babgondhttp://www.babgond.com/moonmoon/2025-08-04T17:52:54ZAuthorDer Flounder : Deploying software update declarations using Blueprints in Jamf Prohttps://derflounder.wordpress.com/2025/08/03/deploying-software-update-declarations-using-blueprints-in-jamf-pro/2025-08-03T21:06:45+00:00rtroutonOne of the management options Jamf Pro now provides with Blueprints is sending DDM declarations to managed Macs run macOS software updates automatically. This is comparable to Jamf Pro’s managed software update functionality, which also provides the ability to send a DDM declaration to run software updates.
For those familiar with Jamf Pro’s managed software update functionality, the Blueprints software update declaration provides the following update options:
Download and schedule to install
Specific version
The Specific version functionality in the managed software update functionality tells the managed Mac to download and install the update for a specific macOS version, like macOS 15.6.0.
The Blueprints software update declaration option provides that same experience, where you can do the following:
Set a date that you want to have your Macs updated by.
Set the OS version you want to update to.
For more details, please see below the jump.
For this example, I have the goal of updating managed Macs to the following version of macOS:
macOS 15.6.0
I want to have them all updated by Friday, August 1 2025 at 6:00 PM (18:00)
I can set up a Blueprint in Jamf Pro to deploy a software update declaration to enforce this using the following procedure:
1. Log into Jamf Pro.
2. Select Blueprints
3. Click on Update software to latest version.
4. Give it a name when prompted. For this example, I’m using Update to macOS 15.6.
5. Select a Jamf Pro smart or static group. For this example, I’m selecting a static group named Managed Software Update Deployment Group.
6. In the Software Updates section, I’m choosing the following settings:
Date and time of the update:
08/01/2025, 18:00
Target OS version:
15.6
Note: The options available via Blueprints for software declarations are the ones Apple has specified for software update declarations. For more information about this topic, please see the following link:
7. Once all the information has been entered and verified to be correct, click the Save button.
Once everything has been configured, Jamf Pro should inform you that you have undeployed changes. Click the Deploy button to deploy the changes to the Macs you want to manage.
Once deployed, the Blueprints screen in Jamf Pro should show the newly-created Update to macOS 15.6 Blueprint as being deployed.
On your managed devices, you can verify that the new service background task configuration has been deployed by clicking on the enrollment profile, then scrolling to the bottom. In the case of this example, you should see a Device Declarations section with a listing for Software Update.
If you click on that listing, you should see the details of the software update declaration.
From the user’s perspective, they should see a Notifications center notification appear with two available options:
Details
Update
When you click the Details button, you should see behavior similar to what’s shown below:
When you click the Update button, you should see behavior similar to what’s shown below:
Note:The video above has been edited to artificially reduce the amount of time the OS update took to run. Run time of the pre-edited video was 14 minutes 42 seconds.
]]>Der Flounder : Using the mdfind command line tool to find duplicate copies of an application on macOS Sequoiahttps://derflounder.wordpress.com/2025/07/28/using-the-mdfind-command-line-tool-to-find-duplicate-copies-of-an-application-on-macos-sequoia/2025-07-28T22:15:21+00:00rtroutonA common issue faced by Mac admins is that users can have multiple copies of an application on their system. This can be the result of users having standard user rights and running applications out of the home directories, or users reorganizing the Applications directory in a way that makes more sense to them for their needs. Meanwhile, when Mac admins need to report on whether the apps on the fleet are up to date, these additional or reorganized apps may not be patched but do show up in the software reporting as being out of date.
When you run into these situations, how to handle them? The first step is finding where the duplicates are and reporting on them. To do this, you can use the mdfind command line tool, using the kMDItemCFBundleIdentifier metadata attribute. This metadata attribute reports on the bundle identifier used by an application, so it should pick up all copies of an app which are using that unique identifier for that app. For more details, please see below the jump.
As an example case, I’m going to use the following scenario:
I need to locate all copies of the BBEdit app installed on a particular Mac
The user in question has three copies of BBEdit installed.
In /Applications
In a user-created BBEdit directory inside of /Applications.
In a user-created Applications directory inside of their home folder.
