Hello Experts,

We are in the process of deploying Microsoft Windows 365 Cloud PC across our organization. Many of our employees use Macs, and during testing we identified an issue: when connecting to Windows 365 Cloud PC from a Mac via the Windows app and running Zoom within the Cloud PC, there is a noticeable lag in both audio and video.

This issue does not occur when accessing Windows 365 Cloud PC from a Windows device, which led us to conclude that the problem is specific to Macs. We also tested with the Zoom Universal Plugin for Mac, but it did not resolve the issue.

Could you help us understand the possible cause of this problem? It seems there may be limitations related to how hardware resources are shared when connecting from a Mac. The lag is significant and has become a major source of frustration for our Mac users.

Looking forward to your guidance.

I’m curious from the Mac admin side: when you hand gear off or sell to a tech recycler, what’s the #1 thing you care about?

Is it: – Data security / erasure certificates – Rebates / recovering some value – Logistics (easy pickup etc) – Reporting / compliance (SOC 2, ISO, etc.) – Something else entirely?

I’ve seen these priorities vary a lot depending on whether the push is coming from IT, finance, or sustainability. Wondering what matters most to you in the trenches.

Ahem.. everyone.

I have made a small dylib that makes GoFetch way harder to use but doesn't mitigate it (obv it's to Apple to release a REAL mitigation).

It is only for MacOS yet (being that the nature of the patch is that it's a dylib) and personally I may have plans for the future (but uncertain) to port it to Asahi I guess...

But to try to limit it.. I have made a small dylib that tries to hint to the MacOS scheduler to use efficiency cores (E-cores) which aren't affected by GoFetch for the current process and adds some jitter to make timing less precise, disrupting this side-channel attack which relies on high-resolution timing to infer data.

The E-core trick may or may not work since it's just a hint and the scheduler is responsible for the final decision.

WARNING. This is only intended to serve as a sort of temporary trick to make the bar higher for GoFetch exploitation before Apple releases something way better for M1/M2.

Here it is (however must be compiled): https://github.com/Izgip/GoFetch-Mac-Mitigation/tree/main

You can now maybe ask for how to use it or whatever questions related to the patch:

Has anybody used Apple Business Management coupled with Apple Business Essentials. Helping a friend of my really stream line her business and she already has an iPhone, uses iPads for part of her work, and is probably gonna buy a mac mini M4 for the front desk. So she has a really good setup. Looking at 5-10 devices. 5-7 employees.

Is it good? All the videos ive seen on it are at least 2-3 years old and I know a lot can change

Edit for clarification: She owns a Head Spa

Hi everyone,

I’m the CTO and co-fonder of a very small start-up. We’ve just signed our first few clients and we’re about to onboard our very first employee (big milestone for us!), who’ll get a MacBook Pro. I’m not a sysadmin by any means, but we do need to make sure the device is sensibly secured.

I’ve read a bunch of articles online about Apple Business Manager (ABM) and MDM. Honestly, it’s a bit overwhelming. I don’t want to spend days setting up a single computer, but I also don’t want to make choices that cause long-term pain.

I’ve looked at MDM providers like Jamf and Kandji, but many seem to have minimums around 25 devices.

My questions:

• What’s the bare minimum process to onboard a single Mac properly? For example: buy from the Apple Store, set up ABM, then link it to an MDM?
• Do you know any MDM provider that works well for a tiny fleet (1–5 devices)?
• More generally, any simple, straightforward tips or gotchas for securing one Mac for a new hire?

Cheers.

(N.B.: This post is not related to Server-Side Copy.)

Hello!

To put it gently, Mac OS’ default SMB client behavior out of the box, especially when working with many small files (or just many files in general) is, well, bad. This is entirely MacOS falling down on proper SMB optimization, not a TrueNAS issue.

I know that TrueNAS’ smb4.conf already contains some MacOS-related optimizations, so I’m looking more at my client Mac now. TrueNAS’ SMB configuration also accounts for the underlying filesystem being ZFS, which generic Samba Mac optimization tutorials don’t.

