We’ve deployed a bunch of Mac Minis for dashboards and internal signage.

The software side is stable, updates are fine, remote management works well.

But physically they’re mostly just sitting behind displays or on shelves depending on the room setup.

It doesn’t feel like a great long-term approach, especially with cleaning staff, accidental unplugging, and general cable clutter over time.

Curious how other teams are handling this at scale.

I've configured ddclient for porkbun and its working when I force run it on my Mac server. But I am going crazy trying to run it as a LaunchAgent.

For starters, every time I try
brew services start ddclient
it dynamically generates a new ~/Library/LaunchAgents/homebrew.mxcl.ddclient.plist file, and its incorrect! the path is /opt/homebrew/opt/ddclient/bin/ddclient but it should be /opt/homebrew/bin/ddclient. Where is this coming from?

Second, even after I edit the plist, i cant get it to launch:
launchctl kickstart -kp gui/$(id -u)/homebrew.mxcl.ddclient.plist
gives me
Could not find service "homebrew.mxcl.ddclient.plist" in domain for user gui: 501

and
launchctl bootstrap gui/$(id -u) ~/Library/LaunchAgents/homebrew.mxcl.ddclient.plist
gives me
Bootstrap failed: 5: Input/output error

I have verified the owner and permissions are correct for the LaunchAgent. Any other thoughts?

Hey everyone,

Ever wondered why sudo su still gets you "Permission Denied" on modern macOS?

SIP is often called "rootless," but it's not just a neutered root account—it's a complete shift away from the traditional Unix/POSIX security model.

I wrote a quick architectural breakdown on how Apple manages parallel authorities to block root, how rootless.conf works under the hood, and how the kernel handles Apple-signed entitlements.

Key points covered:

• Why XNU cares about what a process is (entitlements), not who runs it (UID 0).
• The Multi-Layer Veto: How the hardware identity can silently override a signed LocalPolicy.
• Why historical bypasses (Shrootless/Migraine) exploited inherited entitlements rather than breaking SIP itself.

If you handle Mac management or just want to see how the kernel handles security enforcement layers under the hood, check out the full post here:

https://bytearchitect.io/macos-security/Apple-defences-SIP-and-APFS-(cont'd)/

>A maintenance update to correct — and enhance — handling of comma-separated values (CSV) for the --operations parameter in the MDM-agnostic, unified, user-friendly macOS script to repair, reset, or remove Microsoft 365 components.

Background

A December 2023 Microsoft 365 Reset (2.0.0b1) via Jamf Pro Self Service post detailed a “quick-and-dirty Jamf Pro Policy hack for testing Microsoft_Office_Reset_2.0.0.pkg” (which still works as advertised today, more than 895 days later).

However, while conducting some internal training, I was pained by how user un-friendly the workflow seemed — even if it did get the job done — which motivated the development of the modern, unified approach that Microsoft-365-Reset.zsh now delivers.

Overview

The Microsoft-365-Reset.zsh script seeks to provide an MDM-agnostic, unified, user-friendly approach to all of Paul’s Office-Reset goodness.

Additionally, one resolution to the nightmare that is the Adobe Acrobat Add-in Removal for Microsoft 365 is also included.

Changes in 1.2.0

This maintenance release focuses on CSV handling for the --operations parameter:

• Constrained the interactive operation picker to only the operations listed in the CSV when --operations / Jamf $5 is provided (addresses #15; thanks, andreilabin!)
• Fixed --operations / Jamf $5 CSV parsing so comma-separated operation IDs are treated as separate selections in silent mode (addresses #16; thanks, meschwartz!)

Using Intune to manage Macs and use Duo for Windows MFA. Duo doesn't support 3-digit pins at macOS login, only yes/no. What do you use to enforce MFA at login that uses a 3-digit pin? Is there a way to enforce a 3-digit pin after a Mac wakes from sleep?

Hi everyone,

I’m looking for a small group of beta testers for BrewBox, a native macOS app for checking and managing a local development environment.

