r/macsysadmin

MacBook Pro M4 locked after company went out of business
▲ 299 r/macsysadmin+2 crossposts

MacBook Pro M4 locked after company went out of business

I have a MacBook Pro M4 that’s remotely locked and asks for a 6-digit system PIN. The company it belonged to is out of business, so there’s no IT admin to contact. Is there any legitimate way to unlock or remove the MDM lock?
Recovery mode won’t work

u/Pitiful_Resolve2742 — 12 hours ago

MacVault

I just built MacVault, a lightweight, zero-dependency CLI tool for macOS that creates a portable, hidden file vault using dual-layer AES-256 encryption. Unlike basic encrypted DMG files that still leak your file names and folder structures if the volume is mounted, MacVault automatically flattens your directory tree and renames every single file into an anonymous SHA-256 hash inside an encrypted APFS sparse image. The map linking those hashes back to your original file paths is protected via OpenSSL using PBKDF2 with 100,000 iterations, meaning that when the vault is closed, it completely vanishes into an opaque block of random bytes. I designed it to run purely on native Python3 and system OpenSSL without requiring root access, background daemons, or storing any hardcoded secrets. If anyone wants to audit the script, break the code, or give feedback on the implementation, the repo is up on GitHub!

https://github.com/paragon-William/MacVault

u/Frequent_Captain_586 — 21 hours ago

Mac admin training lab, do I need a Mac mini to learn MDM, Jamf or one of the other platforms? Only have M1 Pro mbp.

I was a Mac specialist for a long while, got out of it, looking to get back in with MDM, jamf or similar.

i have one MacBook Pro m1 thats my daily driver and one iPad, two iPhones, will I need a Mac mini or a Neo or two to learn the platform deployment?

thinking intune+msft partner plus apple certification plus mosule or another platform.

i assume ill need a little homelab but im on a tight budget after moving. Hoping to do it 100% remote.

reddit.com
u/Akula_x86 — 1 day ago

Erase a Macbook without login password and Filevault recovery key ?

Received a MacBook Pro as a donation however, the previous owner failed to remove their Apple ID. Tried to access the MacOS recovery mode but was stoped by a
Filevault recovery key (The key is unknown as well). Is there any way to reset to factory settings before I attempt to contact previous owner ?

reddit.com
u/BarringtonSheffield — 3 days ago

Got the job - thank you

https://www.reddit.com/r/macsysadmin/comments/1u6wl9e/mac_technical_support_interview_soon_how_should_i/

I wasn't their preferred hire. The CEO later told me that the rest of the team was concerned about my lack of experience. They got back to me a week later with a job offer. The only thing I can think of is me speaking about my Jamf Lab was enough to push me ahead of the other candidates but I'm really not sure.

Their security team drilled me with questions about PreStage enrollment, DDM and a few scripting questions. One of them I couldn't even fully answer.

I used to work in a call center so this is a major jump in salary. Thank you for the advice. This and the slack channel is a great community to be in.

reddit.com
u/3RDWORLDSAVAGE — 3 days ago

Apple Configurator: Unable to Sign In

I've used Configurator without issues for the last few days, but today, I get "Unable to Sign In. Please try signing in again." after passing MFA.

The status page shows green, but I'm curious if anyone else is seeing issues.

reddit.com
u/Major-Airport-7976 — 4 days ago

Introducing NoMAD-Classic - a NoMAD v1 Universal macOS App

TL;DR NoMAD v1 is a soon to be deprecated Intel binary and NoMAD-2 is unusable in its abandoned beta state so I used Claude (mostly Opus 4.8 and for some trickier bugs Fable 5) to update the battle-tested and well-documented 1.2.2 release to Swift 5 and compile as a Universal binary for Apple Silicon compatibility.

I remember back in 2017 while working at Facebook as a Helpdesk tech how magical it was when we started deploying NoMAD with our macOS fleet. Demobilized accounts, instant screen unlocks off-network, automatic kerberos renewal. This was cutting edge stuff y'all. As part of the original class of 11,000 laid off in 2022 however, I've since taken root at an organization that uhh, well, I don't think they know what the words "cached mobile account" and "demobilization" are. Obviously I'm not going to give up AirPods seamless device switching, Handoff, and iCloud sync, so despite the complete lack of enterprise macOS support and non-negotiable requirement of Windows x64-only apps to perform my primary job functions, I use a Mac as my primary device and hacked together a user environment that fits my needs with limited friction. This includes using NoMAD v1 to keep my (mostly pointless and sparsely utilized) kerberos tickets valid and provide visibility to my password expiration date.

