macOS
macOS is the operating system developed by Apple for their Macintosh computers. It is the software that runs on Apple's desktop and laptop computers, providing users with a graphical user interface (GUI) and a wide range of features and functionalities. macOS offers a seamless integration with other Apple devices and services, along with a rich ecosystem of applications and software. It provides a user-friendly and secure computing environment for Mac users, enabling them to perform various tasks, access the internet, run applications, and manage their files and data.
- Apple Silicon M1 / M2 Native Client Support and Rosetta
- Bootstrap Token Management on macOS
- Change Administrator User Password on macOS
- Customised Screen Saver (macOS)
- Deploy Folder with Icons (macOS)
- Deploying CUPS printers (macOS)
- Deploying iOS Applications to macOS Devices Using FileWave
- Microsoft Enterprise Platform Single Sign-on for macOS
- EUD Security Guidance: macOS 10.13+
- FileVault
- Firmware Password (macOS 10.14 Mojave+)
- Full macOS Model name to Inventory (Custom Field)
- Hide local macOS admin users
- How to Create Local User Accounts on macOS 10.15+
- Login Window Banner (Agreement Policy) for macOS
- macOS 11 Compatible Devices (Custom Field)
- macOS 14 Compatible Devices (Custom Field)
- Admin Password management (MDM Command - macOS)
- macOS 26 Compatible Devices (Custom Field)
- Message to macOS User
- Notify Users with a dialog (macOS)
- Remove Casper JSS Client Components
- Understanding Free Space on APFS Volumes
- Wipe Device for macOS
- Troubleshooting
Apple Silicon M1 / M2 Native Client Support and Rosetta
What
14.8+ FileWave Client PKG installer now installs a native M1 or M2 client, negating the need for Rosetta 2.
macOS 26.4 will start to notify end users that Rosetta will be end of life in macOS 27.
Source: Apple EOL Advisory: Intel-Based Apps and Rosetta Dependencies on Apple Silicon
Prior FileWave client installers were for Intel only and relied on the PKG installer to install Rosetta 2 for M1 / M2 compatibility. Rosetta 2 will not be disabled on clients that already have Rosetta 2 enabled. Since newly enrolled clients, starting with 14.8.x+, will not install Rosetta 2, any other software requiring Rosetta 2 will require a Fileset to install Rosetta 2.
Note that the Administrator app still requires Rosetta 2.
When/Why
This update is for Apple M1 / M2 devices only. The installer is now a universal binary for either processor type.
How
Both the standalone DMG installer and the Custom PKG will now support both Intel and M1 / M2 natively. Create a new 14.8+ FileWave client installer from our Custom PKG Builder. The client upgrade Fileset will naturally be taken as native by macOS also.
Enable Rosetta 2
Below is an example of a script that could be used to enable Rosetta 2 through FileWave if still required for other software like the FileWave Administrator app:
#!/bin/zsh
# Determine OS version
osvers=$(sw_vers -productVersion)
# Check to see if macOS is 11 or greater
if [ ${osvers%%.*} -ge 11 ]; then
# Check processor type
processor=$(/usr/bin/uname -p)
if [[ "$processor" != "arm" ]]; then
echo "$(date) processor: ${processor}. No need to install Rosetta."
else
# Check if Rosetta process is running and instal if not found,
# perform a non-interactive install of Rosetta.
if [[ ! $(/usr/bin/pgrep -x oahd) ]]; then
/usr/sbin/softwareupdate --install-rosetta --agree-to-license
if [[ $? -eq 0 ]]; then
echo "$(date) Rosetta has been successfully installed."
else
echo "$(date) Rosetta installation failed!"
exitcode=1
fi
else
echo "$(date) Rosetta already installed. Nothing to do."
fi
fi
else
echo "$(date) Mac is running macOS $osvers"
echo "$(date) No need to install Rosetta on this version of macOS."
fi
exit 0
Here is a Fileset that uses the above example script: Install Rosetta 2.fileset.zip
Bootstrap Token Management on macOS
Introduction
macOS 10.15 Catalina introduces a new method of SecureToken enablement called Bootstrap Token. This is an MDM-based management feature to automatically provide a SecureToken on all mobile account logins. This does not affect how local accounts get SecureTokens.
What is SecureToken?
Apple introduced Secure Token as a method of creating a “chain of trust” on a machine. The result was that only a trusted user could be created from another trusted user, and only those trusted users could leverage FileVault. This ensured that - from Apple’s perspective - the machine and users on it are secure.
For many Mac admins, the Secure Token feature introduced with macOS High Sierra has been a cause for great consternation. It has forced IT teams to adjust their management workflows to be able to administer and manage devices differently, given that Secure Tokens are critical in order to safely create Mac users and manage their FileVault full disk encryption (FDE) credentials.
Why the Consternation with SecureToken?
The challenge presented by the introduction of Secure Token was that the chain of trust ultimately made user and FileVault management much more challenging. An organization’s mobile and network accounts with Apple devices did not have the ability to create users that would be granted Secure Tokens.
Only the original user on the machine was granted a Secure Token and only that account could go on to create subsequent users that would properly be granted a Secure Token. This overhead severely impacted the ability of Mac admins to remotely manage their fleet of Mac systems.
What is the Benefit of Bootstrap Token?
Catalina can give the first mobile account to log in a SecureToken if no other accounts have a SecureToken yet, but the benefit of Bootstrap Token comes when multiple users log into an encrypted machine. All mobile accounts that log in automatically get a SecureToken without having to hand one off manually.
What Happens Under the Hood?
If support of Bootstrap Token management is implemented on the MDM server-side, during device enrollment command Settings / MDMOptions with flag AllowBootstrapToken = True should be sent to the device. In this case, the device will send SetBootstrapToken and GetBootstrapToken requests to the MDM server later at the appropriate time.
To check the current status see "checking status" below
There are two main communications for SecureToken: SetBootStrapToken and GetBootstrapToken.
SetBootstrapToken request
When the first admin account is created (see Figure 1.1), MDM request SetBootstrapToken (requires DEP enrolled client) is sent from the device to the FileWave MDM server. The MDM server handles this request by storing the Bootstrap Token for the device in the appropriate place (FileWave encrypts and stores this in the inventory database).
|
|
| Figure 1.1 |
Warning: There is one limitation - If you automatically create an admin during enrollment, the SetBootstrapToken request will not be sent.
| Figure 1.2 - Not Suppressed (Token sent) This is Default DEP |
Figure 1.3 - Suppressed (Token will not be sent) Setup assistant user is standard |
| Figure 1.4 - Suppressed (Token will not be sent) No user during setup assistant |
| Trigger Escrow |
Escrowing of Bootstrap Token to server can be called with:
If the SetBootstrapToken request was properly sent to your MDM server, the output will be
If you got this error after the initial command:
The FileWave server may not be able to handle the request; make sure it is running 13.2 or greater |
GetBootstrapToken request
When a new mobile account is created (manually or automatically, see "Examples" section) MDM request GetBootstrapToken (requires DEP enrolled client) is sent from the device to MDM server (it requires a Device Enrollment Program enrolled client). The MDM server should handle this request properly by returning the stored Bootstrap Token of the appropriate device. As a result, when a mobile account logs in a SecureToken will be enabled on the account. A list of which accounts can unlock the FileVault disk can be shown by the next command:
diskutil apfs listcryptousers /
There you can see the UUID of the mobile account as well as the Bootstrap Token External Key:
Cryptographic users for disk1s5 (9 found)
|
+-- JJJJJJJJ-UUUU-IIII-OOOO-AAAAAAAAAAAA
| Type: Local Open Directory User
|
+-- KKKKKKKK-LLLL-MMMM-NNNN-BBBBBBBBBBBB
| Type: MDM Bootstrap Token External Key
|
+-- GGGGGGGG-WWWW-QQQQ-ZZZZ-CCCCCCCCCCCC
| Type: Local Open Directory User
|
+-- BBBBBBBB-AAAA-MMMM-BBBB-AAAAAAAAAAAA
| Type: iCloud Recovery User
|
+-- DDDDDDDD-0000-EEEE-DDDD-EEEEEEEEEEEE
| Type: iCloud Recovery External Key
|
+-- TTTTTTTT-0000-WWWW-TTTT-WWWWWWWWWWWW
| Type: Personal Recovery User
|
+-- NNNNNNNN-EEEE-SSSS-NNNN-EEEEEEEEEEEE
| Type: Institutional Recovery User
|
+-- JJJJJJJJ-0000-CCCC-JJJJ-CCCCCCCCCCCC
| Type: Institutional Recovery External Key
|
+-- AAAAAAAA-EEEE-FFFF-CCCC-DDDDDDDDDDD
Type: Personal Recovery Key
Compare that list with
sudo fdesetup list
to show the same UUIDs of the accounts that have SecureTokens:
localadmin, JJJJJJJJ-UUUU-IIII-OOOO-AAAAAAAAAAAA
mobileaccount,GGGGGGGG-WWWW-QQQQ-ZZZZ-CCCCCCCCCCCC
Check Escrow/Server Status
To check if Bootstrap Token was escrowed to the server, the same command as above can be used:
profiles status -type bootstraptoken
| Server Supported | Server Does not support |
|
|
| Not Escrowed | Escrowed Done |
If the Bootstrap Token was not escrowed on the server (SetBootstrapToken request was not sent to MDM server or was not handled by MDM server properly), the output will be:
You can manually trigger (see "Trigger Escrow") |
If the Bootstrap Token is already on the server the output will be:
|
Examples when Bootstrap Token helps
Example 1 - mobile account is created manually by an admin which doesn't have a Secure Token
Problem:
In macOS 10.15+ with FileVault is turned on, a network account login without Secure Token escrowed will be prompted for an admin who does have a secure token.
