r/macsysadmin

M1 MacBook Air (2020) — reliable DisplayLink way to run 2 external monitors?

Since the M1 MacBook Air (2020) only supports 1 external display natively, I’ve been looking into DisplayLink adapters/docks for a second monitor.

Amazon is flooded with options, but a lot of reviews mention lag/jankiness, overheating, or docks failing over time.

I’m mainly just looking for a larger workspace (nothing heavy), but I still want it to feel smooth and not annoying to use day-to-day. I’m willing to spend more for something reliable.

Questions:

  • What setup are you actually using?
  • Any adapters/docks you trust long-term?
  • Is DisplayLink “good enough” for everyday use, or still kinda janky?

Trying to avoid buying something I’ll regret.

reddit.com
u/RanchDubois7 — 7 hours ago

Platform SSO with Secure Enclave, something to gain?

Looking for some real-world input on whether Platform SSO with Secure Enclave actually adds value in our setup.

Our environment:

  • Macs managed with Jamf Pro
  • Microsoft 365 / Entra ID
  • Conditional Access with device compliance (Jamf → Intune connector)
  • Legacy Enterprise SSO Extension — users stay signed in as long as the device is compliant, no repeated username/password prompts
  • No additional Entra-connected apps beyond M365
  • No apps enforced via Conditional Access other than M365

Given this setup, what would we actually gain by switching to Platform SSO with Secure Enclave?

u/aPieceOfMindShit — 15 hours ago

I made a (FOSS) Ventoy installer for macOS

Ventoy is currently only able to be installed on a USB drive easily on Windows. Now it can be installed solely in macOS, no PC required. Written in Swift, created it because I needed to create a Ventoy drive, and was away from my PC, so I made a script that enables install on macOS. This app is a Swift UI wrapper around that script.

"What the hell is Ventoy," you ask? - Instead of writing a .iso of an OS to a USB stick, and then overwriting it when you need to install another .iso, you install Ventoy to a USB stick, and then drop as many ISOs, .img files, etc., into the root of the USB stick, and you can now install any image you've added to the USB stick when you boot from the USB stick with a simple UI. This is super helpful if you tinker a lot with Linux distros or if you work in IT.

edit: forgot to drop the link: https://github.com/cashcon57/mactoy

u/cashy57 — 4 hours ago

2026.04.20 Updated "Must Have" Apps post

Hey Guys, figured it might be useful to create an updated "Must Have" Apps list for macOS Management.

Here's my list of core go-to apps.

Super (OS Updates)
https://github.com/Macjutsu/super

Installomator (Third Party App installer\Updater)
https://github.com/Installomator/Installomator

App-Auto-Patch (Standalone updater that leverages Installomator)
https://github.com/App-Auto-Patch/App-Auto-Patch

Privileges App (Admin elevation, effective and configurable)
https://github.com/SAP/macOS-enterprise-privileges

mSCP (macOS Security Compliance Project)
https://github.com/usnistgov/macos_security

JAMF Compliance Editor (GUI to simplify the mSCP)
https://trusted.jamf.com/docs/establishing-compliance-baselines

M.A.C.E. (GUI for mSCP. Likely to take over for JCE once JCE goes poof around September)
https://github.com/mace-app/mace

SupportApp (One-stop shop for macOS Support options)
https://github.com/root3nl/supportapp

Baseline (MDM Agnostic Zero Touch Setup App)
https://github.com/SecondSonConsulting/Baseline

SetupYourMac, MacHealthCheck, DDM OS Reminder, etc (All the Dan Snelson goodies)
https://snelson.us/

u/SideScroller — 18 hours ago

Accidental SysAdmin - FleetDM software management is kicking my ass

Hey everyone,

I'm at a small shop (~15 Apple Silicon Macs) and I've basically "fallen into" being the SysAdmin. We moved from Miradore to FleetDM earlier this year, and I'm now tasked with actually getting software management working.