BBEdit’s bundle identifier is com.barebones.bbedit, so I can use the following mdfind command to find all copies of BBEdit.app:
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
In the scenario described above, that should provide output similar to what’s shown below:
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
However, you may not necessarily want to know about /Applications/BBEdit.app as that may be the only version you want installed. To exclude /Applications/BBEdit.app from your results, you can use the grep command line tool’s -v inverse match and -E regular expression options to exclude /Applications/BBEdit.app from the list of results:
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
If you needed to exclude additional directories (for example, you must exclude searching the user’s home folder for privacy reasons), you can add additional regular expressions to the grep command to exclude additional undesired results. Here’s an example where you’re excluding results from /Users and for /Applications/BBEdit.app:
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
For our scenario, here’s a script that should identify all installed copies of BBEdit on a Mac and display a list of all copies except for /Applications/BBEdit.app:
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
]]>Der Flounder : Slides from the “Leveling Up – Managing admin rights in the enterprise” session at Penn State Mac Admins 2025https://derflounder.wordpress.com/2025/07/17/slides-from-the-leveling-up-managing-admin-rights-in-the-enterprise-session-at-penn-state-mac-admins-2025/2025-07-17T22:09:56+00:00rtroutonFor those who wanted a copy of my talk on managing admin rights in the enterprise at Penn State MacAdmins 2025, here are links to the slides in PDF and Keynote format.
]]>Der Flounder : Slides from the “MDM and DDM 101” session at Penn State MacAdmins 2025https://derflounder.wordpress.com/2025/07/16/slides-from-the-mdm-and-ddm-101-session-at-penn-state-macadmins-2025/2025-07-16T16:22:17+00:00rtroutonFor those who wanted a copy of my talk on MDM and DDM at Penn State MacAdmins 2025, here are links to the slides in PDF and Keynote format.
]]>Der Flounder : Payload-Free Package Creator 2.5 now availablehttps://derflounder.wordpress.com/2025/07/15/payload-free-package-creator-2-5-now-available/2025-07-15T22:43:56+00:00rtroutonPayload-Free Package Creator.app, an Automator application that allows the selection of an existing script and then creates a payload-free package that runs the selected script, has been updated to version 2.5.
The user experience and operations of the app have not changed from previous versions of Payload-Free Package Creator.app. The changes to Payload-Free Package Creator 2.5 are the following:
]]>Der Flounder : Deploying Self Service+ in place of Self Service on Macs managed by Jamf Prohttps://derflounder.wordpress.com/2025/07/03/deploying-self-service-in-place-of-self-service-on-macs-managed-by-jamf-pro/2025-07-03T21:57:00+00:00rtroutonAs part of the release notes for Jamf Pro 11.18.0, it was mentioned that the Self Service+ app could now be deployed by default in place of the Self Service app (also referred to as Self Service classic.)
Choosing to deploy the Self Service+ app by default in place of the Self Service classic app will result in the following changes taking place on all macOS 13 Ventura and later Macs which are managed by that Jamf Pro server:
Existing installations of the Self Service classic app are removed from managed Macs running macOS 13 or later.
The Self Service+ app is installed on managed Macs running macOS 13 or later as part of a managed Mac’s next check-in with Jamf Pro
The Self Service+ app is installed on managed Macs running macOS 13 or later following enrollment.
The Self Service+ app is automatically updated to the latest version of Self Service+ as new Self Service+ updates are released.
Managed Macs running macOS 12 Monterey or earlier will not have these changes occur. These Macs will continue to use the Self Service classic app.
For more details, please see below the jump.
To enable the Self Service+ app for default deployment to managed Macs running macOS 13 Ventura and later, please use the following procedure:
1. Log into Jamf Pro with an administrator account.
2. Go to Settings: Jamf Apps
3. Select Self Service+
4. In the Self Service+ settings, select the checkbox for Use Self Service+ as the default end user application.
5. Verify the setting is set as desired. Once verified, click the Save button.
Note: Once this option is enabled, all managed Macs running macOS 13 or later will use only the Self Service+ app. It will not be possible to run both the Self Service+ app and the Self Service classic app on the same computer.
Once enabled, you should expect to see the following:
The Self Service+ app be deployed to all macOS 13 Ventura and later Macs which are managed by that Jamf Pro server.
The Self Service classic app be removed from all macOS 13 Ventura and later Macs which are managed by that Jamf Pro server.