| Figure 2.1 |
Solution:
With the token escrowed, there is no need to enter a SecureToken administrator's name and password anymore - "Bypass" can be safely pressed and the new mobile account will be shown at the startup window after the device reboots.
To disable SecureToken for an admin, use:
sysadminctl -secureTokenOff
To check if Secure Token is enabled or not, use:
adminsysadminctl -secureTokenStatus
Example 2 - mobile account is created automatically when profile Mobility is used
With macOS 10.15 and FileVault turned on, profile Mobility was installed on the device with the option 'Create mobile account when user logs in to network account'.
| Figure 2.2 |
After a network account login, a mobile account is created automatically (as the "Bypass" button from the dialog "Enter a SecureToken ..." was pressed implicitly). A new mobile account will be shown at startup window after the device reboots.
In comparison: when the same actions are done on macOS 10.14, there is one additional dialog (see figure 2.1) to enter a SecureToken administrator's name and password during the auto-creation of a mobile user. If "Bypass" will be pressed, the new mobile account will not be shown at the startup window after the device reboots and FileVault should be enabled manually for each new mobile account.
Summary
If FileVault is already encrypted, the new mobile account(s) will be added to the preboot unlock user list automatically. No need to update preboot and do other additional work like past OSes.
Change Administrator User Password on macOS
This article will guide you through importing a Fileset that will give you the ability to change the Administrator password on macOS devices.
Requirements:
- FileWave Admin
- macOS Client
Steps to Deploy:
-
Download and Import the Fileset
- Download Change Admin Password (Ventura+).fileset.zip
- Import the Fileset into FileWave Admin.
-
Edit Environment Variables
- This Fileset uses Environment Variables to determine the Admin username, current password, and new password. You need to edit these variables to add your Admin account information and new password.
- To do this, double-click on the Fileset to open it.
-
Navigate to the Script
- Update Environment Variables
- Test your deployment
- Finally, deploy the Fileset to a test device with this Admin account and update the model.
- Verify the new password works after deployment.
Tested on macOS Ventura and Sonoma (macOS 13+). The script should reflect a proper success or failure in Fileset Status if the AdminPassword or AdminUsername value is incorrect.
Customised Screen Saver (macOS)
Description
Use this example Fileset to install a custom macOS screen saver (.saver) that displays a static image or custom HTML/JavaScript, then set it as the login window screen saver with a profile.
Ingredients
- FileWave Central
- Example Fileset: Example_FileWave.saver.zip
Taken from: https://github.com/tlrobinson/WebSaver
Directions
Fileset Installation
- Download and unzip the
Example_FileWave.saver.zipattachment from this article. - Import the Fileset in FileWave Central.
Customize the screen saver name (optional)
- Open the Fileset contents.
- Expand
/var/scripts/498452. The number will differ in your Fileset. - Select
FileWaveExampleScreenSaver.sh.
- Select Get Info > Executable.
- Set LaunchArgument 1 to the desired screen saver name, replacing
FileWave. - Repeat the same LaunchArgument change for
RemoveFileWaveScreenSaver.sh.
Customize the source file (optional)
- Replace
/tmp/FileWave.saver/Contents/Resources/fw.pngwith the image you want to display. - Edit
/tmp/FileWave.saver/Contents/Resources/index.htmland replacefw.pngwith the new image filename.
Optional
You can replace the entire contents of index.html with your own HTML/JavaScript if the screen saver should show more than a static image.
Test
Associate the Fileset to a test Mac first. After installation, the example screen saver should appear as shown below:
Set Screen Saver as Default
- Open Profile Editor and select Login Window.
- Set Use screen saver module at path to
/Library/Screen Savers/FileWave.saver. ReplaceFileWave.saverwith your custom name if you changed it above.
Login Window profile requirement
Edit an existing Login Window profile if you already use one. If this is your first Login Window payload, review the other profile settings before deploying it.
Deploy Folder with Icons (macOS)
Description
This article shows how to deploy macOS folders or applications with custom icons. Apple changed how Finder stores some icon metadata, so older packaging methods may deploy the folder but miss the icon.
Information
This process has three parts:
- Create a Fileset that includes the folders or applications with custom icons.
- Create an activation script.
- Set the script properties so FileWave passes the folder or application paths to the script.
1. Create the Fileset
To build the Fileset, first apply a custom icon to the folder or application on macOS. Choose Get Info on the folder or application, then drag the icon or image file onto the icon at the top of the Get Info window:
Create a standard Fileset from that folder or application.
2. Create an activation script
Highlight the Fileset and choose the script icon.
In the window that opens, select Activation Script, then create a script. In this example, the script is called add-xattr.sh. The script should contain:
#!/bin/bash
{
for directory in "$@"
do
xattr -wvx com.apple.FinderInfo '00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00' "$directory"
done
}
3. Change the script properties
After you create the script, highlight it and choose Properties.
Edit the Executable tab so the launch argument matches the path to the folder or application that has the custom icon.
Associate the Fileset. When the Fileset deploys, the folder or application should keep the chosen icon.
Multiple folders with icons
The Fileset can contain multiple folders with custom icons. For each folder with a custom icon, add a matching launch argument in the Executable tab.
Deploying CUPS printers (macOS)
Before you begin
We first need to setup the CUPS printers on a single test device. Once they are manually setup please test each individual printer and ensure they work as you'd like them to before proceeding. Note that you want to setup ONLY the printers you want to deploy via CUPS in this method. If possible have these as your only printers on the device to make things easier.
Creating Fileset
1.) Create a new folder on your Desktop(or anywhere safe) titled cups
3.) Copy the following files into your cups folder on the desktop:
- printers.conf
- printers.conf.O
- the entire ppd folder
The ppd folder should show the names of all the printers you manually setup. If you have other printers you don't want to deploy delete them from the ppd folder in the new location before proceeding.
4.) Open terminal and give full access to the config files via the below commands:
$ sudo -s
$ chmod 755 /Users/<your user here>/Desktop/cups/printers.conf
$ chmod 755 /Users/<your user here>/Desktop/cups/printers.conf.O
To make things easier you can type chmod 755 and then drag/drop the file into terminal to have it automatically fill in the appropriate path.
5.) Create a new empty fileset. Filesets > New Desktop Fileset > Empty
6.) Open your fileset by double-clicking on it and uncheck "Hide unused folders"
7.) Click on etc/ to highlight it and then click "Import File/Folder"
- If asked to replace a folder go ahead.
8.) Import the cups folder that you created on your desktop.
9.) In the fileset click the arrow to the left of etc and then to the left of cups to show the contents of the folders. This should match the folder on your desktop with all files included
10.) Highlight printers.conf then click "Get Info" at the top, click the verification tab and select "Download if missing" then click Apply at the bottom right.
11.) Repeat step 8 for printers.conf.O as well.
12.) Test deploy by sending to a single machine and verify it works properly before deploying out to the rest of your clients.
