Alan Siu's Blog

  • Showing the Okta Verify window at login only to users not signed in

    What’s the problem? I wanted a way to have Okta Verify launch at login but with the window for the app appearing only to users who aren’t signed into Okta Verify. Launch Okta Verify at login There is some guidance on how to set up Okta Verify to launch at login. For that, Okta recommends…

  • Managing hiding the menu bar in macOS

    Can you manage the settings for Automatically hide and show the menu bar in macOS? Yes, you can (at least as of macOS 15.5)! Even though it’s not explicitly listed in Apple’s MDM protocol documentation, the management for hiding the menu bar is part of the .GlobalPreferences payload type. The two settings you want to…

  • Do you need to clean up the SelfServeManifest for your Munki clients?

    What might be the issue? Every now and then, on the #munki channel of the MacAdmins Slack, someone will ask about deleting or updating an entry in the SelfServeManifest. The /Library/Managed Installs/manifests/SelfServeManifest file is where Munki keeps track of what optional installs items users choose to install via Managed Software Center. Once a user selects…

  • Getting manifest comments to persist after saving with MunkiAdmin

    Problem Munki manifests are essentially XML, so you can write comments in the manifests to explain why you might have put something in (say, serial numbers in conditions). If you, however, edit and save a manifest using MunkiAdmin, MunkiAdmin doesn’t know about those comments, because they aren’t actual XML keys and values, so the comments…

  • Considerations when migrating from Google Santa to North Pole Santa

    Mountain View to North Pole As of February, 2025, the Google version of Santa has been retired, but there’s a new North Pole version of Santa available. While the migration guide outlines a fairly straightforward process, there are some nuances to consider. Even though I highly recommend reading the actual migration guide, the tl;dr version…

  • Using “new” launchctl subcommands to check for and reload launch daemons

    Note This is a follow-up post to launchctl “new” subcommand basics for macOS Legacy Subcommands With the legacy subcommands for launchctl, you could check if a launch daemon was running by getting the output of sudo launchctl list | grep LAUNCHDAEMONLABEL And then you could just launch it up by running: sudo launchctl load -w…

  • A Jamf extension attribute to check the health of the last Munki run

    If you use both Jamf and Munki (and specifically use Jamf to deploy Munki or reinstall Munki), you may want to have a Jamf extension attribute to see the health of the last Munki run. Munki has a file at /Library/Managed Installs/ManagedInstallReport.plist, which stores details about the last run. Here’s an example of what an…

  • Minimal bootstrapping with Munki

    If you are using Munki to manage your Mac fleet’s software installs, you may want to leverage bootstrapping, wherein Munki, at the login window, keeps installing items, rebooting as necessary, installing more items, and rebooting more if necessary… until all the items are installed. If your infrastructure for this is sophisticated, you may already be…

  • Surprise! Deleting macOS’s /tmp directory can break things…

    System Integrity Protection Macs have something called System Integrity Protection (also known as SIP), which means certain critical directories and files can’t be deleted, even as root. Even the /Applications/Chess.app can’t be deleted because of SIP. ls -ldO /System/Applications/Chess.app drwxr-xr-x 3 root wheel restricted 96 Sep 30 21:10 /System/Applications/Chess.app See that restricted in there? It…

  • Getting the macOS selected Region via command line

    When you set up your Mac for the first time, Setup Assistant will ask you for your preferred language and region. In the graphical user interface (GUI), you can later find (and change) these settings in System Settings > General > Language & Region. But what if you want to find them in the command-line…

  • AutoPkg recipe override inputs and updated trust info

    What can be the issue with recipe override inputs? When you make a recipe override in AutoPkg, your override will have actual overrides and also parent trust info If the parent recipe has critical changes, usually you can update the trust info, and your override should work fine. In theory, critical parts of the recipe…

  • Some basics on switching from DEPNotify to swiftDialog

    DEPNotify is a program that allows you to display a little progress screen while a Mac is getting set up via MDM and/or Munki (or some other scripts). Even though there aren’t any major security issues (as of this writing) with DEPNotify, it’s also not being maintained, and it’s currently (again, as of this writing)…

  • Terminal Secure Keyboard Entry and sudo with Touch ID on macOS

    At one point or another, you may have discovered that you can enable Touch ID for sudo in the macOS terminal. You used to have to manually edit the /etc/pam.d/sudo file after every macOS update to re-enable it, but now you can keep it enabled permanently. When you have Touch ID enabled for sudo, you…

  • launchctl “new” subcommand basics for macOS

    launchd For services running in the background (or foreground), macOS uses launchd (think cron jobs on Linux or scheduled tasks on Windows). Legacy Subcommands If you’ve been managing Macs for a while, you may be familiar with a particular syntax for loading launchd. For launch agents (usually run as user), you may typically have launched…

  • Using Touch ID for sudo on macOS… even after installing an OS update

    For a while, you were able to use Touch ID for sudo on macOS by editing the /etc/pam.d/sudo file to have a line like auth sufficient pam_tid.so In previous macOS versions, that file would get overwritten when you updated (say, from 13.6 to 13.6.1), but in macOS 14 (Sonoma) and supposedly in future versions, you…