The Problem:

My boss (and the fact that we're a cybersec company) has a strict "no closed-source SaaS" rule for our binary pipeline, so tools like Workbrew are out. He wants something automated where we don't have to manually package every single binary ourselves.

I tried using Homebrew through scripts (since that's what we did in Miradore), but it's been super flaky and unreliable. I also tried using the out-of-the-box binaries Fleet offers in their software library, but they've been really hit or miss. For example, things like Brave just fail with "Download Failed" and zero helpful logs, while other apps work fine. It's hard to trust it for a fleet-wide rollout.

The Confusion:

I keep seeing Installomator and AutoPkg mentioned, but I'm honestly just confused at this point.

- Are those the only "real" ways to do this without a paid SaaS?

- Am I missing some obvious "middle ground" for a company of 15 people?

- If I go the Installomator/AutoPkg route, what does that actually look like in a Fleet workflow?

I'm basically looking for the "standard" way people handle this when they can't use a black-box service. Is there a better way to approach this, or do I just need to suck it up and learn AutoPkg/Installomator and if so which one?

u/1juu — 16 hours ago
🔥 Hot ▲ 90 r/macsysadmin+45 crossposts

[MacOS] [50% OFF Lifetime] - ClearCut: 42 native macOS tools for video, audio, image & PDF

Hey everyone,

Sharing a 50% off lifetime deal for ClearCut, a native macOS app I built that combines 42 video, audio, image, and PDF tools into one.

Why I built it

Doing simple file tasks on Mac used to mean bouncing between 3-4 apps. Compress a video? One app. Convert MOV to MP4? Another one. Merge PDFs? Preview. Resize images? Some sketchy online tool. None of it is hard, but the workflow always felt wrong. So I built one app that just does all of it, locally.

What's included (42 tools across 4 categories)

  • Video (14 tools) - compression with CRF control, format conversion (MP4, MOV, MKV, WebM, AVI), frame-accurate trimming, resizing, speed adjustment, merging, rotation, GIF maker, watermark, captions, subtitles burn-in, and a 4K video downloader
  • Audio (10 tools) - extract audio from video (MP3/AAC/FLAC/WAV), format conversion, normalize, trim, merge, fade, volume, metadata editing, reverse
  • Image (8 tools) - compress, convert, resize, crop, rotate, watermark, remove background, GIF maker
  • PDF (10 tools) - merge, split, compress, encrypt/decrypt, PDF to images, images to PDF, extract pages, rotate, watermark

Why ClearCut

  • 100% local processing, nothing uploaded to the cloud
  • Native macOS app, not Electron
  • Optimized for Apple Silicon
  • Drag and drop workflow
  • Localized in 13 languages
  • No accounts, no sign-ups

The deal

I'm offering 50% off the lifetime license for r/AppStore. That's pay once, own it forever, with free updates.

Comment below and I will DM you the code

Mac App Store: Download ClearCut

Happy to answer any questions about the app. Would love feedback too!

u/MiladAtef — 1 day ago
▲ 21 r/macsysadmin+1 crossposts

APFS as a security boundary: a comparative deep dive through FFS, ZFS, BFS, NTFS and ext4

I wrote a long-form comparative piece on filesystem design, but the real target is APFS and the role it plays in Apple’s platform security model.

The article walks through FFS/FFS2, BFS, NTFS, ext4 and ZFS first, then uses that background to explain why APFS is not just “Apple’s default filesystem”, but part of how modern macOS thinks about crash consistency, snapshots, encryption, space sharing and system integrity.

It is not a buyer’s guide and not a generic “top filesystems” post. The point is to look at the underlying design choices and why they matter.

Link:

https://bytearchitect.io/macos-security/theory/Filesystem-Wars-Why-Your-Choice-of-Storage-is-Actually-a-Security-Move/

I’ll follow up with the APFS/macOS hardening part.

u/Reversed-Engineer-01 — 22 hours ago

Phoenix, AZ Mac Admin Happy Hour this week

Don’t forget to RSVP for our Happy Hour this Thursday, April 23rd, at 6:00 PM!

