>A maintenance update to correct — and enhance — handling of comma-separated values (CSV) for the --operations parameter in the MDM-agnostic, unified, user-friendly macOS script to repair, reset, or remove Microsoft 365 components.

Background

A December 2023 Microsoft 365 Reset (2.0.0b1) via Jamf Pro Self Service post detailed a “quick-and-dirty Jamf Pro Policy hack for testing Microsoft_Office_Reset_2.0.0.pkg” (which still works as advertised today, more than 895 days later).

However, while conducting some internal training, I was pained by how user un-friendly the workflow seemed — even if it did get the job done — which motivated the development of the modern, unified approach that Microsoft-365-Reset.zsh now delivers.

Overview

The Microsoft-365-Reset.zsh script seeks to provide an MDM-agnostic, unified, user-friendly approach to all of Paul’s Office-Reset goodness.

Additionally, one resolution to the nightmare that is the Adobe Acrobat Add-in Removal for Microsoft 365 is also included.

Changes in 1.2.0

This maintenance release focuses on CSV handling for the --operations parameter:

• Constrained the interactive operation picker to only the operations listed in the CSV when --operations / Jamf $5 is provided (addresses #15; thanks, andreilabin!)
• Fixed --operations / Jamf $5 CSV parsing so comma-separated operation IDs are treated as separate selections in silent mode (addresses #16; thanks, meschwartz!)

Has anyone integrated Jamf with Microsoft Entra for compliance and would you recommend it?

Has anyone gotten this to work yet? It looks like it's now supported by Microsoft, finally, but I went through the instructions from JAMF and my device keeps hanging after enrollment where it says it's waiting for the management server.

We don't have this issue at all with PSSO so it's only with those few options that are required for simplified setup.

Haven't made any changes to either Okta or Jamf but this started popping up today when trying to log into Jamf Connect 3.7. Using Self Service+. Have had no issue for months until today. Self Service is also telling me my password is out of sync but no change has been made to my password. This is happening across all devices. Any assistance is appreciated.

https://preview.redd.it/rtrn17k8f51h1.png?width=2066&format=png&auto=webp&s=552afec39843c87c63eecb1ef5049b78796c8022

https://preview.redd.it/3h1e08zve51h1.png?width=1120&format=png&auto=webp&s=f08a75d7cc203b8d5f3092567fccb3c46c535224

Hi All,

I’m having an issue at the moment where after going though the config of setting up PSSO, linking it to Entra and then letting some time lapse. I am losing the ability to use Sudo, with the error in terminal being “sudo: 4294967295: invalid value” From what I can tell the “4294967295” is part of a group that can be found with the Directory Utility and correlates to “NoGroup” From there I’m completely stuck. I can only think it has to be something to do with the PSSO set-up or something that PSSO just does? Maybe how it “smashes” my local account and the service account we use for registration? Any help here would be massively appreciated

If one or two profiles were originally scoped to a Smart Group, and later the scope was changed to “All Computers,” would deleting the original Smart Group afterward cause any issues?

Since the profiles are now scoped to All Computers, I’m assuming the Smart Group is no longer needed, but I just wanted to confirm there would be no impact to already deployed profiles or future profile delivery.

I feel like I'm going to lose my mind here, so I am going to need some help. I have a configuration profile to set up disk encryption upon first login. I am looking under inventory, and it says that the Filevault 2 partition is encrypted but FileVault 2 is not enabled. When I look at the mac it says it is encrypted, when I do fdesetup status in terminal it's encrypted and when I look at the different volumes the data partition is encrypted.

I read a post here a while back that said it's an issue with Mac that Apple is looking into so is that still the case or am I missing something?

Hello all, I've recently taken on a role managing devices using Jamf and have managed to figure out most of it so far. However, we are deploying ~20 iPads in shared mode for pupils.

I have the profile all sorted and working as expected with one hitch, device time. As they are shared devices the location services prompt is bypass and therefore never enabled. This is causing the timezone to default to pacific while we are in the UK.

Is there away to enable location services within a profile, or just set the timezone without enabling location services?

Hey everyone,

I’m hitting a wall with a brand new MacBook Pro (M5 Pro chip) running macOS 26.4.1.
I’m wondering if anyone else is seeing issues with the initial management framework bootstrap on this hardware.

The Situation: The device goes through the Automated Device Enrollment (DEP) perfectly fine. The "Remote Management" screen appears, the user logs in, and the setup assistant completes.

The Problem: The device is in a "Zombie" state.

• profiles status -type enrollment says: Enrolled via DEP: Yes.
• In Jamf Pro, the device record is stuck as a "Placeholder" / Unmanaged.
• NO Jamf Binary: /usr/local/bin/jamf does not exist.
• No Self Service, no identity certificates in the Keychain.
• The "Allow Jamf Pro to perform management tasks" checkbox in the inventory is NOT checked.

What I’ve tried so far:

1. PreStage Tweaks: Verified account settings (Set to Administrator), tried with and without custom Enrollment Packages.
2. The Rosetta Clue: I tried pushing the Company Portal as an enrollment package. It triggered a Rosetta 2 installation prompt, which makes me think the initial bootstrap is timing out or failing because of some Intel-legacy dependency during the M5 bootstrap process.
3. Manual Nudges: Ran sudo mdmclient selfrequest mdm.InstallManagementFramework and sudo profiles renew -type enrollment. Commands return success, but no binary ever lands.
4. Network: Tested on a clean mobile hotspot to bypass VPN/Firewalls. Same result.
5. Wipe & Retry: Done this 5+ times with different PreStage configs.

My Questions:

• Has anyone encountered issues with the Jamf binary bootstrap on the M5 Pro silicon specifically?
• Is there a way to force-install the binary on macOS 26 when the MDM channel is open but the binary won't deploy?
• Is the current Jamf binary still reliant on Rosetta for the initial install on M5 chips?

I have a ticket open with my MSP/Jamf, but I’m under a massive time crunch to get this high-priority device deployed. Any insights would be life-saving.

#Jamf #macOS26 #M5Pro #DEP #SysadminLife

Context:
We are getting a pool of roughly 200 new devices/ year. The pool is supposed to supply students & teachers and have spare devices in case a device needs to be replaced or new students arrive.

Problem:

Student and faculty devices are supposed to be configured differently. But I can't find an option to make a smart group based merely on status "teacher". There is an option to make a smart group based on teachers of certain classes, but I would love a way to have a smart user/ device group just based on the binary teacher/ student differentiation.

I can't imagine that this is not a common scenario to roll out profiles just based on this, but I can't figure out how without manually updating a teacher's list.

I'd appreciate your input!