babgond

A common issue faced by Mac admins is that users can have multiple copies of an application on their system. This can be the result of users having standard user rights and running applications out of the home directories, or users reorganizing the Applications directory in a way that makes more sense to them for their needs. Meanwhile, when Mac admins need to report on whether the apps on the fleet are up to date, these additional or reorganized apps may not be patched but do show up in the software reporting as being out of date.

When you run into these situations, how to handle them? The first step is finding where the duplicates are and reporting on them. To do this, you can use the mdfind command line tool, using the kMDItemCFBundleIdentifier metadata attribute. This metadata attribute reports on the bundle identifier used by an application, so it should pick up all copies of an app which are using that unique identifier for that app. For more details, please see below the jump.

As an example case, I’m going to use the following scenario:

1. I need to locate all copies of the BBEdit app installed on a particular Mac
2. The user in question has three copies of BBEdit installed.

• In /Applications
• In a user-created BBEdit directory inside of /Applications.
• In a user-created Applications directory inside of their home folder.

BBEdit’s bundle identifier is com.barebones.bbedit, so I can use the following mdfind command to find all copies of BBEdit.app:

In the scenario described above, that should provide output similar to what’s shown below:

However, you may not necessarily want to know about /Applications/BBEdit.app as that may be the only version you want installed. To exclude /Applications/BBEdit.app from your results, you can use the grep command line tool’s -v inverse match and -E regular expression options to exclude /Applications/BBEdit.app from the list of results:

If you needed to exclude additional directories (for example, you must exclude searching the user’s home folder for privacy reasons), you can add additional regular expressions to the grep command to exclude additional undesired results. Here’s an example where you’re excluding results from /Users and for /Applications/BBEdit.app:

For our scenario, here’s a script that should identify all installed copies of BBEdit on a Mac and display a list of all copies except for /Applications/BBEdit.app:

For those who wanted a copy of my talk on managing admin rights in the enterprise at Penn State MacAdmins 2025, here are links to the slides in PDF and Keynote format.

• PDF: https://tinyurl.com/PSUMacAdmin2025pdf
• Keynote: https://tinyurl.com/PSUMacAdmin2025key

For those who wanted a copy of my talk on MDM and DDM at Penn State MacAdmins 2025, here are links to the slides in PDF and Keynote format.

• PDF: https://tinyurl.com/PSUMac2025PDF
• Keynote: https://tinyurl.com/PSUMac2025Keynote

Payload-Free Package Creator.app, an Automator application that allows the selection of an existing script and then creates a payload-free package that runs the selected script, has been updated to version 2.5.

The user experience and operations of the app have not changed from previous versions of Payload-Free Package Creator.app. The changes to Payload-Free Package Creator 2.5 are the following:

• Payload-Free Package Creator.app creates distribution installer packages using productbuild in place of the previous method, which used pkgbuild to create component installer packages.
• Payload-Free Package Creator.app is signed with current Developer ID: Application certificate.
• Payload-Free Package Creator.app is notarized.
• Installer package is now signed with current Developer ID: Installer certificate.
• Installer package is notarized.

Payload-Free Package Creator 2.5, along with all components and scripts, is available on GitHub via the link below:

https://github.com/rtrouton/Payload-Free-Package-Creator

You can download the Payload-Free Package Creator 2.5 installer via the GitHub release page for Payload-Free Package Creator 2.5:

https://github.com/rtrouton/Payload-Free-Package-Creator/releases/tag/2.5

As part of the release notes for Jamf Pro 11.18.0, it was mentioned that the Self Service+ app could now be deployed by default in place of the Self Service app (also referred to as Self Service classic.)

Choosing to deploy the Self Service+ app by default in place of the Self Service classic app will result in the following changes taking place on all macOS 13 Ventura and later Macs which are managed by that Jamf Pro server:

• Existing installations of the Self Service classic app are removed from managed Macs running macOS 13 or later.
• The Self Service+ app is installed on managed Macs running macOS 13 or later as part of a managed Mac’s next check-in with Jamf Pro
• The Self Service+ app is installed on managed Macs running macOS 13 or later following enrollment.
• The Self Service+ app is automatically updated to the latest version of Self Service+ as new Self Service+ updates are released.

