Welcome to my blog
Join me on my journey as I share my insights and experiences on all things Apple, Business and Entrepreneurship!
Join me on my journey as I share my insights and experiences on all things Apple, Business and Entrepreneurship!
Modern device management isn't just about enforcing policies—it's about communicating effectively with users at the right time. In JAMF Pro, Smart Groups give you powerful visibility into device state, but they don't natively solve the problem of proactive, automated user communication. Whether you're trying to prompt users to restart their machines, complete updates, or take action on compliance issues, bridging that gap requires a flexible and scalable notification system.
There are a few kinds of mistakes you make as a Mac admin. There are the ones that cost you time, the ones that cost you sleep, and then there are the ones that leave you staring at a perfectly good laptop thinking, “How did I possibly make this *less* manageable by touching it?” These mistakes often stem from a lack of understanding or experience with macOS, but they can also be the result of rushing through tasks or not taking the time to properly plan and test.
Keeping Safari updated is one of the simplest ways to harden a macOS fleet. Apple ships security fixes for Safari frequently, and those patches often land before a full macOS point release. This means that by keeping Safari up-to-date, you can ensure your users have access to the latest security protections without having to wait for a major operating system update. If Safari is lagging behind, your users are browsing the web with a larger attack surface than necessary.
If you've spent enough time living inside Jamf Pro, you eventually run into the same problem: someone set a configuration somewhere, sometime, and nobody remembers where. It might be something obscure – a certificate payload, a conditional SSO predicate, or that one security preference quietly misbehaving on three machines in accounting. And when you have dozens of configuration profiles, each with multiple payloads, nested keys, and XML-wrapped values, finding that setting can feel like forensic archaeology.
When I first wrote about troubleshooting Standard Routing Policies in Jamf Security Cloud, the goal was simple: help admins keep Microsoft Teams and Microsoft 365 traffic flowing smoothly through Jamf Trust + App-Based VPN. This straightforward objective remains unchanged, as the complexities of network configurations can often lead to frustrating issues that hinder productivity.
There’s a tipping point in every Jamf Pro environment where the policy list begins to feel like a junk drawer. Everyone means well. Nobody deletes anything. And then, months later, you’re trying to answer simple questions like: *Which policies are actually scoped? What’s no longer referenced? Why are there five versions of the same script?* This post covers a small, practical script I wrote to help you **see** what’s stale, **explain** why it’s stale, and (optionally) **park** it safely out of the way—without deleting a thing.
Most teams use Apple’s macOS Security Compliance Project (mSCP) baselines because they scale and they’re repeatable. Jamf’s tooling makes deployment straightforward and the Extension Attribute (EA) output is a convenient place to capture drift. What you don’t automatically get is the artifact an auditor will accept on a specific date—an actual document you can file that shows which endpoints are failing which items, plus a concise roll-up of failure counts you can act on. Smart Groups answer scope; they don’t produce evidence.
Keeping macOS environments up-to-date in a seamless, efficient, and low-maintenance way has always been a challenge for IT admins. Traditional package deployment workflows can be time-consuming, prone to versioning issues, and require extensive testing and repackaging. This can lead to frustration and wasted resources as IT teams struggle to keep pace with the latest updates and patches. But there's another way—a more elegant, nimble approach: scripting.
Microsoft OneDrive is widely used for syncing documents across devices, but on macOS, it can silently fail to sync certain files if they violate Windows filesystem rules — like overly long paths or invalid characters. This creates frustrating experiences for end users who don’t know why files aren’t syncing.
Enabling FileVault is a critical step in securing macOS devices, particularly in managed environments like schools, enterprises, and remote teams. For administrators using **Jamf Pro**, automating this process can simplify device onboarding and ensure compliance with disk encryption policies. This automation also helps reduce the administrative burden associated with manually configuring each device, allowing IT staff to focus on other tasks while maintaining a secure environment.
Managing and maintaining a growing collection of scripts in a GitHub repository can quickly become cumbersome without automation. Whether you're writing bash scripts for JAMF deployments, maintenance tasks, or DevOps workflows, it's critical to keep things well-documented, consistently versioned, and easy to track over time. This includes ensuring that changes are properly recorded, dependencies are up-to-date, and the overall structure remains organized.
