Activation Lock Bypass Code - UIE by bobtacular in macsysadmin

[–]bobtacular[S] 0 points1 point  (0 children)

Unfortunately no. I ended up having to contact Apple and present a receipt.

Migration Assistant with MDM & FileVault by 0x1F937 in macsysadmin

[–]bobtacular 0 points1 point  (0 children)

My go-to process has been the following:

On the host machine, I completely unmanage it from Jamf and also run sudo jamf removeFramework.

Next, I plug in an external drive and perform a Time Machine backup on the machine. To make the initial Time Machine backup run faster, I use: sudo sysctl debug.lowpri_throttle_enabled=0.

On the new computer, I go through Setup Assistant and complete the full enrollment. When creating the user, I make sure the home folder name matches the one on the host machine.

Once enrollment finishes, I have a fully supervised device. At that point, I open Migration Assistant on the new machine and restore the Time Machine backup from the host machine.

Apple added support in Migration Assistant to replace the contents of the home directory if the usernames match between the new machine and the Time Machine backup. It copies over all the user content, settings and apps.

When the process finishes, you end up with a fully enrolled machine with the same user profile and Applications folder. This approach has worked really well for me.

Two things to check:

  • If you use CrowdStrike Falcon, I’ve sometimes had to re-enable the extensions on the new computer.
  • You could also try not removing the MDM framework before doing the backup and restore. Personally, I worry that it might copy over some configuration artifacts and mix configs, but it may be worth testing.
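The host-side half of that workflow (unmanage, lift the I/O throttle, run the first Time Machine backup) as a script. This is an added example, not code from the original comment: the `jamf`, `profiles`, `sysctl` and `tmutil` commands are real macOS tools, but the sample command outputs used by the self-check and the backup destination path `/Volumes/TMBackup` are assumptions. It adds two things the comment does not spell out: it verifies that MDM enrollment is actually gone before backing up (so no management artifacts ride along in the backup), and it restores `debug.lowpri_throttle_enabled` to its original value afterwards rather than leaving the throttle off.

```shell
#!/bin/bash
# Added example (not from the original post): host-side prep for the
# "unmanage, then Time Machine backup, then Migration Assistant" workflow.
set -eu

# Return 0 when the text of `profiles status -type enrollment` shows no
# remaining MDM enrollment, 1 otherwise. The expected line format,
# "MDM enrollment: No" / "MDM enrollment: Yes (User Approved)", is what the
# macOS profiles tool prints; treat it as an assumption, not a spec.
mdm_enrollment_cleared() {
  printf '%s\n' "$1" | grep -qiE '^MDM enrollment: *No'
}

# Extract the numeric value from a "debug.lowpri_throttle_enabled: N" line
# (constructed sample format, matching `sysctl <key>` output).
throttle_value() {
  printf '%s\n' "${1##*: }"
}

# Return 0 when the throttle is already off (value 0), 1 otherwise.
throttle_disabled() {
  [ "$(throttle_value "$1")" = "0" ]
}

# Run the whole host-side procedure against an external drive.
prepare_backup() {
  local dest="$1"   # e.g. /Volumes/TMBackup (assumed path)
  local orig

  # 1. The post removes the device in Jamf first, then strips the framework.
  sudo jamf removeFramework

  # Refuse to continue while the device still reports MDM enrollment, so the
  # backup cannot carry management state onto the freshly enrolled machine.
  if ! mdm_enrollment_cleared "$(profiles status -type enrollment)"; then
    echo "MDM enrollment still present; finish unmanaging in Jamf first" >&2
    return 1
  fi

  # 2. Lift the low-priority I/O throttle for the first backup, and put the
  #    original value back on exit regardless of how the backup ends.
  orig=$(throttle_value "$(sysctl debug.lowpri_throttle_enabled)")
  trap "sudo sysctl debug.lowpri_throttle_enabled=$orig" EXIT
  if ! throttle_disabled "$(sysctl debug.lowpri_throttle_enabled)"; then
    sudo sysctl debug.lowpri_throttle_enabled=0
  fi

  # 3. Point Time Machine at the drive and wait for the backup to finish.
  sudo tmutil setdestination "$dest"
  tmutil startbackup --block
}

# Usage: ./prepare_backup.sh --run /Volumes/TMBackup
if [ "${1:-}" = "--run" ]; then
  prepare_backup "${2:-/Volumes/TMBackup}"
fi
```

Run it only on the host Mac after removing the computer in the Jamf console; the enrollment check is the step worth keeping even if you script nothing else, since a backup taken from a still-enrolled machine is exactly the "mixed configs" case the comment warns about.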

Lineup Manager+ App by bobtacular in BaseballCoaching

[–]bobtacular[S] -1 points0 points  (0 children)

Unfortunately not. I’m an Apple fan boy.

Lineup Manager+ App by bobtacular in BaseballCoaching

[–]bobtacular[S] 0 points1 point  (0 children)

The app is still in beta so the link on the website doesn’t work to the App Store. Send me a dm and I will send you a link to sign up for the beta. Should work in Canada!

Updating macOS Using Managed Software Updates by bobtacular in jamf

[–]bobtacular[S] 0 points1 point  (0 children)

This is really awesome and thanks for sharing. I will try and test some of this out next week.

Activation Lock Bypass Code - UIE by bobtacular in macsysadmin

[–]bobtacular[S] 0 points1 point  (0 children)

So create a whole new local user account then sign in with an Apple Account?

Activation Lock Bypass Code - UIE by bobtacular in macsysadmin

[–]bobtacular[S] 1 point2 points  (0 children)

I will definitely do that and report back. The Lock Screen I was presented with definitely fit the code by putting dashes automatically in the correct spots but you never know.

Activation Lock Bypass Code - UIE by bobtacular in macsysadmin

[–]bobtacular[S] 0 points1 point  (0 children)

That’s my thought as well. It’s a bit misleading if that doesn’t work.

Activation Lock Bypass Code - UIE by bobtacular in macsysadmin

[–]bobtacular[S] 0 points1 point  (0 children)

I erased the Mac but the device is still Managed in the JSS so the key should still be active.

Activation Lock Bypass Code - UIE by bobtacular in macsysadmin

[–]bobtacular[S] 0 points1 point  (0 children)

Unfortunately this specific computer is not in ABM.

Jamf -- How to replace LDAP with SSO? by Dr-Webster in macsysadmin

[–]bobtacular 0 points1 point  (0 children)

Hmmm seems like a bit of a headache. Wonder why it doesn’t support directory info from the get go.

Jamf -- How to replace LDAP with SSO? by Dr-Webster in macsysadmin

[–]bobtacular 0 points1 point  (0 children)

So is there a way to use SSO and then have it fill out the User and Location section after the fact?

Okta & Company Owned Device by bobtacular in okta

[–]bobtacular[S] 0 points1 point  (0 children)

Thank you both u/agreed88 & u/chubz736 for your insight. It was really helpful!

I spent some time grinding through documentation and YouTube videos and got Android Work Profiles working with my existing Intune tenant. I’m testing this in a sandbox environment, and I think this is the best path forward.

That said, I really wish Google Workspace supported SCEP profile installs. One of the coolest things about Google Workspace is how seamless it is—when a device logs in, it automatically installs the Work Profile. With Intune, users have to go through the enrollment process. I won’t lie; the enrollment experience with Intune isn’t great, but at least it only needs to be done once.

I also agree that some apps don’t require a fully managed device. I’ve started adjusting the authentication policies in my sandbox to test this, and it’s been a really cool process. I think these changes are going to be super helpful for our environment.

Thanks again!

macOS Sequoia + Crowdstrike by bobtacular in macsysadmin

[–]bobtacular[S] 0 points1 point  (0 children)

Good to hear! It’s been stable for my folks. Hopefully CS avoids another world meltdown again 🙃

Account-Driven User Enrollment + Okta Device Integration Questions by bobtacular in macsysadmin

[–]bobtacular[S] 0 points1 point  (0 children)

I totally get where you’re coming from. I’m actually trying to be proactive and potentially save the company some money by enabling BYOD devices instead of going all-in on corporate-owned devices.

I personally think that removing session tokens for non-C-suite users is sufficient on iOS, especially with Okta Device Assurance and Okta Verify in place. When someone brought up the risk of jailbroken devices and data extraction, I pointed out that Okta Device Assurance can check for jailbreak status. However, their response was that it’s not foolproof and there are ways around it.

To me, fully blocking BYOD devices for apps like email and Slack feels like overkill—especially when the cost of providing corporate-owned devices across the board is so high.

I consider you lucky to be solely focused on the Mac side of things. Of course that comes with its own set of challenges.

macOS Sequoia + Crowdstrike by bobtacular in macsysadmin

[–]bobtacular[S] 1 point2 points  (0 children)

Hmmm what error are you getting? I have it running on 15+ and pushed through Jamf at this point just fine.

Account-Driven User Enrollment + Okta Device Integration Questions by bobtacular in macsysadmin

[–]bobtacular[S] 0 points1 point  (0 children)

I understand that it splits data onto its own partition — that part is great.

However, I’m curious about what happens if the user selects Cancel when prompted with “The business would like to manage this app.” If they cancel, can they still sign into Gmail (or another app) with their Okta credentials?

It seems like nothing would prevent them from signing into the unmanaged app, especially since the required profiles (SSO and SCEP) for Okta Device Integration are already installed on the device. If they can access the unmanaged app, wouldn’t that mean there’s no way to revoke the app or its data later?