For those who wanted a copy of my talk on managing admin rights in the enterprise at Penn State MacAdmins 2025, here are links to the slides in PDF and Keynote format.
Payload-Free Package Creator.app, an Automator application that allows the selection of an existing script and then creates a payload-free package that runs the selected script, has been updated to version 2.5.
The user experience and operations of the app have not changed from previous versions of Payload-Free Package Creator.app. The changes to Payload-Free Package Creator 2.5 are the following:
Choosing to deploy the Self Service+ app by default in place of the Self Service classic app will result in the following changes taking place on all macOS 13 Ventura and later Macs which are managed by that Jamf Pro server:
Existing installations of the Self Service classic app are removed from managed Macs running macOS 13 or later.
The Self Service+ app is installed on managed Macs running macOS 13 or later as part of a managed Mac’s next check-in with Jamf Pro.
The Self Service+ app is installed on managed Macs running macOS 13 or later following enrollment.
The Self Service+ app is automatically updated to the latest version of Self Service+ as new Self Service+ updates are released.
Managed Macs running macOS 12 Monterey or earlier will not have these changes occur. These Macs will continue to use the Self Service classic app.
For more details, please see below the jump.
To enable the Self Service+ app for default deployment to managed Macs running macOS 13 Ventura and later, please use the following procedure:
1. Log into Jamf Pro with an administrator account.
2. Go to Settings: Jamf Apps.
3. Select Self Service+.
4. In the Self Service+ settings, select the checkbox for Use Self Service+ as the default end user application.
5. Verify the setting is set as desired. Once verified, click the Save button.
Note: Once this option is enabled, all managed Macs running macOS 13 or later will use only the Self Service+ app. It will not be possible to run both the Self Service+ app and the Self Service classic app on the same computer.
Once enabled, you should expect to see the following:
The Self Service+ app is deployed to all macOS 13 Ventura and later Macs which are managed by that Jamf Pro server.
The Self Service classic app is removed from all macOS 13 Ventura and later Macs which are managed by that Jamf Pro server.
For those who want to test the Self Service+ app while continuing to use the Self Service classic app, please see the documentation linked below:
Deploying Self Service+ to End User Devices Using a Policy:
As part of Apple’s unveiling of Declarative Device Management (DDM) at WWDC 2023, Apple announced that DDM management included the ability to deploy MDM configuration profiles using DDM as the delivery mechanism in place of using MDM to deliver the profiles. Jamf Pro’s Blueprints leverages this capability to support deploying printers which can use AirPrint. Let’s see how this works with an AirPrint configuration, using an AirPrint-compatible printer which is set to use the following static IP address:
10.0.1.10
For more details, please see below the jump.
The first thing we need to do is use the ippfind command line tool to discover information about the printer we want to set up and print to. This process is described as part of Apple’s documentation for AirPrint payload settings for Apple devices, available via the link below:
Use the procedure below to discover the information needed:
1. Open Terminal.
2. Run the following command without root privileges:
ippfind
In this example, we’re getting back the following information about the printer:
From this, we can see the following information about the printer:
Bonjour hostname: BRN466371FFF599.local
Port number: 631
Resource path: /ipp/print
We can resolve the BRN466371FFF599.local hostname to find the IP address of the responding printer, which in this example is the following IP address:
10.0.1.10
The port number is 631, the default port for the IPP protocol.
The resource path is /ipp/print, which we will need for setting up the AirPrint configuration in Blueprints.
Once we have this information, we’re ready to set up the AirPrint printer settings for deployment using Blueprints.
As of Jamf Pro 11.18.0, there is not a Blueprints template available for creating blueprints which manage AirPrint settings so the blueprint will need to be configured manually. To do this, use the following procedure:
1. Log into Jamf Pro.
2. Select Blueprints.
3. Click the Create blueprint button.
4. Give it a name when prompted and click the Create button. For this example, I’m using Reception Desk Printer Settings.
5. You should see an unconfigured Blueprint. Scroll down in the list on the right-hand side of the browser window to locate the AirPrint component.
Note: AirPrint is listed as Legacy Payload. In Blueprints, a Legacy Payload type indicates that this is an MDM configuration profile being delivered via DDM.
6. Click on the AirPrint component and drag the AirPrint component to the Declaration group section.
7. Mouse over the AirPrint component and you will see a Configure button appear. Click the Configure button.
8. At this point, you will see an Air print section without any listed printers. Click the Add New Item button.
9. To add the settings for the printer in this example, set the following entries as follows:
IP Address:
10.0.1.10
Resource path:
/ipp/print
Port Number:
Make no changes
Force TLS:
Make no changes
Note: Because we verified earlier that this printer is using port 631, which is the default port for the IPP protocol, it is not necessary to set the port number in the example AirPrint configuration we’re creating. In the event a printer does not use port 631, it would be necessary to set the port number here in the AirPrint configuration.
Likewise, if the printer was using TLS to secure the printer connection, it may be necessary to use the Force TLS setting. In this example, TLS is not being used so it is not necessary to configure the Force TLS setting.
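The two passages above (reading the hostname, port and resource path out of the ippfind result, and deciding which AirPrint fields actually need to be set) can be done in a few lines of code. This is an added example, not code from the original post or from Jamf: the ippfind output line and the printer IP address are constructed to match the example in the text, and the AirPrint payload keys (IPAddress, ResourcePath, Port, ForceTLS) are taken from Apple's AirPrint payload documentation.

```python
#!/usr/bin/env python3
"""Turn an ippfind result into the AirPrint payload values used in Blueprints."""
import plistlib
import uuid

IPP_DEFAULT_PORT = 631

# Constructed sample of what `ippfind` prints for the example printer.
SAMPLE_IPPFIND_OUTPUT = "ipp://BRN466371FFF599.local:631/ipp/print\n"


def parse_ippfind(line):
    """Return (hostname, port, resource_path, uses_tls) for one ippfind URI.

    Hostname case is preserved (urllib would lowercase it); bracketed IPv6
    hosts are not handled, since Bonjour names are what ippfind reports.
    """
    uri = line.strip()
    scheme, sep, rest = uri.partition("://")
    if not sep or scheme not in ("ipp", "ipps"):
        raise ValueError(f"not an IPP URI: {line!r}")
    netloc, slash, path = rest.partition("/")
    if ":" in netloc:
        host, port_text = netloc.rsplit(":", 1)
        port = int(port_text)
    else:
        host, port = netloc, IPP_DEFAULT_PORT
    return host, port, slash + path if path else "/", scheme == "ipps"


def airprint_entry(ip_address, port, resource_path, force_tls):
    """Build one AirPrint printer dictionary for the payload.

    Port and ForceTLS are only emitted when they differ from the defaults,
    which mirrors the "Make no changes" choices in the Blueprints procedure.
    """
    entry = {"IPAddress": ip_address, "ResourcePath": resource_path}
    if port != IPP_DEFAULT_PORT:
        entry["Port"] = port
    if force_tls:
        entry["ForceTLS"] = True
    return entry


def airprint_payload(entries, identifier="com.example.airprint"):
    """Assemble a com.apple.airprint payload dictionary (identifier is a placeholder)."""
    return {
        "PayloadType": "com.apple.airprint",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "AirPrint",
        "AirPrint": entries,
    }


def airprint_payload_plist(entries):
    """Serialise the payload as XML plist bytes, as it would appear in a profile."""
    return plistlib.dumps(airprint_payload(entries))


if __name__ == "__main__":
    host, port, path, tls = parse_ippfind(SAMPLE_IPPFIND_OUTPUT)
    # Resolving host -> IP needs the network; the text's example address is used here.
    print(airprint_payload_plist([airprint_entry("10.0.1.10", port, path, tls)]).decode())
```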
10. Once all the settings choices have been made and verified, click the Save button.
11. At this point, you should have a blueprint which has all settings configured but where no target scope has been set. To scope this blueprint, go to the Scope section and click the Open button.
For this example, I’m selecting a static group named Printer Deployment Group.
Once the desired smart and/or static groups have been set and verified for the scope, click the Save button.
12. Once everything has been configured, Jamf Pro should inform you that you have undeployed changes. Click the Deploy button to deploy the changes to the Macs you want to manage.
13. Once deployed, the Blueprints screen in Jamf Pro should show the newly-created Reception Desk Printer Settings blueprint as being deployed.
You can also check on the managed device’s end by opening System Settings: General: Device Management, locating the MDM enrollment profile in the list of profiles and double-clicking on it. When you scroll to the bottom of the enrollment profile’s window, you should see a Device Declarations section.
If you’re deploying a legacy profile via Blueprints, you should see a Profiles section in Device Declarations. In the Profiles section, there is a listing with a name that matches the name of the blueprint which was deployed. In the case of our example, the listing shows Reception Desk Printer Settings.
If you click on the Reception Desk Printer Settings listing, you should see the details of what is being managed.
Note: The MDM profiles delivered via Blueprints are not signed. This is mentioned in the documentation available via the link below:
As part of Apple’s unveiling of Declarative Device Management (DDM) at WWDC 2023, Apple announced that DDM management included the ability to deploy MDM configuration profiles using DDM as the delivery mechanism in place of using MDM to deliver the profiles. Jamf Pro’s Blueprints leverages this capability to support device restrictions.
Let’s see how this works using a device restriction configuration, using the example of setting the following Apple Intelligence management functions to false in order to block the corresponding Apple Intelligence functions on macOS:
As of Jamf Pro 11.18.0, there is not a Blueprints template available for creating blueprints which manage device restrictions so the blueprint will need to be configured manually. To do this, use the following procedure:
1. Log into Jamf Pro.
2. Select Blueprints.
3. Click the Create blueprint button.
4. Give it a name when prompted and click the Create button. For this example, I’m using Restrictions Settings for macOS.
5. You should see an unconfigured Blueprint. Scroll down in the list on the right-hand side of the browser window to locate the Restrictions component.
Note: The Restrictions component is listed as being the Legacy Payload type. In Blueprints, a Legacy Payload type indicates that this is an MDM configuration profile being delivered via DDM.
6. Click on the Restrictions component and drag the Restrictions component to the Declaration group section.
7. Mouse over the Restrictions component and you will see a Configure button appear. Click the Configure button.
8. At this point, you will see the Restrictions settings available across all Apple platforms. To limit the list to the options which apply to both macOS and Apple Intelligence, click the filter button, then select macOS under OS Type and Apple Intelligence under Category.
9. To apply the desired settings, select the following options and set them to false:
Allow Genmoji
Allow Image Playground
Allow Mail Smart Replies
Allow manual mail summaries
Allow writing tools
10. Once all the settings choices have been made and verified, click the Save button.
11. At this point, you should have a blueprint which has all settings configured but where no target scope has been set. To scope this blueprint, go to the Scope section and click the Open button.
For this example, I’m selecting a static group named Restrictions Deployment Group.
Once the desired smart and/or static groups have been set and verified for the scope, click the Save button.
12. Once everything has been configured, Jamf Pro should inform you that you have undeployed changes. Click the Deploy button to deploy the new restrictions settings to the Macs you want to manage.
13. Once deployed, the Blueprints screen in Jamf Pro should show the newly-created Restrictions Settings for macOS blueprint as being deployed.
You can also check on the managed device’s end by opening System Settings: General: Device Management, locating the MDM enrollment profile in the list of profiles and double-clicking on it. When you scroll to the bottom of the enrollment profile’s window, you should see a Device Declarations section.
If you’re deploying an MDM configuration profile via Blueprints, you should see a Profiles section in Device Declarations. In the Profiles section, there is a listing with a name that matches the name of the blueprint which was deployed. In the case of our example, the listing shows Restrictions Settings for macOS.
If you click on the Restrictions Settings for macOS listing, you should see the details of what is being managed.
Note: The MDM profiles delivered via Blueprints are not signed. This is mentioned in the documentation available via the link below:
As part of Apple’s unveiling of Declarative Device Management (DDM) at WWDC 2023, Apple announced that DDM management included the ability to manage software updates. Jamf Pro’s Blueprints leverages this capability to support managing software updates. Let’s see how this works using the following software update configuration as an example:
Standard users can install Apple software updates
Logged-in users will see all software update notifications
OS updates will be automatically downloaded
OS updates will be automatically installed
Security updates will be automatically installed
Rapid Security Response updates will be installed
Rapid Security Response updates can be removed
For more details, please see below the jump.
As of Jamf Pro 11.18.0, there is not a Blueprints template available for creating blueprints which manage software updates so the blueprint will need to be configured manually. To do this, use the following procedure:
1. Log into Jamf Pro.
2. Select Blueprints.
3. Click the Create blueprint button.
4. Give it a name when prompted and click the Create button. For this example, I’m using Software Update Settings.
5. You should see an unconfigured Blueprint. Scroll down in the list on the right-hand side of the browser window to locate the Software Update Settings component.
6. Click on the Software Update Settings component and drag the Software Update Settings component to the Declaration group section.
7. Mouse over the Software Update Settings component and you will see a Configure button appear. Click the Configure button.
8. At this point, you will see the Software Update settings available across all Apple platforms. To limit the list to the options which apply to macOS, click the filter button and then select macOS. Once the desired filter(s) have been selected, click the Apply button.
9. To apply the following desired settings, select the following options:
Standard users can install Apple software updates:
Select Enable for Allow standard users to install software updates
Logged-in users will see all software update notifications:
Select Enable for Notification preference for updates scheduled by declarations
Once those options are selected, you’ll need to configure the Install actions and Rapid Security Response sections to achieve the following desired settings:
OS updates will be automatically downloaded
OS updates will be automatically installed
Security updates will be automatically installed
Rapid Security Response updates will be installed
Rapid Security Response updates can be removed
To access the Install actions and Rapid Security Response sections, click their associated Configure buttons.
In the Install actions section, to apply the following desired settings, select the following options:
OS updates will be automatically downloaded:
Select Always for Automatic installs of available updates
OS updates will be automatically installed:
Select Always for Automatic downloads of available OS updates
Note: Selecting Always for Automatic installs of available updates will also automatically set Always for Automatic downloads of available OS updates.
Security updates will be automatically installed:
Select Always for Automatic installs of available security updates
Once all choices have been made and verified, click the Update button.
You should now see the following items set to Always:
Automatic installs of available updates
Automatic downloads of available OS updates
Automatic installs of available security updates
From there, scroll down to the Rapid Security Response section and click the Configure button.
In the Rapid Security Response section, to apply the following desired settings, select the following options:
Rapid Security Response updates will be installed:
Select Allow for Rapid Security Response installation
Rapid Security Response updates can be removed:
Select Allow for Rapid Security Response removal
Once all choices have been made and verified, click the Update button.
You should now see the following items set to Enabled:
Rapid Security Response installation
Rapid Security Response removal
10. Once all the settings choices have been made and verified, click the Save button.
11. At this point, you should have a blueprint which has all settings configured but where no target scope has been set. To scope this blueprint, go to the Scope section and click the Open button.
For this example, I’m selecting a static group named Managed Software Update Deployment Group. Once the desired smart and/or static groups have been set and verified for the scope, click the Save button.
12. Once everything has been configured, Jamf Pro should inform you that you have undeployed changes. Click the Deploy button to deploy the changes to the Macs you want to manage.
13. Once deployed, the Blueprints screen in Jamf Pro should show the newly-created Software Update Settings blueprint as being deployed.
You can also check on the managed device’s end by opening System Settings: General: Device Management, locating the MDM enrollment profile in the list of profiles and double-clicking on it. When you scroll to the bottom of the enrollment profile’s window, you should see a Device Declarations section.
If you’re deploying a software update configuration via Blueprints, you should see a Global Settings listing for Software Update in the Device Declarations section.
If you click on the Global Settings listing, you should see the details of the configuration.
You can also see the details of what’s configured in System Settings: General: Software Update.
In this case, you can click on the ( i ) button next to the Automatic Updates section and see the settings which have been applied.
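The settings chosen in the procedure above map onto a single DDM software update settings declaration, and the dependency called out in the note (automatic installs of OS updates imply automatic downloads) can be enforced in code rather than remembered. This is an added example, not code from the original post or from Jamf. The declaration type and key names follow Apple's com.apple.configuration.softwareupdate.settings schema as I understand it, and the accepted action values are an assumption; check both against Apple's DDM documentation before relying on them. The identifier is a constructed placeholder.

```python
#!/usr/bin/env python3
"""Express the post's desired software update settings as a DDM declaration."""
import json
import uuid

DECLARATION_TYPE = "com.apple.configuration.softwareupdate.settings"
# Assumed set of values the AutomaticActions keys accept (verify against Apple's schema).
ACTION_VALUES = ("Always", "AlwaysAsk", "Allow")


def is_valid_action(value):
    """True when value is one of the assumed AutomaticActions choices."""
    return value in ACTION_VALUES


def software_update_payload(
    allow_standard_users=True,        # Standard users can install Apple software updates
    notifications=True,               # Logged-in users will see all update notifications
    download="Always",                # OS updates will be automatically downloaded
    install_os_updates="Always",      # OS updates will be automatically installed
    install_security_updates="Always",  # Security updates will be automatically installed
    rsr_install=True,                 # Rapid Security Response updates will be installed
    rsr_rollback=True,                # Rapid Security Response updates can be removed
):
    """Build the Payload dictionary; defaults match the settings in the text."""
    for name, value in (("download", download),
                        ("install_os_updates", install_os_updates),
                        ("install_security_updates", install_security_updates)):
        if not is_valid_action(value):
            raise ValueError(f"{name}={value!r} is not one of {ACTION_VALUES}")
    # Same rule the Blueprints UI applies: always installing OS updates
    # only makes sense if they are always downloaded, so force that too.
    if install_os_updates == "Always":
        download = "Always"
    return {
        "AllowStandardUserOSUpdates": allow_standard_users,
        "Notifications": notifications,
        "AutomaticActions": {
            "Download": download,
            "InstallOSUpdates": install_os_updates,
            "InstallSecurityUpdate": install_security_updates,
        },
        "RapidSecurityResponse": {
            "Enable": rsr_install,
            "EnableRollback": rsr_rollback,
        },
    }


def declaration(payload, identifier=None):
    """Wrap a payload in the declaration envelope (Type, Identifier, Payload)."""
    return {
        "Type": DECLARATION_TYPE,
        "Identifier": identifier or str(uuid.uuid4()).upper(),
        "Payload": payload,
    }


def to_json(decl):
    """Render the declaration as the JSON an MDM server would send."""
    return json.dumps(decl, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_json(declaration(software_update_payload(), "PLACEHOLDER-SOFTWARE-UPDATE")))
```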
One way to deliver custom fonts on macOS is to deploy them via a configuration profile. In this case, you’re deploying a profile which includes a copy of the font file or files. For example, here’s how the open source Caprasimo font looks when deployed via a profile.
You can access information about the font in question using the Font Book app on macOS Sequoia.
In Font Book.app, you should see the profile-deployed font appearing in the My Fonts section. You can also access information about the font from here.
But how do you extract the font file from the profile? You can also do this using the Font Book app. For more details, see below the jump.
You can use the following procedure to export a font which was installed using a configuration profile:
1. Open Font Book.app.
2. Find the font in question and select it.
3. Under the File menu, choose the Export… option.
4. Select where you want to save the exported font file to.
5. Verify that the font file has been exported to the desired location.
One of the user interface features in macOS is what Apple refers to as Vibrancy, where the color displayed for Finder windows, menus, the Dock, the menubar and other interfaces subtly change to reflect the colors behind them. This produces a translucent visual effect for those interfaces.
This feature, first introduced in OS X 10.10 Yosemite, can come at a cost in terms of processor and GPU resources because this visual effect is being recalculated and redrawn as needed. For those who want to reclaim those resources, it’s possible to turn Vibrancy off if needed. On macOS Sequoia, this is managed via the following setting in System Settings:
System Settings: Accessibility: Display: Reduce Transparency
With the Reduce transparency setting enabled, Vibrancy is turned off and the various interface components should change from their Vibrancy-managed translucent appearance to a non-translucent gray appearance.
As of macOS Sequoia, it does not appear to be possible to manage the Reduce transparency setting using a defaults command but it is possible to manage it via a configuration profile. For more details, please see below the jump.
The relevant preference domain and key values are below:
Preference domain: com.apple.universalaccess
Key: reduceTransparency
Value: Boolean
Setting a boolean value of true will disable Vibrancy on macOS Sequoia. I’ve built a configuration profile with the boolean value of true set, where the profile is available on GitHub via the link below:
As part of Apple’s discussion of Declarative Device Management (DDM) at WWDC 2024, Apple announced that DDM management on macOS 15 Sequoia and later now included the ability to allow or block external and network storage. You can manage the following:
Allowed: The system can mount storage that’s read-write or read-only.
Read-only: The system can only mount read-only storage. Storage that is read-write is not mounted read-only.
Disallowed: The system can’t mount any external storage.
Note: The read-only options are for mounting storage which is already read-only. If macOS can detect that the storage is read-write when it tries to mount the storage in question, macOS won’t mount the storage and will display an error message.
I can set up a Blueprint in Jamf Pro to deploy this network storage management configuration using the following procedure:
1. Log into Jamf Pro.
2. Select Blueprints.
3. Click the Open button for Install disk management settings.
4. Give it a name when prompted. For this example, I’m using Block Network Storage.
5. Select a Jamf Pro smart or static group. For this example, I’m selecting a static group named Disk Management Deployment Group.
6. In the Disk Management Policy section, select the following settings:
Click the checkbox for Network storage.
Click the button for Disallowed.
7. Once all the information has been entered and verified to be correct, click the Save button.
Once everything has been configured, Jamf Pro should inform you that you have undeployed changes. Click the Deploy button to deploy the changes to the Macs you want to manage.
Once deployed, the Blueprints screen in Jamf Pro should show the newly-created Block Network Storage Blueprint as being deployed.
On your managed devices, you can verify that the new disk management configuration has been deployed by clicking on the enrollment profile, then scrolling to the bottom. In the case of this example, you should see a Device Declarations section with a listing for Disk Management.
If you click on the Disk Management listing, it should report the following:
Network Storage Restriction: Not Allowed
You can verify that the network storage restriction is working by running the following test:
1. Connect to a network storage server.
2. Log in using your credentials.
3. When the server presents the list of available network storage shares, select one your user account should have access to.
If the network storage restriction is working, you should receive an error when macOS tries to mount the network share. This is because the network storage restriction is acting at the time when macOS is trying to mount the network share.