Semi-automating profile installation in Big Sur

It’s pretty well known among Mac admins that, starting with Big Sur (macOS 11), Apple has removed the ability for the profiles command to silently install .mobileconfig profiles. Apple wants you to use an MDM to deliver profiles silently… or have users themselves manually install profiles. If you try to install them silently the old… Continue reading Semi-automating profile installation in Big Sur

Munki can get into a notification loop if root is using the Persian calendar

The Problem At some point, this blog post may be obsolete, because I’m hoping this will be fixed soon, but in the meantime, I’ve filed an issue on GitHub: Using Persian calendar results in notification loop at every next Munki run If you have users who claim to see notifications multiple times a day, even… Continue reading Munki can get into a notification loop if root is using the Persian calendar

How to check the Carbon Black version installed

Update Thanks to Clay Haynes for pointing out you can get the version more easily by running /Applications/VMware\ Carbon\ Black\ EDR.app/Contents/MacOS/CbOsxSensorService -v Back story In Carbon Black 6.3.0 and 7.0.1, it isn’t super obvious how to check for the version installed. For example, if you run defaults read /Applications/VMware\ Carbon\ Black\ EDR.app/Contents/Info.plist, you’ll see CFBundleInfoDictionaryVersion… Continue reading How to check the Carbon Black version installed

Scripting changing user icons: dsimport prompts for password in zsh

Apple is moving toward making zsh the default shell instead of bash, and it may even eventually remove bash completely from being preinstalled on macOS. So lots of Mac admins are working to revise scripts from bash to zsh. Last year, I blogged about Scripting changing the user picture in macOS and referenced this script… Continue reading Scripting changing user icons: dsimport prompts for password in zsh

Using installinstallmacos.py to get beta installers

Usually, if you use installinstallmacos.py, you’ll get the already-released installers: # ProductID Version Build Post Date Title 1 001-15219 10.15.5 19F2200 2020-06-15 macOS Catalina 2 001-04366 10.15.4 19E2269 2020-05-04 macOS Catalina 3 061-86291 10.15.3 19D2064 2020-03-23 macOS Catalina 4 041-91758 10.13.6 17G66 2019-10-19 macOS High Sierra 5 001-57224 10.15.7 19H4 2020-10-27 macOS Catalina 6 061-26589… Continue reading Using installinstallmacos.py to get beta installers

Allowing Outset-run scripts to have access to user folders

Because of TCC/PPPC, which Apple introduced in macOS 10.14, scripts and applications have to ask for permissions to do certain things, especially things like reading user home directory files. If you have an Outset login script that tries to access something in the home directory, you may find in the ~/Library/Logs/outset.log that you get a… Continue reading Allowing Outset-run scripts to have access to user folders

If Jamf recon is launching a du process that causes a CPU spike

If Jamf inventory (jamf recon) causes an extended CPU spike specifically related to the du command, you can fix that by going, in the Jamf settings, to Computer Management > Computer Management – Management Framework > Inventory Collection, and then uncheck the Include home directory sizes checkbox. That is a system-wide setting, but especially if… Continue reading If Jamf recon is launching a du process that causes a CPU spike

Terminal command to tell if a macOS directory is SIP-protected

Starting with El Capitan (OS X 10.11), Apple started using System Integrity Protection (SIP) in macOS, so that certain directories would be not writable, even by root. Here’s a quick reference for a couple of commands you can use to see if a directory or file is SIP-protected, as that may change from macOS version… Continue reading Terminal command to tell if a macOS directory is SIP-protected

Running daily, weekly, and monthly scripts in macOS using periodic

Background I was looking for time-based project similar to Outset (which runs boot and login scripts stored in various directories), and apparently there’s one already baked into macOS that will run daily, weekly, and monthly scripts. Shoutout to @elios on the MacAdmins Slack for letting me know about periodic Launch Daemons If you run sudo… Continue reading Running daily, weekly, and monthly scripts in macOS using periodic

The limits of password-protecting a .mobileconfig profile

Three years ago, Rich Trouton wrote Adding password protection to manually installed management profiles, which gives step-by-step instructions for how to make a manually-installed profile prompt for a custom password (in addition to the local admin password) when being removed. I’ve tested this on Catalina, and it still works! That said, it worked only from… Continue reading The limits of password-protecting a .mobileconfig profile