babgond http://www.babgond.com/moonmoon/ 2025-07-06T01:09:19Z

Der Flounder : Deploying Self Service+ in place of Self Service on Macs managed by Jamf Pro
https://derflounder.wordpress.com/2025/07/03/deploying-self-service-in-place-of-self-service-on-macs-managed-by-jamf-pro/
2025-07-03T21:57:00+00:00 rtrouton

As part of the release notes for Jamf Pro 11.18.0, it was mentioned that the Self Service+ app could now be deployed by default in place of the Self Service app (also referred to as Self Service classic).

Choosing to deploy the Self Service+ app by default in place of the Self Service classic app will result in the following changes taking place on all macOS 13 Ventura and later Macs which are managed by that Jamf Pro server:

  • Existing installations of the Self Service classic app are removed from managed Macs running macOS 13 or later.
  • The Self Service+ app is installed on managed Macs running macOS 13 or later as part of a managed Mac’s next check-in with Jamf Pro
  • The Self Service+ app is installed on managed Macs running macOS 13 or later following enrollment.
  • The Self Service+ app is automatically updated to the latest version of Self Service+ as new Self Service+ updates are released.

Managed Macs running macOS 12 Monterey or earlier will not have these changes occur. These Macs will continue to use the Self Service classic app.

For more details, please see below the jump.

To enable the Self Service+ app for default deployment to managed Macs running macOS 13 Ventura and later, please use the following procedure:

1. Log into Jamf Pro with an administrator account.

2. Go to Settings: Jamf Apps

3. Select Self Service+

4. In the Self Service+ settings, select the checkbox for Use Self Service+ as the default end user application.

5. Verify the setting is set as desired. Once verified, click the Save button.

Note: Once this option is enabled, all managed Macs running macOS 13 or later will use only the Self Service+ app. It will not be possible to run both the Self Service+ app and the Self Service classic app on the same computer.

Once enabled, you should expect to see the following:

  • The Self Service+ app will be deployed to all macOS 13 Ventura and later Macs which are managed by that Jamf Pro server.
  • The Self Service classic app will be removed from all macOS 13 Ventura and later Macs which are managed by that Jamf Pro server.

For those who want to test the Self Service+ app while continuing to use the Self Service classic app, please see the documentation linked below:

Deploying Self Service+ to End User Devices Using a Policy:

https://learn.jamf.com/en-US/bundle/self-service-plus-documentation/page/Self_Service_Installation.html

Der Flounder : Deploying AirPrint printers using Blueprints in Jamf Pro
https://derflounder.wordpress.com/2025/06/28/deploying-airprint-printers-using-blueprints-in-jamf-pro/
2025-06-28T20:22:14+00:00 rtrouton

As part of Apple’s unveiling of Declarative Device Management (DDM) at WWDC 2023, Apple announced that DDM management included the ability to deploy MDM configuration profiles using DDM as the delivery mechanism in place of using MDM to deliver the profiles. Jamf Pro’s Blueprints leverages this capability to support deploying printers which can use AirPrint. Let’s see how this works with an AirPrint configuration, using an AirPrint-compatible printer which is set to use the following static IP address:

10.0.1.10

For more details, please see below the jump.

The first thing we need to do is use the ippfind command line tool to discover information about the printer we want to set up and print to. This process is described as part of Apple’s documentation for AirPrint payload settings for Apple devices, available via the link below:

https://support.apple.com/guide/deployment/airprint-payload-settings-dep3b4cf515/web (see the Set up an AirPrint printer in Apple Configurator for Mac section.)

Use the procedure below to discover the information needed:

1. Open Terminal.

2. Run the following command without root privileges:

ippfind

In this example, we’re getting back the following information about the printer:


username@ZWCM2JG74W ~ % ippfind
ipp://BRN466371FFF599.local:631/ipp/print
username@ZWCM2JG74W ~ %

From this, we can see the following information about the printer:

  • Bonjour hostname: BRN466371FFF599.local
  • Port number: 631
  • Resource path: /ipp/print

We can use the BRN466371FFF599.local hostname to look up what the IP address of the responding printer is, which in this example is going to be the following IP address:

10.0.1.10

The port number is 631, which is the default for the IPP protocol.

The resource path is /ipp/print, which we will need for setting up the AirPrint configuration in Blueprints.

Once we have this information, we’re ready to set up the AirPrint printer settings for deployment using Blueprints.
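
The step from ippfind output to the values entered in the AirPrint item can be scripted. The following is an added example, not code from the original post: the function name, the hostname-to-IP map and the second (`ipps://`) sample line are assumptions constructed for illustration, and it goes slightly beyond the post's single printer by treating an `ipps://` URI as the case where Force TLS applies.

```python
from urllib.parse import urlsplit

IPP_DEFAULT_PORT = 631  # default port for both ipp:// and ipps:// URIs

# Constructed sample: the session shown in the post plus one made-up
# ipps:// printer on a non-default port.
SAMPLE_IPPFIND_OUTPUT = """\
username@ZWCM2JG74W ~ % ippfind
ipp://BRN466371FFF599.local:631/ipp/print
ipps://frontdesk-printer.local:8443/ipp/print
username@ZWCM2JG74W ~ %
"""

# Hostname -> static IP, looked up separately (the post's example address).
SAMPLE_ADDRESSES = {"BRN466371FFF599.local": "10.0.1.10"}


def airprint_settings(ippfind_output, addresses):
    """Turn ippfind URIs into the values for the Blueprint's AirPrint item.

    Returns one dict per printer. port_number is None when the printer uses
    the default port, matching "Make no changes" in the procedure.
    """
    known = {host.lower(): ip for host, ip in addresses.items()}
    printers = []
    for line in ippfind_output.splitlines():
        try:
            uri = urlsplit(line.strip())
            if uri.scheme not in ("ipp", "ipps") or not uri.hostname:
                continue  # shell prompts, blank lines, unrelated services
            port = uri.port or IPP_DEFAULT_PORT
        except ValueError:
            continue  # malformed URI or port
        printers.append({
            # urlsplit lower-cases hostnames; DNS names are case-insensitive
            "bonjour_hostname": uri.hostname,
            "ip_address": known.get(uri.hostname),       # IP Address
            "resource_path": uri.path or "/",            # Resource path
            "port_number": None if port == IPP_DEFAULT_PORT else port,
            "force_tls": uri.scheme == "ipps",           # Force TLS
        })
    return printers


if __name__ == "__main__":
    for printer in airprint_settings(SAMPLE_IPPFIND_OUTPUT, SAMPLE_ADDRESSES):
        print(printer)
```

A printer whose `ip_address` comes back as `None` still needs its address looked up before the AirPrint item can be filled in.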

As of Jamf Pro 11.18.0, there is not a Blueprints template available for creating blueprints which manage AirPrint settings so the blueprint will need to be configured manually. To do this, use the following procedure:

1. Log into Jamf Pro.

2. Select Blueprints

3. Click the Create blueprint button.

4. Give it a name when prompted and click the Create button. For this example, I’m using Reception Desk Printer Settings.

5. You should see an unconfigured Blueprint. Scroll down in the list on the right-hand side of the browser window to locate the AirPrint component.

Note: AirPrint is listed as Legacy Payload. In Blueprints, a Legacy Payload type indicates that this is an MDM configuration profile being delivered via DDM.

6. Click on the AirPrint component and drag the AirPrint component to the Declaration group section.

7. Mouse over the AirPrint component and you will see a Configure button appear. Click the Configure button.

8. At this point, you will see an Air print section without any listed printers. Click the Add New Item button.

9. To add the settings for the printer in this example, set the following entries as follows:

  • IP Address:
    • 10.0.1.10
  • Resource path:
    • /ipp/print
  • Port Number:
    • Make no changes
  • Force TLS:
    • Make no changes

Note: Because we verified earlier that this printer is using port 631, which is the default port for the IPP protocol, it is not necessary to set the port number in the example AirPrint configuration we’re creating. In the event a printer does not use port 631, it would be necessary to set the port number here in the AirPrint configuration.

Likewise, if the printer was using TLS to secure the printer connection, it may be necessary to use the Force TLS setting. In this example, TLS is not being used so it is not necessary to configure the Force TLS setting.

10. Once all the settings choices have been made and verified, click the Save button.

11. At this point, you should have a blueprint which has all settings configured but where no target scope has been set. To scope this blueprint, go to the Scope section and click the Open button.

For this example, I’m selecting a static group named Printer Deployment Group.

Once the desired smart and/or static groups have been set and verified for the scope, click the Save button.

12. Once everything has been configured, Jamf Pro should inform you that you have undeployed changes. Click the Deploy button to deploy the changes to the Macs you want to manage.

13. Once deployed, the Blueprints screen in Jamf Pro should show the newly-created Reception Desk Printer Settings blueprint as being deployed.

You can also check on the managed device’s end by opening System Settings: General: Device Management, locating the MDM enrollment profile in the list of profiles and double-clicking on it. When you scroll to the bottom of the enrollment profile’s window, you should see a Device Declarations section.

If you’re deploying a legacy profile via Blueprints, you should see a Profiles section in Device Declarations. In the Profiles section, there is a listing with a name that matches the name of the blueprint which was deployed. In the case of our example, the listing shows Reception Desk Printer Settings.

If you click on the Reception Desk Printer Settings listing, you should see the details of what is being managed.

Note: The MDM profiles delivered via Blueprints are not signed. This is mentioned in the documentation available via the link below:

https://learn.jamf.com/en-US/bundle/jamf-pro-blueprints-configuration-guide/page/Blueprint_Builder.html

One thing to be aware of is that the AirPrint printer may not appear automatically. To add it, use the following procedure:

1. Open System Settings

2. Go to the Printers & Scanners settings

3. Click the Add Printer, Scanner, or Fax… button.

4. Select the printer which is identified as being the following kind:

AirPrint Profile

5. Click the Add button.

The printer should set up and configure itself using the printer’s AirPrint settings.

Der Flounder : Deploying device restrictions management using Blueprints in Jamf Pro
https://derflounder.wordpress.com/2025/06/25/deploying-device-restrictions-management-using-blueprints-in-jamf-pro/
2025-06-25T18:54:36+00:00 rtrouton

As part of Apple’s unveiling of Declarative Device Management (DDM) at WWDC 2023, Apple announced that DDM management included the ability to deploy MDM configuration profiles using DDM as the delivery mechanism in place of using MDM to deliver the profiles. Jamf Pro’s Blueprints leverages this capability to support device restrictions.

Let’s see how this works using a device restriction configuration, using the example of setting the following Apple Intelligence management functions to false in order to block the corresponding Apple Intelligence functions on macOS:



| Restriction | Setting available in version | Description | Key | Key value | Default setting in macOS |
|---|---|---|---|---|---|
| Allow Image Playground | macOS 15.0.0 | If key value is set to FALSE, prohibits the use of image generation. | allowImagePlayground | Boolean | TRUE |
| Allow Writing Tools | macOS 15.0.0 | If key value is set to FALSE, allows only anonymous access to external services | allowWritingTools | Boolean | TRUE |
| Allow Genmoji | macOS 15.0.0 | If key value is set to FALSE, disables Genmoji | allowGenmoji | Boolean | TRUE |
| Allow Mail Summary | macOS 15.1.0 | If key value is set to FALSE, prohibits the ability to create email summaries | allowMailSummary | Boolean | TRUE |
| Allow Mail Smart Replies | macOS 15.4.0 | If key value is set to FALSE, disables smart replies in Mail. | allowMailSmartReplies | Boolean | TRUE |

For more details, please see below the jump.

As of Jamf Pro 11.18.0, there is not a Blueprints template available for creating blueprints which manage device restrictions so the blueprint will need to be configured manually. To do this, use the following procedure:

1. Log into Jamf Pro.

2. Select Blueprints

3. Click the Create blueprint button.

4. Give it a name when prompted and click the Create button. For this example, I’m using Restrictions Settings for macOS.

5. You should see an unconfigured Blueprint. Scroll down in the list on the right-hand side of the browser window to locate the Restrictions component.

Note: The Restrictions component is listed as being the Legacy Payload type. In Blueprints, a Legacy Payload type indicates that this is an MDM configuration profile being delivered via DDM.

6. Click on the Restrictions component and drag the Restrictions component to the Declaration group section.

7. Mouse over the Restrictions component and you will see a Configure button appear. Click the Configure button.

8. At this point, you will see all available Restrictions settings which are available for all Apple platforms. To limit to only those options available for both macOS and Apple Intelligence, you can click the filter button and then select macOS in OS Type and Apple Intelligence in Category.

9. To apply the desired settings, select the following options and set them to false:

  • Allow Genmoji
  • Allow Image Playground
  • Allow Mail Smart Replies
  • Allow manual mail summaries
  • Allow writing tools

10. Once all the settings choices have been made and verified, click the Save button.

11. At this point, you should have a blueprint which has all settings configured but where no target scope has been set. To scope this blueprint, go to the Scope section and click the Open button.

For this example, I’m selecting a static group named Restrictions Deployment Group.

Once the desired smart and/or static groups have been set and verified for the scope, click the Save button.

12. Once everything has been configured, Jamf Pro should inform you that you have undeployed changes. Click the Deploy button to deploy the new restrictions settings to the Macs you want to manage.

13. Once deployed, the Blueprints screen in Jamf Pro should show the newly-created Restrictions Settings for macOS blueprint as being deployed.

You can also check on the managed device’s end by opening System Settings: General: Device Management, locating the MDM enrollment profile in the list of profiles and double-clicking on it. When you scroll to the bottom of the enrollment profile’s window, you should see a Device Declarations section.

If you’re deploying an MDM configuration profile via Blueprints, you should see a Profiles section in Device Declarations. In the Profiles section, there is a listing with a name that matches the name of the blueprint which was deployed. In the case of our example, the listing shows Restrictions Settings for macOS.

If you click on the Restrictions Settings for macOS listing, you should see the details of what is being managed.

Note: The MDM profiles delivered via Blueprints are not signed. This is mentioned in the documentation available via the link below:

https://learn.jamf.com/en-US/bundle/jamf-pro-blueprints-configuration-guide/page/Blueprint_Builder.html

Der Flounder : Deploying software update management using Blueprints in Jamf Pro
https://derflounder.wordpress.com/2025/06/24/deploying-software-update-management-using-blueprints-in-jamf-pro/
2025-06-24T21:37:36+00:00 rtrouton

As part of Apple’s unveiling of Declarative Device Management (DDM) at WWDC 2023, Apple announced that DDM management included the ability to manage software updates. Jamf Pro’s Blueprints leverages this capability to support managing software updates. Let’s see how this works using the following software update configuration as an example:

  • Standard users can install Apple software updates
  • Logged-in users will see all software update notifications
  • OS updates will be automatically downloaded
  • OS updates will be automatically installed
  • Security updates will be automatically installed
  • Rapid Security Response updates will be installed
  • Rapid Security Response updates can be removed

For more details, please see below the jump.

As of Jamf Pro 11.18.0, there is not a Blueprints template available for creating blueprints which manage software updates so the blueprint will need to be configured manually. To do this, use the following procedure:

1. Log into Jamf Pro.

2. Select Blueprints

3. Click the Create blueprint button.

4. Give it a name when prompted and click the Create button. For this example, I’m using Software Update Settings.

5. You should see an unconfigured Blueprint. Scroll down in the list on the right-hand side of the browser window to locate the Software Update Settings component.

6. Click on the Software Update Settings component and drag the Software Update Settings component to the Declaration group section.

7. Mouse over the Software Update Settings component and you will see a Configure button appear. Click the Configure button.

8. At this point, you will see all available Software Update settings which are available for all Apple platforms. To limit to only those options available for macOS, you can click the filter button and then select macOS. Once the desired filter(s) have been selected, click the Apply button.

9. To apply the following desired settings, select the following options:

  • Standard users can install Apple software updates:

Select Enable for Allow standard users to install software updates

  • Logged-in users will see all software update notifications:

Select Enable for Notification preference for updates scheduled by declarations

Once those options are selected, you’ll need to configure the Install actions and Rapid Security Response sections to achieve the following desired settings:

  • OS updates will be automatically downloaded
  • OS updates will be automatically installed
  • Security updates will be automatically installed
  • Rapid Security Response updates will be installed
  • Rapid Security Response updates can be removed

To access the Install actions and Rapid Security Response sections, click their associated Configure buttons.

In the Install actions section, to apply the following desired settings, select the following options:

  • OS updates will be automatically downloaded:

Select Always for Automatic installs of available updates

  • OS updates will be automatically installed:

Select Always for Automatic downloads of available OS updates

Note: Selecting Always for Automatic installs of available updates will also automatically set Always for Automatic downloads of available OS updates.

  • Security updates will be automatically installed:

Select Always for Automatic installs of available security updates

Once all choices have been made and verified, click the Update button.

You should now see the following items set to Always:

  • Automatic installs of available updates
  • Automatic downloads of available OS updates
  • Automatic installs of available security updates

From there, scroll down to the Rapid Security Response section and click the Configure button.

In the Rapid Security Response section, to apply the following desired settings, select the following options:

  • Rapid Security Response updates will be installed:

Select Allow for Rapid Security Response installation

  • Rapid Security Response updates can be removed:

Select Allow for Rapid Security Response removal

Once all choices have been made and verified, click the Update button.

You should now see the following items set to Enabled:

  • Rapid Security Response installation
  • Rapid Security Response removal

10. Once all the settings choices have been made and verified, click the Save button.

11. At this point, you should have a blueprint which has all settings configured but where no target scope has been set. To scope this blueprint, go to the Scope section and click the Open button.

For this example, I’m selecting a static group named Managed Software Update Deployment Group. Once the desired smart and/or static groups have been set and verified for the scope, click the Save button.

12. Once everything has been configured, Jamf Pro should inform you that you have undeployed changes. Click the Deploy button to deploy the changes to the Macs you want to manage.

13. Once deployed, the Blueprints screen in Jamf Pro should show the newly-created Software Update Settings blueprint as being deployed.

You can also check on the managed device’s end by opening System Settings: General: Device Management, locating the MDM enrollment profile in the list of profiles and double-clicking on it. When you scroll to the bottom of the enrollment profile’s window, you should see a Device Declarations section.

If you’re deploying a software update configuration via Blueprints, you should see a Global Settings listing for Software Update in the Device Declarations section.

If you click on the Global Settings listing, you should see the details of the configuration.

You can also see the details of what’s configured in System Settings: General: Software Update.

In this case, you can click on the ( i ) button next to the Automatic Updates section and see the settings which have been applied.

Der Flounder : Extracting fonts from configuration profiles on macOS Sequoia
https://derflounder.wordpress.com/2025/06/20/extracting-fonts-from-configuration-profiles-on-macos-sequoia/
2025-06-20T23:28:10+00:00 rtrouton

One way to deliver custom fonts on macOS is to deploy them via a configuration profile. In this case, you’re deploying a profile which includes a copy of the font file or files. For example, here’s how the open source Caprasimo font looks when deployed via a profile.

You can access information about the font in question using the Font Book app on macOS Sequoia.

In Font Book.app, you should see the profile-deployed font appearing in the My Fonts section. You can also access information about the font from here.

But how do you extract the font file from the profile? You can also do this using the Font Book app. For more details, see below the jump.

You can use the following procedure to export a font which was installed using a configuration profile:

1. Open Font Book.app.

2. Find the font in question and select it.

3. Under the File menu, choose the Export… option.

4. Select where you want to save the exported font file to.

5. Verify that the font file has been exported to the desired location.

Der Flounder : Setting reduced transparency on macOS Sequoia
https://derflounder.wordpress.com/2025/06/18/setting-reduced-transparency-on-macos-sequoia/
2025-06-18T14:58:27+00:00 rtrouton

One of the user interface features in macOS is what Apple refers to as Vibrancy, where the color displayed for Finder windows, menus, the Dock, the menubar and other interfaces subtly changes to reflect the colors behind them. This produces a translucent visual effect for those interfaces.

This feature, first introduced in OS X 10.10 Yosemite, can come at a cost in terms of processor and GPU resources because this visual effect is being recalculated and redrawn as needed. For those who want to reclaim those resources, it’s possible to turn Vibrancy off if needed. On macOS Sequoia, this is managed via the following setting in System Settings:

System Settings: Accessibility: Display: Reduce Transparency

With the Reduce transparency setting enabled, Vibrancy is turned off and the various interface components should change from their Vibrancy-managed translucent appearance to a non-translucent gray appearance.

As of macOS Sequoia, it does not appear to be possible to manage the Reduce transparency setting using a defaults command but it is possible to manage it via a configuration profile. For more details, please see below the jump.

The relevant preference domain and key values are below:

  • Preference domain: com.apple.universalaccess
  • Key: reduceTransparency
  • Value: Boolean

Setting a boolean value of true will disable Vibrancy on macOS Sequoia. I’ve built a configuration profile with the boolean value of true set, where the profile is available on GitHub via the link below:

https://github.com/rtrouton/profiles/tree/main/ReduceTransparency

Der Flounder : Deploying disk management using Blueprints in Jamf Pro
https://derflounder.wordpress.com/2025/06/11/deploying-disk-management-using-blueprints-in-jamf-pro/
2025-06-11T18:06:36+00:00 rtrouton

As part of Apple’s discussion of Declarative Device Management (DDM) at WWDC 2024, Apple announced that DDM management on macOS 15 Sequoia and later now included the ability to allow or block external and network storage. You can manage the following:

  • External storage devices
  • Network storage

The following mount policies can be specified for both external and network storage:

  • Allowed: The system can mount storage that’s read-write or read-only.
  • Read-only: The system can only mount read-only storage. Storage that is read-write is not mounted read-only.
  • Disallowed: The system can’t mount any external storage.

Note: The read-only options are for mounting storage which is already read-only. If macOS can detect that the storage is read-write when it tries to mount the storage in question, macOS won’t mount the storage and will display an error message.

Jamf Pro’s Blueprints supports deploying and managing these disk management controls via the Disk management policy component. Let’s see how this looks, using the following example:

Goal

Block network storage from mounting

For more details, please see below the jump.

I can set up a Blueprint in Jamf Pro to deploy this network storage management configuration using the following procedure:

1. Log into Jamf Pro.

2. Select Blueprints

3. Click the Open button for Install disk management settings.

4. Give it a name when prompted. For this example, I’m using Block Network Storage.

5. Select a Jamf Pro smart or static group. For this example, I’m selecting a static group named Disk Management Deployment Group.

6. In the Disk Management Policy section, select the following settings:

  • Click the checkbox for Network storage.
  • Click the button for Disallowed.

7. Once all the information has been entered and verified to be correct, click the Save button.

Once everything has been configured, Jamf Pro should inform you that you have undeployed changes. Click the Deploy button to deploy the changes to the Macs you want to manage.

Once deployed, the Blueprints screen in Jamf Pro should show the newly-created Block Network Storage Blueprint as being deployed.

On your managed devices, you can verify that the new service background task configuration has been deployed by clicking on the enrollment profile, then scrolling to the bottom. In the case of this example, you should see a Device Declarations section with a listing for Disk Management.

If you click on the Disk Management listing, it should report the following:

  • Network Storage Restriction: Not Allowed

You can verify that the network storage restriction is working by running the following test:

1. Connect to a network storage server.

2. Log in using your credentials.

3. When the server presents the list of available network storage shares, select one your user account should have access to.

If the network storage restriction is working, you should receive an error when macOS tries to mount the network share. This is because the network storage restriction is acting at the time when macOS is trying to mount the network share.

Der Flounder : Rosetta 2 transition timeline announced by Apple
https://derflounder.wordpress.com/2025/06/11/rosetta-2-transition-timeline-announced-by-apple/
2025-06-11T15:21:44+00:00 rtrouton

Alongside macOS Tahoe being the last macOS version to support Macs with Intel processors, Apple has announced a transition timeline for macOS’s Rosetta 2 translation environment.

Apple first announced Rosetta 2 as being available for macOS Big Sur in 2020. It is an optionally installed binary translator for macOS, which allows applications written only for Macs with Intel processors to also run on Macs with Apple Silicon processors. As with the previous Rosetta, where the goal was to smooth the transition from PowerPC processors to Intel processors, Rosetta 2’s goal was to likewise smooth the transition from Intel processors to Apple Silicon processors by enabling Intel-only applications to run on Apple Silicon Macs. With Intel support in macOS now having an official retirement version with macOS Tahoe, Rosetta 2 is likewise transitioning over time.

Apple has committed to making Rosetta 2 in its current form available for the next two OS releases, with macOS 26 being the first OS release and macOS 27 being the second OS release. Apple has not described what will happen with Rosetta 2 beyond macOS 27, beyond stating that they will be keeping a subset of Rosetta functionality available to support certain Intel-based frameworks. The goal of the support for these not-yet specified Intel-based frameworks is to allow older unmaintained gaming titles to run on macOS past macOS 27.

Der Flounder : Deploying service background tasks using Blueprints in Jamf Pro
https://derflounder.wordpress.com/2025/06/10/deploying-service-background-tasks-using-blueprints-in-jamf-pro/
2025-06-10T19:30:46+00:00 rtrouton

As part of Apple’s discussion of Declarative Device Management (DDM) at WWDC 2024, Apple announced that DDM management on macOS 15 Sequoia and later now included the ability to manage sets of tamper-resistant files which run tasks either on behalf of the logged-in user or which run with root privileges to provide services in the background. Running these tasks may involve any of the following:

  • Executable binaries
  • Scripts
  • Configuration files for the tools being used

In turn, these tools are triggered by the following LaunchD items:

  • Launch agents – to run the task for the logged-in user
  • Launch daemons – to run the task with root privileges

Jamf Pro’s Blueprints supports deploying and managing these service background tasks via the Service background tasks component. Let’s see how this looks, using the following example:

Goal

Using a service background task to run a Jamf Pro inventory update each time the managed Mac starts up.

Tools used

  • A script to run a Jamf Pro inventory update using the Jamf agent
  • A LaunchDaemon to run the script when the Mac starts up.

For more details, please see below the jump.

To deploy this script and LaunchDaemon with Blueprints as a service background task, several things are needed. To start with, we need the following:

  1. The script
  2. The LaunchDaemon

The script is named runjamfproinventoryupdate.sh and is available below:


#!/bin/zsh --no-rcs
# This script runs the following actions:
#
# 1. Verifies that it can connect to the Jamf Pro server which manages this Mac.
# 2. Once verification is successful, an inventory update is sent to the Jamf Pro server
/usr/local/jamf/bin/jamf checkJSSConnection -retry 60 && /usr/local/jamf/bin/jamf recon
exit 0

The LaunchDaemon file is named com.github.runjamfproinventoryupdate.plist and is available below:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.github.runjamfproinventoryupdate</string>
    <key>ProgramArguments</key>
    <array>
        <string>/private/var/db/ManagedConfigurationFiles/BackgroundTaskServices/Services/com.github.runjamfproinventoryupdate/runjamfproinventoryupdate.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

One thing to note is that the LaunchDaemon is running the runjamfproinventoryupdate.sh script at the following location:

/private/var/db/ManagedConfigurationFiles/BackgroundTaskServices/Services/com.github.runjamfproinventoryupdate/runjamfproinventoryupdate.sh

/private/var/db/ManagedConfigurationFiles/BackgroundTaskServices/Services is the tamper-resistant directory where macOS is storing the executable binaries, scripts, etc. it uses to run service background tasks. The LaunchAgents and LaunchDaemons are stored in separate tamper-resistant directories within /private/var/db/ManagedConfigurationFiles/BackgroundTaskServices:

  • LaunchAgents: /private/var/db/ManagedConfigurationFiles/BackgroundTaskServices/LaunchAgents
  • LaunchDaemons: /private/var/db/ManagedConfigurationFiles/BackgroundTaskServices/LaunchDaemons

Meanwhile, the runjamfproinventoryupdate.sh script is itself being stored inside a com.github.runjamfproinventoryupdate directory. This directory is named to match the label of the LaunchDaemon being deployed to run this service background task: com.github.runjamfproinventoryupdate

Once you have the script and the LaunchDaemon available, the following items are needed:

1. A zip file which contains both the directory and file structure of the script in question.

The script is named runjamfproinventoryupdate.sh and is stored in a directory named com.github.runjamfproinventoryupdate, so the zip file needs to contain a directory named com.github.runjamfproinventoryupdate, with the script inside that directory, named runjamfproinventoryupdate.sh and set to be executable.

For this example, we’ll name the zip file com.github.runjamfproinventoryupdate.zip.

2. The SHA-256 hash of the zip file.

You can use the sha256sum command line tool to get the SHA-256 hash of the zip file, so using a command similar to the one shown below should provide that information:


sha256sum /path/to/filename_goes_here


Assuming our SHA-256 hash is 48fa6c5e25590536970e71ae4bdf02c5153dbcb12ae5a3c2c7682ac94e065582, you should see output like this when you run the command above:


username@ZWCM2JG74W ~ % sha256sum /Users/username/Desktop/com.github.runjamfproinventoryupdate.zip
48fa6c5e25590536970e71ae4bdf02c5153dbcb12ae5a3c2c7682ac94e065582 /Users/username/Desktop/com.github.runjamfproinventoryupdate.zip
username@ZWCM2JG74W ~ %


3. The SHA-256 hash of the LaunchDaemon file.

Assuming our SHA-256 hash is d913416e04862a8dfa5d58ba9ca045bc8527da7e40b9cdee608d4dcbd4104183, you should see output like this when you run the command above:


username@ZWCM2JG74W ~ % sha256sum /Users/username/Desktop/com.github.runjamfproinventoryupdate.plist
d913416e04862a8dfa5d58ba9ca045bc8527da7e40b9cdee608d4dcbd4104183 /Users/username/Desktop/com.github.runjamfproinventoryupdate.plist
username@ZWCM2JG74W ~ %


4. A place to download the zip and LaunchDaemon files from, which allows downloading without authentication.

For this example, I’ve set up an S3 bucket in Amazon Web Services named 75d831079efb4d02ada44eed4f8ae093 and uploaded the .zip and LaunchDaemon files. Once uploaded, the following files were set to be publicly accessible from that S3 bucket:

  • com.github.runjamfproinventoryupdate.zip
  • com.github.runjamfproinventoryupdate.plist

Once I have all the above available, I can set up a Blueprint in Jamf Pro to deploy the sudo configuration file as a Service configuration file.

1. Log into Jamf Pro.

2. Select Blueprints

3. Click the Open button for Service background tasks.

4. Give it a name when prompted. For this example, I’m using Run Jamf Pro Inventory at Startup.

5. Select a Jamf Pro smart or static group. For this example, I’m selecting a static group named Service Background Task Deployment Group.

6. Provide the necessary information to download the com.github.runjamfproinventoryupdate.zip and com.github.runjamfproinventoryupdate.plist files.

Task Type:

The name provided here must exactly match the label of the LaunchDaemon being deployed to run this service background task. In this case, this means that the name used here is the following:

com.github.runjamfproinventoryupdate

Description:

This is optional; you may fill this in or not as desired.

Executable asset:

This is the zip file with the runjamfproinventoryupdate.sh script inside. For this example, the following information is being used:

Launchd asset #1:

This is the com.github.runjamfproinventoryupdate.plist LaunchDaemon which is triggering the runjamfproinventoryupdate.sh script to run. For this example, the following information is being used:

Important Note

Wherever you’re downloading the LaunchDaemon file from, it’s important that the Content-Type header returned for that file matches the content type set in the service background task’s configuration. Otherwise, the service configuration task will not install on your managed Macs.

While testing this on my end, I initially could not get the configuration to work and couldn’t figure out why until I checked the headers I was getting from Amazon’s S3 service. Those headers looked similar to this:


username@computername ~ % curl -I https://75d831079efb4d02ada44eed4f8ae093.s3.us-east-1.amazonaws.com/com.github.runjamfproinventoryupdate.plist
HTTP/1.1 200 OK
x-amz-id-2: bXMExGDQxfF5mgBiaHklA8LPNrOBqpB10r1GPygtJgNmg6L7vDNFS9wNJ41/Z9H3U8SwXKqcoQk=
x-amz-request-id: QENYC85SCPY6EA41
Date: Mon, 09 Jun 2025 15:14:33 GMT
Last-Modified: Mon, 09 Jun 2025 15:10:39 GMT
ETag: "1d92da3d92ac98519e1574b2fa56f5af"
x-amz-server-side-encryption: AES256
Accept-Ranges: bytes
Content-Type: binary/octet-stream
Content-Length: 521
Server: AmazonS3
username@computername ~ %


The Content-Type header was reporting the following:

Content-Type: binary/octet-stream

Fortunately, I was able to change the content type by using the AWS CLI tool to run the following command to force the content-header I wanted for the com.github.runjamfproinventoryupdate.plist LaunchDaemon file:


aws s3 cp s3://S3_BUCKET_HERE/ s3://S3_BUCKET_HERE/ --exclude '*' --include 'com.github.runjamfproinventoryupdate.plist' --no-guess-mime-type --content-type="application/xml" --metadata-directive="REPLACE" --recursive


Note: S3_BUCKET_HERE is a placeholder for the name of the actual S3 bucket being used.

Once that was done, the headers now looked like this:


username@computername ~ % curl -I https://75d831079efb4d02ada44eed4f8ae093.s3.us-east-1.amazonaws.com/com.github.runjamfproinventoryupdate.plist
HTTP/1.1 200 OK
x-amz-id-2: bXMExGDQxfF5mgBiaHklA8LPNrOBqpB10r1GPygtJgNmg6L7vDNFS9wNJ41/Z9H3U8SwXKqcoQk=
x-amz-request-id: QENYC85SCPY6EA41
Date: Mon, 09 Jun 2025 16:43:13 GMT
Last-Modified: Mon, 09 Jun 2025 16:10:33 GMT
ETag: "1d92da3d92ac98519e1574b2fa56f5af"
x-amz-server-side-encryption: AES256
Accept-Ranges: bytes
Content-Type: application/xml
Content-Length: 521
Server: AmazonS3
username@computername ~ %


Now that the Content-Type header was reporting the following to match the application/xml content type set for my configuration, the configuration applied successfully:

Content-Type: application/xml
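Both conditions an asset has to meet, the SHA-256 hash entered for it and the Content-Type described in the note above, can be checked in one pass before deploying. The shell functions below are an added example, not part of the original post or of Jamf Pro; the function names, the ASSET_URL_HERE placeholder and the step of saving headers with curl -D are assumptions of this example.

```shell
# Pre-deployment check for one service background task asset (added example).
# Save the asset and its response headers first, for example:
#   curl -sS -D headers.txt -o asset.plist "https://ASSET_URL_HERE"

# Print the SHA-256 of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Read HTTP response headers on stdin and print the media type of the last
# Content-Type header: lowercased, without parameters such as "; charset=".
content_type_from_headers() {
    tr -d '\r' | awk -F': *' '
        tolower($1) == "content-type" {
            split($2, parts, ";")
            gsub(/[ \t]/, "", parts[1])
            ct = tolower(parts[1])
        }
        END { print ct }'
}

# Compare a saved asset against the values entered in the Blueprint.
# Args: asset file, saved headers file, expected SHA-256, expected content type.
# Prints one line per check and returns non-zero if any check fails.
preflight_asset() {
    file=$1 headers=$2 want_sha=$3 want_type=$4 rc=0
    got_sha=$(sha256_of "$file")
    got_type=$(content_type_from_headers < "$headers")
    if [ "$got_sha" = "$(printf '%s' "$want_sha" | tr 'A-F' 'a-f')" ]; then
        echo "OK   sha256 $got_sha"
    else
        echo "FAIL sha256 got $got_sha, expected $want_sha"; rc=1
    fi
    if [ "$got_type" = "$want_type" ]; then
        echo "OK   content-type $got_type"
    else
        echo "FAIL content-type got ${got_type:-none}, expected $want_type"; rc=1
    fi
    return $rc
}
```

Run preflight_asset once for the zip file and once for the LaunchDaemon file, each with its own expected hash and content type.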

Returning to our example, once all the information has been entered and verified to be correct, click the Save button.

Once everything has been configured, Jamf Pro should inform you that you have undeployed changes. Click the Deploy button to deploy the changes to the Macs you want to manage.

Once deployed, the Blueprints screen in Jamf Pro should show the newly-created Run Jamf Pro Inventory at Startup blueprint as being deployed.

On your managed devices, you can verify that the new service background task configuration has been deployed by clicking on the enrollment profile, then scrolling to the bottom.

In the case of this example, you should see a Device Declarations section with a listing for Background Tasks: com.github.runjamfproinventoryupdate.

If you click on the Background Tasks: com.github.runjamfproinventoryupdate listing, it should report the following:

  • It has an executable file – this is the runjamfproinventoryupdate.sh script
  • The count of Daemon plist files – This reflects that only the com.github.runjamfproinventoryupdate.plist LaunchDaemon was deployed.
  • The count of Agent plist files – This reflects that no LaunchAgents were deployed.

Der Flounder : macOS Tahoe is the final release of macOS with support for Macs with Intel processors https://derflounder.wordpress.com/2025/06/10/macos-tahoe-is-the-final-release-of-macos-with-support-for-macs-with-intel-processors/ 2025-06-10T02:42:05+00:00 rtrouton

In January 2006, Apple released the first generation of Macs which used Intel processors in place of the previous line of PowerPC processors. These Macs, running a special Intel-only build of Mac OS X Tiger 10.4.4, marked the second time Apple had switched processor architectures.

In 2020, Apple announced a similar third transition from Intel processors to Apple-designed Apple Silicon processors. Beginning in November 2020, Apple has steadily released new Mac models which used Apple Silicon processors and phased out Mac models which used Intel processors. The final Mac model to transition to Apple Silicon was the Mac Pro in 2023.

With Apple no longer selling any Mac models which use Intel processors, it was just a matter of time before Apple announced, as it had done for previous processor transitions, that a particular macOS release would be the final one to support Macs using Intel processors. Apple made that announcement today at WWDC 2025, as part of the Platform State of the Union session video.

For macOS Tahoe, the following Intel Mac models are supported:

  • 2019 16-inch MacBook Pro
  • 2020 13-inch MacBook Pro with four Thunderbolt 3 ports
  • 2020 iMac
  • 2019 Mac Pro