Space is strictly limited to 30 people to keep things social, so make sure you’re on the list if you want in on the sliders, the arcade competition, and the Xbox Series S raffle.

📍 Where: Dave & Buster’s Tempe

⏰ When: Thursday, April 23rd | 6:00 PM – 8:00 PM

Grab one of the last spots here: https://luma.com/35le41mp

See you at the arcade! 🕹️

u/skohler16 — 8 hours ago
▲ 16 r/macsysadmin+3 crossposts

I revived Later – the workspace switcher that broke on macOS 13+

If you ever used Later by Alyssa X, you know the pain: the original binary hasn't worked since Ventura and the repo has been unmaintained for years.

I forked it, fixed it, and ended up going a bit further than planned.

**What was broken:**

- Crashed on first launch due to deprecated screenshot API (CGDisplayCreateImage)

- Force-unwrap crashes throughout

- Broken autostart (used deprecated SMLoginItemSetEnabled)

- Missing privacy strings blocking macOS permissions

- 23 bugs and 6 security findings in total – all documented in ISSUES.md

**What's new in v2.7.5:**

- Full macOS 13–26 (Tahoe) compatibility

- 6 independent session slots with a 2×3 grid – switch between "coding", "meeting", "off" workspaces instantly

- Sessions are now reusable presets – restoring no longer clears the slot

- Right-click quickbar on the menu bar icon – one click to save or restore any slot

- Per-slot reopen timer with weekday recurrence (e.g. "restore Mon–Fri at 09:00")

- Scheduled save per slot

- Configurable global shortcuts for all 6 slots

- Liquid Glass support on macOS 26 Tahoe

- Full security audit, SwiftPM version pins, no more force-unwraps

I built this for myself because I switch contexts a lot and nothing else does exactly this. Tested on M3 Pro, running stable.

Looking for people to bang on it – especially anyone on Sequoia or Tahoe.

Repo + DMG: https://github.com/LazaroZero1176/later

Credit for the original concept goes entirely to Alyssa X.

u/Ill-Veterinarian1136 — 2 days ago

Shutdown/Restart MacBook without prompting

This is for my personal device, and will be done by a background script (launch daemon). How would I shut down or restart a MacBook as soon as it can be safely done to the system, without prompting the user? I'm specifically worried about it happening during a login or logout and interrupting disk/app state.

u/United-Result-8129 — 2 days ago

Jamf MDM sending device posture signals to Google Workspace on macOS with Google as the IdP

Google Workspace Enterprise is our IdP, and we use Google login for everything in our company.

I bought the full Jamf stack (Jamf Pro / Jamf for macOS / Jamf for Mobile / basically all Jamf tools). Our macOS devices will be fully enrolled in Jamf, and mobile devices like iPhone/iOS and Android devices will be BYOD with Jamf.

I already watched Jamf 100 / Jamf 140 on YouTube and read the Jamf KB and Google docs, but I still want to validate the correct/supported design.

I already enrolled all MacBooks in Apple Business Manager. I already installed and pushed Jamf with success.

I am just struggling with one thing: I am not able to send signals from Jamf MDM to Google IdP.

My goal is very simple: when a user enters their Google username/password for Gmail, Docs, Calendar, etc., I want Google IdP / Context-Aware Access to check only one extra thing from Jamf MDM: device posture = true/false. Nothing else.