I started getting the occasional macOS nags about Intel-only app compatibility with Tahoe 26.5, and they're now incessant in the Golden Gate 27 beta. I tried NoMAD-2 but it's so janky and poorly documented, it's clearly an unfinished product with a feature set far too complicated for my actual needs. After spending a few hours in-between actual work tasks playing with the v2menu.nomad.nomad preferences, I realized it was a sunk cost and put my Claude subscription to work building a Universal binary from the NoMAD 1.2.2 source code (the README.MD on GitHub references a 1.3.0 but it ain't on the releases page so ¯\_(ツ)_/¯ ). Opus 4.8 got the bulk of the work migrating Swift 3 > Swift 5 done in a few minutes, then I switched to Fable 5 for a bug preventing the menubar item from expanding. Less than 30 minutes later, including my commute home, I had a fully functional Apple Silicon compatible build of the original NoMAD - NoMAD-Classic.

This was probably more work to do, and even more to post to Reddit about, than a project this niche is even worth. But if you depend on the original NoMAD for your personal environment, or god forbid it's still being deployed to your enterprise fleet in spite of all the modern macOS MDM implementations, then this Bud's for you 🤙🏼

github.com
u/heyitsbarish — 4 days ago

Help with MacOS MDM enrollment

I'm at my wit's end trying to figure this out, any help would be appreciated! So I set up Apple Business Manager, and I factory reset and added one of our Macs in with Apple Configurator 2 on my iPhone. After it reached the desktop I see it in ABM just fine, but somehow I forgot to set up the enrollment into our MDM. Now I have gone in on our ABM dashboard and set the MDM to our ManageEngine instance and the Mac is now synced in ManageEngine.

The trouble is, I would really like to apply the new MDM to the Mac without re-wiping the machine as it caused enough tension for our employee. I would really like to avoid that process. I heard of the "sudo profiles renew -type enrollment" command, but if I use that does that actually force the MDM just like it would if I did a factory reset? Or will the user be able to remove it? Is my only option to reset the Mac again? The Mac is in ABM right now with the MDM newly assigned.

On a side note, the "Activation Lock" field is "Off" with a red warning sign. Does this mean that the Mac is still tied to the employee's personal Apple ID? How do I make it so the organization can control the device lock?

Thanks!

reddit.com
u/ShopNo7513 — 4 days ago

PSSO and Wifi

I have PSSO working I believe but my next issue is for a shared computer.

we are a mixed network. right now we check to see if a computer is bound to Active Directory to allow it on. With PSSO we do not have that. What can we do to allow these devices to authenticate the wifi on our network.

reddit.com
u/dustinkraus — 4 days ago

Apple Content Caching Transparency in iOS & iPadOS

I think with 25.5.2 Apple added the ability for iOS and iPadOS to see Apple Content Caching servers.

It is located in Wi-Fi details (i) > scroll to the bottom > Content Content Caches

For the macOS side of things it's the less pretty Terminal command: AssetCacheLocatorUtil

If you don't have one setup I would highly recommend it. The screenshots are from my home setup, not the work one that has multiple public IP ranges and DNS TXT record set to favor.

Happy to answer any questions. Below is a link to the Apple guide.

https://support.apple.com/guide/deployment/intro-to-content-caching-depde72e125f/web

u/haElwKfeiow6 — 4 days ago

necesitu ayuda con una Macbook Air 2018-2019 T2

perdon por la mala ortografia de antemano

Mi padrastro trabaja construyendo casas y hace poco le pidió a la familia con la que trabaja si le podían conseguir una computadora para mí. Ellos aceptaron, pero decidieron darme una usada que era de una chica de EE. UU. que se las dio antes de ser deportada a quién sabe dónde. El caso es que ahí se perdieron los comprobantes y todo el mierdero.

Para mi horror, la Mac está más bloqueada que el culo del demonio. Necesito ayuda porque pagamos 800 dólares y aún debemos. ¿Alguien sabe cómo puedo desbloquearla? Tengo el correo de la chica que está vinculado a la Mac y su número, pero creo que estoy jodido.

(si, soy un mocoso pero en verdad necesito ayudaa)

reddit.com
u/Long_Equivalent5518 — 5 days ago
▲ 70 r/macsysadmin+1 crossposts

Fort - CLI to review and fix your Mac's security settings.

Hi team, I have been building Fort which runs 15+ security checks on your Mac, fixes what it safely can, and writes an auditor-ready report. No agent, no signup, no MDM enrollment. Just a single binary.

https://github.com/djadmin/fort

Good for anyone who wants to harden their Mac. Essential for teams preparing for SOC 2 or ISO 27001.

Happy to hear any feedback.

u/djadmn — 8 days ago

Multicast solutions for mounting disk images to multiple intel MacBooks.