The reason we change the verification settings for only these two files is that the printers.conf and printers.conf.O files are dynamically changing when any changes are made regarding printers on the end computer. Filewave would detect the change and then try to overwrite the config with what's in this filset thus potentially breaking the printers on your devices.
Deploying iOS Applications to macOS Devices Using FileWave
What
FileWave can associate iOS app Filesets with compatible macOS devices. If Apple allows the app to run on Mac and your organization has available licenses in Apple School Manager or Apple Business Manager, FileWave can install that app on eligible macOS devices.
When/Why
When to Use
Use this when an iOS/iPadOS app is also available for Mac, often because the vendor ships it as a Universal app or Catalyst app. Associating the iOS app Fileset with macOS devices lets you:
- Expand app availability: Provide a Mac-compatible iOS app to users on supported Macs.
- Reuse the existing assignment workflow: Manage the app through the same iOS app Fileset instead of building a separate macOS package.
- Keep app access consistent: Offer the same app to users who move between iPad and Mac workflows, when the vendor supports that use case.
Why This Feature Matters
Apple silicon Macs running macOS 11 Big Sur or later can run supported iPhone and iPad apps when the app developer allows Mac availability. In FileWave, this means organizations can:
- Use available app licenses: Assign eligible app licenses to compatible Macs.
- Support mixed Apple fleets: Make the same supported app available across iPad and Mac where the vendor permits it.
- Track deployment from FileWave: Monitor installation through FileWave instead of treating the Mac install as a separate manual process.
How
Prerequisites
Before deploying iOS applications to macOS devices, ensure the following conditions are met:
- Compatible macOS devices: Devices must be running macOS 11 Big Sur or later on Apple silicon.
- Compatible applications: The iOS/iPadOS app must be available for Mac. If the developer has disabled Mac availability, FileWave cannot force the app to install on macOS.
- Licenses: Sufficient licenses must be available through Apple School Manager (ASM) or Apple Business Manager (ABM).
Monitoring and Troubleshooting
- License availability: Make sure enough licenses are available. If licenses are exhausted, the app will not install on additional devices.
- Deployment status: Use FileWave Central to monitor deployment status and confirm installation.
- Compatibility issues: If the app fails to install, confirm that the app is available for Mac and that the device meets Apple's requirements. If the app installs but will not open, the app vendor may need to update the app for macOS compatibility.
Related Content
Microsoft Enterprise Platform Single Sign-on for macOS
What
Platform Single Sign-on (Platform SSO or PSSO) extends Apple's Extensible SSO framework to the macOS login and account experience. For Microsoft Entra ID deployments, this workflow builds on FileWave's Microsoft Enterprise SSO plug-in for Apple devices guidance and Apple's Platform Single Sign-on for macOS framework.
With password authentication, Platform SSO can synchronize the user's local macOS account password with their Microsoft Entra ID password. Depending on the operating system version, identity provider support, and payload settings, Platform SSO can also support other authentication methods such as Secure Enclave-backed platform credentials or smart cards.
After registration, Platform Single Sign-on status appears under the user's account in System Settings > Users & Groups:
When/Why
Use Platform SSO when you manage Mac computers with FileWave and want users to sign in with their Microsoft Entra ID identity while reducing local password drift. This builds on the Microsoft Enterprise SSO plug-in by extending the SSO experience closer to the local Mac account and login workflow.
How
Below are the main requirements and deployment steps to review before using the example profile.
Platform SSO requirements
A Mac running macOS 13 or later. Microsoft currently recommends macOS 14 Sonoma or later for the best Entra Platform SSO experience, and some newer Apple Platform SSO features require later macOS versions.
A mobile device management (MDM) solution that supports the Extensible Single Sign-on payload with Platform SSO settings. In FileWave, this means an MDM-enrolled Mac, such as Automated Device Enrollment or User Approved MDM enrollment.
An identity provider and SSO extension that support the Platform SSO authentication method you plan to use.
For Microsoft Entra ID Platform SSO, Microsoft lists the Company Portal app version 5.2404.0 or later, Microsoft Authenticator, and user permissions to register or join devices to Microsoft Entra ID as requirements.
One of the supported authentication methods for your deployment. This example focuses on password authentication, where the user's local password and Entra ID password are synchronized.
Note: If the Mac is unenrolled from MDM, Apple notes that the Mac is also unregistered from the identity provider.
WS-Trust federation
WS-Trust federation is supported in macOS 13.3 or later. This allows Platform SSO to authenticate users when their account is managed by an identity provider federated with Microsoft Entra ID.
Deployment
The example below uses a Profile Fileset with a default password-authentication Platform SSO configuration:
- Profile - Entra ID Platform SSO.fileset.zip
Install the Microsoft Company Portal app before targeting users for Platform SSO. You can deploy it through FileWave or have users install it manually. Microsoft provides the current Company Portal app here: Company Portal app.
Please note: Company Portal is required for Microsoft's Platform SSO implementation because it contains the Microsoft SSO extension. Users generally do not need to configure Company Portal directly, but the app must be present and current enough before Platform SSO registration is expected to work.
End-user interaction required
After successful deployment, the user should see a Registration Required notification in macOS:
When the user starts registration, macOS and Microsoft Entra ID will prompt the user to authenticate. Depending on the configuration, this can include entering the local or Platform SSO password and completing Microsoft Entra device registration:
After registration, the user can confirm status in System Settings > Users & Groups by clicking the information button next to their account. The Platform Single Sign-on section should show the configured method, registration state, and token state.
Notes and Observations
- If multi-factor authentication is enabled in your environment, Microsoft app sign-in prompts depend on your Microsoft Entra ID and Conditional Access/security settings.
- The downloadable example Fileset is a starting point. Review the payload, registration-token placeholder, authentication method, and tenant-specific settings before deploying it in production.
Related Content
- Microsoft Enterprise SSO plug-in for Apple devices KB
- Apple documentation: Platform Single Sign-on for macOS
- Microsoft Learn: macOS Platform Single Sign-on overview
EUD Security Guidance: macOS 10.13+
Information
The Nation Cyber Security Centre has various guides on security. This article covers a section of the End User Device Security Collection and how to use FileWave to monitor or follow the guidance as laid out:
From the document:
This guidance was developed following testing performed on MacBook Pro and MacBook Air devices running macOS 10.13 (High Sierra)
It's important to remember that this guidance has been conceived as a way to satisfy the 12 End User Device Security Principles. As such, it consists of recommendations and should not be seen as a set of mandatory instructions requiring no further thought.
Risk owners and administrators should agree a configuration which balances business requirements, usability and security.
As set out from the list, here are some solutions. For descriptions of Configuration Profiles, please consult FileWave Profile Editor section.
Custom Fields
Below are additionally some custom fields for reporting on the status of pertinent settings. These have been described as if using the new Custom Fields introduced in 12.7+.
For using these Custom Fields with earlier versions of FileWave, these will need to be added as Filesets and edited to write custom values to the client using fwcld.
The Custom Fields provided are examples using English. Where searching for text in response to a command is concerned, if the OS is running a different language, the script may need to be altered to match.
Assured data-in-transit protection, VPN Profile
VPN may be configured using Configuration Profiles
Assured data-at-rest protection, FileVault
FileVault may be configured using Configuration Profiles
Custom Field to show current FileVault status:
#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:
# my_var=${ENV_VAR_NAME}
#
fv_status=$(fdesetup status 2>/dev/null)
error_code=$?
if [ $error_code -ne 0 ]
then
echo "Error: "$error_code
else
case $fv_status in
*"Off"*)
echo "Off"
;;
*"On"*)
echo "FileVault"
;;
*)
echo "$fv_status"
;;
esac
fi
exit 0
Custom Field to show if device supports FileVault Authenticated Restart. N.B. This requires FileVault to be enabled to work.
#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:
# my_var=${ENV_VAR_NAME}
#
filevault_auth_bypass=$(fdesetup supportsauthrestart) 2>/dev/null
if [ $? -ne 0 ]
then
echo Unsupported
else
echo $filevault_auth_bypass | sed -e 's/t/T/g' -e 's/f/F/g'
fi
exit 0
Authentication
Either:
* Users have two passwords – one for FileVault 2, and one to login and unlock their device (see Provisioning Steps for how to achieve this)
* Or users have one password which fulfils both requirements.
DEP Profile can include a local admin account to be created during enrolment, which could be hidden.