For those who want to test the Self Service+ app while continuing to use the Self Service classic app, please see the documentation linked below:
Deploying Self Service+ to End User Devices Using a Policy:
]]>Der Flounder : Deploying AirPrint printers using Blueprints in Jamf Prohttps://derflounder.wordpress.com/2025/06/28/deploying-airprint-printers-using-blueprints-in-jamf-pro/2025-06-28T20:22:14+00:00rtroutonAs part of Apple’s unveiling of Declarative Device Management (DDM) at WWDC 2023, Apple announced that DDM management included the ability to deploy MDM configuration profiles using DDM as the delivery mechanism in place of using MDM to deliver the profiles. Jamf Pro’s Blueprints leverages this capability to support deploying printers which can use AirPrint. Let’s see how this works with an AirPrint configuration, using an AirPrint-compatible printer which is set to use the following static IP address:
10.0.1.10
For more details, please see below the jump.
The first thing we need to do is use the ippfind command line tool to discover information about the printer we want to set up and print to. This process is described as part of Apple’s documentation for AirPrint payload settings for Apple devices, available via the link below:
Use the procedure below to discover the information needed:
1. Open Terminal.
2. Run the following command without root privileges:
ippfind
In this example, we’re getting back the following information about the printer:
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
From this, we can see the following information about the printer:
Bonjour hostname: BRN466371FFF599.local
Port number: 631
Resource path: /ipp/print
We can use the BRN466371FFF599.local hostname to look up what the IP address of the responding printer is, which in this example is going to be the following IP address:
10.0.1.10
The port number is 631, or the default for the IPP protocol.
The resource path is /ipp/print, which we will need for setting up the AirPrint configuration in Blueprints.
Once we have this information, we’re ready to set up the AirPrint printer settings for deployment using Blueprints.
As of Jamf Pro 11.18.0, there is not a Blueprints template available for creating blueprints which manage AirPrint settings so the blueprint will need to be configured manually. To do this, use the following procedure:
1. Log into Jamf Pro.
2. Select Blueprints
3. Click the Create blueprint button.
4. Give it a name when prompted and click the Create button. For this example, I’m using Reception Desk Printer Settings.
5. You should see an unconfigured Blueprint. Scroll down in the list on the right-hand side of the browser window to locate the AirPrint component.
Note: AirPrint is listed as Legacy Payload. In Blueprints, a Legacy Payload type indicates that this is an MDM configuration profile being delivered via DDM.
6. Click on the AirPrint component and drag the AirPrint component to the Declaration group section.
7. Mouse over the AirPrint component and you will see a Configure button appear. Click the Configure button.
8. At this point, you will see an Air print section without any listed printers. Click the Add New Item button.
9. To add the settings for the printer in this example, set the following entries as follows:
IP Address:
10.0.1.10
Resource path:
/ipp/print
Port Number:
Make no changes
Force TLS:
Make no changes
Note: Because we verified earlier that this printer is using port 631, which is the default port for the IPP protocol, it is not necessary to set the port number in the example AirPrint configuration we’re creating. In the event a printer does not use port 631, it would be necessary to set the port number here in the AirPrint configuration.
Likewise, if the printer was using TLS to secure the printer connection, it may be necessary to use the Force TLS setting. In this example, TLS is not being used so it is not necessary to configure the Force TLS setting.
10. Once all the settings choices have been made and verified, click the Save button.
11. At this point, you should have a blueprint which has all settings configured but where no target scope has been set. To scope this blueprint, go to the Scope section and click the Open button.
For this example, I’m selecting a static group named Printer Deployment Group.
Once the desired smart and/or static groups have been set and verified for the scope, click the Save button.
12. Once everything has been configured, Jamf Pro should inform you that you have undeployed changes. Click the Deploy button to deploy the changes to the Macs you want to manage.
13. Once deployed, the Blueprints screen in Jamf Pro should show the newly-created Reception Desk Printer Settings blueprint as being deployed.
You can also check on the managed device’s end by opening System Settings: General: Device Management, locating the MDM enrollment profile in the list of profiles and double-clicking on it. When you scroll to the bottom of the enrollment profile’s window, you should see a Device Declarations section.
If you’re deploying a legacy profile via Blueprints, you should see a Profiles section in Device Declarations. In the Profiles section, there is a listing with a name that matches the name of the blueprint which was deployed. In the case of our example, the listing shows Reception Desk Printer Settings.
If you click on the Reception Desk Printer Settings listing, you should see the details of what is being managed.
Note:The MDM profiles delivered via Blueprints are not signed. This is mentioned in the documentation available via the link below:
One thing to be aware of is that the AirPrint printer may not appear automatically. To add it, use the following procedure:
1. Open System Settings
2. Go to the Printers & Scanners settings
3. Click the Add Printer, Scanner, or Fax… button.
4. Select the printer which is identified as being the following kind:
AirPrint Profile
5. Click the Add button.
The printer should set up and configure itself using the printer’s AirPrint settings.
