babgond http://www.babgond.com/moonmoon/ 2025-02-28T02:44:14Z Author

Der Flounder : Allowing Notification Center notifications to appear during screen recordings on macOS Sequoia
https://derflounder.wordpress.com/2025/02/24/allowing-notification-center-notifications-to-appear-during-screen-recordings-on-macos-sequoia/
2025-02-24T16:29:32+00:00 rtrouton

As part of making some screen recordings of app behavior recently, I noticed that the Notification Center notifications I was expecting to see weren’t appearing. As soon as I stopped making the screen recordings and replicated what I was doing, I saw the Notification Center notifications appear like they should.

After verifying that I hadn’t somehow enabled Focus or done something else to stop Notification Center notifications from appearing, I did some research which uncovered the solution. For more details, please see below the jump.

As part of the Notifications preferences in the Settings app, there is the following option:

Allow notifications when mirroring or sharing the display

 

This setting also apparently includes making screen recordings, because enabling it allowed Notification Center notifications to appear during screen recordings. To enable this setting, please use the following procedure:

1. Open Settings

2. Go to Notifications.

3. Enable the Allow notifications when mirroring or sharing the display setting.

 

You should now see notifications appearing while mirroring, sharing the display, or when making screen recordings.

Der Flounder : Managing Apple Intelligence features on macOS Sequoia 15.3
https://derflounder.wordpress.com/2025/01/29/managing-apple-intelligence-features-on-macos-sequoia-15-3/
2025-01-29T16:08:18+00:00 rtrouton

As a follow-up to my earlier posts on managing Apple Intelligence features on macOS Sequoia 15.1 and 15.2, Apple has added a couple of new management options for Apple Intelligence as part of the release of macOS Sequoia 15.3. For more details, please see below the jump.

As of macOS 15.3, management options are available for the following Apple Intelligence functionality:

  • Genmoji
  • Image Playground
  • Writing Tools
  • Summarizing emails
  • Enabling Siri to connect to third party cloud-based intelligence services
  • Managing non-anonymous login to third party cloud-based intelligence services
  • Allowing third party cloud-based intelligence service workspace IDs
  • Notes transcription summaries

The relevant key values are below:



| Restriction | Setting available in version | Description | Key | Key value | Default setting in macOS |
| --- | --- | --- | --- | --- | --- |
| Allow Image Playground | macOS 15.0.0 | If key value is set to FALSE, prohibits the use of image generation. | allowImagePlayground | Boolean | TRUE |
| Allow Writing Tools | macOS 15.0.0 | If key value is set to FALSE, allows only anonymous access to external services | allowWritingTools | Boolean | TRUE |
| Allow Genmoji | macOS 15.0.0 | If key value is set to FALSE, disables Genmoji | allowGenmoji | Boolean | TRUE |
| Allow Mail Summary | macOS 15.1.0 | If key value is set to FALSE, prohibits the ability to create email summaries | allowMailSummary | Boolean | TRUE |
| Allow External Intelligence Integrations | macOS 15.2.0 | If key value is set to FALSE, prohibits integrations with external services including ChatGPT and Google Gemini | allowExternalIntelligenceIntegrations | Boolean | TRUE |
| Allow External Intelligence Sign-Ins | macOS 15.2.0 | If key value is set to FALSE, prohibits the ability to create email summaries | allowExternalIntelligenceIntegrationsSignIn | Boolean | TRUE |
| Allow External Intelligence Workspace IDs | macOS 15.3.0 | If key value is set to the correct workspace ID string, Apple Intelligence will only allow the given external integration workspace ID to be used and will require a sign-in in order to make requests | allowedExternalIntelligenceWorkspaceIDs | String | None |
| Allow Notes Transcription Summary | macOS 15.3.0 | If key value is set to FALSE, disables transcription summarization in Notes. | allowNotesTranscriptionSummary | Boolean | TRUE |

It’s important to note that while all of the settings listed above work on macOS Sequoia 15.3, not all work on earlier versions of macOS Sequoia. Here’s the compatibility list:

macOS 15.0 and later:

  • allowGenmoji
  • allowImagePlayground
  • allowWritingTools

macOS 15.1 and later:

  • allowMailSummary

macOS 15.2 and later:

  • allowExternalIntelligenceIntegrations
  • allowExternalIntelligenceIntegrationsSignIn

macOS 15.3 and later:

  • allowedExternalIntelligenceWorkspaceIDs
  • allowNotesTranscriptionSummary

Most of these settings can be managed by a configuration profile, where setting a boolean value of false will disable the Apple Intelligence feature in question. The one exception at this point is the one for managing workspace IDs for allowed external intelligence integrations, which uses a string value. An example profile which allows one workspace ID is available below:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Restrictions</string>
<key>PayloadIdentifier</key>
<string>com.apple.applicationaccess.CF921560-2717-4986-8885-4FC8002C6BF7</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadUUID</key>
<string>CF921560-2717-4986-8885-4FC8002C6BF7</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowedExternalIntelligenceWorkspaceIDs</key>
<array>
<string>workspace_id_goes_here</string>
</array>
</dict>
</array>
<key>PayloadDescription</key>
<string>Allows External Intelligence Integrations using specific Workspace ID</string>
<key>PayloadDisplayName</key>
<string>Apple Intelligence Allow External Intelligence Workspace ID</string>
<key>PayloadIdentifier</key>
<string>14A04D12-F054-4E11-8943-D55DA53A61E9</string>
<key>PayloadOrganization</key>
<string>Company Name</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>14A04D12-F054-4E11-8943-D55DA53A61E9</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

If you need to allow the use of multiple workspace IDs, an example profile which allows multiple workspace IDs is available below:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Restrictions</string>
<key>PayloadIdentifier</key>
<string>com.apple.applicationaccess.CF921560-2717-4986-8885-4FC8002C6BF7</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadUUID</key>
<string>CF921560-2717-4986-8885-4FC8002C6BF7</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowedExternalIntelligenceWorkspaceIDs</key>
<array>
<string>first_workspace_id_goes_here</string>
<string>second_workspace_id_goes_here</string>
<string>third_workspace_id_goes_here</string>
</array>
</dict>
</array>
<key>PayloadDescription</key>
<string>Allows External Intelligence Integrations using specific Workspace ID</string>
<key>PayloadDisplayName</key>
<string>Apple Intelligence Allow External Intelligence Workspace ID</string>
<key>PayloadIdentifier</key>
<string>14A04D12-F054-4E11-8943-D55DA53A61E9</string>
<key>PayloadOrganization</key>
<string>Company Name</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>14A04D12-F054-4E11-8943-D55DA53A61E9</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
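
Before deploying profiles like the ones above, it helps to check them against the compatibility list for the macOS version a Mac is actually running. The following is an added example, not code from the original post: the status labels, the `_goes_here` placeholder check and the sample profile (including its identifiers and UUIDs) are constructed for illustration, and the array type for the workspace ID key follows the example profiles shown above.

```python
import plistlib

# Key -> (minimum macOS version, expected type after plist parsing).
# Versions are taken from the compatibility list in this post; the list type
# for the workspace ID key follows the example profiles (<array> of <string>).
AI_KEYS = {
    "allowGenmoji": ((15, 0), bool),
    "allowImagePlayground": ((15, 0), bool),
    "allowWritingTools": ((15, 0), bool),
    "allowMailSummary": ((15, 1), bool),
    "allowExternalIntelligenceIntegrations": ((15, 2), bool),
    "allowExternalIntelligenceIntegrationsSignIn": ((15, 2), bool),
    "allowedExternalIntelligenceWorkspaceIDs": ((15, 3), list),
    "allowNotesTranscriptionSummary": ((15, 3), bool),
}


def _status(value, expected, min_version, macos_version):
    """Classify one key/value pair for a Mac running macos_version."""
    if expected is bool and not isinstance(value, bool):
        return "wrong-type"  # e.g. <string>false</string> instead of <false/>
    if expected is list:
        if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
            return "wrong-type"
        if any(v.endswith("_goes_here") for v in value):
            return "placeholder-workspace-id"  # template value never replaced
    if macos_version < min_version:
        return "needs-macos-%d.%d" % min_version
    return "ok"


def audit_profile(profile_bytes, macos_version):
    """Return {key: status} for every Apple Intelligence key found in the
    profile's com.apple.applicationaccess payloads.
    macos_version is a (major, minor) tuple such as (15, 2)."""
    profile = plistlib.loads(profile_bytes)
    results = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key, value in payload.items():
            if key in AI_KEYS:
                min_version, expected = AI_KEYS[key]
                results[key] = _status(value, expected, min_version, macos_version)
    return results


def unmanaged_keys(results, macos_version):
    """Keys the target macOS version supports but the profile does not set,
    so those features stay at their default setting."""
    return sorted(k for k, (min_v, _) in AI_KEYS.items()
                  if min_v <= macos_version and k not in results)


# Constructed sample profile (identifiers and UUIDs are made up for this example).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadIdentifier</key>
<string>com.example.constructed.restrictions</string>
<key>PayloadUUID</key>
<string>00000000-0000-4000-8000-000000000001</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowGenmoji</key>
<false/>
<key>allowMailSummary</key>
<string>false</string>
<key>allowNotesTranscriptionSummary</key>
<false/>
<key>allowedExternalIntelligenceWorkspaceIDs</key>
<array>
<string>workspace_id_goes_here</string>
</array>
</dict>
</array>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadIdentifier</key>
<string>com.example.constructed.profile</string>
<key>PayloadUUID</key>
<string>00000000-0000-4000-8000-000000000002</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
"""

if __name__ == "__main__":
    report = audit_profile(SAMPLE_PROFILE, (15, 2))
    for key, status in sorted(report.items()):
        print(f"{key}: {status}")
    print("unmanaged:", unmanaged_keys(report, (15, 2)))
```
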

Please see below for example profiles. The example profiles are also available via the following links:

Note: If you’re planning to use the example profiles with Jamf Pro, they will need to be signed before they can be uploaded to Jamf Pro. If you’re not familiar with how to sign profiles, the post linked below is a good guide to how that process works:

https://macblog.org/sign-configuration-profiles/

Genmoji:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Restrictions</string>
<key>PayloadIdentifier</key>
<string>com.apple.applicationaccess.1281701E-9695-4447-9028-4962C25162FF</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadUUID</key>
<string>1281701E-9695-4447-9028-4962C25162FF</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowGenmoji</key>
<false/>
</dict>
</array>
<key>PayloadDescription</key>
<string>Disables creation of new Genmoji</string>
<key>PayloadDisplayName</key>
<string>Apple Intelligence Disable Genmoji</string>
<key>PayloadIdentifier</key>
<string>B83678F5-B2CB-467C-A89F-73F2E2E1346C</string>
<key>PayloadOrganization</key>
<string>Company Name</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>B83678F5-B2CB-467C-A89F-73F2E2E1346C</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

Image Playground:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Restrictions</string>
<key>PayloadIdentifier</key>
<string>com.apple.applicationaccess.4FDE23F1-2652-4653-813C-205C9B86C0F5</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadUUID</key>
<string>4FDE23F1-2652-4653-813C-205C9B86C0F5</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowImagePlayground</key>
<false/>
</dict>
</array>
<key>PayloadDescription</key>
<string>Disables Image Playground and prohibits the use of image generation</string>
<key>PayloadDisplayName</key>
<string>Apple Intelligence Disable Image Playground</string>
<key>PayloadIdentifier</key>
<string>5596EE02-5B47-4B4C-B3F0-AA531C1E9AEB</string>
<key>PayloadOrganization</key>
<string>Company Name</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>5596EE02-5B47-4B4C-B3F0-AA531C1E9AEB</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

Writing Tools:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Restrictions</string>
<key>PayloadIdentifier</key>
<string>com.apple.applicationaccess.2C74FDD6-E3CD-4E3B-9193-CD4818452895</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadUUID</key>
<string>2C74FDD6-E3CD-4E3B-9193-CD4818452895</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowWritingTools</key>
<false/>
</dict>
</array>
<key>PayloadDescription</key>
<string>Disables Apple Intelligence writing tools</string>
<key>PayloadDisplayName</key>
<string>Apple Intelligence Disable Writing Tools</string>
<key>PayloadIdentifier</key>
<string>FDDB4857-545D-4538-9C0B-B8ED78FFCE3E</string>
<key>PayloadOrganization</key>
<string>Company Name</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>FDDB4857-545D-4538-9C0B-B8ED78FFCE3E</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

Summarize emails:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Restrictions</string>
<key>PayloadIdentifier</key>
<string>com.apple.applicationaccess.6DD01B26-8368-45FE-A4F7-35F4CD153E5D</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadUUID</key>
<string>6DD01B26-8368-45FE-A4F7-35F4CD153E5D</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowMailSummary</key>
<false/>
</dict>
</array>
<key>PayloadDescription</key>
<string>Disables Mail Summary and prohibits the ability to create email summaries</string>
<key>PayloadDisplayName</key>
<string>Apple Intelligence Disable Mail Summary</string>
<key>PayloadIdentifier</key>
<string>45B76C44-A61D-4A1B-82B9-6118B18DB129</string>
<key>PayloadOrganization</key>
<string>Company Name</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>45B76C44-A61D-4A1B-82B9-6118B18DB129</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

Block Siri from connecting to third party cloud-based intelligence services:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Restrictions</string>
<key>PayloadIdentifier</key>
<string>com.apple.applicationaccess.69140388-BF31-4C0E-A791-F8EFDCB54C49</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadUUID</key>
<string>69140388-BF31-4C0E-A791-F8EFDCB54C49</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowExternalIntelligenceIntegrations</key>
<false/>
</dict>
</array>
<key>PayloadDescription</key>
<string>Disables External Intelligence Integrations and prohibits integrations with external services including ChatGPT and Google Gemini</string>
<key>PayloadDisplayName</key>
<string>Apple Intelligence Disable External Intelligence Integrations</string>
<key>PayloadIdentifier</key>
<string>2B3EE9B6-249E-44DD-B9A6-1E71F72A7E34</string>
<key>PayloadOrganization</key>
<string>Company Name</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>2B3EE9B6-249E-44DD-B9A6-1E71F72A7E34</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

Disable non-anonymous login to third party cloud-based intelligence services:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Restrictions</string>
<key>PayloadIdentifier</key>
<string>com.apple.applicationaccess.EB34F905-0ED5-4E29-9A4A-5AE77F4D6652</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadUUID</key>
<string>EB34F905-0ED5-4E29-9A4A-5AE77F4D6652</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowExternalIntelligenceIntegrationsSignIn</key>
<false/>
</dict>
</array>
<key>PayloadDescription</key>
<string>Disables External Intelligence Sign-in and allows only anonymous access to external services</string>
<key>PayloadDisplayName</key>
<string>Apple Intelligence Disable External Intelligence Logins</string>
<key>PayloadIdentifier</key>
<string>995CBF19-0AE8-4098-93A3-A87812366961</string>
<key>PayloadOrganization</key>
<string>Company Name</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>995CBF19-0AE8-4098-93A3-A87812366961</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

Allow external intelligence workspace IDs:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Restrictions</string>
<key>PayloadIdentifier</key>
<string>com.apple.applicationaccess.CF921560-2717-4986-8885-4FC8002C6BF7</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadUUID</key>
<string>CF921560-2717-4986-8885-4FC8002C6BF7</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowedExternalIntelligenceWorkspaceIDs</key>
<array>
<string>workspace_id_goes_here</string>
</array>
</dict>
</array>
<key>PayloadDescription</key>
<string>Allows External Intelligence Integrations using specific Workspace ID</string>
<key>PayloadDisplayName</key>
<string>Apple Intelligence Allow External Intelligence Workspace ID</string>
<key>PayloadIdentifier</key>
<string>14A04D12-F054-4E11-8943-D55DA53A61E9</string>
<key>PayloadOrganization</key>
<string>Company Name</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>14A04D12-F054-4E11-8943-D55DA53A61E9</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

Notes transcription summaries:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Restrictions</string>
<key>PayloadIdentifier</key>
<string>com.apple.applicationaccess.50642C07-6992-47E0-A0BB-A777068878B4</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadUUID</key>
<string>50642C07-6992-47E0-A0BB-A777068878B4</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowNotesTranscriptionSummary</key>
<false/>
</dict>
</array>
<key>PayloadDescription</key>
<string>Disables Apple Intelligence transcription summary for Notes</string>
<key>PayloadDisplayName</key>
<string>Apple Intelligence Disable Notes Transcription Summary</string>
<key>PayloadIdentifier</key>
<string>0FDA9EBB-31CF-40DD-84CF-1EF76B8992CF</string>
<key>PayloadOrganization</key>
<string>Company Name</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>0FDA9EBB-31CF-40DD-84CF-1EF76B8992CF</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

Der Flounder : Generating randomized long usernames for Jamf Pro standard user accounts
https://derflounder.wordpress.com/2025/01/12/generating-randomized-long-usernames-for-jamf-pro-standard-users/
2025-01-12T20:04:20+00:00 rtrouton

One of the options available in Jamf Pro is creating user accounts which are specific to a Jamf Pro instance. These user accounts can be used for a variety of purposes, including service accounts and emergency use admin accounts for Jamf Pro’s failover functionality for SSO. One limitation of Jamf Pro standard user accounts is that as of this time the authentication option for Jamf Pro standard accounts is username and password. For Jamf Pro standard user accounts, you can set a password policy which allows you to configure the following options:

  • Number of login attempts allowed before a Jamf Pro user is locked out of the account
  • Password length and age
  • Password reuse limitations
  • Password complexity

However, the password is not the only option you’re setting when creating a Jamf Pro standard user. Assuming that this is an account not tied to a specific person (as would be the case for a service account or an emergency use admin account), you can set the username to a long randomized string. This can help secure the account because an attacker needs both the username and password for an account in order to authenticate, and the long randomized string should make it more difficult for an attacker to guess the username. For more details, please see below the jump.

The Jamf Pro standard user’s username field can support up to 255 characters. The username field itself supports using lowercase letters and numbers when creating usernames. Within this 255 character limit, you can set a very long randomized string as the username.

Note: The Jamf Pro standard user’s username field should be able to support more than lowercase letters and numbers, but in my experience usernames are normally set using lowercase letters and numbers, like this:

localadmin121

Usernames are usually not set using the following:

  • UPPERCASE LETTERS
  • Special characters like the following: ! @ # $ % ^ & * ( ) – _ = + \ | [ ] { } ; : / ? . >

When folks historically don’t do something, it also usually means that there hasn’t been a lot of testing of those conditions. In turn, that may mean there are yet-undiscovered problems which can crop up.

For this reason, I’m going to stick with only using lowercase letters and numbers in the examples used in this blog post. It’s possible the use of uppercase letters and special characters is just fine and setting a username like LOLRICHISWRONG!@()_ works without problems, but I’ll leave further experimentation on this topic to my readers and for this post stick with a format which I see the fewest problems with: lowercase letters and numbers.

To leave some room in the character limit, let’s generate a username which is 250 characters long which is a randomized string of lowercase letters and numbers. You can do this using the following command:


export LC_CTYPE=C.UTF-8; tr -dc 'a-z0-9' </dev/urandom | head -c 250


Note: The export LC_CTYPE=C.UTF-8 part of the command is there because the tr command will otherwise return tr: Illegal byte sequence on macOS when working with /dev/urandom’s output:

https://andres.jaimes.net/linux/random-string/

That command should return a 250 character string like the one shown below:


hvr91onhenfmk3jalcc2zopih2l7kqx3gx0i0dgb2cf8jdrm6kkvgo6h0z0039o0p5urvbccxsjhrn065n1k6ju7lo9m13isrtkgg1b1jp4519f7405last3gcxrdf0406725kbtfhxh2iln8loxtbu3iixqq6jn41i43tr76rrj556bg4a25jtg1818m0ugoxo0xns5wg7iutmwitkv4edyh14gborjjr16orn3tfdeeawx6uqx3dov4o



username@computername ~ % export LC_CTYPE=C.UTF-8; tr -dc 'a-z0-9' </dev/urandom | head -c 250
hvr91onhenfmk3jalcc2zopih2l7kqx3gx0i0dgb2cf8jdrm6kkvgo6h0z0039o0p5urvbccxsjhrn065n1k6ju7lo9m13isrtkgg1b1jp4519f7405last3gcxrdf0406725kbtfhxh2iln8loxtbu3iixqq6jn41i43tr76rrj556bg4a25jtg1818m0ugoxo0xns5wg7iutmwitkv4edyh14gborjjr16orn3tfdeeawx6uqx3dov4o
username@computername ~ %


You can then use that string when creating a Jamf Pro standard user.

Der Flounder : Disabling Apple Mail website link previews compose option on macOS Sequoia
https://derflounder.wordpress.com/2025/01/05/disabling-apple-mail-website-link-previews-compose-option-on-macos-sequoia/
2025-01-05T22:52:25+00:00 rtrouton

Beginning with macOS Ventura, Apple’s Mail app adds a rich link preview when you’re composing an email and paste a web address into the email window. For example, here’s how it looks when I paste the following URL into a new email:

https://wwww.apple.com

 

For those who find this behavior undesirable and wish to turn it off, it can be disabled using the following process:

 

1. Launch Mail

2. Under the Mail menu, select Settings.

3. In the Settings window, select the Composing option.

4. Uncheck the Add link previews option.

 

With this option disabled, here’s how it looks when I paste the following URL into a new email:

 

https://wwww.apple.com

 

 

I have not found a way to disable the Add link previews option in Apple’s Mail app on macOS Sequoia using a defaults command, but it is possible to disable the Add link previews option using a configuration profile. For more details, please see below the jump.

The relevant preference domain and key values are below:

  • Preference domain: com.apple.mail
  • Key: AddLinkPreviews
  • Value: Boolean

Setting a boolean value of false will disable the Add link previews option in Apple’s Mail app on macOS Sequoia. I’ve built a configuration profile with the boolean value of false set, where the profile is available on GitHub via the link below:

https://github.com/rtrouton/profiles/tree/main/AppleMailDisableLinkPreviews

Der Flounder : Suppressing the Welcome to Mac screen with a configuration profile on macOS Sequoia
https://derflounder.wordpress.com/2025/01/04/suppressing-the-welcome-to-mac-screen-with-a-configuration-profile-on-macos-sequoia/
2025-01-04T19:17:05+00:00 rtrouton

Over the years, Apple has introduced a number of screens which appear the first time you log into a Mac and sometimes also after an OS update. Apple added a new Welcome to Mac screen as part of macOS Sequoia. This screen appears before you are given access to the Desktop.

I have not found a way to suppress this screen using a defaults command, but it is possible to suppress the Welcome to Mac screen on macOS Sequoia using a configuration profile. For more details, please see below the jump.

The relevant preference domain and key values are below:

  • Preference domain: com.apple.SetupAssistant.managed
  • Key: SkipSetupItems
  • Value: Welcome

The profile is available on GitHub via the link below:

https://github.com/rtrouton/profiles/blob/main/SkipWelcomeToMacSetup

Der Flounder : Detecting successful MDM command execution on macOS Sequoia
https://derflounder.wordpress.com/2024/12/21/detecting-successful-mdm-command-execution-on-macos-sequoia/
2024-12-21T20:52:44+00:00 rtrouton

One of the challenges in figuring out why a Mac isn’t responding to MDM commands is sometimes just figuring out if the Mac is receiving MDM commands at all. Fortunately, this is possible to figure out via the unified system logging using the right predicates when searching. For more details, please see below the jump.

To start, send an MDM command to the device in question. If your MDM server says it sent successfully, see what shows up on the Mac’s end using the following command:


/usr/bin/log show --predicate 'process=="mdmclient" OR subsystem=="com.apple.ManagedClient"' --info --last 10m


This will likely give you a large number of log entries, but it’s possible to filter for what you’re looking for. For example, a blank push remote command sent from a Jamf Pro MDM server will include a log entry that looks similar to this:


2024-12-21 13:04:21.263154-0500 0x4d0d Default 0x0 1738 7 mdmclient: [com.apple.ManagedClient:MDMDaemon] [*] [0:MDMDaemon:<0x4d0d>] Processing server request: DeclarativeManagement for: <Device> (3fb48527-9aaa-492d-94fc-efd999d812a3) PowerNap: no


Since we can see from the log entry that the relevant process is mdmclient and the string to search for includes “Processing server request: DeclarativeManagement for“, then if you know you sent a blank push within the last ten minutes you can use the following command to see if the entry appears in the returned logs:


/usr/bin/log show --info --predicate 'process=="mdmclient" AND eventMessage contains "Processing server request: DeclarativeManagement for"' --last 10m


That should pull up the relevant log entry:


username@computername ~ % /usr/bin/log show --info --predicate 'process=="mdmclient" AND eventMessage contains "Processing server request: DeclarativeManagement for"' --last 10m
Filtering the log data using "process == "mdmclient" AND composedMessage CONTAINS "Processing server request: DeclarativeManagement for""
Skipping debug messages, pass --debug to include.
Timestamp Thread Type Activity PID TTL
2024-12-21 14:18:44.084210-0500 0xb9d7 Default 0x0 2867 7 mdmclient: [com.apple.ManagedClient:MDMDaemon] [*] [0:MDMDaemon:<0xb9d7>] Processing server request: DeclarativeManagement for: <Device> (a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32) PowerNap: no
——————————————————————————————————————–
Log - Default: 1, Info: 0, Debug: 0, Error: 0, Fault: 0
Activity - Create: 0, Transition: 0, Actions: 0
username@computername ~ %


From there, we can see the UUID identifier of the MDM command. In this example, the UUID is the following:


a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32


We can then use that to figure out from the Mac’s side if the MDM command was successful by running the following command:


/usr/bin/log show --predicate 'process=="mdmclient" AND eventMessage contains "a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32"' --info --last 10m


From there, we should see output that looks similar to what’s shown below:


username@computername ~ % /usr/bin/log show --predicate 'process=="mdmclient" AND eventMessage contains "a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32"' --info --last 10m
Filtering the log data using "process == "mdmclient" AND composedMessage CONTAINS "a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32""
Skipping debug messages, pass --debug to include.
Timestamp Thread Type Activity PID TTL
2024-12-21 14:18:44.084210-0500 0xb9d7 Default 0x0 2867 7 mdmclient: [com.apple.ManagedClient:MDMDaemon] [*] [0:MDMDaemon:<0xb9d7>] Processing server request: DeclarativeManagement for: <Device> (a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32) PowerNap: no
2024-12-21 14:18:44.256439-0500 0xb9d7 Default 0x0 2867 7 mdmclient: [com.apple.ManagedClient:HTTPUtil] [*] [0:MDMDaemon:HTTPUtil:<0xb9d7>] >>>>> Sending HTTP request (PUT) [Acknowledged(DeclarativeManagement):a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32] >>>>>
2024-12-21 14:18:44.383839-0500 0xb9d7 Default 0x0 2867 7 mdmclient: [com.apple.ManagedClient:HTTPUtil] [*] [0:MDMDaemon:HTTPUtil:<0xb9d7>] <<<<< Received HTTP response (200) [Acknowledged(DeclarativeManagement):a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32] <<<<<
——————————————————————————————————————–
Log - Default: 3, Info: 0, Debug: 0, Error: 0, Fault: 0
Activity - Create: 0, Transition: 0, Actions: 0
username@computername ~ %


If the blank push command was successful, we should see three log entries like the ones that showed up in the output above:


2024-12-21 14:18:44.084210-0500 0xb9d7 Default 0x0 2867 7 mdmclient: [com.apple.ManagedClient:MDMDaemon] [*] [0:MDMDaemon:<0xb9d7>] Processing server request: DeclarativeManagement for: <Device> (a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32) PowerNap: no
2024-12-21 14:18:44.256439-0500 0xb9d7 Default 0x0 2867 7 mdmclient: [com.apple.ManagedClient:HTTPUtil] [*] [0:MDMDaemon:HTTPUtil:<0xb9d7>] >>>>> Sending HTTP request (PUT) [Acknowledged(DeclarativeManagement):a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32] >>>>>
2024-12-21 14:18:44.383839-0500 0xb9d7 Default 0x0 2867 7 mdmclient: [com.apple.ManagedClient:HTTPUtil] [*] [0:MDMDaemon:HTTPUtil:<0xb9d7>] <<<<< Received HTTP response (200) [Acknowledged(DeclarativeManagement):a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32] <<<<<
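
The same three-entry check can be automated over saved `log show` output by grouping mdmclient entries by command UUID. The following is an added example, not code from the original post: the regular expressions are modeled on the log entries shown above, the status labels are my own, and the entries with `00000000-...` UUIDs (including the 503 response) are constructed to show the failure cases.

```python
import re

UUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
# Message shapes modeled on the mdmclient entries shown in this post.
RECEIVED = re.compile(r"Processing server request: (\w+) for: <\w+> \((" + UUID + r")\)")
ACK_SENT = re.compile(r"Sending HTTP request \(PUT\) \[Acknowledged\((\w+)\):(" + UUID + r")\]")
RESPONSE = re.compile(r"Received HTTP response \((\d{3})\) \[Acknowledged\((\w+)\):(" + UUID + r")\]")


def correlate(lines):
    """Group mdmclient log lines by MDM command UUID."""
    commands = {}

    def entry(uuid, request_type):
        return commands.setdefault(uuid.lower(), {
            "type": request_type, "received": False,
            "ack_sent": False, "http_status": None})

    for line in lines:
        if " mdmclient: " not in line:
            continue  # header, separator and summary lines of `log show`
        if m := RECEIVED.search(line):
            entry(m.group(2), m.group(1))["received"] = True
        elif m := ACK_SENT.search(line):
            entry(m.group(2), m.group(1))["ack_sent"] = True
        elif m := RESPONSE.search(line):
            entry(m.group(3), m.group(2))["http_status"] = int(m.group(1))
    return commands


def classify(state):
    """Turn the collected flags for one command into a single status."""
    if not state["received"]:
        return "request-outside-window"  # ack seen, request predates --last
    if not state["ack_sent"]:
        return "received-not-acknowledged"
    if state["http_status"] is None:
        return "acknowledged-no-response"
    if state["http_status"] == 200:
        return "completed"
    return "server-returned-%d" % state["http_status"]


def summarize(lines):
    """Return {command UUID: status} for every command seen in the log lines."""
    return {uuid: classify(state) for uuid, state in correlate(lines).items()}


# First three entries are from the output above; the rest are constructed.
SAMPLE_LOG = """\
Timestamp Thread Type Activity PID TTL
2024-12-21 14:18:44.084210-0500 0xb9d7 Default 0x0 2867 7 mdmclient: [com.apple.ManagedClient:MDMDaemon] [*] [0:MDMDaemon:<0xb9d7>] Processing server request: DeclarativeManagement for: <Device> (a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32) PowerNap: no
2024-12-21 14:18:44.256439-0500 0xb9d7 Default 0x0 2867 7 mdmclient: [com.apple.ManagedClient:HTTPUtil] [*] [0:MDMDaemon:HTTPUtil:<0xb9d7>] >>>>> Sending HTTP request (PUT) [Acknowledged(DeclarativeManagement):a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32] >>>>>
2024-12-21 14:18:44.383839-0500 0xb9d7 Default 0x0 2867 7 mdmclient: [com.apple.ManagedClient:HTTPUtil] [*] [0:MDMDaemon:HTTPUtil:<0xb9d7>] <<<<< Received HTTP response (200) [Acknowledged(DeclarativeManagement):a3a16dd4-ba49-4d3e-bd67-39c48dc2fc32] <<<<<
2024-12-21 14:20:01.000000-0500 0xb9d7 Default 0x0 2867 7 mdmclient: [com.apple.ManagedClient:MDMDaemon] [*] [0:MDMDaemon:<0xb9d7>] Processing server request: DeclarativeManagement for: <Device> (00000000-0000-4000-8000-000000000001) PowerNap: no
2024-12-21 14:21:01.000000-0500 0xb9d7 Default 0x0 2867 7 mdmclient: [com.apple.ManagedClient:MDMDaemon] [*] [0:MDMDaemon:<0xb9d7>] Processing server request: DeclarativeManagement for: <Device> (00000000-0000-4000-8000-000000000002) PowerNap: no
2024-12-21 14:21:01.200000-0500 0xb9d7 Default 0x0 2867 7 mdmclient: [com.apple.ManagedClient:HTTPUtil] [*] [0:MDMDaemon:HTTPUtil:<0xb9d7>] >>>>> Sending HTTP request (PUT) [Acknowledged(DeclarativeManagement):00000000-0000-4000-8000-000000000002] >>>>>
2024-12-21 14:21:01.400000-0500 0xb9d7 Default 0x0 2867 7 mdmclient: [com.apple.ManagedClient:HTTPUtil] [*] [0:MDMDaemon:HTTPUtil:<0xb9d7>] <<<<< Received HTTP response (503) [Acknowledged(DeclarativeManagement):00000000-0000-4000-8000-000000000002] <<<<<
""".splitlines()

if __name__ == "__main__":
    for uuid, status in summarize(SAMPLE_LOG).items():
        print(uuid, status)
```
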


Different MDM commands will have different output, but if you’re using Jamf Pro and need to figure out if a particular Mac is receiving MDM commands successfully, the process described above should assist with this. If you want to stream the logs in real time, so that you can check the logs as you’re sending a blank push command, you can use the following:


/usr/bin/log stream --info --debug --predicate 'process=="mdmclient" AND eventMessage contains "Processing server request: DeclarativeManagement for"'


That should provide output similar to what’s shown below when you send a blank push:


username@computername ~ % /usr/bin/log stream --info --debug --predicate 'process=="mdmclient" AND eventMessage contains "Processing server request: DeclarativeManagement for"'
Filtering the log data using "process == "mdmclient" AND composedMessage CONTAINS "Processing server request: DeclarativeManagement for""
Timestamp Thread Type Activity PID TTL
2024-12-21 14:36:11.577917-0500 0xdad8 Default 0x0 3139 7 mdmclient: [com.apple.ManagedClient:MDMDaemon] [*] [0:MDMDaemon:<0xdad8>] Processing server request: DeclarativeManagement for: <Device> (fe514cb5-cee6-44c5-88a2-e9247c89f1ba) PowerNap: no


Hat tip to Bryson and his teammates for figuring out most of this and sharing it with me.

]]>
Der Flounder : Jamf Pro 11.12 API testing page now accepts both password authentication and API client authentication https://derflounder.wordpress.com/2024/12/20/jamf-pro-11-12-api-testing-page-now-accepts-both-password-authentication-and-api-client-authentication/ 2024-12-20T14:59:43+00:00 rtrouton As part of supporting Jamf Pro‘s API functionality, Jamf has made interactive documentation pages available with every Jamf Pro installation via the following address:

https://jamf.pro.server.here/api

When choosing to view the Classic API or Jamf Pro API documentation, there’s an option to log in and authenticate, so that you can run API commands interactively to see how running the commands works in real time and what results you see. This functionality is also useful when setting up API accounts with least privileged access, as it allows testing to verify that all necessary privileges have been assigned to the accounts.

Up until now, this authentication mechanism only supported username and password authentication, but as of Jamf Pro 11.2.0, it supports both of the following authentication methods:

  • Username/Password authentication
  • API client authentication

To use your preferred authentication method, please select it from the relevant drop-down menu.

]]>
Der Flounder : Management profile settings and OS upgrade implications https://derflounder.wordpress.com/2024/12/18/management-profile-settings-and-os-upgrade-implications/ 2024-12-18T17:35:42+00:00 rtrouton A question I’ve seen repeatedly in the Mac Admins Slack goes something like this:

“I installed this profile for macOS NewVersion onto macOS OldVersion, then upgraded from macOS OldVersion to macOS NewVersion. The setting didn’t work. Why didn’t it work?”

Why it didn’t work has to do with how management profile settings are handled. When a management profile is installed, the settings contained within that profile are applied.

This settings application occurs exclusively at the time of the profile installation. Those applied settings are never again re-read or re-applied as long as that profile is installed. The settings in a profile are applied only at the time of installation and that is the current state of things.

How is this relevant to settings you want to apply to macOS? Apple defines what OS version a setting was introduced for, which means it does not work for OS versions prior to that. For more information, please see below the jump.

An example of this is the management setting for iPhone mirroring:

https://github.com/apple/device-management/blob/1fa842739c8f19db5b62f3ac6aed261cc378e5b8/mdm/profiles/com.apple.applicationaccess.yaml#L1834-L1860

This setting was introduced for macOS as of macOS 15 Sequoia. That means that the setting works on macOS Sequoia, but what happens when you install a management profile like the one below, which contains this setting, onto a Mac running macOS 14 Sonoma?

Nothing.


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Restrictions</string>
<key>PayloadIdentifier</key>
<string>com.apple.applicationaccess.DD8454BB-A1D6-4DD9-B1AC-C1B6ABA512E9</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadUUID</key>
<string>DD8454BB-A1D6-4DD9-B1AC-C1B6ABA512E9</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowiPhoneMirroring</key>
<false/>
</dict>
</array>
<key>PayloadDescription</key>
<string>Blocks the use of iPhone mirroring</string>
<key>PayloadDisplayName</key>
<string>Block iPhone Mirroring</string>
<key>PayloadIdentifier</key>
<string>D0B2E096-2C7F-4F2F-A1C0-FFE16919768B</string>
<key>PayloadOrganization</key>
<string>Company Name</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>D0B2E096-2C7F-4F2F-A1C0-FFE16919768B</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

A profile’s settings get applied at the time of installation. If the setting isn’t understood by the OS the profile is installed onto at the time of installation, the setting is ignored.

In the context of the management setting for iPhone mirroring, macOS Sonoma doesn’t have the management option for managing iPhone mirroring so Sonoma will ignore the setting. It will remain ignored if the Mac gets upgraded to Sequoia because the setting only gets applied at the time of installation and the setting never gets re-evaluated to see if it applies to Sequoia. The outcome is that the setting does not get applied on Sequoia if the profile with the setting was installed on Sonoma.

How do you fix this? Remove the profile with the iPhone mirroring setting from the Sequoia Mac and re-install the profile. Once the profile is installed again, the setting will get applied as part of the install process. Sequoia has that setting as a management option, so Sequoia will then apply the setting from the profile and manage iPhone mirroring as defined by the profile’s settings.

So what does this mean for management settings you want to apply to macOS NewVersion? You’ll need to check what the introduction version is for the setting you want to apply. If it’s a brand new setting where the introduction is on macOS NewVersion, you’ll need to wait until the Mac is running macOS NewVersion before deploying a profile to manage that setting.

For Mac admins who want the capability to install a setting on macOS OldVersion and have it apply to macOS NewVersion, I recommend filing feedback with Apple to request it.

]]>
Der Flounder : Suppressing the Apple Intelligence pop-up window with a configuration profile on macOS Sequoia https://derflounder.wordpress.com/2024/12/12/suppressing-the-apple-intelligence-pop-up-window-with-a-configuration-profile-on-macos-sequoia/ 2024-12-12T21:11:56+00:00 rtrouton Apple has introduced a number of pop-up windows over the years, which appear the first time you log into a Mac and sometimes also after an OS update. Apple added a new one for macOS Sequoia as part of introducing Apple Intelligence.

The Apple Intelligence pop-up window can be suppressed for the logged-in user by running the command shown below:


/usr/bin/defaults write com.apple.SetupAssistant DidSeeIntelligence -bool true


It is also possible to suppress the Apple Intelligence pop-up window on macOS Sequoia using a configuration profile. For more details, please see below the jump.

The relevant preference domain and key values are below:

  • Preference domain: com.apple.SetupAssistant.managed
  • Key: SkipSetupItems
  • Value: Intelligence

The profile is available on GitHub via the link below:

https://github.com/rtrouton/profiles/blob/main/SkipAppleIntelligenceSetup

]]>
Der Flounder : Managing Apple Intelligence features on macOS Sequoia 15.2 https://derflounder.wordpress.com/2024/12/12/managing-apple-intelligence-features-on-macos-sequoia-15-2/ 2024-12-12T15:17:17+00:00 rtrouton As a follow-up to my earlier post on managing Apple Intelligence features on macOS Sequoia, Apple has added a couple of new management options for Apple Intelligence now that Apple Intelligence is able to communicate with external services like ChatGPT. For more details, please see below the jump.

As of macOS 15.2, management options are available for the following Apple Intelligence functionality:

The relevant key values are below:



| Restriction | Setting available in version | Description | Key | Key value | Default setting in macOS |
| --- | --- | --- | --- | --- | --- |
| Allow Image Playground | macOS 15.0.0 | If key value is set to FALSE, prohibits the use of image generation. | allowImagePlayground | Boolean | TRUE |
| Allow Writing Tools | macOS 15.0.0 | If key value is set to FALSE, allows only anonymous access to external services | allowWritingTools | Boolean | TRUE |
| Allow Genmoji | macOS 15.0.0 | If key value is set to FALSE, disables Genmoji | allowGenmoji | Boolean | TRUE |
| Allow Mail Summary | macOS 15.1.0 | If key value is set to FALSE, prohibits the ability to create email summaries | allowMailSummary | Boolean | TRUE |
| Allow External Intelligence Integrations | macOS 15.2.0 | If key value is set to FALSE, prohibits integrations with external services including ChatGPT and Google Gemini | allowExternalIntelligenceIntegrations | Boolean | TRUE |
| Allow External Intelligence Sign-Ins | macOS 15.2.0 | If key value is set to FALSE, disables non-anonymous login to external services including ChatGPT and Google Gemini | allowExternalIntelligenceIntegrationsSignIn | Boolean | TRUE |

It’s important to note that while all of the settings listed above work on macOS Sequoia 15.2, not all work on earlier versions of macOS Sequoia. Here’s the compatibility list:

macOS 15.0 and later:

  • allowGenmoji
  • allowImagePlayground
  • allowWritingTools

macOS 15.1 and later:

  • allowMailSummary

macOS 15.2 and later:

  • allowExternalIntelligenceIntegrations
  • allowExternalIntelligenceIntegrationsSignIn
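The compatibility list above, combined with the install-time behavior described in the earlier post on management profile settings and OS upgrades, can be turned into a pre-deployment check. The following is an added example, not code from the original posts: it assumes an unsigned profile, a hypothetical `os_at_install` value taken from your own inventory, and a constructed sample profile with placeholder identifiers.

```python
import plistlib

# First macOS version that honours each key, as stated on this page.
INTRODUCED_IN = {
    "allowiPhoneMirroring": (15, 0, 0),
    "allowGenmoji": (15, 0, 0),
    "allowImagePlayground": (15, 0, 0),
    "allowWritingTools": (15, 0, 0),
    "allowMailSummary": (15, 1, 0),
    "allowExternalIntelligenceIntegrations": (15, 2, 0),
    "allowExternalIntelligenceIntegrationsSignIn": (15, 2, 0),
}
APPLIED = "applied at install"
REINSTALL = "ignored at install: remove and re-install the profile"
UNSUPPORTED = "not supported by the current macOS version"

def parse_version(text):
    """'15.2' -> (15, 2, 0); tuples compare numerically, so 15.10 > 15.2."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def tracked_keys(profile_bytes):
    """Names of tracked restriction keys found in an unsigned .mobileconfig."""
    profile = plistlib.loads(profile_bytes)
    keys = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            keys += [k for k in payload if k in INTRODUCED_IN]
    return sorted(keys)

def audit(profile_bytes, os_at_install, os_now):
    """Map each tracked key to APPLIED, REINSTALL or UNSUPPORTED.

    os_at_install is an assumption of this example: the macOS version the Mac
    was running when the profile was installed (e.g. from inventory history).
    """
    installed, current = parse_version(os_at_install), parse_version(os_now)
    report = {}
    for key in tracked_keys(profile_bytes):
        needed = INTRODUCED_IN[key]
        if installed >= needed:
            report[key] = APPLIED
        elif current >= needed:
            report[key] = REINSTALL
        else:
            report[key] = UNSUPPORTED
    return report

# Constructed sample profile (placeholder identifiers, not one of the post's profiles).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "example.constructed.profile",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadContent": [{
        "PayloadType": "com.apple.applicationaccess", "PayloadVersion": 1,
        "PayloadIdentifier": "example.constructed.restrictions",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "allowGenmoji": False, "allowMailSummary": False,
        "allowExternalIntelligenceIntegrations": False,
    }],
})

if __name__ == "__main__":
    for key, state in audit(SAMPLE_PROFILE, "15.1", "15.2").items():
        print(f"{key}: {state}")
```

A signed profile is wrapped in a CMS envelope and will not parse with `plistlib` directly, so run the check on the unsigned source before signing it for upload.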

These settings can be managed by a configuration profile, where setting a boolean value of false will disable the Apple Intelligence feature in question. Please see below for example profiles. The example profiles are also available via the following links:

Note: If you’re planning to use the example profiles with Jamf Pro, the profiles will need to be signed before they can be uploaded to Jamf Pro. If you’re not familiar with how to sign profiles, the post linked below is a good guide to how that process works:

https://macblog.org/sign-configuration-profiles/

Genmoji:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Restrictions</string>
<key>PayloadIdentifier</key>
<string>com.apple.applicationaccess.1281701E-9695-4447-9028-4962C25162FF</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadUUID</key>
<string>1281701E-9695-4447-9028-4962C25162FF</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowGenmoji</key>
<false/>
</dict>
</array>
<key>PayloadDescription</key>
<string>Disables creation of new Genmoji</string>
<key>PayloadDisplayName</key>
<string>Apple Intelligence Disable Genmoji</string>
<key>PayloadIdentifier</key>
<string>B83678F5-B2CB-467C-A89F-73F2E2E1346C</string>
<key>PayloadOrganization</key>
<string>Company Name</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>B83678F5-B2CB-467C-A89F-73F2E2E1346C</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

Image Playground:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Restrictions</string>
<key>PayloadIdentifier</key>
<string>com.apple.applicationaccess.4FDE23F1-2652-4653-813C-205C9B86C0F5</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadUUID</key>
<string>4FDE23F1-2652-4653-813C-205C9B86C0F5</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowImagePlayground</key>
<false/>
</dict>
</array>
<key>PayloadDescription</key>
<string>Disables Image Playground and prohibits the use of image generation</string>
<key>PayloadDisplayName</key>
<string>Apple Intelligence Disable Image Playground</string>
<key>PayloadIdentifier</key>
<string>5596EE02-5B47-4B4C-B3F0-AA531C1E9AEB</string>
<key>PayloadOrganization</key>
<string>Company Name</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>5596EE02-5B47-4B4C-B3F0-AA531C1E9AEB</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

Writing Tools:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Restrictions</string>
<key>PayloadIdentifier</key>
<string>com.apple.applicationaccess.2C74FDD6-E3CD-4E3B-9193-CD4818452895</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadUUID</key>
<string>2C74FDD6-E3CD-4E3B-9193-CD4818452895</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowWritingTools</key>
<false/>
</dict>
</array>
<key>PayloadDescription</key>
<string>Disables Apple Intelligence writing tools</string>
<key>PayloadDisplayName</key>
<string>Apple Intelligence Disable Writing Tools</string>
<key>PayloadIdentifier</key>
<string>FDDB4857-545D-4538-9C0B-B8ED78FFCE3E</string>
<key>PayloadOrganization</key>
<string>Company Name</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>FDDB4857-545D-4538-9C0B-B8ED78FFCE3E</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

Summarize emails:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Restrictions</string>
<key>PayloadIdentifier</key>
<string>com.apple.applicationaccess.6DD01B26-8368-45FE-A4F7-35F4CD153E5D</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadUUID</key>
<string>6DD01B26-8368-45FE-A4F7-35F4CD153E5D</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowMailSummary</key>
<false/>
</dict>
</array>
<key>PayloadDescription</key>
<string>Disables Mail Summary and prohibits the ability to create email summaries</string>
<key>PayloadDisplayName</key>
<string>Apple Intelligence Disable Mail Summary</string>
<key>PayloadIdentifier</key>
<string>45B76C44-A61D-4A1B-82B9-6118B18DB129</string>
<key>PayloadOrganization</key>
<string>Company Name</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>45B76C44-A61D-4A1B-82B9-6118B18DB129</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

Block Siri from connecting to third party cloud-based intelligence services:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Restrictions</string>
<key>PayloadIdentifier</key>
<string>com.apple.applicationaccess.69140388-BF31-4C0E-A791-F8EFDCB54C49</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadUUID</key>
<string>69140388-BF31-4C0E-A791-F8EFDCB54C49</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowExternalIntelligenceIntegrations</key>
<false/>
</dict>
</array>
<key>PayloadDescription</key>
<string>Disables External Intelligence Integrations and prohibits integrations with external services including ChatGPT and Google Gemini</string>
<key>PayloadDisplayName</key>
<string>Apple Intelligence Disable External Intelligence Integrations</string>
<key>PayloadIdentifier</key>
<string>2B3EE9B6-249E-44DD-B9A6-1E71F72A7E34</string>
<key>PayloadOrganization</key>
<string>Company Name</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>2B3EE9B6-249E-44DD-B9A6-1E71F72A7E34</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

Disable non-anonymous login to third party cloud-based intelligence services:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Restrictions</string>
<key>PayloadIdentifier</key>
<string>com.apple.applicationaccess.EB34F905-0ED5-4E29-9A4A-5AE77F4D6652</string>
<key>PayloadType</key>
<string>com.apple.applicationaccess</string>
<key>PayloadUUID</key>
<string>EB34F905-0ED5-4E29-9A4A-5AE77F4D6652</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>allowExternalIntelligenceIntegrationsSignIn</key>
<false/>
</dict>
</array>
<key>PayloadDescription</key>
<string>Disables External Intelligence Sign-in and allows only anonymous access to external services</string>
<key>PayloadDisplayName</key>
<string>Apple Intelligence Disable External Intelligence Logins</string>
<key>PayloadIdentifier</key>
<string>995CBF19-0AE8-4098-93A3-A87812366961</string>
<key>PayloadOrganization</key>
<string>Company Name</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>995CBF19-0AE8-4098-93A3-A87812366961</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

]]>