. In the meantime, I’m trying to figure out what to choose for MDM: Apple Business Essentials or Mosyle (or anything else that people recommend here).

We essentially need a way to find the laptop, lock it / wipe it remotely and manage Chrome.

This is the first time we’re doing this, so I have no idea what I need to be doing.

E.g. can I buy a laptop before ABM is set up and use Mosyle to set the laptop up for the employee?

9 Comments
2024/04/02
21:05 UTC

3

managed IDs at rural school for small number of devices

I'm working with a rural K-12 school that has about 8 macOS devices distributed to district administration staff. About a year ago, one of the staff was let go, but they had logged into the iMac and the MBP with their personal AID. These two devices ('21 iMac and '21 MBP) sat in a cabinet for a year, and I've been asked to get them ready to replace some older Macs in the building.

I'm relatively new to managing Apple devices (experienced with Win and Chrome OS device management), so I'm doing some investigating to see what their options are to avoid getting their property tied to an employee's personal AID in the future.

What I'm curious about is using Apple School Manager (or Apple Business Manager), alongside the school's current Securly MDM (the Macs are not in there), to take advantage of managed AIDs and other management tools.

Some questions I'm currently looking into:

  1. Since we have no students using Macs, would it be better to use ABM vs ASM?
  2. Can Mac devices that were not purchased with ASM/ABM be retroactively enrolled?

Any ideas or suggestions of what I should be looking into to avoid any future issues with personal AID and to make the Macs easier for the district to manage?

I'm also open to any other suggestions of where I can get up to speed on managing Macs. I am currently going through this subreddit and seeing what I can learn.

Thanks!

3 Comments
2024/04/02
17:51 UTC

1

Ask for Apple School Manager

Hi,

Is there something to do if Apple School Manager is not available in one's country?

Any form to fill, any person to contact?

I'd like to use an MDM for around 100 iPads but can't without ASM or ABM...

Thanks.

9 Comments
2024/04/02
15:46 UTC

15

If you were starting today, how would you do it?

From day one of zero experience to Mac/Apple Systems Administrator - if you were starting today (without a degree) what would your steps be for success? It feels like there's a million different certs and job titles out there, making the path a little convoluted. Where would you start and how would you work your way up to a systems admin? (I.e. first start with these certs to get into a help desk job, etc.) I know there's not one possible path, but I'd like to think of a good game plan for others just starting out.

13 Comments
2024/04/02
12:46 UTC

5

Enrollment profile not taking effect on iPad

Hi!
I have this issue and hope to get some input. I have two 6th gen iPads. I have established Apple Business Manager, connected it to Intune and set up configuration policies and enrollment policies.

The issue is that I can't get one of the iPads out of this screen. It's in Norwegian, so let me translate directly:

"iPad Added

This iPad has been added to "Company Tenant name".
The iPad is assigned the MDM-server "Intune MDM" in Apple Business Manager."

The button says "Delete iPad"

It has been given an MDM server and an assigned enrollment profile inside of Intune.
I have already tried to delete the iPad and restart it. When I do that, it comes out of ABM, and I need to use Apple Configurator to get it back in, but that process isn't straightforward. I need many attempts before the code shows up and I can scan it.

For the record, this iPad has previously been enrolled and in use, but was later deleted from both ABM and Intune, then re-enrolled, and then ran into this issue.

The other iPad works perfectly and is set up and enrolled, so I know I have configured it correctly.

Any input here?

3 Comments
2024/04/02
07:38 UTC

5

Find My Mac Issue

I'm hoping someone here can help me with a “Find my Mac” issue we run into occasionally.

We rent Macintosh computers for two-year terms. The users sign in with their Apple ID and turn on Find My Mac. When they return the computer after two years, we have the customer sign out of their Apple ID and then we migrate their data onto a new machine.

For the returning unit we restore it via Configurator firmware, format the drive, and restore the latest version of the OS. We then sell the computer to another customer.

Occasionally, the new user will run into an issue when they go to turn on Find My in the settings. They go to their Apple ID, drill down to the Find My section, and then attempt to turn on Find My Mac but cannot, because the Find My window that appears shows the previous user's Apple ID and asks for the password, even though they are signed in with their own Apple ID.

Does anybody else run into this? It’s happening frequently enough that I am having to deal with angry people weekly.

12 Comments
2024/04/01
15:51 UTC

10

Managed vs Personal Apple IDs via Work Email (Mosyle MDM & Google Workspace)

We are a small company (3-4 employees) with currently 5 macOS devices and 4 iOS devices.
So far we have been using personal Apple IDs for the founders, and the 2 employees created a personal Apple ID using their work email address. As we have a half-year rotation of interns, we started using Mosyle MDM to quickly set up a profile to deploy Macs. We only then came upon managed Apple IDs and still can't decide if we should switch from personal Apple IDs to managed.