The user should be required to authenticate to the device in line with your organisation’s authentication policy (see Authentication Policy).
This user’s login password derives a key which encrypts certificates and other credentials, giving access to organisational services.
Secure boot
Set an EFI (firmware) password to make it more difficult for an attacker to modify the boot process. However, with physical access, the boot process can still be compromised.
Firmware password can be set using the provided recipe: Firmware Password (macOS 10.14 Mojave+)
Custom Field to show Firmware Status:
#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:
# my_var=${ENV_VAR_NAME}
#
if [ -e /usr/sbin/firmwarepasswd ]
then
firmware_status=$(firmwarepasswd -check | awk '{print $NF}')
error_code=$?
if [ $error_code -ne 0 ]
then
echo "Error: "$error_code
else
echo "$firmware_status"
fi
else
echo "N/A"
fi
exit 0
Platform integrity and application sandboxing, SIPs
SIPs is on by default and is unlikely to be disabled. However, FileWave has a default inventory item to check that SIP is enabled:
Application whitelisting
Use the MDM to whitelist default macOS applications. Use GateKeeper to prevent the installation and running of unsigned applications. An organisation application catalogue can also be used which only contains enterprise-approved or in-house applications.
Custom Field to display Gatekeeper version:
#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:
# my_var=${ENV_VAR_NAME}
#
defaults read /var/db/gkopaque.bundle/Contents/Info.plist CFBundleShortVersionString
exit 0
Malicious code detection and prevention
XProtect is built into macOS. It has a limited signature set which is maintained by Apple to detect widespread malware. XProtect will also restrict vulnerable plugin versions (such as Java) to limit exposure. Several third-party anti-malware products also exist which attempt to detect malicious code for this platform. Content-based attacks can be filtered by scanning capabilities in the organisation.
Custom Filed to display XProtect version:
#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:
# my_var=${ENV_VAR_NAME}
#
defaults read /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist Version
exit 0
Security policy enforcement
Mark MDM profiles as non-removable so the user cannot remove them and alter their configuration.
General setting of each profile has an option to deny profile removal under the Security option.
External interface protection
USB removable media can be blocked through MDM if required. If an EFI password is set, DMA is only possible when the device is booted and unlocked.
Restrictions profile may be used to control access to external media
Device update policy
MDM can be used to audit which App Store software and OS versions are installed on a device. The attached script will turn on automatic updates, but this cannot be achieved remotely with MDM.
By default, this cannot be achieved over MDM. However, FileWave has the option for a Custom Settings profile that could control this over MDM
Event collection for enterprise analysis
macOS logs can be viewed by a local administrator on device, or from a distance using remote administration tools. Third-party software can also be used to automate log collection.
Client Info has an option to view Command History. Client Info and Client Monitor have the option to view FileWave logs by default.
Viewing macOS logs would involve another method. Options could include:
- Fileset Activation Script to read the file. Output of scripts can be viewed in the Fileset Status view; right click on Script and choose 'View Script Output'.
- Remote Control of device
- Fileset Script to upload these files to a secure share
Example Activation Script:
#!/bin/bash
cat /private/var/log/system.log
exit 0
Incident response
“macOS devices can be locked, wiped, and configured remotely by their MDM.”
Additional Custom Fields
Firewall Status:
#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:
# my_var=${ENV_VAR_NAME}
#
fw_status=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)
error_code=$?
if [ $error_code -ne 0 ]
then
echo "Error: "$error_code
else
case $fw_status in
*"disabled"*)
echo "Off"
;;
*"enabled"*)
echo "Enabled"
;;
*)
echo "$fw_status"
;;
esac
fi
exit 0
Local Admins:
#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:
# my_var=${ENV_VAR_NAME}
#
/usr/bin/dscl . -read /Groups/admin GroupMembership | cut -d " " -f 3- | tr " " ","
exit 0
#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:
# my_var=${ENV_VAR_NAME}
#
declare -a HiddenAdmins=()
function check_hidden {
while [ $# -gt 0 ]
do
IsHidden=$(dscl . read /Users/$1 IsHidden 2>/dev/null | awk '{print $NF}')
if [[ $IsHidden -eq 1 ]]
then
HiddenAdmins+=($1)
fi
shift
done
}
check_hidden $(/usr/bin/dscl . -read /Groups/admin GroupMembership | cut -d " " -f 3-)
echo ${HiddenAdmins[@]} | tr " " ","
exit 0
Visible Admins:
#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:
# my_var=${ENV_VAR_NAME}
#
#!/bin/bash
declare -a VisibleAdmins=()
function check_hidden {
while [ $# -gt 0 ]
do
IsHidden=$(dscl . read /Users/$1 IsHidden 2>/dev/null | awk '{print $NF}')
if [[ ! $IsHidden -eq 1 ]]
then
VisibleAdmins+=($1)
fi
shift
done
}
check_hidden $(/usr/bin/dscl . -read /Groups/admin GroupMembership | cut -d " " -f 3-)
echo ${VisibleAdmins[@]} | tr " " ","
exit 0
Installed Security Updates:
#!/bin/zsh
declare -a output_array=()
get_pkg_name=0
function check_duplicate {
if [ ${#output_array[@]} -eq 0 ]
then
output_array+=($1)
else
array_counter=0
while [ $array_counter -lt ${#output_array[@]} ]
do
array_counter=$(( array_counter + 1 ))
if [[ "$1" == "${output_array[${array_counter}]}" ]]
then
break
fi
if [ $array_counter -eq ${#output_array[@]} ]
then
output_array+=($1)
fi
done
fi
}
/usr/libexec/PlistBuddy -c 'Print ' /Library/Receipts/InstallHistory.plist | while read line
do
case "$line" in
*"Security Update")
get_pkg_name=1
;;
*"Security Update"*)
check_duplicate "${line##* }"
;;
*"com.apple.pkg.update.os"*|*"com.apple.pkg.update.10"*)
if [ $get_pkg_name -eq 1 ]
then
sec_number=$( echo "$line" | awk -F "." '{print $(NF-1)}' | sed 's/[A-Za-z]*//g')
check_duplicate "${sec_number}"
get_pkg_name=0
fi
;;
esac
done
echo ","${output_array}"," | tr " " ","
exit 0
Firmware Unlock Seed (password recovery key). A new key is generated with each password change. Firmware password changes require a reboot before reporting correctly. Key may only be used by Apple.
#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:
# my_var=${ENV_VAR_NAME}
#
# Retrieve firmwarepassword unlockseed. Response may only be used by Apple to unlock the device.
# Firmware status
check_firmware=$(firmwarepasswd -check | awk '{print $NF}')
if [[ "$check_firmware" != "No" ]]
then
unlock_seed=$(firmwarepasswd -unlockseed &>/dev/null)
if [ $? -eq 0 ]
then
echo $unlock_seed
else
echo Error
fi
else
echo Disabled
fi
exit 0
Preparation for deployment
The steps below should be followed to prepare your organisation's infrastructure for hosting a deployment of these devices:
Set up an MDM server (e.g. Profile Manager on macOS Server). This may require setting up the Open Directory component of a macOS Server.
Ensure all Configuration Profiles are signed to prevent modification in transit, or post install
Create policies on Profile Manager for:
* Ensure 'Use SSL' is selected for all server settings
* VPN
* Passcode
* Disk encryption and key escrow
* Exchange/Mail/Calendar Settings.
* Disabling access to the Preference Panes in Restrictions (macOS) for iCloud and Network as access to these could be used to disable the VPN.”
FileWave can be used to mimic Profile Manager and much more.
It is worth noting however, that FileWave does not have the option to sign Configuration Profiles. This is a current Feature Request: FW-19687.
Recommendation in this case would be to use Profile Manager to sign the profile and then import this into FileWave. It is also possible to achieve this from the macOS command line:
/usr/bin/security cms -S -N "Certificate Common Name" -I "/path/to/original.mobileconfig" -o "/path/to/create/signed.mobileconfig"
Signing certificates can be generated if you have a Apple developer account or if you already have a macOS Server running and then added to the keychain prior to signing.
Policy Creations
- YES - Use SSL in various Payloads
- YES - VPN payloads
- YES - Passcode payloads
- YES - Disk Encryption with Personal and Institutional Recovery Key
- Partly - Profile may be applied to enforce both/either Institutional and Personal Recover Key. Currently storing the Personal Recovery Key is not supported. There is a Feature Request for this: FW-20543
- YES - Exchange/Mail/Calendar Settings.
