Hi! I'm a Mac admin based in Austin, TX and I've uploaded some helpful scripts and configuration profiles compatible with macOS High Sierra and Mojave. You may freely use or modify anything I upload, but please check out the MIT license.
- In macOS Mojave a user might encounter new privacy permission pop-ups when they launch apps like Microsoft Office, VirtualBox, or even Terminal. I built one giant profile at my org; here I have split it into multiple profiles based on the app so that you can upload them to your MDM server, or copy and paste what you need.
- You can find more information about the PPPC profiles from Apple: https://help.apple.com/deployment/mdm/#/mdm38df53c2a
- My profiles tend to focus on granting access to:
  - `SystemPolicyAllFiles` (example: Terminal, iTerm, or Sophos Anti-Virus)
  - `AppleEvents` (example: Dropbox, Microsoft AutoUpdate, Skype for Business, or VirtualBox)
  - `Accessibility` (example: Citrix Receiver/Workspace, Parallels Desktop, VirtualBox, or TeamViewer QuickSupport)
- You cannot pre-approve Location Services, Microphone, or Camera access.
- `skip_ChooseYourLook_signed.pkg`
  - Add this pkg to your existing imaging workflow (MDM solution/Munki/NetInstall/AutoDMG)
  - Skips the Choose Your Look screen introduced in 10.14
  - Pkg has a Product ID and is signed
- `skipprivacy_signed.pkg`
  - Add this pkg to your existing imaging workflow (MDM solution/Munki/NetInstall/AutoDMG)
  - Skips the Data & Privacy screen introduced in 10.13.4
  - Pkg has a Product ID and is signed
The scripts folder contains helpful scripts compatible with macOS Mojave and High Sierra.
- `resetTCC_mic_camera`
  - Resets the camera and microphone properties in the TCC database
  - Useful if an end user unintentionally denies access to the camera or microphone in a chat app like Skype, Slack, WebEx, or Lifesize.
- `create_admin_user`: uses `sysadminctl` to create an admin account that is granted a secureToken.
  - The script assumes the current logged-in user is an admin with secureToken (like a chain-of-trust system).
  - It uses the password passthrough option `-` to avoid plaintext passwords in the script.
  - You cannot automate this script by incorporating it into a .pkg and having it run as `root`. There must be physical user interaction by the admin via the GUI or CLI for High Sierra to grant secureToken. The `root` user does not have secureToken, therefore it cannot issue that attribute to a new user account.
  - I create a pkg that pre-stages the script at `/path/to/script.command`.
  - Use a simple LoginHook with your MDM provider, or incorporate it into NoMAD using the `SignInCommand` key in a configuration profile. Example: `open /path/to/script.command`
  - macOS grants secureToken under these scenarios:
    - You have a DEP-enrolled Mac, and your MDM service supports user creation during MDM PreStage enrollment (the only truly automated option)
    - In the GUI, either in macOS Setup Assistant or System Preferences
    - Using `sysadminctl` with the `interactive` argument
  - You can run `sysadminctl -adminUser AdminUserHere -adminPassword AdminPasswordHere -addUser NewUserNameHere -fullname "New User Name Here" -password NewUserPasswordHere -admin` and incorporate it into a pkg (or run as root), however the new user account will not receive a secureToken.
- `admin_pwreset`: Reset a user account password in High Sierra.
  - `sysadminctl -resetPasswordFor` will always create a new Keychain.
  - You don't necessarily need to know the existing user password (that you want to reset), so long as another admin user exists to authenticate.
- `outlook_timezone`: Use if a user is unable to resolve time zone mismatch errors in Microsoft Outlook 2016. I incorporate this script into a pkg to run as `root`. You may have to add `sudo` in your environment.
- `startosinstall_usbdisk`: Place a macOS 10.13.4 (or later) installer on an external USB disk and run this command to begin an erase & install of macOS.
  - If you have any additional pkgs, add them in the same directory.
  - Target must be running 10.13 (or later)
  - Not a bootable installer. Apple needs to update `createinstallmedia` to support additional flags, like:
    - `--eraseinstall`
    - `--agreetolicense`
    - `--nointeraction`
    - `--installpackage` (can be used multiple times, but keep the total number of pkgs and file sizes to a minimum)
    - `--newvolumename`
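An added example of the erase-and-install run described above (not the repo's `startosinstall_usbdisk` script): it locates the installer on the external disk, checks the target is on 10.13 or later and has an APFS startup volume (which `--eraseinstall` requires), and adds every .pkg sitting next to the installer as an `--installpackage`. The function names, the disk path and the new volume name are my own placeholders.

```shell
#!/bin/sh
# Added example, not the repo's startosinstall_usbdisk script. Runs the
# installer's startosinstall from an external disk with the flags listed above,
# adding every .pkg found beside the installer as an --installpackage.
# Assumptions: the disk path and the new volume name are placeholders passed as
# arguments; the target is checked with sw_vers for 10.13 or later and with
# diskutil for an APFS startup volume.
set -eu

# Return 0 when a "major.minor[.patch]" version string is 10.13 or newer.
os_supported() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    if [ "$major" -gt 10 ]; then return 0; fi
    if [ "$major" -eq 10 ] && [ "$minor" -ge 13 ]; then return 0; fi
    return 1
}

# Print the startosinstall argument list, one argument per line: the fixed
# flags, then one --installpackage per .pkg in $1 (glob order, so name your
# pkgs to sort in the order they should install).
# $1: directory holding the installer and pkgs, $2: new volume name.
startosinstall_args() {
    printf '%s\n' --eraseinstall --agreetolicense --nointeraction --newvolumename "$2"
    for pkg in "$1"/*.pkg; do
        if [ -e "$pkg" ]; then printf '%s\n' --installpackage "$pkg"; fi
    done
}

# Erase and install using the installer found in $1 (e.g. /Volumes/USBDISK).
run_eraseinstall() {
    dir=$1; volname=$2
    ver=$(sw_vers -productVersion)
    os_supported "$ver" || { echo "target runs $ver; 10.13 or later required" >&2; return 1; }
    diskutil info / | grep -q 'File System Personality: *APFS' \
        || { echo "--eraseinstall needs an APFS startup volume" >&2; return 1; }
    app=$(find "$dir" -maxdepth 1 -name 'Install macOS*.app' | head -n 1)
    [ -n "$app" ] || { echo "no macOS installer found in $dir" >&2; return 1; }
    # Load the argument list into "$@" so paths with spaces survive intact.
    set --
    while IFS= read -r arg; do set -- "$@" "$arg"; done <<EOF
$(startosinstall_args "$dir" "$volname")
EOF
    echo "running: $app/Contents/Resources/startosinstall $*"
    "$app/Contents/Resources/startosinstall" "$@"
}

# Usage (placeholders): startosinstall_usbdisk.sh /Volumes/USBDISK "Macintosh HD"
if [ "$#" -eq 2 ]; then run_eraseinstall "$1" "$2"; fi
```

The same argument list is what Munki passes when it drives `startosinstall`, so keeping the pkg set small here matters for the same reason the note above gives: every `--installpackage` is copied into the install environment before the erase.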
I use Munki to deploy apps and custom pkgs at my organization. Munki supports `startosinstall` to re-image already-deployed Macs.
- An admin (or the user) visits Managed Software Center and downloads the macOS installer as an `OnDemand` `optional_install`
- Munki supports the `startosinstall` command; I add additional flags like:
  - `--eraseinstall`
  - `--agreetolicense`
  - `--nointeraction`
  - `--installpackage` (can be used multiple times, but keep the total number of pkgs and file sizes to a minimum)
  - `--newvolumename`
The profiles folder contains helpful mobileconfig files for use with your MDM service. The `PayloadRemovalDisallowed` key may be set to a `-bool` value of `true` or `false` depending on the profile. Please adjust the profile removal restrictions as needed when uploading to your MDM service.
- Hide 32-bit Alerts: suppresses the 32-bit compatibility warnings for legacy software in High Sierra and Mojave
- Suppress secureToken Window: suppresses the secureToken activation window that appears when an Active Directory-bound account signs into the Mac for the first time. Helpful for loaner Macs or computer lab environments
- Skip Choose Your Look: skips the Setup Assistant screen for choosing between Light and Dark mode in Mojave
- Skip Privacy Warning: skips the Setup Assistant screen for Data & Privacy in High Sierra and Mojave
- `block_macosbeta`: Prevents users from installing macOS beta releases
- `chrome_settings`: Sets some basic Chrome browser settings including:
  - preset bookmarks folder on bookmarks toolbar
  - preload Chrome extensions
  - set Java and Flash URL exceptions
  - set homepage
  - set first run tabs
  - previous versions of this profile set Chrome as the default browser; however, in macOS High Sierra the user will still encounter default browser confirmation alerts regardless of whether that specific key is preconfigured in a profile
- Multiple Microsoft Office profiles: Settings to reduce the number of dialog windows needed to configure a user account if your org is using Office 365.
  - Suppresses "new feature" alerts & autodiscover auto-acceptance alerts.
  - Suppresses user requests for diagnostic info.
  - Sets the default save location to a "local" Mac location, and not OneDrive.
- `delay_updates`: Delay macOS software updates by 30 days. Apple has the ability to bypass this restriction to push critical security patches.
- `disable_icloud_sync`: Allows users to enable iCloud Drive on their Mac; however, the iCloud Documents & Desktop sync feature is disallowed
- `disable_pw_change`: If your users should reset their local Mac passwords using NoMAD, this restriction disables the Change Password button in System Preferences. Admins may still reset user passwords using the `sysadminctl` command or via your MDM service
- `expand_dialogs`: Forces the expanded save and print dialog windows in macOS
- `kernelext_symantec`: Allows macOS to load kernel extensions for Symantec Anti Virus 14
- `nomad_example`: template for deploying NoMAD in your environment
- `block_profiles`: Prevents users from clicking the Profiles pref pane in System Preferences
- `lock_screen`: multiple settings for the lock and login screens
  - Sets a lock screen message (and prevents users from changing it)
  - Allows Touch ID and auto unlock with Apple Watch
  - Disables the guest account
  - Enforces fast-user switching
  - Requires a user password 5 seconds after screensaver or sleep
  - Shows the Sleep, Restart, and Shutdown buttons at the lock screen
  - Disables auto user login
  - Presents username and password fields instead of user account icons at the lock screen.
  - Note: The FileVault login screen will always show user account icons
- `menubar_icons`: Hide the Siri button in the menu bar, and always show:
  - AirPlay
  - Wi-Fi
  - User's full name (for fast-user switching)
  - Battery icon with percentage
  - Bluetooth (macOS hides this by default)
  - Clock
  - Volume (hidden by default)
  - VPN (hidden by default)
- `enable_firewall`: enforces the firewall; installed apps are able to receive incoming connections