My questions (and my unsure answers, if helpful for someone):

  1. Is Chrome + Endpoint Verification the only supported way on macOS? Is that needed only once for initial registration, or must Chrome + Endpoint Verification stay installed/running all the time? For iPhone/iOS BYOD (and Android BYOD), where there is no equivalent Chrome + Endpoint Verification flow, how is this supposed to work? ===> My answer: "Yes, this is the only way and you must use Google Chrome and Endpoint Verification on macOS all the time. For mobile you don't have Endpoint Verification, but you use the Gmail native app as a replacement to send signals."
  2. Is there any native Jamf Pro / Jamf MDM → Google Workspace / CAA integration that sends only the compliance signal without depending on Chrome? ===> My answer: "No. Endpoint Verification on macOS asks Jamf MDM for the true/false posture signal. Jamf MDM can't send signals directly to Google."
  3. For a new employee / brand new Mac, how do you avoid the chicken-and-egg problem on the first Google login? What is the correct onboarding flow? ===> I don't know this, I am lost here.
  4. Can Jamf still provide a supported true/false compliance signal to Google Workspace for those BYOD devices? ===> "No. But I don't understand why or how."

I’m mainly trying to understand the official/supported way to configure this successfully end-to-end.

u/intheloopdoor — 2 days ago

Company MacBook Lost Before Setup (Help plz)

Hey, very stuck here and hoping someone can help.

We recently ordered 2x MacBooks for new starters in the company. They were delivered and put in our store room, but one of them has just completely vanished: not in our asset tracker, not in our JumpCloud, so it has never been set up by IT.

The serial number shows that the device's warranty will expire on the 12th April 2027. Apple support have told me this directly correlates with the device being activated on Sunday 12th April 2026.

Apple support have told me they are completely unable to find the device's location or the Apple ID that is logged into it. There's nothing they can do at all even though we can provide all the proof that the device is owned by us.

Pretty stuck on where to go from here, any suggestions would be appreciated.

u/ITHelpDeskMeSpeaking — 5 days ago

Any luck with the new Apple Business?

UPDATE: I seem to have found a way around my problem. I’ve created a blueprint and assigned the device to it without any profiles. The device sets up without asking for Apple sign-in. Once in, go to Settings and sign the user in. Clumsy in my opinion, but it works.

————————————

I was curious about testing the "native" MDM provided by Apple now since my company's Intune MDM setup is haphazard at best and nothing seems to download or sync properly on a good day.

So I've been testing with an iPhone and everything goes well with setup until I get to the 'Sign In to Work Account' screen. I'll enter my company Apple ID and password and get a 'Verification Failed: An unknown error occurred', which is grand and all but doesn't point me to what the issue is.

If I happen to enter my password wrong, it does recognize that and tell me I entered the wrong password... that still leaves the question of what the issue might be.

Mainly curious if others have been having luck with the Apple Business MDM or are hitting the same wall I am.

u/Sinnth3tik — 5 days ago

Issues in a lab environment

Hello, first post in here. I've been effectively the Mac admin for my university for almost the last 4 years, having originally never used a Mac. I'm quite comfortable in Jamf Pro now and everything is going smoothly.

I support multiple Mac labs of varying ages (2 iMac labs running Ventura, 1 mostly Intel Mac mini, and 1 M1 Mac mini lab). I am having an issue specifically in my M1 Mac mini lab, which I would have thought would be my most stable lab. For context, all of the Macs are joined to the domain and mobile accounts are created and cached whenever a user (student) logs in. We are working on deploying Jamf Connect over the summer, but this is what I have for now.

The issue in the M1 lab is that every day a large portion of the lab has to be restarted, sometimes after every user that logs in. When a user logs out and a new one tries to log in, the computer freezes and just shows a loading beachball and the clock stops updating. After restarting, the M1 Mac works fine and loads fairly quickly. This does not happen in any other lab. The only configuration difference that I have is that "switching user" is enabled and I have an automatic logout after 30 minutes of inactivity set.