- YES - Disabling access to the Preference Panes in Restrictions (macOS) for iCloud and Network as access to these could be used to disable the VPN.
“Additional Consideration
* Whitelist applications to further reduce the risk of malicious code being execute
* Tighten permissions on USB mass storage and optical devices to help prevent data loss through removable media
* Use Restrictions to blacklist locations from which users should not run applications, or whitelist trusted applications that users are allowed to run
* Include internal CA Certificates where appropriate to ensure users can authenticate network services
* Include corporate network profiles (e.g. 802.1X or Wi-Fi) to ensure that network access credentials are distributed securely”
-
YES - Whitelist applications to further reduce the risk of malicious code being execute
-
YES - Tighten permissions on USB mass storage and optical devices to help prevent data loss through removable media
-
YES - Use Restrictions to blacklist locations from which users should not run applications, or whitelist trusted applications that users are allowed to run
-
YES - Include internal CA Certificates where appropriate to ensure users can authenticate network services
-
YES - Include corporate network profiles (e.g. 802.1X or Wi-Fi) to ensure that network access credentials are distributed securely
Feature Requests
Where Feature Requests have been noted, please view release notes for added features in future updates.
This KB Contains public sector information licensed under the Open Government Licence v3.0.
http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/
FileVault
FileVault - Getting Started
Please Note
Setting up FileVault 2 with FileWave is supported with MDM enrolled macOS devices only! MDM enrolled devices are such that went through DEP enrollment or had the MDM profile installed manually.
These advanced steps are for system administrators and others who are familiar with the command line and FileWave.
What you need to begin
- FileWave version 12.9+
- macOS 10.9+ MDM enrolled in FileWave
- macOS devices have to be MDM enrolled in FileWave
What is FileVault 2
FileVault full-disk encryption (FileVault 2) uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk.
FileVault 2 has three different decrypting mechanisms:
- If a user is a part of "FileVault users", successful login unlocks FileVault
- A Personal Recovery Key (PRK) can be generated for each user and used to unlock FileVault
- An Institutional Recovery Key (IRK) - which is actually a cryptographic key pair - can be used to unlock FileVault
Setup
Full Disk Encryption Assistant
- Open the FileWave Admin
- Assistants → Full Disk Encryption Management → FDE Configuration Management...
- Once you click the "+" on the bottom left you will then be able to select the recovery key type on the right
- Personal (PRK): This will prompt the user their "FileVault Recovery Key" that the end-user will need to keep for decryption (FileWave will be able to escrow this key later)
- Institutional (IRK): A key will need to be created on your macOS device and then imported into the Disk Encryption Configurations window. Please follow the steps below
Institutional Key Creation and Import
Create an IRK keychain using the following command
sudo security create-filevaultmaster-keychain ~/Desktop/FileVaultMaster.keychain
- Unlock the keychain
security unlock-keychain ~/Desktop/FileVaultMaster.keychain
- Open Keychain Access Utility and Add (File > Add) the keychain you just created above
- Select the keychain you just added - it should contain both certificate and private key; select both and export both as .p12 file - protect the file with a password
- Back in the Disk Encryption Configurations window upload the p12 key you just created.
-
- Personal and Institutional (IRK and PRK): Provides the end user a personal key and the institutional key can be used as well
- Save
Disk Encryption Profile
Next, we will need to set up the Apple Profile that will configure and set up FileVault 2. Again your devices need to be MDM enrolled for this payload.
- Go to Filesets → New Desktop Filesets → Profile
- Once in the Profile Editor you will need to Fill out the General Payload then configure the Disk Encryption
- Now is the time to configure your FileVault 2 payload
If you are using the Escrow Personal Recovery Key you are required to put a description in the Escrow Location Description (macOS 10.13+) pane. This description can be informing the user where the key gets stored by default, which is /var/db/FileVaultPRK.dat. Or the description can be letting the user know to contact the technology department for more information.
IMPORTANT NOTE:
* If you use the option "User is not prompted for FileVault activation at login" There is a chance that FileVault may never fully activate. It is recommended you do not use this option.
* This payload can't be used in conjunction with other payloads in the same profile.
* Importing a profile with FileVault 2 options is not possible; FileVault 2 configuration must be created using the Assistant and Full * Disk Encryption payload; if you try to import such profile FileWave will have to remove FDE payloads before importing - FileWave can do it for you.
* If you had FDE payloads before upgrading to FileWave 12.9+, you won't be able to edit those profiles unless FileVault 2 options are removed - FileWave can do it for you.
* Escrow Personal Recovery Key is required for Authenticated Restart and being able to store the key in FileWave.
- From this point, you are ready to deploy this profile to your MDM enrolled macOS devices.
Disk Encryption Inventory Information
Now that you have FileVault 2 enabled on your device(s) you can view inventory pulled from the device(s) regarding the FileVault 2 settings:
- FDE Has Institutional Recovery Key
- FDE Has Personal Recovery Key
- FDE Is Enabled
- FDE Support
- Authenticated restart supported
- FDE Personal Recovery Key Hint Message
- Has FileWave recovery Key
Disk Encryption Recovery Key Escrow
When FileVault 2 is enabled FileWave will keep track of the configuration applied to the corresponding keys such as the Institutional Recovery Key (IRK) used to encrypt the disk and the Personal Recovery Key (PRK).
To manage these keys go to Assistants → FDE Recovery Key Management...
Once you select a device you will be able to Show Personal Recovery Key... or Download Institution Recovery Key... depending on what configuration was used to set up FileVault on that machine.
You can also delete outdated entries but keep in mind if a device has FDE managed by FileWave, it's not possible to remove FDE keys from the assistant. You have to disable FDE or remove the device from FileWave first.
Status can be:
- Disabled
- Enabled
- Pending - this is the state reported by a device between the profile installation and when FDE actually being enabled
PRK Status can be:
- Valid
- Cannot decrypt
- Invalid - no key or not a valid key
Authenticated Restart
macOS 10.13 NOT SUPPORTED
Authenticated restart using Personal Recovery Key does not work on macOS 10.13+ on APFS
This option is for Personal Recovery Key only; Institutional Keys are not supported with this option
When FileVault 2 is enabled, the device will be locked on startup. At this stage, FileWave does not connect to the device until the drive is unlocked. You need to be aware of this if you have FileVault 2 enabled on a device and then send out a Fileset that requires a reboot! After the reboot, the end-user will have to unlock the drive before the deployment can finish.
FileWave may be able to help with this using Authenticated Restart as a Fileset option. If you selected the option Escrow Personal Recovery Key when you created the Disk Encryption Profile to enable FileVault 2 then FileWave will be able to use the authenticated restart to unlock the drive without user interaction.
This option is located in the Fileset Properties for any Fileset you are requiring a reboot for.
Right-click on Fileset → Properties → Select Requires Reboot
Possible Security Risk
Keep in mind using this option can be seen as a security risk and should be used accordingly. The device will reboot unlocked so access to encrypted data is possible and until the device reboots, an escrow key is stored in memory but still encrypted.
Recent versions of macOS for FileVault IRKs
The use of Institutional FileVault keys, also known as Institutional Recovery Keys (IRK), is no longer recommended in recent versions of macOS, including macOS Ventura. The utility of IRKs for organizations has become limited, particularly on Macs with Apple Silicon, where IRKs provide no functional value. This is because IRKs can't be used to access recoveryOS, and because Target Disk Mode is no longer supported, the volume can't be unlocked by connecting it to another Mac.
Instead, the use of a Personal Recovery Key (PRK) is now recommended. A PRK provides an extremely robust recovery and operating system access mechanism, unique encryption per volume, escrow to MDM, and easy key rotation after use.
Moreover, there is only one PRK per encrypted volume. During FileVault enablement from MDM, the PRK can optionally be hidden from the user. When configured for escrow to MDM, MDM provides a public key in the form of a certificate, which is then used to asymmetrically encrypt the PRK in a CMS envelope format. The encrypted PRK is returned to MDM in the security information query, which can then be decrypted for viewing by an organization. Many MDM vendors provide the option to manage these keys to allow for viewing directly in their products. MDM can also optionally rotate PRKs as often as is required to help maintain a strong security posture—for example, after a PRK is used to unlock a volume
Additional information managing FileWave in macOS: Managing FileVault in macOS
Information regarding recent versions of macOS managing FileVault: Manage FileVault with mobile device management
Related Content
FileVault 2 enabled on macOS ADE enrollment
What
After you have configured FileVault management in FileVault - Getting Started, you can require FileVault during Automated Device Enrollment for supported macOS devices.
