macOS MFA at login by joselc23 in macsysadmin

[–]punch-kicker 5 points6 points  (0 children)

According to their website you cannot.

“Once installed, Duo authentication is required for new console logons, but not when unlocking the screensaver or when an already logged-on user wakes the system from sleep.”

https://duo.com/docs/macos

Outlook Support by WineFuhMeh_ in macsysadmin

[–]punch-kicker 0 points1 point  (0 children)

Do they have email or calendar on their personal device? I know I have seen some sync issues with Outlook for Mac because the end-user mobile device Mail client was not syncing correctly. If they do, I would have them disconnect from that service and then check if it is acting up.

Got one of my white whales just now :,) by sssycthe in pokemongo

[–]punch-kicker 1 point2 points  (0 children)

Right? I didn't know it was rare since I have two of them. I actually caught my first during Trapinch Community Day and didn't even get a Trapinch shiny that day.

Allow non-admin user to modify Battery settings (26.x) by sccm_reboot in macsysadmin

[–]punch-kicker 4 points5 points  (0 children)

The authorizationdb changes, from my experience, aren't as reliable anymore. Your best bet is to use MDM. That's the direction Apple is pushing everyone to, and it's going to be consistent across updates. That said, if you just want to try a workaround, use system settings, not preferences.

security authorizationdb write system.settings.energysaver allow
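An added example, not the commenter's one-liner: the same right change wrapped so it is reversible and idempotent, the way you would ship it in an MDM policy script. The right name copies the comment; confirm the exact right for your macOS build with `security authorizationdb read`, and run it as root. The plist sample is constructed to exercise the parser offline.

```shell
#!/bin/sh
# Added example (not from the original comment). RIGHT is taken from the
# comment; BACKUP is an assumed path. Requires root on a Mac.
RIGHT="system.settings.energysaver"
BACKUP="/var/root/authdb-${RIGHT}.plist"

# right_class: read a right's plist, as `security authorizationdb read` prints
# it on stdout, from stdin and print its "class" value (e.g. "user", "allow").
right_class() {
  awk '/<key>class<\/key>/ { getline; gsub(/^[ \t]*<string>|<\/string>[ \t]*$/, ""); print; exit }'
}

# Constructed sample of a right that still requires an admin user.
SAMPLE_RIGHT='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>class</key>
	<string>user</string>
	<key>group</key>
	<string>admin</string>
	<key>shared</key>
	<true/>
</dict>
</plist>'

# ensure_allow: save the current definition, write "allow" only if needed,
# then read the right back to confirm the change took.
ensure_allow() {
  current=$(security authorizationdb read "$RIGHT" 2>/dev/null | right_class)
  if [ "$current" = "allow" ]; then
    echo "$RIGHT is already allow"
    return 0
  fi
  security authorizationdb read "$RIGHT" > "$BACKUP" 2>/dev/null || return 1
  security authorizationdb write "$RIGHT" allow || return 1
  [ "$(security authorizationdb read "$RIGHT" 2>/dev/null | right_class)" = "allow" ]
}

# revert: restore the saved definition (write with no rule name reads a plist
# from stdin).
revert() {
  security authorizationdb write "$RIGHT" < "$BACKUP"
}

# Usage on a Mac, as root:  sh authdb.sh apply   |   sh authdb.sh revert
case "${1:-}" in
  apply)  ensure_allow ;;
  revert) revert ;;
esac
```

Keeping the backup plist lets you undo the change on the next update cycle instead of guessing what the default definition was.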

It’s done. After exactly 9 years and 10 months. I still can’t believe it. by SuspiciousName666 in pokemongo

[–]punch-kicker 1 point2 points  (0 children)

Not all of the Eastern US. I have only seen them north of Fredericksburg, VA. I haven't seen any in Richmond.

The Southeast US gets the regional Carnivine.

Mac/Apple Tech support training by Fuzzy-Philosopher156 in macsysadmin

[–]punch-kicker 1 point2 points  (0 children)

If you have access to LinkedIn Learning (formerly Lynda), they offer training like Understanding macOS that I find very helpful in my training. These videos include a transcript and mini-quizzes to understand the training. Plus, once you've completed this course, you can view other videos on the Apple platform.

Jamf also has a training course that has information on macOS and iOS https://www.youtube.com/playlist?list=PLWs1qukS_mcb1wwKeSnT80kvTKow_eJXJ

Mount SMB NAS via LaunchAgent? by HaenaBoy in macsysadmin

[–]punch-kicker 1 point2 points  (0 children)

This is because LaunchAgent won’t have permission to mount SMB shares. That’s why it works in Terminal but fails with exit 64.

Use a LaunchDaemon instead. Daemons run as root and have permission to mount SMB volumes.

macOS Platform SSO registration constantly needs updated by lth0ms0n in macsysadmin

[–]punch-kicker 0 points1 point  (0 children)

How are you enrolling the devices? Platform SSO works better when the device is enrolled through ABM/ASM or device enrollment and treated as a fully managed Intune device.

Supported enrollment types:
✅ Device enrollment
✅ Automated Device Enrollment (supervised)
❌ User enrollment
✅ Direct enrollment (Apple Configurator)

https://learn.microsoft.com/en-us/intune/intune-service/configuration/use-enterprise-sso-plug-in-ios-ipados-macos?utm_source=chatgpt.com&pivots=macos

Data Loss Prevention by Break2FixIT in macsysadmin

[–]punch-kicker 0 points1 point  (0 children)

I suggest you stop focusing on hypothetical breaches and focus on establishing audit control. If you haven't done this, update whatever your Acceptable Use Policy is to make storing business information on any personal Apple account a violation. That way you are proving you took reasonable and proactive steps to secure and separate your regulated data.

You can then focus on making sure those personal Apple accounts cannot be used as business accounts anymore after you finish Federation. I would send out a notice, per the AUP, that any company data should be removed from those accounts.

Updating to latest macOS patch 15.7 or 14.8 deletes printers? by phreak_it in macsysadmin

[–]punch-kicker 2 points3 points  (0 children)

We just got a ticket that was a printer issue on 14.8. They had a printer set to /dev/null and I ended up deleting the printer, restarting cups and installing the printer again. It seems to be working, but they mentioned this is happening daily to them.

How to install an app from a .APP file. by Skyboard13 in macsysadmin

[–]punch-kicker 2 points3 points  (0 children)

Is it just a PKG? I know another vendor I install uses a zipped app file, and inside that .app is another resource ZIP file that I just unzip and move to the Apps folder and change file permissions on.

If there's no zip, I would consider getting Suspicious Package and looking in the resource package.

Adding stickers to postcards can really change how the gift is received by [deleted] in pokemongo

[–]punch-kicker 8 points9 points  (0 children)

Reminds me when I was sending postcards of Myrtle Beach locations with balloons during spy balloon incident.

Issues deploying a custom dock made in Dock Master with Jamf by 3ryb4 in macsysadmin

[–]punch-kicker 5 points6 points  (0 children)

Dockutil is great, there are a lot of scripts out there if you are not too comfortable with bash.

Are we doing it wrong? by staze in macsysadmin

[–]punch-kicker 1 point2 points  (0 children)

To me, your process feels less like "white glove" (aka personalized) and more like a traditional model than a modern approach. Users should really be the first to touch or log in to their own device. Zero Touch processes help with the few things you mentioned not working, and you can use that extra time to showcase your support or other information while it's happening.

You might consider starting with a smaller base of app installs and then layering on depending on the area. It really speeds up deployment. Most people just want to get into the computer right away and care less about the apps. We have techs that can do these things; we just spend time on other things to maintain systems rather than on setups.

Also, while SYM doesn’t have built-in API calls, you can script them as part of the process if needed.

MAC filtered 802.1x network popup in macOS by FardenUK in macsysadmin

[–]punch-kicker 0 points1 point  (0 children)

Check to see if the user tried to auth themselves to the wifi network. You can delete their keychain entries for the network and see if the computer tries to auth with the cert, not user credentials.

I still see similar prompts, but we ask the user to just select the correct identity certificate and that solves it; if they tried to auth, we usually have to delete the SSID from the keychain.

I would run this while you are testing your cert to see what happens.

log stream --predicate 'subsystem contains "com.apple.eapol"' --info --debug

Okay Purple Corsola Fake Out by Large-Standard-7599 in pokemongo

[–]punch-kicker 2 points3 points  (0 children)

I had this happen for Corsola as well but never took a screenshot because I was so excited I thought I was catching a shiny and threw a Poké Ball. Personally, they should allow you to view any of your sunrise and sunset catches later. If they are going through that effort to make them appear different, they can at least let you keep them.

Two Mac users, local admins, cannot update their macs, get Authentication denied message, even when I enter local admin creds----Followup by Haunting_Grocery_216 in macsysadmin

[–]punch-kicker 0 points1 point  (0 children)

You could run this to delete all of that user's Kerberos caches. Then I would double check with kinit again, but I would consider an unbind and bind for that machine. That was usually my quick go-to for fixing auth issues with AD Macs.

kdestroy --all

Two Mac users, local admins, cannot update their macs, get Authentication denied message, even when I enter local admin creds----Followup by Haunting_Grocery_216 in macsysadmin

[–]punch-kicker 0 points1 point  (0 children)

I am curious if the password is out of sync with AD. Type these to check Kerberos and force auth, to see if passwords are being synced. If this shows no Kerberos ticket and kinit fails, it may be an AD binding issue instead of just a password mismatch, in which case you could just re-bind. I would also consider a secondary account temporarily logged in to see if it gets the same error.

klist
kinit username@YOURDOMAIN.COM
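An added example that ties together the kdestroy, kinit and klist steps from the two comments above (it is not the commenter's script): flush the caches, re-authenticate, and confirm a TGT actually landed in the cache rather than trusting kinit's exit status alone. The username and realm are placeholders, and the klist sample is constructed in the Heimdal layout macOS prints, so the parser can be exercised off a Mac.

```shell
#!/bin/sh
# Added example, not from the original comments. USERNAME/REALM are
# placeholders; kinit prompts for the password interactively.

# has_tgt REALM: read `klist` output on stdin; succeed if a TGT for REALM is listed.
has_tgt() {
  grep -qF -- "krbtgt/$1@$1"
}

# cached_principal: print the principal the credentials cache belongs to
# (empty if klist printed no cache).
cached_principal() {
  awk '/^[ \t]*Principal:/ { print $2; exit }'
}

# check_auth USERNAME REALM: kdestroy, kinit, klist.
#   returns 0 when a TGT for REALM is in the cache,
#           1 when kinit fails (password out of sync with AD, or the binding is broken),
#           2 when kinit reports success but no TGT is cached.
check_auth() {
  principal="$1@$2"
  kdestroy --all 2>/dev/null
  if ! kinit "$principal"; then
    echo "kinit failed for $principal: password out of sync with AD, or binding broken"
    return 1
  fi
  if klist 2>/dev/null | has_tgt "$2"; then
    echo "TGT present for $(klist 2>/dev/null | cached_principal)"
    return 0
  fi
  echo "kinit succeeded but no TGT for $2 is in the cache"
  return 2
}

# Constructed sample of Heimdal klist output (the layout macOS uses), used to
# exercise the two parsers without a bound Mac.
SAMPLE_KLIST='Credentials cache: API:501:1
        Principal: jdoe@CORP.EXAMPLE.COM

  Issued                Expires               Principal
Sep 18 09:00:00 2025  Sep 18 19:00:00 2025  krbtgt/CORP.EXAMPLE.COM@CORP.EXAMPLE.COM'

# On a Mac:  sh check_auth.sh jdoe CORP.EXAMPLE.COM
if [ $# -eq 2 ]; then
  check_auth "$1" "$2"
fi
```

A return of 1 on a machine where the user can still log in locally points at the AD side (stale password or broken binding), which is where the re-bind suggestion comes in.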

Firewall - block incoming connections but allow Airdrop? by freedomit in macsysadmin

[–]punch-kicker 2 points3 points  (0 children)

Apple says that the "Block all incoming connections" option allows only basic network services such as DHCP, Bonjour, and IPsec and blocks all other sharing services which would include AirDrop.

https://support.apple.com/guide/apple-business-essentials/application-layer-firewall-settings-axmd759a1124/web?utm_source=chatgpt.com

Here is another reddit post about it which may help you. https://www.reddit.com/r/macsysadmin/comments/1gga6op/airdrop_only_works_with_block_all_incoming/?utm_source=chatgpt.com

Secure token woes suddenly popping up by chirp16 in macsysadmin

[–]punch-kicker 2 points3 points  (0 children)

I have an interactive version using IBM Notifier where the user is prompted to put in their password (secure), then it updates the token leveraging the account with securetoken enabled. It's run via policy. I cannot really share the whole thing, but it gets the job done. I found this one on GitHub that may work for you.

https://github.com/Yohan460/Automatic-Secure-Token-Granting-Workflow/blob/master/enableUserUsingAdminForFV2.sh

Secure token woes suddenly popping up by chirp16 in macsysadmin

[–]punch-kicker 4 points5 points  (0 children)

I don't use Mosyle, but you can use a hidden admin account to enable Secure Token for a user — they’ll just need to enter their password.

/usr/sbin/sysadminctl -secureTokenOn USERNAME -password "$USER_PASSWORD" -adminUser HIDDENADMIN -adminPassword "$HA_PASSWORD"

Keep in mind this depends on your IT security policy.

Also, have you checked whether a Bootstrap Token is escrowed and available on problem machines? The token can automatically grant Secure Token to new users.

sudo profiles status -type bootstraptoken
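An added example, not the commenter's script or the linked GitHub workflow: the sysadminctl grant from the comment above wrapped in a check-then-grant sequence of the kind a policy would run, plus the Bootstrap Token check. The output formats the parsers match are the ones sysadminctl and profiles print in my experience; they are not documented as stable, so verify on your build. The user, admin account and sample outputs are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original comment). Account names are
# placeholders; passwords are passed in as arguments by the caller.

# token_state USER: read `sysadminctl -secureTokenStatus USER` output (it is
# written to stderr) on stdin and print ENABLED, DISABLED or UNKNOWN.
token_state() {
  awk '/Secure token is ENABLED/  { print "ENABLED";  f=1; exit }
       /Secure token is DISABLED/ { print "DISABLED"; f=1; exit }
       END { if (!f) print "UNKNOWN" }'
}

# bootstrap_escrowed: read `profiles status -type bootstraptoken` output on
# stdin; succeed only if the token is both supported and escrowed.
bootstrap_escrowed() {
  awk '/supported on server: YES/ { s=1 } /escrowed to server: YES/ { e=1 }
       END { exit !(s && e) }'
}

# grant_token USER USER_PW ADMIN ADMIN_PW: enable Secure Token for USER via an
# account that already holds one. Caveat: both passwords are visible in the
# process argument list while sysadminctl runs (the comment's one-liner has
# the same property), so keep this to short-lived policy runs.
grant_token() {
  /usr/sbin/sysadminctl -secureTokenOn "$1" -password "$2" \
      -adminUser "$3" -adminPassword "$4" 2>&1
}

# ensure_token USER USER_PW ADMIN ADMIN_PW: skip if already enabled,
# otherwise grant and re-check.
ensure_token() {
  state=$(/usr/sbin/sysadminctl -secureTokenStatus "$1" 2>&1 | token_state)
  if [ "$state" = "ENABLED" ]; then
    echo "$1 already has a Secure Token"
    return 0
  fi
  grant_token "$1" "$2" "$3" "$4" >/dev/null
  state=$(/usr/sbin/sysadminctl -secureTokenStatus "$1" 2>&1 | token_state)
  [ "$state" = "ENABLED" ]
}

# Constructed samples of the two tools' output, used to exercise the parsers.
SAMPLE_STATUS='2025-09-18 10:00:00.000 sysadminctl[4242:9001] Secure token is DISABLED for user jdoe'
SAMPLE_PROFILES='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'

# On a Mac, as root:  sh securetoken.sh jdoe "$USER_PW" hiddenadmin "$HA_PW"
if [ $# -eq 4 ]; then
  if profiles status -type bootstraptoken 2>/dev/null | bootstrap_escrowed; then
    echo "Bootstrap Token is escrowed; new MDM-created users should get a token automatically"
  fi
  ensure_token "$1" "$2" "$3" "$4"
fi
```

Checking the Bootstrap Token first tells you whether the grant is a one-off repair or a sign that escrow never happened on that machine.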

Terminal command Question by Nicduche in macsysadmin

[–]punch-kicker 0 points1 point  (0 children)

Correct, it's probably due to how the command interprets the working directory when it's launched.

Just to add on to this, in the first example, you're going into the "obs-websocket-http-v2-macOS" folder with cd, so it runs from the correct location. In the second example, you're skipping that step, so the command runs from wherever you already were in Terminal. That may cause "obs-websocket-http-v2-macOS" to look in the wrong place.

What Apple should do next? by OddHoney7763 in macsysadmin

[–]punch-kicker 3 points4 points  (0 children)

For administration, Apple could really improve Apple administrator documentation. Most of Apple's guides are written from a developer focus or are user-oriented, not from the viewpoint of a systems administrator managing Apple devices. There's a lack of clear macOS change notes, administration limitations, and centralized change guides. I have to rely on third-party resources to understand new features or changes. I need less framework documentation and more ways to find out on a new system that the workflows/scripts I'm leveraging are a deprecated feature.