The app scans things like Homebrew, npm, pip, gem, cargo, conda, Docker, Xcode-related caches, PATH/toolchain issues, and known package vulnerabilities. The goal is to help developers understand what’s installed on their Mac, what might be outdated or risky, and what can be cleaned up safely.

You can also visit brewbox.org if you want to take a look.

This is still a beta, so I’m mainly looking for honest feedback rather than promotion.

I’ll be accepting beta testers until May 31.

If you’re interested, please leave your email or send it to me by DM. I’ll send the beta file by email in batches, in the order people sign up.

After trying it, I’d really appreciate it if you could reply by email with your review or feedback, especially:

- What worked well

- What felt confusing

- Any scan results that looked wrong

- Any crashes or bugs

- Features you expected but didn’t find

- Whether you’d actually use this in your own dev setup

A few notes:

- This is for macOS developers

- The app runs local developer tools, so it is not sandboxed

- Destructive actions are designed to require confirmation

- Please only test it if you’re comfortable trying beta software

Thanks. Any feedback would be genuinely helpful.

So my specific itch was this: you've got your Macs in Jamf (as god intended), but your org also has Intune for the Windows side. Maybe some iPads are in Intune too because someone made that decision before you got there.

Now you've got devices in two places, serial numbers you're cross-referencing manually, and the classic problem of "is this MacBook actually assigned to someone or is it sitting in a drawer?"

I built a tool that:

• Connects to Jamf Pro + Intune and pulls everything into one fleet view
• Tracks the full lifecycle — who has what, when did they get it, when are they giving it back
• Automatically flags when a serial is in Jamf but you've marked it as in storage locally (or vice versa)
• Catches orphaned assignments when someone leaves and their device just... lingers
• Respects Jamf as authoritative for Apple hardware (won't let Intune overwrite Jamf data for Macs)

That last point was important to me. If a Mac shows up in both MDMs, Jamf wins for Apple devices. Intune is authoritative for Windows/Dell/HP/Lenovo.

Looking for 2-3 teams running Jamf (US or EU) who'd be willing to connect and kick the tires. Free during beta, any fleet size. I'm a solo dev so you'd literally be talking to the person writing the code.

DM open if you're curious. Can do a quick demo call before you connect anything.

We currently have 700+ unmanaged iPhones and iPads in our environment and we are moving to join them to a mdm solution. We just got Jamf for this purpose. Problem is all phones are currently spread out across the states and employees are using them so makes this a little harder.

Steps I have taken so far is having our vendor upload all iPhones we purchased in the past years into ABM and pointed them all to our Jamf pro server. I know for them to enroll into mdm we would have to reset the iPhone but management does not want to do this so I guess I’m here on what the best sys admins on Reddit would do! Below our two solutions I have offered management. But would love to hear other ideas!

Solution 1: Send Jamf url enrollment link, have phones managed but not supervised ( this limits our capabilities but when users get new phones we can fully enroll ) more of a slow grind but smooth.

Solution 2: possibly look into Jamf migrate for iOS? Enroll devices into company portal and then use Intune to push Jamf migrate to iPhones to keep user data and swap over to Jamf?

Scenario:

We're trying to tie users to the Macs more efficiently. We also want to sync our Entra groups over for better scoping of our configuration profiles, policies, and software that we deploy for consistency purposes.

We have Jamf Connect connected to Entra so user can log in with their Entra IDs on their Macs. That seems to work incredibly well. However, we notice that only the Username field in the User/Location fields are being populated. We'd like to have everything from their name, email address, position, and department synced over automatically when they enroll their Mac and log into it for the first time.

Does your company have a workflow that pulls this off? If so, how?

Thanks.

Hardware affected: Fleet of 50+ Intel Mac Pros [Sequoia/Tahoe], Mac Studios [Sequoia/Tahoe], and Mac Minis [Tahoe].

Okay y'all, this is my first post here and I am finally out of ideas. We've had an intermittent issue for about the last 2.5 years (from Monterey through now Tahoe) where our Macs freeze and beachball on login, with the clock also freezing. The only way to break out of it seems to be a hard-restart. I can boot into recovery, but Safe Mode exhibits the same behavior and freezes. Local admin and test recovery accounts can't seem to log in either and freeze the same way. I've also attempted clearing auth.db and other caches, even trying to trigger Apple Setup again, all to no avail. It seems that no matter what I've tried, I eventually just have to do a full wipe/rebuild and frankly, I just can't afford the time to rebuild every one of these manually each time.