A lot of those generic tutorials are contradictory and don’t explain the settings they advise, and appear to focus entirely on the server-side.

Question: Here in August 2025, is there a cohesive set of guidelines/suggestions for optimizing Mac OS’ SMB performance with TrueNAS?

I say “with TrueNAS” because a lot of guides assume a vanilla Linux Samba server is on the other end of things, and a default TrueNAS install does not start out with the same configuration as vanilla Samba.

I’m already aware of the trick for disabling the creation of .DS_Store files on SMB shares by Mac clients, and I’m using MTU 9000 because the on-board Aquantia NIC on my Mac seems to be unable to perform well at 10 Gbps without it.

Thanks!

We have some Mac Mini devices (2018 intel) that we use to execute tasks. They're not on a UPS (I know, but it's not my fault). We're losing power, and they're not turning back on. I confirmed at the command line level that the energy setting for power on after power fail is set, but it's not working.

I see a parameter for power on wait time. It's currently set to 0.

Does anyone have any ideas about how I could make this work?

MDM Platform: Intune

We’ve been pushing configurations to grant Full Disk Access to certain apps (like CyberArk, TeamViewer, SentinelOne.. etc) without user intervention. This has worked fine for a while, but recently we’ve noticed that on many of our endpoints, these permissions are suddenly disabled. We also notice on new deployments that they no longer enable.

Has anyone else experienced this in their environment? Could this be a macOS bug? All our devices are on a DDM policy and running macOS 15.6 or 15.6.1.

Curious to hear your thoughts or if you’ve found a workaround!

Tasked with hardening cybersecurity in a business that has none. I'm a solo MSP and I've never done this before so it will be an adventure. All employee devices are using their own personal iCloud accounts on the business computers. There's near zero MFA and no IT policy. All devices are existing, no new.

What I've done:

• Get login credentials for every device.
• Instructed business owner to log into her ABM and add me as admin.
• Added the Apple ID number thing and reseller ID thing.
  • I am not full admin of this business in ABM.

From what I understand, the next steps would be to:

• Gather Mac model, processor, and OSX version to ensure they are capable of being enrolled in ABM.
• Make time machine backup of device.
• Sign out of iCloud on device.
  • This also should remove "Find My"
• Reboot into diskutil and wipe.
• Enroll in company's ABM.
• Restore time machine backup

Is this correct? Bonus question: Restoring from time machine does not include iCloud account right?

Edit: There are a couple dozen devices.

Edit: To be clear, these devices are NOT enrolled in ABM but I want them enrolled. They are active working computers with employees personal Apple IDs attached.

Hi everyone,

I have a late 2012 iMac running macOS Catalina 10.15.7, and I'd like to use it as a 2nd display for my MacBook M3 Air, where I can drag windows back and fourth and stuff

Since this iMac is fairly old, I'm not sure if this is possible; if it is, I'd love any insight/help in doing so! If it involves buying specific cables or things to make it happen, I'd be willing to

Thank you!

I was surprised that I couldn't find this answer quickly. Thought I'd ask here!

Anyone know if it's possible to disable the Apple Pay / Wallet features on a macOS device via an MDM profile? We have a fleet of machines that are BYOD so not enrolled in ADE etc, just manually enrolled in Addigy via .mobileconfig Configuration Profiles.

Recently had a situation where some users got "stuck" after reboot being asked to set up Wallet (which we/they don't want) and I'd like to be able to disable that blocking prompt...

Hi Mac Team,

I was wondering if anyone had any solutions for Exam word processors on Macs for education that have dictionary, thesaursus, spell check etc turned off. I have seen ExamWritePad for windows machines, but no options for Mac.

Any recommendation would be helpful.

Thankyou.