What we use Apple IDs for:
- Keynote/Pages collaboration
- iOS apps
- Find My (especially on two founders' laptops)

Why we thought a managed one could make sense:
- control over password reset
- offboarding of employees that leave the company (we don't need their phone number to log out)
- provisioning is easier (especially with integrated Mosyle MDM and Google Workspace)

Questions/infos:
- What happens to the apps that have been purchased with them if we make the switch to managed Apple IDs? Can we move them to our personal email addresses? (xy@gmail.com)
- Can we use a personal Apple ID (xy@gmail.com) AND a managed ID (max@company.com) on one Mac? I saw that it is possible on iOS devices. (We as founders use the Mac both as a personal device and a work device, and that would be important for us.)

- Find My should be somehow possible with Mosyle MDM (so no need to worry about Apple IDs here anyway?)

- We will cancel the Google Workspace email once an employee leaves anyway, so the attached Apple ID wouldn't work any more, but lots of forums said it might be a problem with personal Apple IDs attached to the work email, as revoking access to Apple ID services or synced data when the employee leaves is not possible...

Anything else we should think of? Thanks for your insights!

5 Comments
2024/03/31
16:07 UTC

4

Mapping SMB shares + Printers

I'm hitting an issue where if I use the open command in the terminal, I can connect to the share, but if I use mount_smb, it throws an authentication error. The share in question sits on a Windows server and is on the domain, but I cannot see any abnormality.

Is there a standard script/command set for the following scenarios:

  1. Map SMB share with a custom password
  2. Map SMB share using the logged-in domain user's credentials (pass-through?)

Also, what commands should I be looking at to map to a Windows print queue?

I am looking to put together a shell script (either bash or AppleScript) to perform the task. PowerShell is also an option; in this case I could just copy the Windows scripts across to the Mac.

7 Comments
2024/03/30
19:00 UTC

1

CIS for Mac using Intune

Hello, I'm adding CIS 14 v1.0.0 via Intune to macOS. Is there a way to upload preconfigured policies, or do I have to build them out accordingly?

3 Comments
2024/03/29
20:38 UTC

2

AppleCare Enterprise Portal admin guide

Hey there! Does anyone have a link to an admin guide for the AppleCare Enterprise Portal? We're just trying to figure out what the different roles in the portal give access to. There doesn't seem to be an admin guide published anywhere.

NOTE: I am not talking about Apple Business Manager.

0 Comments
2024/03/29
18:59 UTC

23

Is there any way to check if a used Mac is in someone's ABM account?

We've all read/heard stories about people buying used Macs, only to find they were activation locked, or (if not locked) still tied to someone's Apple ID. If I'm buying a used Mac, it's easy enough to check by logging into my own Apple ID and trying to turn on Find My Mac.

But what about a Mac that's in someone's ABM account, but for which enrollment is currently turned off? Booting up, logging in, even wiping & restoring would all look the same.

I think it's unlikely some evil person would turn off ADE, sell a Mac, then turn it back on days/weeks/months/years later, but they could!

So, if I'm buying a used Mac, is there any way to protect myself against this possibility?

21 Comments
2024/03/29
13:45 UTC

6

CIS Level 1 - Sonoma Benchmarks - Software Update Missing

I'm beginning to test Level 1 of CIS Sonoma using Jamf Pro. I've encountered an issue where I created a config profile to enable automatic update downloads. However, because the window to "check for updates" is no longer needed, I'm not seeing any new updates appearing. I'm aware that version 14.4.1 exists. I can manually check using:

softwareupdate -l --include-config-data

After running this, the new pending update shows up.

Any reason why?

8 Comments
2024/03/28
20:14 UTC

0

Sustainable to run external monitors?

Hey!

So I have this MacBook Pro, details below. It works great. I also have a PC that doesn't work great. Today I reconnected the monitors from the PC to run off the MacBook, because I've run out of patience with the PC.

My question is, is it sustainable for me to use the MacBook with these two displays long-term? I know that it CAN work. It's working now, really well. Really, what I am worried about is that this could somehow fry the graphics card or the hard drive or something like that. I'm not really that good with computers, so figured I'd ask for help here.

To summarize, I know that I CAN run two external monitors from a MacBook, but SHOULD I?

FWIW, this is just a short-term setup, potentially, as ideally I'll eventually replace the PC, but if there is no reason to waste money on a new PC and the MacBook is going to be fine, I could see myself phasing out the PC completely and just being Mac only...

