Adding iPhone/iPad to Apple Business Manager with VMware Workspace ONE and AC2

I used to create a bogus MDM server in Apple Configurator 2 (AC2) and later re-assign the device in Apple Business Manager (ABM). This doesn’t seem to work anymore. I will see the device in ABM, re-assign it, but Erase All Contents & Settings would remove the Automated Enrollment flag from the device.

I later used to get the Apple Configurator 2 URL “MDM Server URL” (available from Settings > Apple > Automated Enrollment in VMware Workspace ONE), and this seemed to be working well.

Today, I downgraded an iPhone 6s from iOS 13 beta to iOS 12.4.1 to test the beta profile, then hit Prepare > Manual Configuration > Add to Device Enrollment Program, and got multiple errors, like “Invalid Profile” or another error saying it couldn’t connect to the MDM server.

I deleted the MDM server from AC2 Preferences > Server, copied the “MDM Server URL” (available from Settings > Apple > Automated Enrollment in VMware Workspace ONE) and got the error: “Unable to verify the server’s enrollment URL. Unable to read provided data.”

After much trial and error, I found another way to prepare a device, by exporting the enrollment profile (available from Settings > Apple > Automated Enrollment > Export in VMware Workspace ONE), opening it in AC2 and copying the MDM Enrollment URL from the profile into AC2. This worked like a charm.

As a reference (obfuscated):

  • MDM Server URL:

  • MDM Enrollment URL (profile):

As a quick reminder, here’s the workflow to add an iPhone/iPad to Apple Business Manager with VMware Workspace ONE and AC2:

  1. Download and Install Apple Configurator 2

  2. Create a Wi-Fi configuration profile (File > New Profile)

  3. Go to Preferences > Organizations and log in with your Apple Business Manager Apple ID

  4. Open VMware Workspace ONE, and export the enrollment profile (available from Settings > Apple > Automated Enrollment > Export in VMware Workspace ONE)

  5. Open enrollment profile in AC2

  6. Copy “MDM Enrollment URL”

  7. Go to AC2 Preferences > Servers and add a new server, paste the MDM Enrollment URL.

  8. Create a new Blueprint (or connect a device), right click > Prepare…

    1. Prepare with: Manual Configuration

    2. Select “Add to Device Enrollment Program”

    3. Click Next

    4. Select your MDM Server

    5. Select your Organization

    6. Skip Setup Assistant steps as needed

    7. Select Wi-Fi profile (created on step 2)

    8. Click Prepare

Deploying macOS Apps with Microsoft Intune

Microsoft Intune supports the deployment of applications using InstallApplication. This opens the possibility to manage Mac computers with Microsoft Intune, and automatically push Munki to provide additional functionality.

The process for that is outlined in How to add macOS line-of-business (LOB) apps to Microsoft Intune

Make sure:

As far as I know, there’s no way to have these macOS LOB apps installed during the Setup Assistant (also called: “Bootstrap package”). In practice, the delay between enrolment and the app being deployed can be quite long (I’ve seen 5 minutes while clicking on “Sync” frantically). Also, Microsoft Intune seems to be a little slow to report success or failure in the console. Perhaps time for User Voice feedback?

Boot to macOS Recovery in VMware Fusion 11

I found the following three ways to boot to macOS recovery in VMware Fusion, sadly they don’t all work in version 11:

  1. Add macosguest.forceRecoveryModeInstall = "TRUE" to your .vmx file – however it doesn’t seem to work with APFS volumes

  2. Add bios.bootDelay = "5000" to your .vmx file and press CMD+R during boot – doesn’t seem to work (it opens VMware Boot Manager)

  3. Use vfuse from Joe Chilcote with an AutoDMG dmg with the --recovery flag (thanks Arek!)

I found a fourth way that seems to work with VMware Fusion 11:

  1. Press “R” at the VMware logo (you may need to click in the VM so it captures your keystrokes)

  2. Select Enter Setup

  3. Select Boot from a File

  4. Select Recovery,[…]

  5. Select <[…]>

  6. Select boot.efi

SSH key: How to use the keychain for the passphrase

If you use an SSH identity to connect to remote hosts, chances are you dislike typing the passphrase over and over again (especially with GitHub).

$ git pull
Enter passphrase for key '/Users/fti/.ssh/id_rsa': 

You could certainly use an empty passphrase, but there's a better way. You can actually configure the SSH client to use your keychain instead, by creating ~/.ssh/config (I set the mode to 600):

Host *
    UseKeychain yes
    AddKeysToAgent yes

Then, at the next connection, your passphrase will be saved in the keychain!

$ ssh-add -l
The agent has no identities.
$ git pull
Enter passphrase for key '/Users/fti/.ssh/id_rsa': 
remote: Counting objects: 122, done.
remote: Compressing objects: 100% (15/15), done.
 2 files changed, 2 insertions(+), 22 deletions(-)
$ ssh-add -l
2048 SHA256:1M1I1LTcAM1IA+WdfX/ch8QzJeObHcAAcM1Idfc2gy1I1  (RSA)
$ ssh-add -l
2048 SHA256:1M1I1LTcAM1IA+WdfX/ch8QzJeObHcAAcM1Idfc2gy1I1  (RSA)
$ git pull
Already up to date.
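
To check that a Mac really has the configuration described above, this added example (not part of the original post) audits an ssh config file for the 600 mode and for `UseKeychain yes` / `AddKeysToAgent yes` applying to all hosts. The function names and the constructed sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an ssh client config for the settings described above.
# Function names and the sample file are illustrative, not from the original post.

# Print the first value of option $2 that applies to every host in config $1:
# set before any Host/Match block, or inside a Host block whose patterns
# include a bare "*". ssh keeps the first value it obtains for an option.
# Match blocks are conservatively treated as not applying to all hosts.
ssh_config_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        BEGIN { applies = 1 }
        { sub(/^[ \t]+/, "") }              # drop leading indentation
        /^#/ || /^$/ { next }               # skip comments and blank lines
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line) # accept "Key=value" and "Key value"
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])             # keywords are case-insensitive
            if (key == "host") {
                applies = 0
                for (i = 2; i <= n; i++) if (f[i] == "*") applies = 1
                next
            }
            if (key == "match") { applies = 0; next }
            if (applies && key == want) { print tolower(f[2]); exit }
        }
    ' "$1"
}

# Print one finding per problem; return 0 when the file is clean,
# 1 when something is wrong, 2 when the file does not exist.
audit_ssh_config() {
    cfg=$1
    rc=0
    [ -f "$cfg" ] || { echo "MISSING $cfg"; return 2; }
    # Any group/other permission bit means the file is not mode 600 or stricter.
    if [ -n "$(find "$cfg" \( -perm -040 -o -perm -020 -o -perm -010 \
                           -o -perm -004 -o -perm -002 -o -perm -001 \))" ]; then
        echo "PERMS $cfg is accessible to group or others (expected 600)"
        rc=1
    fi
    for opt in UseKeychain AddKeysToAgent; do
        val=$(ssh_config_value "$cfg" "$opt")
        if [ "$val" != "yes" ]; then
            echo "OPTION $opt is '${val:-unset}' for all hosts (expected yes)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: a world-readable file where UseKeychain is only set
# for one host, so the passphrase prompt would keep appearing elsewhere.
sample=$(mktemp)
printf 'Host github.com\n    UseKeychain yes\nHost *\n    AddKeysToAgent=yes\n' > "$sample"
chmod 644 "$sample"
audit_ssh_config "$sample" || echo "audit failed for $sample"
rm -f "$sample"
```

UseKeychain is specific to Apple's OpenSSH build; if the same config file is shared with other systems, an `IgnoreUnknown UseKeychain` line placed before it keeps other OpenSSH clients from rejecting the file.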

Managing Microsoft SCEP / ESET Cyber Security for Mac

I've been willing to write a blog post about Microsoft SCEP for some time, but Neil Martin already did, and there's nothing left for me to add. Yet ;-)

If you’re using Microsoft System Center Configuration Manager (SCCM) to deal with Windows machines in your environment, you may notice that it comes licensed with an antivirus/malware product; Endpoint Protection (SCEP), with versions for Windows, Linux and macOS.
— Neil Martin

While it only supports 10.6 - 10.12, we had some success forcing the installation and testing with a sample EICAR virus file. I wouldn't recommend this in a production environment and would encourage you to ping your Microsoft rep. ESET Cyber Security for Mac is compatible with 10.13, so it should arrive someday soon.

  • Part 1 - Changing global settings with scep_set
  • Part 2 - Reading the logs
  • Part 3 - User-specific GUI preferences

Note: Some of this might translate to ESET using `esets_set`.

Note2: I'm not endorsing the use of this software.

Thank you Neil for your hard work!

Microsoft OneDrive: SharePoint & using the standalone installer

Microsoft OneDrive is a pretty good tool to sync OneDrive cloud storage with your Mac. It is quite similar to Dropbox, Box or Google Drive.

But when you use SharePoint, it becomes incredibly useful. You can sync your SharePoint folders locally! This is a feature that was recently merged from OneDrive for Business. All you need is to install Microsoft OneDrive on your Mac, connect to your SharePoint server, go to the folder you want to sync and click "Sync".

This is something that will make your Mac users pretty happy. 

Please note that the Mac App Store version doesn't have the same features as the standalone install. Version numbers are very similar, but the App Store version is sandboxed while the standalone version is not. It means that some features will only be available in the latter version. So get the standalone version here. Microsoft is not so vocal about it.

You will find more information on the configuration keys you can use to manage Microsoft OneDrive here: Configure the new OneDrive sync client on macOS.

There are also two interesting scripts you can use, which you can find in

  • CollectLogsStandalone.command will collect logs and settings and zip them on the desktop
  • ResetOneDriveAppStandalone.command will delete containers, logs, settings, finder extension and keychain items. 

It may be a good idea to create two Policies accessible in Jamf Self-Service to execute one or the other.

Eight Noteworthy channels on the MacAdmins Slack

The MacAdmins slack is probably the best place to meet MacAdmins today. The community is helpful, thankful and many vendors are present and listening. 

General  channels

  •  #ask-about-this-slack: where you can meet admins and get help on the MacAdmins slack
  •  #protips: see all posts tagged with a ProTip emoticon. 
  • #jobs-board: get and post job openings. A good tip is to set a notification for any new post, or matching a specific name (for example, state or country). Don't respond here or you'll get the 🐼. Use  #jobs-chat. Keep in mind that with more than 13.000 members, the hiring manager or a member of the team you'd join might be there. 
  • #blog-feed: your RSS reader on Slack. A good way to find new blogs. You can add yours with  /feed. Use #blog-chat to discuss posts. 

Specific channels

  • #dep : for the Apple Device Enrollment Program. It's also a great place to ask if DEP is down, should that ever happen
  • #autopkg : Tim and Hannes are present, and they do a great job populating the FAQ. So read it before asking questions. 
  • #microsoft-office : Microsoft engineers and PM are present and they listen carefully. They also help us whenever we're stuck on a difficult or exotic issue. 
  • #security : some of the best security researchers are there. It's good keeping an eye on this one. 

There are many, many more channels. Some focus on a specific technology, some others on a passion, and many are about a specific product. You can also find regional channels, like #macadminsfr for French-speaking MacAdmins. 

Please remember that this service is provided for free by volunteers. It's ok to be passionate, but don't spam. Please be nice and respectful to your peers to keep the community healthy. Remember there are many different cultures, some may be offended by something you consider harmless. 

Restoring from a snapshot with APFS

APFS now supports snapshots, a feature users of Virtual Machines love and can barely live without! 

You can now take a snapshot from command line by typing "sudo tmutil snapshot" in the Terminal. 

You will then be able to browse it and restore individual files using either Time Machine GUI or the "tmutil restore" command in Terminal.  

A little-known feature is the possibility to jump your computer back to a snapshot you previously created:

  1. Boot to macOS Recovery (with CMD+R) and select Restore From Time Machine Backup.
  2. Then click Continue.
  3. Select your boot drive (from where you ran the tmutil command).
  4. Select the Local Snapshot you want.

Restoring takes only a few seconds!

Reboot, and done!



For more information on APFS, I encourage you to watch Rich Trouton's talk: "Storing our digital lives: Mac filesystems from MFS to APFS" at the Penn State MacAdmins Conference 2017:

Rich will present an updated talk in a few weeks at JNUC

NSPersistentDocument: *** Assertion failure in -[NSVBSavePanel viewWillInvalidate:]

If you get the following error when saving your new NSPersistentDocument:

2017-09-17 21:14:30.531466+0200 TST_NSPersistentDocument_Override_MC[57707:11669067] *** Assertion failure in -[NSVBSavePanel viewWillInvalidate:], /BuildRoot/Library/Caches/
2017-09-17 21:14:30.543482+0200 TST_NSPersistentDocument_Override_MC[57707:11669067] -[NSVBSavePanel init] caught non-fatal NSInternalInconsistencyException 'bridge absent' with backtrace (
    0   CoreFoundation                      0x00007fff283360fb __exceptionPreprocess + 171
    1   libobjc.A.dylib                     0x00007fff4ebe4c76 objc_exception_throw + 48
    2   CoreFoundation                      0x00007fff2833be92 +[NSException raise:format:arguments:] + 98
    3   Foundation                          0x00007fff2a3d2690 -[NSAssertionHandler handleFailureInMethod:object:file:lineNumber:description:] + 193
    4   AppKit                              0x00007fff25b3ec4e -[NSVBSavePanel viewWillInvalidate:] + 188
    5   ViewBridge                          0x00007fff4c551cb3 -[NSRemoteView invalidate:] + 292
    6   ViewBridge                          0x00007fff4c55f449 -[NSRemoteView _advanceToConfigPhaseLegacy] + 1111
    7   ViewBridge                          0x00007fff4c5602dc -[NSRemoteView _viewServiceMarshalProxy:withDetailedErrorHandler:] + 230
    8   ViewBridge                          0x00007fff4c5606c5 -[NSRemoteView _viewServiceMarshalProxy:withErrorHandler:] + 78
    9   ViewBridge                          0x00007fff4c552755 -[NSRemoteView bridge] + 227
    10  AppKit                              0x00007fff25afa5f6 -[NSVBSavePanel init] + 292
    11  AppKit                              0x00007fff25afa1a1 +[NSSavePanel _crunchyRawUnbonedPanel] + 72
    12  AppKit                              0x00007fff2646c0ba -[NSDocument(NSDocumentSaving) _preparedSavePanelForOperation:] + 263
    13  AppKit                              0x00007fff2646cb1c __104-[NSDocument(NSDocumentSaving) _runModalSavePanelForSaveOperation:delegate:didSaveSelector:contextInfo:]_block_invoke_2 + 317
    14  AppKit                              0x00007fff25c0180a -[NSDocument _commitEditingThenContinue:] + 472
    15  AppKit                              0x00007fff25f97481 __62-[NSPersistentDocument _documentEditor:didCommit:withContext:]_block_invoke + 52
    16  CoreFoundation                      0x00007fff282ce52c __CFRUNLOOP_IS_CALLING_OUT_TO_A_BLOCK__ + 12
    17  CoreFoundation                      0x00007fff282b0f43 __CFRunLoopDoBlocks + 275
    18  CoreFoundation                      0x00007fff282b0d08 __CFRunLoopRun + 3128
    19  CoreFoundation                      0x00007fff282afe43 CFRunLoopRunSpecific + 483
    20  HIToolbox                           0x00007fff275cf866 RunCurrentEventLoopInMode + 286
    21  HIToolbox                           0x00007fff275cf5d6 ReceiveNextEventCommon + 613
    22  HIToolbox                           0x00007fff275cf354 _BlockUntilNextEventMatchingListInModeWithFilter + 64
    23  AppKit                              0x00007fff258cd44f _DPSNextEvent + 2085
    24  AppKit                              0x00007fff26062508 -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 3044
    25  AppKit                              0x00007fff258c225d -[NSApplication run] + 764
    26  AppKit                              0x00007fff258913fe NSApplicationMain + 804
    27  TST_NSPersistentDocument_Override_MC 0x000000010000379d main + 13
    28  libdyld.dylib                       0x00007fff4f7d3145 start + 1
    29  ???                                 0x0000000000000003 0x0 + 3

This is due to the fact that, by default, Xcode only adds the "Read Only" permission to "User Selected File".


Change it in your Target > Capabilities > App Sandbox settings and rebuild!


SplashBuddy at JNUC'17

On October 25th, we’ll do the first SplashBuddy Jumpstart 

My goal is to have you walk out of the room with a fully functional SplashBuddy install, ready to be used. 

If you’re coming to JNUC, please join us! If you’re not and interested, let me know on Twitter (@ftiff) or MacAdmins Slack (#SplashBuddy) and let’s organise a webex. I also encourage you to subscribe to the SplashBuddy newsletter to get announcements and tips & tricks.  



FSMonitor: Easily find what's being modified on your file system.

What tool do you use when you try to snoop and find which files are being modified? Do you use Jamf Composer? fs_usage? FSEventer?

Well, FSMonitor might be your new best buddy. It was soft launched earlier this year. I just cannot believe I missed it. Thank you, Armin Briegel, for telling me!


Well the website is complete enough that I don't need to add anything apart from some good use cases (Tweet/Comment if you have other ones!):

  • Find which plist gets modified from a particular setting
  • Find what files get moved/installed/removed when doing something such as installing Chrome
  • See if a process is doing stuff behind your back

Just a word of caution: Packaging is hard, try not to if you can. Sometimes, pushing the original package with a Configuration Profile might suffice. Also, events might get dropped if there are too many. That's by design from the Apple API.

I'll be talking about 'JAMF and...' at JNUC ‘17

On October 26, 2017 at 11:30 (subject to change) I’ll give my first talk at a conference. 


While I loved my Macintosh Classic when I was a kid, I really started IT with FreeBSD. I loved how simple and elegant this OS was. I’m not saying it wasn’t complex and difficult to use, but the software engineers behind seemed to like simple things (as in good design). When I heard that Apple used BSD as its underlying kernel, I quickly jumped and bought a white iBook. And that was love at first use. I missed the open source part, but how happy was I to have a computer which could do a lot out of the box. And I never looked back. 

My first job was at Apple, as an AppleCare agent. I quickly moved to Tier 2, then became a Software Test Engineer thanks to Benoit Roche. But that was just before the release of the iPhone, where all the resources were dedicated to it, and I wasn’t in the loop. I got QuickTime for Windows. Adding the fact that this was in Ireland and my girlfriend was living in Paris, I quickly resigned and came back to Paris. Well... enough digression.  

Long story short, I became a MacAdmin. And implemented Jamf Pro in 2011. I instantly loved this product, thanks to the Jumpstart. I love that it was made by and for MacAdmins. The community is positive and helpful, something quite rare in IT administration.

Six years later, I will be on stage to talk about its Open Source ecosystem.  


My goal is to invite MacAdmins to use open source projects with Jamf Pro, and get them to contribute back to the community.  

I was a consumer for ten years, until I started to release some scripts and tools. Releasing a new version of pmbuko’s KerbMinder was a major milestone for me. At that time, few people knew about Enterprise Connect, and NoMAD didn’t exist. Perhaps I helped spark the « you don’t need to bind your Mac computers anymore » by adding a login dialog box to KerbMinder. Joel and Rick did such a good job we soon decided to stop development of KerbMinder and ADPassMon. 

Then I started SplashBuddy. I focused on the things I love most: good design, open source and community. Today, many people use it. I don’t have the exact figures, but I know it’s used in many environments worldwide. The feedback has been overwhelmingly positive.

If you have an Open Source software you're using with Jamf and would like to showcase, please give me a shout on Twitter (@ftiff) or Slack.


High Sierra: Set a Global Shortcut to Lock Screen

Some time ago, I made ftiff/MenuLock to help users lock the screen of their Mac with a simple key shortcut (CMD+L, like on Windows). 

In High Sierra, this will be native with CMD+CTRL+Q, and I will deprecate MenuLock.

But this doesn't mean you cannot change the shortcut. macOS has a built-in way to change shortcuts:

  1. Open System Preferences
  2. Open Keyboard Preference Pane
  3. Go to Shortcuts tab
  4. Select "App Shortcuts"
  5. Click "+"
  6. Select "All Applications", "Lock Screen" and type your shortcut.
  7. Quit System Preferences
Adding a shortcut

Here it is!

Now, you can use CMD+L to lock your Mac. And it's changed in the Apple Menu!

Note: This shortcut is system-wide and will take precedence over any other shortcut, like going to location bar on Safari. Learning CMD+CTRL+Q is best ;-)

dot_clean -- Merge ._* files with corresponding native files

When you copy certain macOS files to a non-HFS+/APFS formatted disk (such as a file share), the metadata will be extracted from the files and put in invisible files starting with `._`.

This can lead to issues, or look like garbage when you send these files to Git.

According to Apple: 

Before Mac OS X, the Mac OS used ‘forked’ files, which have two components: a data fork and a resource fork. The Mac OS Standard (HFS) and Mac OS Extended (HFS Plus) disk formats support forked files. When you move these types of files to other disk formats, the resource fork can be lost.

With Mac OS X, there is a mechanism called “Apple Double” that allows the system to work with disk formats that do not have a forked file feature, such as remote NFS, SMB, WebDAV directories, or local UFS volumes. Apple Double does this by converting the file into two separate files. The first new file keeps the original name and contains the data fork of the original file. The second new file has the name of the original file prefixed by a “._ “ and contains the resource fork of the original file. If you see both files, the ._ file can be safely ignored. Sometimes when deleting a file, the ._ component will not be deleted. If this occurs you can safely delete the ._ file.

I don't necessarily agree that deleting them is harmless. I've seen cases where doing so would create issues. The last time I remember was while I was an assistant editor for a feature film. I did an rsync and forgot the -E flag. All the asset files lost their metadata and I had to reimport them all manually in Final Cut Pro.

An easy way to fix this is to run the `dot_clean` command, available from the optional Command Line Tools.

dot_clean /Users/fti/Git/SplashBuddy
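
Before merging or deleting anything, it helps to know which `._` files still sit next to their native file and which are leftovers. The following is an added example, not part of the original post: it classifies every `._` file under a directory, using the 4-byte AppleDouble magic number (00 05 16 07) to skip files that merely share the prefix. Function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: inventory AppleDouble "._" sidecar files before cleaning up.
# Function names and the sample tree are illustrative, not from the original post.

# Succeed only if the file begins with the AppleDouble magic 00 05 16 07.
is_appledouble() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "00051607" ]
}

# Print one line per "._" file under directory $1:
#   PAIRED           sidecar whose native file is still next to it
#   ORPHAN           sidecar left behind after the native file went away
#   NOT_APPLEDOUBLE  file that only happens to be named "._something"
audit_appledouble() {
    find "$1" -type f -name '._*' | sort | while IFS= read -r sidecar; do
        base=$(basename "$sidecar")
        name=${base#._}
        native="$(dirname "$sidecar")/$name"
        if ! is_appledouble "$sidecar"; then
            echo "NOT_APPLEDOUBLE $sidecar"
        elif [ -n "$name" ] && [ -e "$native" ]; then
            echo "PAIRED $sidecar"
        else
            echo "ORPHAN $sidecar"
        fi
    done
}

# Constructed sample tree: one paired sidecar, one orphan, one look-alike.
make_sample_tree() {
    d=$(mktemp -d)
    printf 'jpeg data' > "$d/photo.jpg"
    printf '\000\005\026\007metadata' > "$d/._photo.jpg"
    printf '\000\005\026\007metadata' > "$d/._gone.mov"
    printf 'plain text' > "$d/._notes.txt"
    echo "$d"
}

tree=$(make_sample_tree)
audit_appledouble "$tree"
rm -rf "$tree"
```

PAIRED entries are the ones whose metadata would be lost by a plain delete; ORPHAN entries no longer have a native file to merge into.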

How to pronounce my name

One of the oldest sounds I remember using on my PC was Linus Torvalds', available on If I remember well, I would do `cat > /dev/dsp` to listen to it.

So I did the same

Now you know how to pronounce my name "François Levaux-Tiffreau" but in short "François Levaux" and my nickname "ftiff" (f-tiff, not "stiff").

François is pronounced "fʁɑ̃swa":

  • fʁ: french
  • ɑ̃: la vie en rose
  • swa: swag

Levaux is pronounced "ləvo":

  • l
  • ə: about
  • v
  • o: no

There you know! It may not be as easy to remember as Puhpine Brieyen, but I'm at the WWDC and I really want to finish this blog post, send my essay for my MSc and enjoy it.

me @ SAN JO

Surfin' USA

Just a small break while packing my stuff for the WWDC. I cannot express how happy I am to finally attend it. I remember when I was 7, asking my father every weekend to drive me to Apple France to visit it. He never did. 

As WWDC is my Christmas, I'm now in the mood of reflecting back on the year that just passed.  

A lot of things happened: 

  •  Amaris and I launched an Apple Service and Competency Center. We are now partnering within Apple Professional Services and in the process of becoming Jamf Integrator. Our goal is to support internal and external needs for Apple expertise in Europe. More on that soon. 
  • SplashBuddy (formerly CasperSplash) is still not released, as I set the bar too high. The software in itself is pretty simple, but most of the work is to make it solid and easy to use. It's great to see more and more people using it.  
  • We've hired Merieme Paulouin and Christoph Fellner, two amazing MacAdmins. But more will join later this year! 
  • My partner is pregnant with another boy, making the life so much fun and interesting 🙄😂 
  • I spent most of my free time cursing about my MSc in Information Systems Management at the University of Liverpool, and I will continue to do so for the next two years... yippee!

So I hope to take the few days in San Jose to relax and learn. My priorities:

  • meet developers
  • enjoy the bay with my Stand Up Paddle
  • Attend the Keynote
  • Get a free Siri Speaker (offered to all attendees like the iSight camera, of course)

and technically, learn about:

  • UX
  • Localization
  • Cocoa Bindings
  • Best practices  

If you're around, please ping me on Slack or twitter (@ftiff). I'll be around SF/San Jose from June 2 to 10, then around Austin/Houston until 12. 

Making sense of NSOSStatusErrorDomain:-67846

Ever wondered what the errors mean when a Configuration Profile fails to install?

For example: NSOSStatusErrorDomain:-67846

The easiest way is not to go to Jamf Nation, but start with

With this, we get the following output: errSecRequestLost -- "The request was lost". A good indication that you may have a firewall trying to mess with SSL (something known as Man-in-the-Middle or MitM).

Changing the network solved this issue, and the configuration profile (SCEP Certificate) installed correctly.

KerbMinder will no longer be maintained

We announced on April 1st that KerbMinder and ADPassMon would no longer be maintained.

KerbMinder was a python script created by Peter Bukowinski that would automatically create and renew Kerberos tickets. In 2015, I became a contributor to the project and adapted it so it could run without the computer being bound to AD.

It was a game changer. Not binding to AD became cool and everyone started to talk about it. 

Ben Toms took over ADPassMon from Peter and did some awesome changes. We then created a "secret" channel on Slack to discuss how we could merge the two software together to have it create and renew Kerberos tickets, alert the user when his password was expiring and automatically mount shares (with the help of @kylecrawshaw). 

Then life got in the way. My main client bought Apple Enterprise Connect, and all the others in the team got new jobs. But Joel Rennich joined the channel.

He took over and created NoMAD with the notable help of Owen Pragel. This is what Gala would have been.

Now what's next?

Apple Enterprise Connect and NoMAD are better than KerbMinder and ADPassMon combined. 

We created the following table to assist in choosing between the two. 

In production, I've only used Apple Enterprise Connect. I can assure it's a great software, and support is amazing. I had very good feedback from NoMAD too. 

Thank you all for being part of the journey.