Does anyone here use Trio MDM?

https://www.trio.so/

We are doing our POC for Kandji, and came across Trio when looking around. It basically looks like Kandji with support for windows and then it also shows you CPU usage and all… and on top of that A LIVE TERMINAL? It looks too good to be true.. is it new or something?

We use mosyle rn for 850+ Macs, did a POC for Jamf before Kandji, but didn’t like it cause it’s TOOO complicated to use for admins.

Thanks everyone!

The business I work for has decided that we don't want to allow users to login with Apple Accounts, even though we have federated our domain to Apple Business Manager. I have this working. It blocks Apple Account sign-in and adding any type of account under System Settings > Internet Accounts.

However, they have now decided that they want to allow users to add their Microsoft 365 account in Internet Accounts using the Microsoft Exchange account type.

I'm struggling to find any information on how to do this as the Internet Accounts got locked down when I disabled Apple Accounts but I didn't restrict any other account type that I am aware of. I cannot see it in my configuration profile either.

Has anyone done this before?

Ideally, it would be good to be able to have Intune configure the account automatically, but I am not expecting that to be possible. All user accounts are created with Intune using their M365 username.

We have a system that should automatically sync our MIS with ASM via SFTP. The SFTP link works and users are imported, but it used to use their email address as the AppleID, however it seems to have stopped doing this, and now just uses the default domain (which we don't really want).

We have 20+ different verified domains within ASM, which most are subdomains.

ASM forces you to choose a default domain, however we don't want this used unless they don't have an email etc.

To try and give an example without posting too much detail... A user with the email address [bob.jones@correctdomain.company.org](mailto:bob.jones@correctdomain.company.org) gets the following details in ASM:

Email: [bob.jones@correctdomain.company.org](mailto:bob.jones@correctdomain.company.org)
Managed Apple ID: [bob.jones@defaultdomain.company.org](mailto:bob.jones@defaultdomain.company.org)

Looking at the test runs from 12 months ago, Bob would have got:

Email: [bob.jones@correctdomain.company.org](mailto:bob.jones@correctdomain.company.org)
Managed Apple ID: [bob.jones@correctdomain.company.org](mailto:bob.jones@correctdomain.company.org)

I've tried Apple Support, but they have no idea what the intended functionality is, it has now gone off to further support, but this could take days or weeks to get an answer from them.

Does anyone know how it is supposed to work? Does anyone else have SFTP cretaing Managed Apple IDs on different domains? Any thoughts about how to fix it on ours?

Thanks

Hello Experts, I am looking for a free MDM tool to support iOS devices and which can be integrated with ABM. The key requirement for the tool is - It should have ADE capabilities just like Intune and it should be able to install app on the iOS device. Please, suggest.

Reading about User Profiles in Mosyle, it seems to imply that they can only work with network users (AD/LDAP). There is an option to apply them to a managed user, but apparently there can only be 1 managed user per machine. So I don't see how I'd be able to apply an admin-user config and a normal-user config separately.

For context, I'm deploying and managing a home network, so I'm thinking about separate profiles, 1 for a kid (restricted user), and 1 for an adult (admin). Additionally, thinking about a "family" computer, one that everyone in the household is using.

This seems like a perfect use case for the SSO Extension to manage users (since AD binding seems deprecated from what I've read), but then I don't know how that applies to user configs.

Any help would be appreciated 🙏

Hey everyone,

My company currently manages around 40 Mac devices using Jamf Now. It’s been great for the basics, but we’re starting to feel its limitations as we grow. I’m looking into Jamf Pro and wanted to ask if anyone here has gone through this upgrade.

Specifically:

• How was the migration process from Jamf Now to Jamf Pro? Any major challenges?
• What are the biggest differences in day-to-day management (policies, profiles, automation, patching)?
• How steep was the learning curve coming from Jamf Now?
• Do you think the upgrade is worth it for a ~40 device environment, or is it overkill?
• Any tips you wish you knew before making the jump?

We’re mainly looking for stronger inventory, patch management, and better integration with other tools. Just trying to figure out if Pro is the right move for our size, or if there are alternatives worth considering.