When/Why
FileVault protects data at rest on macOS devices. Requiring FileVault during enrollment helps ensure a Mac is encrypted before it is put into regular use, which is especially important for laptops assigned to staff who may handle sensitive data.
On macOS 14.0 or later, FileWave can enable Apple's Setup Assistant FileVault enforcement during ADE enrollment.
How
Before enabling this option, complete the FileVault configuration described in FileVault - Getting Started. Use a supported FileWave release, target devices running macOS 14.0 or later, and a FileVault disk encryption profile available for the enrollment workflow.
- In FileWave Central, go to Assistants > DEP Association Management.
- Create or edit the DEP/ADE enrollment profile you want to use.
- On the profile's Requirements tab, enable Force Setup Assistant to enable FileVault.
- Select the FileVault disk encryption profile that should be used during enrollment.
- Assign the enrollment profile as the default profile or apply it only to the devices that should use this workflow.
Test with one device before wider rollout. Confirm that the FileVault prompt appears during Setup Assistant and verify that your recovery-key workflow works as expected before assigning the profile broadly.
Related Content
Firmware Password (macOS 10.14 Mojave+)
Description
Apple have seen to make some changes regarding this over time, through versions of macOS. The following is a method that should work with macOS 10.10+ machines. This recipe allows for creating, changing or deleting the Firmware password.
This script in this recipe is setting the Firmware password of macOS devices. If set incorrectly, you could become locked out of the device. FileWave offers this script as is, use of this script is at the user's understanding and risk and FileWave holds no responsibility for devices that become locked and un-usable. If concerned, please refrain from using this script.
macOS Catalina
This script has been tested successfully on macOS Catalina (10.15.x)
Ingredients
- FileWave
- macOS 10.11+
- Supplied Fileset - Set Firmware Password V1.1.fileset.zip
macOS versions
This method uses the binary 'firmwarepasswd'. This was known to exist in all versions of macOS 10.10 and above. It is possible that this was introduced in later versions of 10.9. However, FileWave 13+ supports macOS 10.11+
Directions
- Download the above Fileset recipe and import into FileWave
- Duplicate the Fileset and append the name appropriately: New, Change or Delete
- Change the Launch Arguments to match the renamed duplicated Fileset based upon the below table
- Edit the script if required for reboot options or set Fileset Properties Reboot
- Associate, test and then deploy
Launch Arguments
To set the Launch Arguments
- Open the Fileset
- Select the script within the Fileset
- Choose Get Info
- Select Executable tab
There are 3 options for this fileset: New, Change or Delete. The Launch Arguments should be set as required based upon these options as seen in the table below:
|
Launch Argument |
New |
Change |
Delete |
|
1 |
new |
change |
delete |
|
2 |
new password |
new password |
old password |
|
3 |
old password |
Examples
Reboot Options
By default, the script will not reboot once completed. However, a reboot is required after setting. This could be achieved by setting the Fileset Properties. Alternatively, an option is built into the script to allow for this. Please edit the script appropriately:
reboot_flag=false
# Default - do not reboot at script end; consider using Fileset properties for reboot.
# Firmware password change requires reboot. Tests for alternate boot drive selected
# Alternative options: error, set or ignore
# Use ignore to set default to reboot
# Uncomment command as desired
# error: Script will abort and no firmware password will be set if set boot drive does not match current booted drive
# reboot_device error
# set: Script will set the firmware password without a reboot attempt if set boot drive does not match current booted drive
# reboot_device set
# ignore: Script will continue regardless, setting firmware password and rebooting
# reboot_device ignore
If choosing an option that does not reboot, the device will need a reboot before the firmware password setting is complete.
Options 'error' and 'set' will check to see if currently set boot drive matches currently booted drive. If true, both options will continue to set the firmware password. If false, 'error' will exit an error without any change, whilst 'set' will set the password but will not reboot.
All options: 'set', 'error' and 'ignore', will ensure (on success) that the current set boot drive matches the currently booted drive before rebooting.
Examples:
For the script to reboot, un-hash the following line:
# ignore: Script will continue regardless, setting firmware password and rebooting
reboot_device ignore
To allow the password to be changed, but only reboot if set boot drive matches currently booted drive, un-hash the following line:
# set: Script will set the firmware password without a reboot attempt
reboot_device set
Only un-hash one line from these options.
Firmware Password Unlock Seed
The unlock seed is a unique recovery key that can be used by Apple to unlock a device in the event of the password being forgotten. Please see the following KB for an example Custom Field that may be used to report this key:
EUD Security Guidance: macOS 10.13+
Full macOS Model name to Inventory (Custom Field)
Description
Need to know the full name of "Retina, 15-inch, Late 2013)" rather than the Model Identifier "MacBookPro11,3". The provided script will look up the name and write it to inventory as a custom field
If necessary, please view the following for details on creating Custom Fields.
Information
Since the introduction of Apple's new randomized serial numbers, the method of using Apple's online lookup service does not work with these devices. However, all modern devices have a store of a product name locally on the device. The below method will check for the existence of a local name, but if not found, will query Apple instead based upon the Serial Number of the device
Note, that the name stored locally may differ slightly from the one provided by Apple's lookup server. To give an indication of the difference in details see the below table (sometimes they will match):
Examples:
| Name as indicated by Apple's servers and About This Mac | Name as stored in local file |
| MacBook Pro (13-inch, M1, 2020) | MacBook Pro (13-inch, M1, 2020) |
| MacBook Pro (Retina, 15-inch, Mid 2015) | 15" MacBook Pro with Retina display (Mid 2015) |
| iMac (21.5-inch, Late 2009) | iMac Intel Core 2 Duo (widescreen, Late 2009) |
| Mac mini (Late 2012) | Mac mini (Late 2012) |
Virtual Devices
Virtual machines do not have legitimate Apple serial numbers by default and you may use virtual machines with the FileWave client. Since the serial number is used to determine the macOS model, additionally the script has been designed to allow for machines built using VMware. Similar consideration could be taken for devices built with other viritualisation software: e.g. Parallels, VirtualBox, etc.
Script
Although this uses a local file, for older hardware information may be missing. In this instance it will attempt to pull the information directly from Apple:
#!/bin/zsh
mac_model=$(sysctl -n hw.model)
if [[ "$mac_model" =~ ^"VMware" ]]
then
echo "$mac_model"
exit 0
fi
# File that stores device information. Old models may not have this file. Additionally some models only have a description
# Information is not exactly the same as that reported through About This Mac, but is similar enough to suffice in most instances
apple_locale=$(defaults read /Library/Preferences/.GlobalPreferences.plist AppleLocale)
attr_file="/System/Library/PrivateFrameworks/ServerInformation.framework/Versions/A/Resources/${apple_locale}.lproj/SIMachineAttributes.plist"
if [ -e "$attr_file" ]
then
# Use marketingModel if available
model_name=$(/usr/libexec/PlistBuddy -c "Print :${mac_model}:_LOCALIZABLE_:marketingModel" "$attr_file" 2>/dev/null)
# If not found, use description if available
if [ -z $model_name ]
then
model_name=$(/usr/libexec/PlistBuddy -c "Print :${mac_model}:_LOCALIZABLE_:description" "$attr_file" 2>/dev/null)
fi
fi
# If not found in plist check ioreg. Apple seemed to have stopped populating the plist file, but do populate ioreg data now
if [ -z "$model_name" ]
then
model_name=$(ioreg -c IOPlatformDevice | awk -F "\"" '/product-name/ || /product-description/ {print $(NF-1); exit}')
fi
# If still not found, try to get the details from Apple
if [ -z "$model_name" ]
then
# Redirect standard error as macOS 10.10.x has an unfixed bug with system_profiler
serial_number=$(ioreg -l | awk -F "\"" '/IOPlatformSerialNumber/ {print $(NF-1)}')
# Get serial number length, note wc includes new line character
# For serials of 11 characters, last 3 digits of serial required
# For serials of 12 characters, last 4 digits of serial required
serial_number_length=$(echo $serial_number | wc -c)
# wc also adds empty spaces
case $serial_number_length in
*"13"*)
serial_number=$(echo $serial_number | awk '{print substr( $NF, length($NF) - 3, length($NF) ) }')
;;
*"12"*)
serial_number=$(echo $serial_number | awk '{print substr( $NF, length($NF) - 2, length($NF) ) }')
;;
*)
echo "$mac_model"
exit 0
;;
esac
model_name=$(curl -s https://support-sp.apple.com/sp/product\?cc=$serial_number | sed 's|.*<configCode>\(.*\)</configCode>.*|\1|')
# If this still fails, just return the hardware model details
if [[ "$model_name" =~ "error" ]]
then
model_name="$mac_model"
fi
fi
if [ -z $model_name ]
then
echo "$mac_model"
else
echo "$model_name"
fi
exit 0
Hide local macOS admin users
Description
Use a FileWave Fileset script to hide local macOS admin accounts from the login window while keeping the Other option available for manual username/password sign-in.