Quirks/Other Info: Anecdotally, it seems to come in waves, eg 6 machines did it last week and 3 did it this week, while sometimes we'll go a weeks/months without issue. Additionally, some machines will occasionally get themselves on a reboot loop when exhibiting this behavior, but all of it seems to be cleared when I wipe/rebuild the machine.

At one point, I had just been re-imaging via Disk Utility in recovery, which seemed to work for a while then continued the same behavior down the line. Additionally, I had tested switching certain machines from AD to EntraID for authentication and it seemed to correct the issue for a while but now makes no difference. I also haven't seen any issues coming from JAMF's side either, as several other machines at the organization are totally fine. Everything seems to be fine until all of a sudden it doesn't.

Has anyone else seen or heard of any similar issues?

I'm managing a range of Macs in a multi-user (lab type) environment. After trying lots of ways of automating MacOS patch updates, a Jamf Pro Software Updates DDM blueprint seems to be the most reliable .

The issue I have is that these Macs are used pretty much 24 hours per day, 5 days per week. Because they're not single user devices, I can't rely on the user to run the update from the notification. I can set the "Install At" time and use a low "Days after release to enforce update" but this risks interupting user work, because they might be using the machine at any time of day.

Ideally I'd like an "enforce update by the second Saturday after release", but there doesn't seem to be a way of doing that. Is there a workaround or setting I'm not seeing?

Hi all,

Started a new Sysadmin job and most of our devices are Apple. I had very little experience with Apple before starting and the previous admin has left me with a bit of a cleanup operation and I'm sure they weren't doing things the best way.

- Our field staff use iPads. Every iPad was assigned a personal Apple account such as "fieldipad-1" with its own email address and the IT mobile number as the account recovery number (this number has been exhausted since too many accounts were opened with it).

- The Apple account logins and passwords are only kept by IT so that staff can't install apps by themselves - the problem is sometimes they get randomly signed out, after updates etc. This is a problem in itself because my current password policy is long and complex passwords, so if a staff member suddenly had to sign into their Apple account, it'd be difficult to give them e.g a 64 char password.

- These field iPads are sometimes shuffled between crew members without my knowledge so there's no good register of who has what iPad at any given time, and management want to know where specific crew members are with Find My. Each iPad also has an active eSIM.

- I don't even know what's happening with the iCloud situation or how it would work considering multiple people are shuffling between devices. We also don't have any MDM as far as I'm aware.

This whole setup seems like an absolute cluster**** to me. Just wondering if anyone can enlighten me on what a sane setup would look like here.

im wondering if anyone has updated their classic PSSO configuration and added the Authentication > Extensible Single Sign On > Platform SSO > Enable Registration During Setup. will that impact anything in your current users?

I’m really confused and stressed rn. I’ve been using this iPhone as my personal phone for around 6 years without any issue. Never had any company account, never used a Microsoft account on it, never got this screen before.

My storage was completely full because of “System Data” (around 30GB+) so I backed up my iPhone using iTunes on my Windows PC and then factory reset the phone to clean it up.

But after resetting and starting setup again, it suddenly shows:

>

and it’s asking for Microsoft Company Portal / work or school account login.

I never enrolled this phone in any company system myself. I’ve used this phone normally for years. Now I’m stuck on setup and can’t access my phone.

Things I already tried:

• Restarting
• Resetting again
• Different WiFi
• I do have my Apple ID
• Backup exists in iTunes

Questions:

1. How can a phone suddenly become managed after 6 years?
2. Is there any way to remove this MDM / Company Portal thing?
3. Could an old work/school profile have stayed hidden all these years?
4. Is there any legit fix without the company account?