]]>Der Flounder : Deploying device restrictions management using Blueprints in Jamf Prohttps://derflounder.wordpress.com/2025/06/25/deploying-device-restrictions-management-using-blueprints-in-jamf-pro/2025-06-25T18:54:36+00:00rtroutonAs part of Apple’s unveiling of Declarative Device Management (DDM) at WWDC 2023, Apple announced that DDM management included the ability to deploy MDM configuration profiles using DDM as the delivery mechanism in place of using MDM to deliver the profiles. Jamf Pro’s Blueprints leverages this capability to support device restrictions.
Let’s see how this works using a device restriction configuration, using the example of setting the following Apple Intelligence management functions to false in order to block the corresponding Apple Intelligence functions on macOS:
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
As of Jamf Pro 11.18.0, there is not a Blueprints template available for creating blueprints which manage device restrictions so the blueprint will need to be configured manually. To do this, use the following procedure:
1. Log into Jamf Pro.
2. Select Blueprints
3. Click the Create blueprint button.
4. Give it a name when prompted and click the Create button. For this example, I’m using Restrictions Settings for macOS.
5. You should see an unconfigured Blueprint. Scroll down in the list on the right-hand side of the browser window to locate the Restrictions component.
Note: The Restrictions component is listed as being the Legacy Payload type. In Blueprints, a Legacy Payload type indicates that this is an MDM configuration profile being delivered via DDM.
6. Click on the Restrictions component and drag the Restrictions component to the Declaration group section.
7. Mouse over the Restrictions component and you will see a Configure button appear. Click the Configure button.
8. At this point, you will see all available Restrictions settings which are available for all Apple platforms. To limit to only those options available for both macOS and Apple Intelligence, you can click the filter button and then select macOS in OS Type and Apple Intelligence in Category.
9. To apply the desired settings, select the following options and set them to false:
Allow Genmoji
Allow Image Playground
Allow Mail Smart Replies
Allow manual mail summaries
Allow writing tools
10. Once all the settings choices have been made and verified, click the Save button.
11. At this point, you should have a blueprint which has all settings configured but where no target scope has been set. To scope this blueprint, go to the Scope section and click the Open button.
For this example, I’m selecting a static group named Restrictions Deployment Group.
Once the desired smart and/or static groups have been set and verified for the scope, click the Save button.
12. Once everything has been configured, Jamf Pro should inform you that you have undeployed changes. Click the Deploy button to deploy the new restrictions settings to the Macs you want to manage.
13. Once deployed, the Blueprints screen in Jamf Pro should show the newly-created Restrictions Settings for macOS blueprint as being deployed.
You can also check on the managed device’s end by opening System Settings: General: Device Management, locating the MDM enrollment profile in the list of profiles and double-clicking on it. When you scroll to the bottom of the enrollment profile’s window, you should see a Device Declarations section.
If you’re deploying an MDM configuration profile via Blueprints, you should see a Profiles section in Device Declarations. In the Profiles section, there is a listing with a name that matches the name of the blueprint which was deployed. In the case of our example, the listing shows Restrictions Settings for macOS.
If you click on the Restrictions Settings for macOS listing, you should see the details of what is being managed.
Note: The MDM profiles delivered via Blueprints are not signed. This is mentioned in the documentation available via the link below:
]]>Der Flounder : Deploying software update management using Blueprints in Jamf Prohttps://derflounder.wordpress.com/2025/06/24/deploying-software-update-management-using-blueprints-in-jamf-pro/2025-06-24T21:37:36+00:00rtroutonAs part of Apple’s unveiling of Declarative Device Management (DDM) at WWDC 2023, Apple announced that DDM management included the ability to manage software updates. Jamf Pro’s Blueprints leverages this capability to support managing software updates. Let’s see how this works using the following software update configuration as an example:
Standard users can install Apple software updates
Logged-in users will see all software update notifications
OS updates will be automatically downloaded
OS updates will be automatically installed
Security updates will be automatically installed
Rapid Security Response updates will be installed
Rapid Security Response updates can be removed
For more details, please see below the jump.