Managed Macs running macOS 12 Monterey or earlier will not have these changes occur. These Macs will continue to use the Self Service classic app.

For more details, please see below the jump.

To enable the Self Service+ app for default deployment to managed Macs running macOS 13 Ventura and later, please use the following procedure:

1. Log into Jamf Pro with an administrator account.

2. Go to Settings: Jamf Apps

3. Select Self Service+

4. In the Self Service+ settings, select the checkbox for Use Self Service+ as the default end user application.

5. Verify the setting is set as desired. Once verified, click the Save button.

Note: Once this option is enabled, all managed Macs running macOS 13 or later will use only the Self Service+ app. It will not be possible to run both the Self Service+ app and the Self Service classic app on the same computer.

Once enabled, you should expect to see the following:

• The Self Service+ app be deployed to all macOS 13 Ventura and later Macs which are managed by that Jamf Pro server.
• The Self Service classic app be removed from all macOS 13 Ventura and later Macs which are managed by that Jamf Pro server.

For those who want to test the Self Service+ app while continuing to use the Self Service classic app, please see the documentation linked below:

Deploying Self Service+ to End User Devices Using a Policy:

https://learn.jamf.com/en-US/bundle/self-service-plus-documentation/page/Self_Service_Installation.html

As part of Apple’s unveiling of Declarative Device Management (DDM) at WWDC 2023, Apple announced that DDM management included the ability to deploy MDM configuration profiles using DDM as the delivery mechanism in place of using MDM to deliver the profiles. Jamf Pro’s Blueprints leverages this capability to support deploying printers which can use AirPrint. Let’s see how this works with an AirPrint configuration, using an AirPrint-compatible printer which is set to use the following static IP address:

10.0.1.10

For more details, please see below the jump.

The first thing we need to do is use the ippfind command line tool to discover information about the printer we want to set up and print to. This process is described as part of Apple’s documentation for AirPrint payload settings for Apple devices, available via the link below:

https://support.apple.com/guide/deployment/airprint-payload-settings-dep3b4cf515/web (see the Set up an AirPrint printer in Apple Configurator for Mac section.)

Use the procedure below to discover the information needed:

1. Open Terminal.

2. Run the following command without root privileges:

ippfind

In this example, we’re getting back the following information about the printer:

From this, we can see the following information about the printer:

• Bonjour hostname: BRN466371FFF599.local
• Port number: 631
• Resource path: /ipp/print

We can use the BRN466371FFF599.local hostname to look up what the IP address of the responding printer is, which in this example is going to be the following IP address:

10.0.1.10

The port number is 631, or the default for the IPP protocol.

The resource path is /ipp/print, which we will need for setting up the AirPrint configuration in Blueprints.

Once we have this information, we’re ready to set up the AirPrint printer settings for deployment using Blueprints.

As of Jamf Pro 11.18.0, there is not a Blueprints template available for creating blueprints which manage AirPrint settings so the blueprint will need to be configured manually. To do this, use the following procedure:

1. Log into Jamf Pro.

2. Select Blueprints

3. Click the Create blueprint button.

4. Give it a name when prompted and click the Create button. For this example, I’m using Reception Desk Printer Settings.

5. You should see an unconfigured Blueprint. Scroll down in the list on the right-hand side of the browser window to locate the AirPrint component.

Note: AirPrint is listed as Legacy Payload. In Blueprints, a Legacy Payload type indicates that this is an MDM configuration profile being delivered via DDM.