Would really appreciate help because this is my main phone and all my data/life is basically on i

Hey everyone,

We're currently pulling our hair out over a sudden printing issue that has popped up after our users are updating their Macbooks to macOS 26.4.1 and newer. We are a company that provides IT-services for schools in a BYOD environment. Our users are constantly being prompted for their AD credentials every time they try to print ever since updating their Macs.

Our Environment:

• Client OS: macOS 26.4.1 (and newer...)
• Print Server: Windows Server 2022 running PaperCut MF.
• Directory: Active Directory (Users synced to PaperCut)
• Deployment: Printers are mapped either manually via SMB or installed using PaperCut Mobility Print.

The Problem: Whenever a user sends a print job, macOS throws an authentication prompt asking for their username and password. Even if the user checks the "Remember this password in my keychain" box, the system completely ignores it. The next time they print, the prompt is back.

Our Suspicion: Because this is happening across both SMB and Mobility Print queues, we strongly suspect this is a localized macOS issue rather than a PaperCut server issue. It seems like macOS 26.4.1 is either:

1. Failing to write the print credentials to the user's Login Keychain properly. (We do see the credentials in the keychain, but it's very strange that the software does not read the credentials when printing again).
2. Preventing the CUPS daemon/print spooler from reading those credentials from the keychain due to a new privacy/security restriction.

What we're looking for:

• Has anyone else encountered this endless auth loop on macOS 26.4.1?
• Are there any known workarounds? (e.g., wiping specific keychain entries, adjusting CUPS config)
• Does the Mobility Print client require a patch for this specific macOS build?

Any insights or shared misery would be greatly appreciated. Thanks!

Hi All,

I’m having an issue at the moment where after going though the config of setting up PSSO, linking it to Entra and then letting some time lapse. I am losing the ability to use Sudo, with the error in terminal being “sudo: 4294967295: invalid value” From what I can tell the “4294967295” is part of a group that can be found with the Directory Utility and correlates to “NoGroup” From there I’m completely stuck. I can only think it has to be something to do with the PSSO set-up or something that PSSO just does? Maybe how it “smashes” my local account and the service account we use for registration? Any help here would be massively appreciated

Hey everyone,

I’m hitting a wall with a brand new MacBook Pro (M5 Pro chip) running macOS 26.4.1.
I’m wondering if anyone else is seeing issues with the initial management framework bootstrap on this hardware.

The Situation: The device goes through the Automated Device Enrollment (DEP) perfectly fine. The "Remote Management" screen appears, the user logs in, and the setup assistant completes.

The Problem: The device is in a "Zombie" state.

• profiles status -type enrollment says: Enrolled via DEP: Yes.
• In Jamf Pro, the device record is stuck as a "Placeholder" / Unmanaged.
• NO Jamf Binary: /usr/local/bin/jamf does not exist.
• No Self Service, no identity certificates in the Keychain.
• The "Allow Jamf Pro to perform management tasks" checkbox in the inventory is NOT checked.

What I’ve tried so far:

1. PreStage Tweaks: Verified account settings (Set to Administrator), tried with and without custom Enrollment Packages.
2. The Rosetta Clue: I tried pushing the Company Portal as an enrollment package. It triggered a Rosetta 2 installation prompt, which makes me think the initial bootstrap is timing out or failing because of some Intel-legacy dependency during the M5 bootstrap process.
3. Manual Nudges: Ran sudo mdmclient selfrequest mdm.InstallManagementFramework and sudo profiles renew -type enrollment. Commands return success, but no binary ever lands.
4. Network: Tested on a clean mobile hotspot to bypass VPN/Firewalls. Same result.
5. Wipe & Retry: Done this 5+ times with different PreStage configs.

My Questions:

• Has anyone encountered issues with the Jamf binary bootstrap on the M5 Pro silicon specifically?
• Is there a way to force-install the binary on macOS 26 when the MDM channel is open but the binary won't deploy?
• Is the current Jamf binary still reliant on Rosetta for the initial install on M5 chips?

I have a ticket open with my MSP/Jamf, but I’m under a massive time crunch to get this high-priority device deployed. Any insights would be life-saving.

#Jamf #macOS26 #M5Pro #DEP #SysadminLife