Ingredients
- FileWave Central
- A plain-text editor for reviewing the script before deployment
Directions
- Make an empty Fileset with a script that runs at activation.
- Use this example script to hide eligible local admin accounts at login and show the "Other..." option so authorized admins can still sign in with a username and password. This example uses Apple's loginwindow Hide500Users preference, so test it with the way your local admin accounts are created before broad deployment.
#!/bin/sh # This script is a Postflight sample # benm @ fw #hide the just made admin account and enable screen sharing echo "hiding local admins at the login window" #enable hidden admins sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES #enable "other..." option at login window sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool TRUE - To show those accounts at the login window again, deploy:
sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool NO
How to Create Local User Accounts on macOS 10.15+
Description
Provided is a scripted recipe to create a local user account on macOS devices associated with the below Fileset. Options allow for creating:
- Admin or standard accounts
- Hidden or visible accounts
Other values may be specified.
Information
Requirements are:
- 'Create macOS user' Fileset - Create macOS User.fileset.zip
- Some consideration regarding user name, password and ID numbers
Customised values are set with the use of Environment Variables. Settings within the downloaded recipe are:
Customisation includes:
- username - unix shortname (no spaces)
- realname - long display name
- password - users password
- group_id - user's primary group id
- shell_type - e.g /bin/bash, /bin/zsh
- islocaladmin - set user to be a local admin TRUE/FALSE
- is_hidden - set user to be an invisible account TRUE/FALSE
- id_choice - set to be a dedicated value [static_id] or find next available value [next_id]
- unique_id - either the ID to use when id_choice is static_id or the beginning ID of a range of IDs to attempt when id_choice is set to next_id
- end_id - for next_id, the end value of range of IDs to stop testing and if reached script will exit 1
- enable_secure_token - enable secure token for the new user TRUE/FALSE
- admin_user - short name of a local administrator (only required if enable_secure_token is set as TRUE)
- admin_password - password of admin_user (only required if enable_secure_token is set as TRUE)
'id_choice'
This options is stating whether the id to be used will be solely one preset value or if a range of values should be attempted; first available will then be attempted.
|
static_id |
When set as 'static_id', the value set in 'unique_id' will be used as the users ID. If this value is already in use, the script will exit with an error. |
|
next_id |
When set as 'next_id', a range of values will be tested starting at 'unique_id' and ending with 'end_id'. The first available value found will be used. If none are found the script will exit with an error. |
'username'
This is the short name of the user. If the name already exists on the device, the script will exit with an error.
'islocaladmin'
If set as TRUE, the new user will be added as an administrator of the device
'is_hidden'
If set as TRUE, the new user will be hidden
'enable_secure_token'
If set as TRUE, the new user will be enabled as a secure token user. This options requires the following values to also be set: admin_user and admin_password
Other
All other values should be edited as desired
Directions
To create a user:
- Download the above Fileset and import into FileWave
- Edit the Environment Variables as required
- Associate and Update Model to test devices
- Once tested associate to greater quantity or all devices.
Example
Consider a device that already has 3 local accounts, with user IDs 501, 502, 503. Settings could then be either:
- Variable: id_choice
- Value: static_id
- Variable: unique_id
- Value: 504
or may look something like:
- Variable: id_choice
- Value: next_id
- Variable: unique_id
- Value: 501
- Variable: end_id
- Value: 600
In the first instance, ID 504 will be attempted. This is useful if all devices are the same and it is considered desirable that all users of this name have the same ID on each device.
In the second instance, 501 will be attempted, then 502 and 503, when finally 504 will be met, found to be free, and then be attempted. This option is particularly useful for devices where an unknown quantity of user accounts may exist on each device and the users' ID is not considered important.
Considering this example with all other settings as default, the following account should be created:
NFSHomeDirectory: /Users/fwadmin
PrimaryGroupID: 20
RealName:
FileWave Admin
RecordName: fwadmin
UniqueID: 504
UserShell: /bin/zsh
Additionally, the user will be a local Admin, but the account was not set as hidden
Login Window Banner (Agreement Policy) for macOS
Description
Use a macOS PolicyBanner file when users must accept an agreement or notice before they log in.
Ingredients
- FileWave Central
- A managed macOS computer
- A text editor application
Directions
Creating the text file
- Open a text editor.
Apple TextEdit works for this. On a default macOS installation, it is located at Macintosh HD → Applications → TextEdit.app.
- Add the agreement or notice text you want shown at the login window, then save the file with this base name:
|
|
Use one of these supported file extensions:
.txt- plain text only.rtf- rich text with formatting such as color and font choices.rtfd- rich text directory with formatting and images
A sample RTFD file is attached: PolicyBanner.rtfd_.zip.
Placing the text file into the Fileset
- Download the sample Fileset: Custom-LoginWindow-Agreement.fileset.zip.
- Import the Fileset into FileWave Central.
- Open the Fileset and go to the
/Library/Security/folder. - Replace
PolicyBanner.txtwith yourPolicyBanner.txt,PolicyBanner.rtf, orPolicyBanner.rtfdfile. - Set the permissions and owner so standard users cannot edit the file.
If you use the .rtfd format:
1. The file appears as a folder because it contains separate text and image files.
2. URLs and other hyperlinks do not work when macOS displays the banner at the login window.
3. You will not be able to export the RTFD later because of its folder format.
Notes
Apple's current policy banner guidance is available at How to set up policy banners in macOS.
macOS 11 Compatible Devices (Custom Field)
Description
Details on identifying compatible devices for macOS 11 (Big Sur) using a Custom Field.
|
macOS |
|
Custom Field, returns either: compatible or incompatible |
Example query view:
Ingredients
- macOS - Custom Field exported file: Custom Big Sur Compatible Devices.customfields.zip
Directions
- Download the Custom Field exported file and unzip
- From the Admin console, open: Assistants > Custom Fields
- Choose Import
- After importing, select desired value for Assigned to all devices
- Save
Details for Importing and Exporting Custom Field Files
May be assigned to all devices, since Windows script is configured to return: NA
macOS 14 Compatible Devices (Custom Field)
Description
Details on identifying compatible devices for macOS 14 (Sonoma) using a Custom Field.
|
macOS |
|
Custom Field, returns either: compatible or incompatible |
Example query view:
Ingredients
- macOS - Custom Field exported file: FileWave CF macOS 14 Compatible.customfields
Directions
- Download the Custom Field exported file and unzip
- From the Admin console, open: Assistants > Custom Fields
- Choose Import
- After importing, select desired value for Assigned to all devices
- Save
Details for Importing and Exporting Custom Field Files
May be assigned to all devices, since Windows script is configured to return: NA
Admin Password management (MDM Command - macOS)
What
The Admin Password Management command lets FileWave change the managed local admin password on eligible macOS devices through MDM. Use it for the admin account that FileWave created during Automated Device Enrollment (DEP/ADE), without needing physical access to the Mac.
When/Why
When to use this:
- Security rotation: Change managed admin passwords on a schedule that matches your organization's policy.
- Suspected exposure: Rotate the password if someone who should not know it may have had access.
- Staff changes: Update the password when IT staff with admin access leave or change roles.
- Compliance: Keep local admin credentials aligned with internal or regulatory password requirements.
Why use this feature:
- Remote password reset: Change the managed admin password across selected Macs from FileWave Central.
- Less hands-on work: Avoid touching each device when the only required change is the local admin password.
- Controlled access: Keep the managed admin credential current without changing unrelated user accounts.