6. Click on the AirPrint component and drag the AirPrint component to the Declaration group section.

7. Mouse over the AirPrint component and you will see a Configure button appear. Click the Configure button.

8. At this point, you will see an Air print section without any listed printers. Click the Add New Item button.

9. To add the settings for the printer in this example, set the following entries as follows:

• IP Address:
  • 10.0.1.10
• Resource path:
  • /ipp/print
• Port Number:
  • Make no changes
• Force TLS:
  • Make no changes

Note: Because we verified earlier that this printer is using port 631, which is the default port for the IPP protocol, it is not necessary to set the port number in the example AirPrint configuration we’re creating. In the event a printer does not use port 631, it would be necessary to set the port number here in the AirPrint configuration.

Likewise, if the printer was using TLS to secure the printer connection, it may be necessary to use the Force TLS setting. In this example, TLS is not being used so it is not necessary to configure the Force TLS setting.

10. Once all the settings choices have been made and verified, click the Save button.

11. At this point, you should have a blueprint which has all settings configured but where no target scope has been set. To scope this blueprint, go to the Scope section and click the Open button.

For this example, I’m selecting a static group named Printer Deployment Group.

Once the desired smart and/or static groups have been set and verified for the scope, click the Save button.

12. Once everything has been configured, Jamf Pro should inform you that you have undeployed changes. Click the Deploy button to deploy the changes to the Macs you want to manage.

13. Once deployed, the Blueprints screen in Jamf Pro should show the newly-created Reception Desk Printer Settings blueprint as being deployed.

You can also check on the managed device’s end by opening System Settings: General: Device Management, locating the MDM enrollment profile in the list of profiles and double-clicking on it. When you scroll to the bottom of the enrollment profile’s window, you should see a Device Declarations section.

If you’re deploying a legacy profile via Blueprints, you should see a Profiles section in Device Declarations. In the Profiles section, there is a listing with a name that matches the name of the blueprint which was deployed. In the case of our example, the listing shows Reception Desk Printer Settings.

If you click on the Reception Desk Printer Settings listing, you should see the details of what is being managed.

Note: The MDM profiles delivered via Blueprints are not signed. This is mentioned in the documentation available via the link below:

https://learn.jamf.com/en-US/bundle/jamf-pro-blueprints-configuration-guide/page/Blueprint_Builder.html

One thing to be aware of is that the AirPrint printer may not appear automatically. To add it, use the following procedure:

1. Open System Settings

2. Go to the Printers & Scanners settings

3. Click the Add Printer, Scanner, or Fax… button.

4. Select the printer which is identified as being the following kind:

AirPrint Profile

5. Click the Add button.

The printer should set up and configure itself using the printer’s AirPrint settings.

As part of Apple’s unveiling of Declarative Device Management (DDM) at WWDC 2023, Apple announced that DDM management included the ability to deploy MDM configuration profiles using DDM as the delivery mechanism in place of using MDM to deliver the profiles. Jamf Pro’s Blueprints leverages this capability to support device restrictions.

Let’s see how this works using a device restriction configuration, using the example of setting the following Apple Intelligence management functions to false in order to block the corresponding Apple Intelligence functions on macOS:

For more details, please see below the jump.

As of Jamf Pro 11.18.0, there is not a Blueprints template available for creating blueprints which manage device restrictions so the blueprint will need to be configured manually. To do this, use the following procedure:

1. Log into Jamf Pro.

2. Select Blueprints

3. Click the Create blueprint button.

4. Give it a name when prompted and click the Create button. For this example, I’m using Restrictions Settings for macOS.

5. You should see an unconfigured Blueprint. Scroll down in the list on the right-hand side of the browser window to locate the Restrictions component.

Note: The Restrictions component is listed as being the Legacy Payload type. In Blueprints, a Legacy Payload type indicates that this is an MDM configuration profile being delivered via DDM.

6. Click on the Restrictions component and drag the Restrictions component to the Declaration group section.

7. Mouse over the Restrictions component and you will see a Configure button appear. Click the Configure button.

8. At this point, you will see all available Restrictions settings which are available for all Apple platforms. To limit to only those options available for both macOS and Apple Intelligence, you can click the filter button and then select macOS in OS Type and Apple Intelligence in Category.

