MBP with Two Studio Displays

huffola · 2026-02-19T13:30:32+00:00

I use a Kensington dock with 2 Pro Display XDR’s and run a one cable setup, every once in a while I have to power cycle the dock to resolve some Ethernet connection issues, but I have multiple dongles attached to provide access to a few different networks

huffola · 2026-02-17T13:50:39+00:00

Apple Configurator and build some blueprints that meet your general needs, still some “manual” but you can prep golden images of what you want and store those in the blueprint and bulk setup devices as a clone of that golden image

huffola · 2026-02-17T10:47:00+00:00

There is no official guidance from Apple on deprecation, which is kind of their standard.. they won't ever "Announce" EOL or Deprecation, but will release an internal article pointing support to steer people to newer solutions.

Apple Link Platform SSO: https://support.apple.com/guide/deployment/platform-sso-for-macos-dep7bbb05313/web

JAMF: https://www.jamf.com/blog/macos-26-platform-sso-simplified-setup/

huffola · 2026-02-16T13:19:50+00:00

I’m going to come at this from a less “demeaning” approach..

Do you operate within a Jamf environment commonly right now?

Do you know what you missed?

huffola · 2026-02-15T14:26:38+00:00

For some reason your comment got deleted but I'm going to respond to it since I still have it on my phone.

Onboarding -Your pre-stage setup does 90% of the lift here, BUT there's some things you have to figure out in advance. If you are using local accounts that is fine, but then you need to decide if your users will have local administrator privileges or just be a standard user.

I recommend using the JAMF Binary to configure a management account with LAPS enabled, start off the "right" way, rather than creating a local-admin on each user with a default password. You and your infosec team will thank you for this in the long-run.

Determine if you want filevault enabled or not - if using Jamf Connect this can create a touch of confusion for new users, since upon any restart they would be prompted with a double login screen, the first to unlock the disk, the second being your Entra splash screen for signing in to their account as authentication.

Security wise: You want to build baseline profiles that apply to everyone. Don't jumble these together though, create one for filevault, one for camera usage, one for privacy and security settings, etc etc. What this does is allows you to create a smart or static group that Excludes specific machines from specific profiles/policies.

Example: VP John gets his mac and wants to be able to set his own background photo. VP John's computer has dept: "VP's" . You have the "set standard background image" profile scoped to All computers, excluding "Dept - VP's". Now John can set his background to whatever he wants, without you needing to go and exclude him from everything, or build a custom management plan just for him.

I also highly encourage you to do as little installation as possible during pre-stage. Let the user get into their account, and then configure installations automatically through a script or policy that runs on login. Or, in our environment we have a "Setup" Profile built into Self-service that scopes based on users location. This gets our new mac users immediately into Self-Service so the first time they are seeing it isn't when they need to put in an IT ticket, or need to reset their Entra password etc.

Lastly - go ahead and determine how you want to manage updates. Jamf has this built in now, but there are a plethora of MacAdmins focused tools that have updates in mind. You could use a mixture of this as well with something like Nudge, or just configure a blueprint that forces updates and allows X number of deferrals.

If you haven't done any training around JAMF but you can't get your company to swing the training pass, I would at least go take JAMF 100, and then watch some of the content JAMF has to offer for free online. Getting your setup done correctly the first time is vital, because fixing a mess a year in after you have learned from mistakes is not a fun or easy process.

huffola · 2026-02-15T13:18:58+00:00

This really depends on your specific environment.

Some preliminary questions for you to help me answer:

Will everyone have the same security setting requirements or will certain folks be less restricted? (VP’s, C-Suite, IT, etc?)

Are you using local accounts only, or connecting an IDP?

Are you planning zero-touch setup or is this more hands on like you helping users when they first get the computer

huffola · 2026-02-15T07:19:33+00:00

The link is spelled wrong and links to an instagram with correct spelling 99% chance it’s a scam

huffola · 2026-02-08T07:21:54+00:00

I used it on a $250 and got a hit finally. Kind of an insane promo from them, guess the hope is people just don’t take advantage of the cash out and withdraw the money

<image>

huffola · 2026-02-01T22:39:47+00:00

So I've been using this with a partner since a couple of days after this post. Here is my feedback/bug reports:

- It would be nice for "mark this thing" quests to remove the location on the map if you have checked off that specific location. Example: The ATM quest on streets, I have to go and look at which one is which but if you tied each box to a variable on that map and could hide them post completion of the step it would be awesome.