Thanks!!!!!!

ps: I just saw rule number one about no support for personal devices... mea culpa. mercy?

5 Comments
2024/03/28
19:15 UTC

5

Seeking Advice: Resources for Transitioning from Windows to Mac Administration

  • I've been managing Windows endpoints for a while now, handling tasks like Group Policy Objects (GPOs), SCCM, Intune, and PowerShell.
  • However, I've never had the opportunity to work with Mac systems.
  • I'm interested in expanding my skills to include Mac administration, particularly with tools like Jamf and Apple Business Manager (ABM).
  • Can anyone recommend good resources or learning paths to help me get started with Mac administration?
  • Ultimately, my goal is to become proficient in managing and troubleshooting Mac endpoints on a daily basis.

Your advice and suggestions would be greatly appreciated. Thank you!

12 Comments
2024/03/28
17:43 UTC

0

How to push apps and manage apps on intune without VPP?

Hi,

So I’ve been trying to find ways to install apps on iPads without VPP. I’ve been experimenting with pushing via Apple Configurator, but I would like to manage apps via Intune without VPP.

There has to be a way to do this.

17 Comments
2024/03/27
22:39 UTC

2

Outlook inbox not updating?

Had an end user bring this issue over and it kind of stumped me. Wondering if anyone can give insight into what could have caused it.

I have a MacBook Pro enrolled in Intune and Company Portal. It's managed with Jamf and Centrify/Delinea for domain access. The problem I ran into is that one day they went home and Outlook just did not update whatsoever, even on/off VPN. They were on the domain, they were enrolled and managed through Jamf. No issues I could find.

So I started removing MS related keychains and re-created his Outlook profile. I then got an error saying "Unable to add account. Please check your credentials and try again". I made sure they were able to use OWA and that all their logins were good. They were. I made sure I was able to create a profile under my own account. I was, the app was functioning correctly. But every time they tried their own credentials specifically in the Outlook app, it did not take. Everything else MS related went through and worked. The next day the user came into the office and it worked right away, which does not make sense to me, as even on VPN the issue persisted. I was told this COULD be an issue with Legacy Outlook, which they are using, but I'm not sure.

5 Comments
2024/03/27
18:09 UTC

19

MDM - worth it for small businesses?

Hi!

I'm currently exploring MDMs for my small workplace with 15 employees, expecting slow growth of 1-2 hires per year. Our work environment is hybrid (most work from the office though), we use MacBooks and are entirely cloud-based, primarily using Google Workspace.

I manage most of our IT needs (though it's not my primary job). We don't have any devices enrolled in ABM or any MDM, so people use the local OSX account and control everything themselves. I usually sit for 30 mins and install/set up everything needed when we either hire someone new or when we upgrade computers. I'd like to optimize this.

I'm looking for the most cost-effective solution that still balances the necessary features, given our relatively modest requirements. Jamf, Mosyle and Kandji all seem similar to me.

Our needs are pretty much this (I think):

  • Zero-touch deployment for new MacBooks to save me some time: for installation of some apps, like Chrome (and setting it as default), Wi-Fi settings, Google Drive for desktop, and perhaps others I'm not yet aware of.
  • Automatic OSX updates, as they are often neglected by my colleagues
  • Security reasons, better control over our devices
  • Smoother offboarding processes

Appreciate any advice! Is it worth the hassle?

41 Comments
2024/03/26
16:17 UTC

1

Global Protect - no matching certificates found

Hi,

Unable to connect via "Global Protect" when the feature "Client Certificate Matching" (Criteria) is enabled.

Error message: "Failed to get configuration"

Log entries:

Debug(10873): PortalGetConfigCC()...
Debug( 51): >>>>>> CPanConfigCriteriaMac::GetPortalCcCert, ca size =2
Debug(1772): >>>>> copySystemIdentitiesMatchingIssuer, issuerDER.length 28
Debug( 61): >>>>>> matchingCerts count 0
Debug(1772): >>>>> copySystemIdentitiesMatchingIssuer, issuerDER.length 76
Debug( 61): >>>>>> matchingCerts count 0
Debug(1095): GetPortalCcCert does not get cert

Note:

  • The certificate chain of the SCEP certificate (device) is trusted on the VPN gateway
  • SCEP certificate (device) is available and trusted within the keychain on the macOS device

1 Comment
2024/03/26
14:19 UTC

13

macOS wants to make changes

Are there any type of logs that I can pull to see WHAT app is requesting elevated permissions? It keeps popping up, and if it's an app I can just delete or push something through our MDM to avoid this popup, that is the goal.