9. To apply the desired settings, select the following options and set them to false:

• Allow Genmoji
• Allow Image Playground
• Allow Mail Smart Replies
• Allow manual mail summaries
• Allow writing tools

10. Once all the settings choices have been made and verified, click the Save button.

11. At this point, you should have a blueprint which has all settings configured but where no target scope has been set. To scope this blueprint, go to the Scope section and click the Open button.

For this example, I’m selecting a static group named Restrictions Deployment Group.

Once the desired smart and/or static groups have been set and verified for the scope, click the Save button.

12. Once everything has been configured, Jamf Pro should inform you that you have undeployed changes. Click the Deploy button to deploy the new restrictions settings to the Macs you want to manage.

13. Once deployed, the Blueprints screen in Jamf Pro should show the newly-created Restrictions Settings for macOS blueprint as being deployed.

You can also check on the managed device’s end by opening System Settings: General: Device Management, locating the MDM enrollment profile in the list of profiles and double-clicking on it. When you scroll to the bottom of the enrollment profile’s window, you should see a Device Declarations section.

If you’re deploying an MDM configuration profile via Blueprints, you should see a Profiles section in Device Declarations. In the Profiles section, there is a listing with a name that matches the name of the blueprint which was deployed. In the case of our example, the listing shows Restrictions Settings for macOS.

If you click on the Restrictions Settings for macOS listing, you should see the details of what is being managed.

Note: The MDM profiles delivered via Blueprints are not signed. This is mentioned in the documentation available via the link below:

https://learn.jamf.com/en-US/bundle/jamf-pro-blueprints-configuration-guide/page/Blueprint_Builder.html

As part of Apple’s unveiling of Declarative Device Management (DDM) at WWDC 2023, Apple announced that DDM management included the ability to manage software updates. Jamf Pro’s Blueprints leverages this capability to support managing software updates. Let’s see how this works using the following software update configuration as an example:

• Standard users can install Apple software updates
• Logged-in users will see all software update notifications
• OS updates will be automatically downloaded
• OS updates will be automatically installed
• Security updates will be automatically installed
• Rapid Security Response updates will be installed
• Rapid Security Response updates can be removed

For more details, please see below the jump.

As of Jamf Pro 11.18.0, there is not a Blueprints template available for creating blueprints which manage software updates so the blueprint will need to be configured manually. To do this, use the following procedure:

1. Log into Jamf Pro.

2. Select Blueprints

3. Click the Create blueprint button.

4. Give it a name when prompted and click the Create button. For this example, I’m using Software Update Settings.

5. You should see an unconfigured Blueprint. Scroll down in the list on the right-hand side of the browser window to locate the Software Update Settings component.

6. Click on the Software Update Settings component and drag the Software Update Settings component to the Declaration group section.

7. Mouse over the Software Update Settings component and you will see a Configure button appear.

Click the Configure button.

8. At this point, you will see all available Software Update settings which are available for all Apple platforms. To limit to only those options available for macOS, you can click the filter button and then select macOS. Once the desired filter(s) have been selected, click the Apply button.

9. To apply the following desired settings, select the following options:

• Standard users can install Apple software updates:

Select Enable for Allow standard users to install software updates

• Logged-in users will see all software update notifications:

Select Enable for Notification preference for updates scheduled by declarations

Once those options are selected, you’ll need to configure the Install actions and Rapid Security Response sections to achieve the following desired settings:

• OS updates will be automatically downloaded
• OS updates will be automatically installed
• Security updates will be automatically installed
• Rapid Security Response updates will be installed
• Rapid Security Response updates can be removed

To access the Install actions and Rapid Security Response sections, click their associated Configure buttons.

In the Install actions section, to apply the following desired settings, select the following options:

• OS updates will be automatically downloaded:

Select Always for Automatic installs of available updates

• OS updates will be automatically installed:

Select Always for Automatic downloads of available OS updates

Note: Selecting Always for Automatic installs of available updates will also automatically set Always for Automatic downloads of available OS updates.