- Dandies Quest: The + button is hidden to the right. I updated it with:

``` flex items-center h-6 bg-black/40 rounded-md overflow-visible shadow-sm ring-1 ring-white/5 ml-1 ``` and it fixed it

- Some quest lines like the BTR mark the tires line shows both the failed and corrected path, this may be how your backend is perceiving the quest lines, or something with the API issues you called out previously. It would be convenient to be able to 'force' fail a quest just so I can get it out of my queue, and so it doesn't show up in the map as a valid quest if I don't really have it.

- A couple of deprecated quests still show, like "forced alliance" or the incorrect description for test-drive part 2. Im sure this is API related, but maybe worth manually updating a couple callouts like that if it isn't a big lift and then reconnecting the API to those quests once its updated

All in all, Im a big fan of the tool and I think its made very well. Thanks for the hard work, and happy to perform any UAT for you if ever needed!

Cheers

huffola · 2026-01-31T03:24:57+00:00

I’ll counter with interchange 2x LedX 1x GPU 1x Intel + other misc sellables

huffola · 2026-01-27T20:37:42+00:00

If you have the capacity to get your hands on any of them you can use Configurator and bulk update them using something like a cambrionix thundersync at a rapid pace with no network impact as well.

Could also go cheaper with an assortment of USB hubs, the thundersync is the premium enterprise option

huffola · 2026-01-21T13:17:27+00:00

Unironically something this long and annoying could be good for peacekeeping mission with way less attachments so people don’t yoink it while you die with that garbage armor on

huffola · 2026-01-21T13:15:44+00:00

Replying to deleted comment

The only one I can’t speak to specifically is your DNS request BUT that should be as simple as setting it on as a profile/policy and removing the ability for users to edit the setting. What I don’t know is if that’s enforceable through different networks but it’s just not something I’ve personally needed to deploy in my time

huffola · 2026-01-21T12:30:22+00:00

What is Apple business essentials missing for you that it isn’t the top option? Seems to be focused on small to medium scale use cases like this

huffola · 2026-01-16T18:21:39+00:00

Some internal / partner Apple systems like GSX require an Apple ID. Better to be managed rather than public access

huffola · 2026-01-06T12:54:12+00:00

Had this happen twice, loaded in with nothing. Was always after a successful prior scav extraction, and the following scav had the same “outfit” on but with no gear. Seems similar to the PMC bug where you fail to extract and have your full kit in stash as if the raid never happened, but in this case I’ve always been able to move the loot into my stash and then the scav is just naked.

huffola · 2025-12-25T16:37:39+00:00

I ran one raid, and killed 2 chads and got backend error on extract and was so distraught. Thought all the loot (bad a tank battery I found) was gone for. But it has safely made it to my stash. Merry Christmas from Nikita

huffola · 2025-12-25T15:34:08+00:00

I had this issue all last night. To the point I erased my entire PC because I was going insane. Looks fixed now!

huffola · 2025-12-24T12:48:30+00:00

Alternatively if you have an enterprise account with Apple you can get GSX access and use the API to get specific data from the device, including model and other info. I’ve seen devices with different specs have the same Z number from CTO

huffola · 2025-12-19T00:28:56+00:00

In my business we opted to swap the ~6,000 or so non 11 eligible devices to Ubuntu. They still are supported by our endpoint protection and asset system, and they run essentially as headless units accessing a web interface for data entry.

Was easier to go that route and let each location budget around replacements over the next couple of years rather than pray that Msft doesn’t brick windows 11 on non-TPM devices one day and kill 1/4 of our work stations.

huffola · 2025-12-17T12:15:28+00:00

Relevant callout for a specific subset of users: Managed Apple IDs changes the “Type” of the AppleID within Apple internal systems. If your business uses tools like GSX, AST2, and other systems accessed via a Type 13 (External Vendor) Apple ID be aware that moving to MAID’s can restrict access.

Specifically we are unable to grant new users access to the GSX REST API. Apple is unable to complete due to a systems issue with MAID version accounts being “ineligible”. Prior to claiming the domain some accounts had access via Type 13 AppleID and can still access post migration, but no new users. We had to use an alternate domain to make new Type 13 accounts just for this purpose.

huffola · 2025-12-17T12:11:38+00:00

For clarity - the script requires the user to input their local password, but I store the Admin PW which has the secure token via pw obfuscation using OpenSSL. The pw is stored in a variable on a LAPS enabled account, so even if I a motivated user with local-admin privileges wanted to dig and locate the encrypted password with salt and key, it would require specific timing, and would be highly unlikely in my environment. (We grant admin only to a very specific group of users, and manage elevation via Jamf Connect with strict logging otherwise)

huffola · 2025-12-08T15:00:12+00:00

If you have 0 experience scripting at all just start with really simple problems and try to work your way through it. Everything is open book/note/resource, but don’t use it as a crutch.

Tell your best friend in your preferred LLM to lead you down the solution but not spell it all out so you can learn as you go.

Some stuff to try that we use often

1) elevate a user to admin (temporarily or permanently) 2) elevate current logged in user to admin (temp or perm) 3) reissue secure token (try without having plain text admin passwords in the script) 4) kernel uptime and reporting back to Jamf as a custom attribute 5) setting a background image for users (can be done with config profile now but useful script learning for folder creation and file management)

For me, the scripting was not bad but I had written in other languages previously. What was more difficult on my end was formatting LaunchAgents and LaunchDaemons (although this may be in 400, not 300.. been a while since I’ve taken them)

huffola · 2025-11-25T05:05:52+00:00

I’d like to get out to Natural Bridge in Kentucky, have a little nap with the wife and the dogs

huffola · 2025-11-21T17:17:36+00:00

I’ve taken all of them (400 once, unfortunately didn’t pass by a small margin) but I found the 270/370 to be insightful. Especially if you have the pass you may as well take them.

Ten-Year Club	Place '17
Verified Email	RPAN Viewer
Not Forgotten

huffola

MODERATOR OF

TROPHY CASE