4 Comments
2024/03/26
12:41 UTC

3

Leaving Kandji

Has anyone not renewed Kandji before, and what was your experience with it?

I can’t find many reports online of people either not renewing and leaving it on, or migrating away from Kandji, and was wondering how people found the process.

Many thanks.

8 Comments
2024/03/26
10:17 UTC

2

NFS file perms via UID & GID stored in Active Directory

I am having an issue with NFS shares with regards to UID and GID. I was hoping binding to AD would sort it out via the UID and GID mapping feature; however, the bind just seems to disappear on a reboot, which I suspect is not unusual.

I am running through the options and trying XCreds, which seems to work well, but I need to have the UID and GID correctly 'pulled' or 'mapped' from AD in order to be able to manage file perms. Atm it appears as though XCreds is making a new user, and the UID and GID are just the Apple defaults.

Does anyone have this kind of setup, and if so, what's the best solve?

8 Comments
2024/03/26
00:42 UTC

2

Cloud admin still required for MS Entra mode?

0 Comments
2024/03/25
20:38 UTC

3

Issues with Company Portal.

Our Mac environment uses ABM defaulting to WS1. I was able to add Intune to ABM and point two of our devices to use that as the MDM. Everything works fine, but the only thing I can't get to work is Company Portal. It always has the error "Your organization requires you to enroll this device with a different device management provider", and won't allow me to install any apps from Company Portal.

Please help my sanity.

4 Comments
2024/03/25
20:28 UTC

23

Jamf vs. Kandji in 2024?

Currently using Jamf Business and discussions around renewal have begun. I am wondering if it is worth staying on Jamf in 2024, as a Kandji license (w/ Liftoff) + a license for a more robust (third-party) EDR than Jamf Protect costs less than a Jamf Business license.

I know Jamf has a more powerful API, but we are a relatively small shop and most Mac administration is currently done via Jamf’s GUI.

Aside from that, are there any pros for Jamf or cons for Kandji that warrant the difference in price, which I should consider before making the change?

56 Comments
2024/03/25
17:21 UTC

5

AutoPkgr Overrides, Security Concerns

Hello everyone,

I am currently configuring the software update tool "Munki".
While the base setup is done, we use AutoPkgr to fetch the DMGs/PKGs.
One thing I noticed: I had to add quite a lot of repos to find all the programs I want to manage.
However, by adding more repos I find I have to place a lot of trust in each of these creators.

I thought about creating my own repo and using the given recipes, so I have more control.

Then I realised overrides might be the exact same thing, but just locally.

Do I understand right that an override of a recipe is theoretically my "own" and is basically a copy of the current recipe?
It does not update from the repo, right?

So all I should do is verify the recipe and create overrides if everything is fine.

Please let me know if you need any additional information.

7 Comments
2024/03/25
12:15 UTC

13

Moving over to Microsoft

Hi! So right now is budgeting time at my non-profit, and we realized we spend a looot on licenses, and were thinking of moving most of our apps over to Microsoft Business Premium for non-profits. Our plan is to mostly migrate email and MDM to Microsoft. Our current solutions are Meraki SM for the MDM and a local email host for our email. Does it make sense? We have around 100 devices, which are mostly Macs.

14 Comments
2024/03/23
21:46 UTC

1

App redistribution in MaaS360?

My company uses MaaS360 to manage Apple and Android devices.

Normally, when I need to add apps into MaaS360, I 'purchase' them through Apple Business Manager first. Then they show up in MaaS360 with the number of VPP licenses I obtained from ABM.

However, I messed up the other day and added an app through MaaS360 before waiting for it to sync up from ABM first.

The app doesn't show any VPP tokens for it in MaaS360. Trying to assign it to a user or group gets met with a message on the user's iPhone that says, "This Apple ID can't make purchases."

Is it possible to associate the app with the VPP token? Or something else I can do?

Edit: I manually performed a sync of the VPP token in MaaS360, and that let the app come through.

0 Comments
2024/03/23
18:18 UTC

2

Manage Apps, logins, and remotely view device?

TL;DR: I have a grandma who needs a lot of tech help; I work in IT and am usually the go-to for her. Grandkids are installing apps or mucking around with her iPhone and iPad, and on several occasions this has caused problems. I know the solution is to not let the kids use them, but gram doesn't like that idea. Does Apple have an MDM solution that can let me manage apps, device PIN, etc.? Or can similar be accomplished with LogMeIn, AnyDesk, or Intune?

7 Comments
2024/03/23
16:12 UTC

3

Intune ADE Without User Affinity

4 Comments
2024/03/22
14:23 UTC