Keeping your organization's VPN always connected is crucial—especially with Zero Trust Network Access (ZTNA) frameworks like **Jamf Trust**. One of the challenges with **Jamf Trust** is that it does *not* automatically open or reconnect on startup or login by default. However, with a combination of Jamf Pro policies, a custom script, and an extension attribute, you can ensure your users stay securely connected at all times, even when their devices are restarted or logged out. This setup helps maintain continuous access to network resources while adhering to the security standards...
As a fairly new administrator of JAMF Security Cloud, it was the ease of which its administration that admittedly drew me in. Quite an elegant solution for securing the various apps on business workstations with premade app-based VPN routing rules built right in, I was hooked. The concept is simple: turn on the policies, create your enrollment, and deploy – and you're done. This straightforward approach has made it easy to integrate into our existing workflow, allowing us to focus on more critical tasks.
Managing Secure Tokens on macOS has long been a challenge for administrators using JAMF and Automox. In my previous post, Managing the macOS Secure Token with JAMF Pro, I discussed a script-based approach to grant Secure Tokens to additional users. However, this method required administrators to manually pass usernames and passwords into the JAMF configuration—an approach that, while effective, was not ideal from a security or usability perspective. This manual process introduced unnecessary risks and added complexity to the overall management of Secure Tokens.
As promised I am continuing to look for ways to build out my JAMF Github Repo. One of the items that I have been working heavily with in my role is the macOS Compliance Project and as I am a JAMF administrator that means leveraging the JAMF Compliance Editor. The JAMF Compliance Editor gives you the ability to rapidly configure, tailor and deploy a custom baseline with the macOS Compliance Project.
If you are new to either the macOS Compliance Project or JAMF Compliance Editor, I would recommend watching and reading the following videos and blog posts on the topic. Familiarizing yourself with these resources will help ensure a smoother understanding of the project's requirements and functionality. This will also enable you to better navigate the tools and make informed decisions about your compliance setup.
As organizations continue to embrace Bring Your Own Device (BYOD) strategies, ensuring security without compromising user experience remains a challenge. This post outlines a minimum baseline for BYOD restrictions across iOS, Android, macOS, and Windows devices—providing a foundation for companies to secure personal devices while allowing employees the flexibility to work from their own hardware. While these recommendations represent best practices, they are not a one-size-fits-all solution. Each company has unique security needs, regulatory requirements, and risk tolerances, meaning these restrictions can be improved upon, debated, or modified to better...
It really depends on your company's needs. For example, many companies need to hire 1099 contractors and in such a case they come with their own devices but not the correct security settings or enforcements. Remember BYOD is a security construct. The idea here is that you should be securing the company's sensitive data in all forms. This may involve implementing policies for contractor-owned devices, ensuring that all devices accessing company data meet minimum security standards, and regularly reviewing and updating these standards to stay ahead of emerging threats.
As I continue to build out my JAMF Github Repo, it was no surprise that JAMF Extensions are one of the key and fundamental elements and features that gives JAMF its edge as an MDM. Scoping is a crucial part of what makes an MDM effective, allowing for granular control over device management. The ability to group, report, and then scope to specific custom values is what sets it apart from other MDM solutions, providing a level of precision that's essential for large-scale deployments.
As I work on building out my JAMF Github Repo, I am constantly looking at sharing some of the configurations that have worked for me and saved me time and effort. Many of these came from the JAMF Library, but some I wrote specifically due to tools and workflows that I had to tackle in my very own ecosystem. In fact, a significant portion of these custom scripts were born out of necessity, addressing specific pain points or requirements that weren't covered by existing solutions.
For those who have worked with macOS for a while, the struggle of managing secure tokens on macOS is a very real one. Let's start off with the basics. What is a secure token? In essence, it's a small hardware device that stores sensitive information, such as passwords or encryption keys, in a secure environment.
Its been a while since I have used Automox, but the premise of the tool is that it automatically patches your macOS, Linux and Windows workstations. for macOS it does this using a service account created with username _automoxserviceaccount and this account needs a secure token. The issue here is that when the package is deployed the secure token is not transferred to that account which means that it most cases it can't apply macOS updates.