My first thought is that perhaps the users are not logging out; however, after observing a class leave, pretty much everyone logged out properly (shockingly) and nothing was on the lock screen. There are about 10-20 user accounts created at most on each Mac and one local admin account. Is the number of accounts potentially the problem? I was trying to figure out a way to delete old accounts 90 days old or more, however I couldn't find a good way to do it. Or is the fact that they are mobile accounts causing the issue? In which case, why doesn't this happen on the other Intel Mac labs? If switching to Jamf Connect/local accounts will fix it then great, but I just have to finish this semester.

Any thoughts are greatly appreciated.

u/Konather — 5 days ago

Mosyle Issue

I’m new to Mac Admin work, my company deals with Mosyle and I have been trying to redeploy a couple of old Macs lying around.

When I set up this Mac Mini (the same exact way I have set up other Macs) it asks for a Google account to sign in to the machine. Thing is, none of the other Macs I have set up do this and neither do the Macs that are already set up.

I saw an option to toggle it for the entire fleet but I don’t think it’s an issue for this individual unit. I already submitted a ticket with Mosyle but wanted to see what you guys' thoughts were.

u/Snoo_13237 — 3 days ago
🔥 Hot ▲ 65 r/macsysadmin

New Apple Business is launched. Turning on built in MDM does NOT invalidate your existing MDM connections

I imagine this is gonna be pretty new for us non-Americans so I took the plunge. Despite the "turn on built in management" being a full page switch, it just added another MDM server to my list. Phew!

However, I can't seem to find a way to connect my previous Business Connect brands? It was set up with the same Managed Apple Account. It wants me to set up locations and brands again.
EDIT: Found it. My old Business Connect environment counts as a different org under my account. Oof. There's a way to change ownership but it seems it needs the intervention of Apple Support.

u/Entegy — 7 days ago

Mac OS X server nerds, I need your wisdom

I'm stumped by the following:

Step 2: Fill in the Mac OS X Server Information Worksheet

The Server Information Worksheet, located on the cut-off panel of this card, contains the information you need to set up your server for the first time. Fill in the worksheet, then refer to it during step 4.

And I have no idea what "cut-off panel of this card" actually refers to. It doesn't appear to be mentioned in the documentation for Mac OS X Server, and Google has so far been exceedingly unhelpful.

The context is setup and installation of Mac OS X Server, and none of the other steps mention panels or cards of any kind.

u/foresterd — 6 days ago

Anyone unable to log in with Apple's Business Essentials MDM on a supervised iPhone?

Testing out Apple’s free MDM and I have an old iPhone 8 that I wanted to test with. I have it hooked to my Mac with Apple Configurator and it says it is supervised and managed by my company. I am using the email service Apple is also providing. Using this, I created a new managed user, signed in.

When I get to the Remote Management screen then to sign in to your work account, all I get is

"Verification Failed, Your Apple account does not support the expected services on this device. Contact your administrator to sign in." The role the account is under is Staff but I also get it on my admin account.

The only docs I have been able to find on this are for the old employee plan, which doesn't exist anymore. I also looked into seeing if I could add the device to the user but that option also does not exist.

u/alteredtechevolved — 6 days ago

How to deal with FileVault keep locking users out?

So we have had about one report a week for the past few months with users swearing they entered their correct password but FileVault refuses to unlock/acknowledge the password. At first I thought it was just user-error but it keeps happening to more and more users and I'm honestly out of ideas for what could be causing this.

For environment reference we use Intune and XCreds for account deployment (Intune sets up a hidden admin account, the user account gets created by XCreds and receives the first and only Secure Token on the system. Users are Standard users and not local admins.) as we never physically touch the machines as they are shipped directly to end-users and enrolled via ABM.

I suspect some fuckery with Secure Token BS but can't narrow it down or actually check as I have no physical access to any user machines as we are all remote and since they can't get past the FileVault screen there is no way to assist them remotely.

As the recovery key would enable them to reset the password for the local admin account and as such escalate privileges our only option is to wipe their machines, but this is not optimal as the issue seems to be affecting more and more users each day.

u/DesignerGoose5903 — 6 days ago