As of Jamf Pro 11.18.0, there is not a Blueprints template available for creating blueprints which manage software updates so the blueprint will need to be configured manually. To do this, use the following procedure:
1. Log into Jamf Pro.
2. Select Blueprints
3. Click the Create blueprint button.
4. Give it a name when prompted and click the Create button. For this example, I’m using Software Update Settings.
5. You should see an unconfigured Blueprint. Scroll down in the list on the right-hand side of the browser window to locate the Software Update Settings component.
6. Click on the Software Update Settings component and drag the Software Update Settings component to the Declaration group section.
7. Mouse over the Software Update Settings component and you will see a Configure button appear.
Click the Configure button.
8. At this point, you will see all available Software Update settings which are available for all Apple platforms. To limit to only those options available for macOS, you can click the filter button and then select macOS. Once the desired filter(s) have been selected, click the Apply button.
9. To apply the following desired settings, select the following options:
Standard users can install Apple software updates:
Select Enable for Allow standard users to install software updates
Logged-in users will see all software update notifications:
Select Enable for Notification preference for updates scheduled by declarations
Once those options are selected, you’ll need to configure the Install actions and Rapid Security Response sections to achieve the following desired settings:
OS updates will be automatically downloaded
OS updates will be automatically installed
Security updates will be automatically installed
Rapid Security Response updates will be installed
Rapid Security Response updates can be removed
To access the Install actions and Rapid Security Response sections, click their associated Configure buttons.
In the Install actions section, to apply the following desired settings, select the following options:
OS updates will be automatically downloaded:
Select Always for Automatic installs of available updates
OS updates will be automatically installed:
Select Always for Automatic downloads of available OS updates
Note: Selecting Always for Automatic installs of available updates will also automatically set Always for Automatic downloads of available OS updates.
Security updates will be automatically installed:
Select Always for Automatic installs of available security updates
Once all choices have been made and verified, click the Update button.
You should now see the following items set to Always:
Automatic installs of available updates
Automatic downloads of available OS updates
Automatic installs of available security updates
From there, scroll down to the Rapid Security Response section and click the Configure button.
In the Rapid Security Response section, to apply the following desired settings, select the following options:
Rapid Security Response updates will be installed:
Select Allow for Rapid Security Response installation
Rapid Security Response updates can be removed:
Select Allow for Rapid Security Response removal
Once all choices have been made and verified, click the Update button.
You should now see the following items set to Enabled:
Rapid Security Response installation
Rapid Security Response removal
10. Once all the settings choices have been made and verified, click the Save button.
11. At this point, you should have a blueprint which has all settings configured but where no target scope has been set. To scope this blueprint, go to the Scope section and click the Open button.
For this example, I’m selecting a static group named Managed Software Update Deployment Group. Once the desired smart and/or static groups have been set and verified for the scope, click the Save button.
12. Once everything has been configured, Jamf Pro should inform you that you have undeployed changes. Click the Deploy button to deploy the changes to the Macs you want to manage.
13. Once deployed, the Blueprints screen in Jamf Pro should show the newly-created Software Update Settings blueprint as being deployed.
You can also check on the managed device’s end by opening System Settings: General: Device Management, locating the MDM enrollment profile in the list of profiles and double-clicking on it. When you scroll to the bottom of the enrollment profile’s window, you should see a Device Declarations section.
If you’re deploying a software update configuration via Blueprints, you should see a Global Settings listing for Software Update in the Device Declarations section.
If you click on the Global Settings listing, you should see the details of the configuration.
You can also see the details of what’s configured in System Settings: General: Software Update.
In this case, you can click on the ( i ) button next to the Automatic Updates section and see the settings which have been applied.
]]>Der Flounder : Extracting fonts from configuration profiles on macOS Sequoiahttps://derflounder.wordpress.com/2025/06/20/extracting-fonts-from-configuration-profiles-on-macos-sequoia/2025-06-20T23:28:10+00:00rtroutonOne way to deliver custom fonts on macOS is to deploy them via a configuration profile. In this case, you’re deploying a profile which includes a copy of the font file or files. For example, here’s how the open source Caprasimo font looks when deployed via a profile.
You can access information about the font in question using the Font Book app on macOS Sequoia.
In Font Book.app, you should see the profile-deployed font appearing in the My Fonts section. You can also access information about the font from here.
But how do you extract the font file from the profile? You can also do this using the Font Book app. For more details, see below the jump.
You can use the following procedure to export a font which was installed using a configuration profile:
1. Open Font Book.app.
2. Find the font in question and select it.
3. Under the File menu, choose the Export… option.
4. Select where you want to save the exported font file to.
5. Verify that the font file has been exported to the desired location.