• Security updates will be automatically installed:

Select Always for Automatic installs of available security updates

Once all choices have been made and verified, click the Update button.

You should now see the following items set to Always:

• Automatic installs of available updates
• Automatic downloads of available OS updates
• Automatic installs of available security updates

From there, scroll down to the Rapid Security Response section and click the Configure button.

In the Rapid Security Response section, to apply the following desired settings, select the following options:

• Rapid Security Response updates will be installed:

Select Allow for Rapid Security Response installation

• Rapid Security Response updates can be removed:

Select Allow for Rapid Security Response removal

Once all choices have been made and verified, click the Update button.

You should now see the following items set to Enabled:

• Rapid Security Response installation
• Rapid Security Response removal

10. Once all the settings choices have been made and verified, click the Save button.

11. At this point, you should have a blueprint which has all settings configured but where no target scope has been set. To scope this blueprint, go to the Scope section and click the Open button.

For this example, I’m selecting a static group named Managed Software Update Deployment Group. Once the desired smart and/or static groups have been set and verified for the scope, click the Save button.

12. Once everything has been configured, Jamf Pro should inform you that you have undeployed changes. Click the Deploy button to deploy the changes to the Macs you want to manage.

13. Once deployed, the Blueprints screen in Jamf Pro should show the newly-created Software Update Settings blueprint as being deployed.

You can also check on the managed device’s end by opening System Settings: General: Device Management, locating the MDM enrollment profile in the list of profiles and double-clicking on it. When you scroll to the bottom of the enrollment profile’s window, you should see a Device Declarations section.

If you’re deploying a software update configuration via Blueprints, you should see a Global Settings listing for Software Update in the Device Declarations section.

If you click on the Global Settings listing, you should see the details of the configuration.

You can also see the details of what’s configured in System Settings: General: Software Update.

In this case, you can click on the ( i ) button next to the Automatic Updates section and see the settings which have been applied.

One way to deliver custom fonts on macOS is to deploy them via a configuration profile. In this case, you’re deploying a profile which includes a copy of the font file or files. For example, here’s how the open source Caprasimo font looks when deployed via a profile.

You can access information about the font in question using the Font Book app on macOS Sequoia.

In Font Book.app, you should see the profile-deployed font appearing in the My Fonts section. You can also access information about the font from here.

But how do you extract the font file from the profile? You can also do this using the Font Book app. For more details, see below the jump.

You can use the following procedure to export a font which was installed using a configuration profile:

1. Open Font Book.app.

2. Find the font in question and select it.

3. Under the File menu, choose the Export… option.

4. Select where you want to save the exported font file to.

5. Verify that the font file has been exported to the desired location.

One of the user interface features in macOS is what Apple refers to as Vibrancy, where the color displayed for Finder windows, menus, the Dock, the menubar and other interfaces subtly change to reflect the colors behind them. This produces a translucent visual effect for those interfaces.

This feature, first introduced in OS X 10.10 Yosemite, can come at a cost in terms of processor and GPU resources because this visual effect is being recalculated and redrawn as needed. For those who want to reclaim those resources, it’s possible to turn Vibrancy off if needed. On macOS Sequoia, this is managed via the following setting in System Settings:

System Settings: Accessibility: Display: Reduce Transparency

With the Reduce transparency setting enabled, Vibrancy is turned off and the various interface components should change from their Vibrancy-managed translucent appearance to a non-translucent gray appearance.

As of macOS Sequoia, it does not appear to be possible to manage the Reduce transparency setting using a defaults command but it is possible to manage it via a configuration profile. For more details, please see below the jump.

The relevant preference domain and key values are below:

• Preference domain: com.apple.universalaccess
• Key: reduceTransparency
• Value: Boolean

Setting a boolean value of true will disable Vibrancy on macOS Sequoia. I’ve built a configuration profile with the boolean value of true set, where the profile is available on GitHub via the link below:

https://github.com/rtrouton/profiles/tree/main/ReduceTransparency