Thanks in advance! 🙏

Preface: I have been using WakeMeOnLan for basic Windows network administration for a few years, and it is truly wonderful to have information like NetBIOS and DNS device names and Vendor Identification for various reasons.

Until today, I didn't know of any MacOS-compatible tools that were anywhere near as useful and free. I've spent the past week working on this application from scratch with Claude and GPT-5 Agents, and I'm very pleased with the result!

WoL-Caster can operate with it's own GUI and CLI. At launch, it will scan every detected network adapter across entire subnet ranges, delivering real information on all network devices. In the MacOS menu bar of the GUI, WoL-Caster's persistent data can be imported and exported. By clicking the "📄 Export Data" sort button above the device tree, the contents of persistent data are instantly printed to a terminal window. Any amount of targets can be armed; by arming Network adapters, magic packets can be sent to any and every possible target, even if they haven't been detected. History (persistent storage) can be cleared. Other than importing and exporting .JSON files, the CLI is just as powerful, and includes a Debug mode that extends to the GUI as well, and is saved in persistent data. GUI and CLI both share the same .JSON persistent data, so certain states are saved across interfaces.

The MacOS binary is universal; I've successfully tested it on a 2012 MacBook Pro and a 2024 M3 Max MacBook Pro.

I would want to know if this tool suddenly existed, so I felt compelled to share!

WoL-Caster on GitHub

I run a few macs and an Active Directory domain (using Samba) at home, which I use for secure SSO to SMB shares and some VMs (I want to avoid NTLM and use Kerberos).

Is there any way of getting the Kerberos Single Sign-on extension working without an MDM?

As is, I manually have to open the Ticket Viewer to get a TGT before interacting with Kerberos resources, and there is no equivalent that I know of in iOS.

I already use the Apple Configurator to create profiles that I manually deploy to my devices to set up Wi-Fi, VPN, certs and the like, so a way to leverage that would be perfect.

Originally posted in k12sysadmin: Has anyone found a real-world, reliably functional, work-around to get Google Docs to play nice on MacOS machines?

Last school year our 6th-8th graders used Google Classroom extensively on MacOS devices. Working with our students with tech accommodations it quickly became apparent that Google Docs disables all of Apple's own Accessibility tools, with varied results across Chrome and Safari. Furthermore, Google Doc's own accessibility functions were extremely unreliable.

This even impacted hardware, with students having to stop using any advanced headphones (AirPods, etc.) as they would completely stop working within Google Docs, and go back to headphones that lacked any advanced features.

Significant reliability issues persisted across both Google Docs tools, and native MacOS tools, and across both Safari and Google Chrome (with some functions being more reliable in one browser, and others being more reliable in the other.)

Symptoms were random in both severity and frequency, but ultimately severe enough that by the end of the school year all of our students with accommodations were extremely frustrated and implementing their own work-arounds.

It appears that Google Docs is 'breaking' Core Services (likely, since this impacts advanced hardware relying on Core Services), or that Google Docs is so non-standard and poorly implemented that it effectively has the same result.

Has anyone here found a solution for getting MacOS and Google Docs to play nicely? Have any of you switched to iPads (research suggests these might work better)?

Thank you for any help or feedback you can provide!

We have configured a Passcode configuration profile enforcing a complex passcode of 8 characters.

However, we now see that during Account Creation in Setup Assistant, a simple 4-character passcode can still be entered. This was not possible before.

Once the user logs in, the Passcode configuration profile does not remain active until after the first reboot.

Has something changed? And how do we fix this?

Should we apply the Passcode configuration profile during the PreStage?

I have an OWC mercury raid dock with 4TB storage. I have two folders on there, one is a Photos archive @ 515.34GB and the other is a Time Machine destination @ 288.14GB. But the RAID says i've used 3.67TB ? I assume TM has a temp file or something that has ballooned, but daisy disk errors when i try to scan as administrator. Any tips? TIA