Hey, I'm currently working on a project where I need to erase and restore a couple hundred intel MacBook Pro's from between the years of 2017 and 2020. My current set up is using Two Canoe's MDS to create a disk image with the Mac OS installer that I can host on a web server and then mounting that disk image from each computer and running the installer. The problem is that this process uses a web server (specifically the built-in apache web server) which is unicast. However, from information I see online, when restoring multiple computers it's preferable to use multicast. So, is there a tool out there that would allow me to mount a disk image in restoration mode using multicast?

reddit.com
u/ShakeWooden — 6 days ago

High volume iPad rental vendors that support custom device setup?

We’re planning a field training project across several offices and need around 120 iPads for a few months. Has anyone worked with a rental provider they would recommend?
A few things we’d ideally like are cellular connectivity, support for custom device configuration and management, and a setup process that’s straightforward for staff who aren’t particularly technical.
I’ve come across a few providers online but don’t have experience with any of them. Curious if anyone has recommendations or companies they’ve worked with before.

reddit.com
u/Opening_Talk_3649 — 6 days ago

Usermanagement for MacOS

Hi, I need your help or advice.

We’re planning to set up dynamic workstations. Basically, every user should be able to log in to any workstation using a Mac mini. The idea is that everyone can log in to any Mac mini at a workstation, so that a workstation doesn’t sit unused for weeks on end. To make this happen, we need a suitable user management solution. The solution should be GDPR-compliant (Germany). Is there a good solution for this? I’ve seen Apple Business Manager, but I’m not familiar with it. I’ve also come across Cortado and JumpCloud. However, since I have very little experience with identity management I usually work with IaC and in a Linux environment.

I’m used to a setup where every workstation is configured identically and there’s a docking station. You simply connect the MacBook to it. That actually seems like the better solution to me, but I wanted to explore the other options first before making that suggestion.

reddit.com
u/Top_Maintenance289 — 9 days ago
▲ 4 r/macsysadmin+1 crossposts

Can a federated/Managed Apple Account be used as a Custom Store (eCommerce) login? Trying not to break it after I federate.

I work for a small company, and was tasked with figuring out how to purchase and MDM a fleet of Macs + iPhones (~24 devices).

Ive setup ABM and gotten our Org verified. I want to enable Domain Federation (with Google Workspace) in ABM so all uses have "Managed Apple Accounts". (My work email and a break-glass admin mailing list set as org admins, have an Org #). From my understanding, I need a "Customer ID" in order for purchases to flow into ABM properly.

So far:

  1. I thought setting up an account on https://www.apple.com/us-smb/store would give us a Customer Number. Based on my research/understanding a "Managed Apple Account" cannot be used for any store, and so I signed up using one of our alternative domains. Got account verified, added EIN etc.
  2. I called the Apple Business support phone number (1-866-902-7144) once the account was setup and was told I cannot get a "Customer Number" for that account and must go into the Apple Store in-person.
  3. Went to the Apple Store, gave them Org #, etc. They emailed me to setup the "Custom Store" account so I can get a "Customer Number"

Here is where my problem is: they want me to give them an email to create the login for the "Custom Store"; I gave the Rep the rundown and their response was basically "just use your primary domain and I will try it" without addressing any of my concerns, so I hope one of y'all can help me figure out the proper path.

Ideally, it would be one of our primary domain emails; but those will become "Managed Apple Account"s once I federate the domain, and I don't want to break the "Custom Store" after I federate, or to lock up the domain into federation if this will cause problems.

Alternatively, I would like to use the secondary-domain email I setup and went through the flow on the us-smb store; but I think that might be unusable now since the "Custom Store" FAQ states that you cant reuse a "Personal Apple account" or the "ABM admin account". If that one's burned, I can provision another secondary-domain account (least ideal, but I'll do it if that's correct).

What the rep won't answer and the FAQ doesn't address:

  1. Can the store login be a federated/Managed account on our captured domain, or does the store require a non-managed account?
  2. If it has to be non-managed: what do people actually use? An email on a separate domain you don't federate? A subdomain? Something else?
  3. Is what I did on the SMB flow a personal account?
  4. Has anyone's store login broken after federating (works as a normal account, then dies once it becomes Managed)?

Basically: what kind of email survives as a working eCommerce/Custom Store login once the domain is federated? I want to pick the right one before I trip the one-way domain capture, not after. If you've actually set up a Custom Store on a federated domain, I'd love to know what email you used.

If this is the wrong sub, please let me know, and thanks in advance!

reddit.com
u/osome101 — 9 days ago
▲ 19 r/macsysadmin+2 crossposts

VirtualProg Turns One Year Old 🎉

VirtualProg Turns One Year Old 🎉

About a year ago I introduced VirtualProg to the macOS community. Since then, the app has grown significantly thanks to feedback from users and a lot of late-night development.

For those unfamiliar with it, VirtualProg is a native virtual machine manager for macOS built on Apple’s Virtualization Framework.

Since the initial release, some of the biggest additions include:

🖥️ Virtual Machine Features

  • USB passthrough support (macOS 27)
  • VM checkpoints and advanced snapshot management (macOS 27)
  • VM provisioning for rapid deployment (macOS 27)
  • VM templates and cloning
  • Headless VM support and background operation
  • VM groups and batch operations
  • VM scheduling (automatic start and shutdown)
  • Password protection and Touch ID unlock

🌐 Networking

  • Custom virtual networks
  • Host-only and shared networking
  • Static IP assignment
  • Port forwarding
  • Interactive network topology visualization

🚀 Remote Management

  • Browser-based Web Dashboard
  • Remote VM display and control from any browser
  • Mobile-friendly remote access
  • Web-based terminal and administration tools
  • Secure HTTPS/TLS support for CLI Server
  • Hardware-accelerated H.265/H.264 streaming
  • Token based Authentication
  • 2FA for Web dashboard

⚙️ Automation & Management

  • Complete vpvm command-line interface
  • Remote CLI management
  • URL scheme automation
  • Siri Shortcuts and Spotlight integration
  • Disk Space Analyzer
  • Statistics and monitoring tools
  • VirtualProg Widget for macOS

📸 Snapshots & Recovery

  • Visual snapshot timeline
  • Safety snapshots before restore
  • Snapshot-based VM creation

🍎 Latest macOS Support

  • Support for the latest Apple Virtualization Framework capabilities
  • Support for macOS Golden Gate 27 virtual machines
  • Continuous updates alongside new macOS releases

What started as a relatively small VM manager has evolved into a full virtualization platform for macOS, and I’m incredibly grateful to everyone who tested early builds, reported bugs, requested features, and shared feedback.

I’d love to hear what features you’d like to see next.

Website:
https://makeprog.com/Products/VirtualProg

u/rbmanian75 — 10 days ago

Safe to install macOS 27 on an external SSD (MBP M1 Max 15.7)?

I have a MacBook Pro 16 M1 Max running macOS Sequoia 15.7, I would like to test macOS 27 on an external Thunderbolt SSD, but, I am concerned that the new macOS 27 Firmware, that will be installed on the M1 Max might affect at some point macOS 15.7, if I decide to stay with Sequoia and not upgrade to Golden Gate. Also how can I keep the Firmware updated after, if I decide to keep macOS 15.7 and not to upgrade to macOS 27, it will stay on the latest firmware based on the last installation of macOS 27, thanks

reddit.com
u/br_web — 8 days ago
▲ 11 r/macsysadmin+1 crossposts

Issue with Platform SSO during Setup Assistant.

Hey everyone I have an issue that I've been scartching my head with for trying to setup PSSO during setup assistant with the password authentication method. Basically we are getting prompted twice to sign in and we can't seem to figure it out with Apple JAMF or Microsoft.

So right after ADE enrollment is kicked off and the company portal app is installed we get the prompt to sign in

https://preview.redd.it/5wvd8vx9o89h1.png?width=2940&format=png&auto=webp&s=c4c12daafd1bac633b2c156adb529f956668e9b0

https://preview.redd.it/z1jj25fcm89h1.png?width=2940&format=png&auto=webp&s=0477f01f6cdc39b6fb2a7fb067ad3cf0b14aa552

Sign in is good then the next prompt we get

https://preview.redd.it/5sbqvfdmm89h1.png?width=2940&format=png&auto=webp&s=1b5459db6723bbdb60f50e634c386f51b9b82150

sign in with entra prompt and then JAMF Setup Manager kicks off

After setup maanger is complete we get a second prompt to sign in which is where it fails

https://preview.redd.it/h3yohqueo89h1.png?width=2940&format=png&auto=webp&s=1ce91e711b1fd19795a206ad3699544e3f0d22ba

https://preview.redd.it/sfvzwu83p89h1.png?width=2940&format=png&auto=webp&s=bbeb135b29c933a1d210cffb2e41b794e2e44358

https://preview.redd.it/kz6llnv2o89h1.png?width=2940&format=png&auto=webp&s=622a1edb058461d9689c61fa012b93477dfe9f18

Has anyone else seen this? any ideas on why this may be happeneing? I checked my configuration profile and prestage setting with Microsoft, JAMF and apple which they say is fine.

reddit.com
u/Mastercheif212 — 12 days ago