How
Prerequisites
- Enrollment: The Mac must be enrolled through Automated Device Enrollment (DEP/ADE).
- Apple OS/hardware: The device must be an Apple silicon Mac running macOS 15.0 or later.
- Managed admin account: The admin account must have been created during DEP/ADE enrollment using the profile options.
If you create the admin account required for this feature, also review Bootstrap Token Management on macOS.
Steps to change the admin password
- In FileWave Central, select the Mac, then choose MDM > Change Admin Password... from the device context menu.
Important notes
- Secure delivery: FileWave sends the new password through the MDM command channel.
- User impact: Changing the admin password can affect scripts, services, or workflows that still rely on the old credential.
- Team communication: Tell other IT staff when the managed admin password changes so they do not keep using the old value.
Common questions
If you are looking for a way to reset a Mac's managed local admin password, rotate a DEP-created admin password, or change an ADE admin account password remotely, use the Change Admin Password MDM command from FileWave Central.
Related Content
macOS 26 Compatible Devices (Custom Field)
Description
Details on identifying compatible devices for macOS 26 (Tahoe) using a Custom Field.
|
macOS |
|
Custom Field, returns either: compatible or incompatible |
Example query view:
Ingredients
- macOS - Custom Field exported file: FileWave CF macOS 26 Compatible.customfields
Directions
- Download the Custom Field exported file and unzip
- From the Admin console, open: Assistants > Custom Fields
- Choose Import
- After importing, select desired value for Assigned to all devices
- Save
Details for Importing and Exporting Custom Field Files
May be assigned to all devices, since Windows script is configured to return: NA
Message to macOS User
Description
This Fileset recipe shows you how to send a Message via a dialog box to a User currently logged on to a Mac, using a fileset.
This Fileset will make the FileWave Client wait with further deployments until the end user has acknowledged the dialog and closed it with "ok". If you want to change that behaviour so that it just displays a message and then deploys further filesets, refer to the last step of the recipe.
Ingredients
Directions
- Download the attached zip file, uncompress it and import it into FileWave Admin via Drag & Drop , or by clicking "New Desktop Fileset" , "Import".
- Double-Click the FileSet to display its contents, and drill down to the /usr/local/scripts folder.
- Click once onto the message.txt and then the "Edit Text" button on the top of the FileSet Window to edit the file. Adjust the message to what you need it to say, and confirm with "OK".
- Associate the FileSet to a Mac where somebody is currently logged in , update the model , and observe the message popup.
- If you want to change the behaviour of this fileset so that it just displays a message, and then goes on deploying further filesets, do the following :
- open the FileSet by double-clicking it
- drill down to the /usr/local/scripts folder
- click once onto the display-alert-on-current-users-desktop.sh , and then the "Get Info" button
- Select the "Executable" tab
- Uncheck the "Wait for exectuable to finish" checkbox
- Confirm with ok
- Test your fileset by associating it and running Model Update
Related Content
Notify Users with a dialog (macOS)
Description
The provided Fileset is an example of notifying users, in particular, a message regarding the Fileset status when downloading and installing new Filesets.
The Fileset is designed to:
- Create a continually running service that monitors Fileset changes
- Where Fileset changes occur, begin monitoring the FileWave Client log file
- If the preset text strings are found in the log file, send this to the Notification Centre
- Lastly, where another preset text is found, stop monitoring the log file
The service has been built to be actioned automatically by the user logging in. Where Filesets are disassociated, each has a pre-uninstallation script to ensure that the services are also removed.
Ingredients
- Provided Fileset:
|
↓ macOS |
Directions
For the example provided:
- Download the necessary provided Fileset
- Upload using FileWave Admin
- Create a Deployment to the appropriate devices
- 'Update Model'.
Fileset scripts may be modified for personal preference. In each Fileset, there is a script that is executed by the local computer service. The scripts are using a pattern match. The pattern matching may be edited as required, removing or adding appropriately.
macOS
Locate the "prompt_user.sh" file within the Fileset and choose to edit. In the following code block snippet from this script, the case statement is pattern-matching text. In the provided example, the script is looking for lines that contain any one of the following:
- Model version
- Downloading Fileset
- Done activating
- Activate all
Where found, the 'show_message' function is being used to prompt the user:
prompt_user.sh
# * are wildcard entries and | acts as a logical OR
case "$line" in
*"Model version"*|*"Downloading Fileset"*|*"Done activating"*|*"Activate all"*)
show_message
;;
The second part of the case statement is causing the script to exit. The pattern match this time is any line that contains:
- Data successfully sent to the inventory server
prompt_user.sh
*"Data successfully sent to the inventory server"*)
exit 0
;;
Notification Center Permissions
Notifications are a user's choice. Users must accept notifications when prompted.
The section below of the 'com.filewave.promptuser.plist' may be edited as desired, where the defined keys determine the following:
- 'the_title' is the Title of the notification
- 'bundle_id' defines an App bundle. That bundle's name and icon will be displayed:
com.filewave.prompt_user.plist
<key>EnvironmentVariables</key>
<dict>
<key>the_title</key>
<string>FileWave Message</string>
<key>the_subtitle</key>
<string></string>
<key>bundle_id</key>
<string>com.filewave.fwGUI</string>
</dict>
Users may still allow Notifications in System Preferences if previously denied:
Launch Services
Once a launch service is running, editing an already loaded script will have no impact on the current service; the service itself must be reloaded. If parts of the Fileset are edited after association, consideration should be taken into account to ensure those changes are made active.
Notes
The above provides an example of notifying users using a service. However, with some adaptation, messages could be sent in other ways at alternate times to users.
Related Content
Remove Casper JSS Client Components
Description
To remove all Casper JAMF Software-related components from computers that have been managed by the JSS.
Ingredients
- FW Central
- (Other tools, features, and applications that will be needed)
Directions
- Create a new empty Fileset (From the Fileset View : New Desktop Fileset > Empty : Type a Name > OK)
- With it selected: Click the Scripts item in the button bar
- Create a new activation script and name it.
- Paste the script below and edit
#!/usr/bin/env zsh # This will remove JAMF from macOS # Function to identify the location of the jamf binary CheckBinary() { # Identify location of jamf binary using modern command substitution jamf_binary=$(which jamf) # Evaluate conditions to identify the correct binary path if [[ -z "$jamf_binary" ]] && [[ -e "/usr/sbin/jamf" ]] && [[ ! -e "/usr/local/bin/jamf" ]]; then jamf_binary="/usr/sbin/jamf" elif [[ -z "$jamf_binary" ]] && [[ ! -e "/usr/sbin/jamf" ]] && [[ -e "/usr/local/bin/jamf" ]]; then jamf_binary="/usr/local/bin/jamf" elif [[ -z "$jamf_binary" ]] && [[ -e "/usr/sbin/jamf" ]] && [[ -e "/usr/local/bin/jamf" ]]; then jamf_binary="/usr/local/bin/jamf" fi # Error handling for missing jamf binary if [[ -z "$jamf_binary" ]] || [[ ! -x "$jamf_binary" ]]; then echo "Error: jamf binary not found or not executable." exit 1 fi } # Function to remove the JAMF framework RemoveJamf() { "$jamf_binary" removeFramework || { echo "Error: Failed to remove JAMF framework." exit 2 } } # Main script execution CheckBinary RemoveJamf # Exit with a success status exit 0 - Associate as standard or scheduled
Understanding Free Space on APFS Volumes
What
This article explains why free space on APFS volumes can look different from free space on older file systems such as HFS+.
When/Why
APFS free-space values can move around because macOS accounts for snapshots, clones, sparse files, and shared container space. That matters when you are checking whether a Mac has enough usable storage for updates, deployments, or troubleshooting.
How
-
Traditional file systems such as HFS+: Free space is usually calculated by subtracting occupied storage blocks from the total volume capacity.
-
Snapshots: APFS snapshots can hold blocks that look deleted from the live file system. Deleting a snapshot may free space, but the amount depends on what other snapshots still reference.
-
Clones: APFS cloned files can share storage blocks at first. As the files change, they use additional space. Finder may show the files separately while APFS still accounts for the shared blocks.
-
Sparse files: Sparse files reserve a logical size that can be much larger than the data they currently store. Copying or saving them without preserving the sparse format can expand them to their full size.
-
Other volumes: APFS containers share free space across volumes. macOS decides how much space volumes such as Data and VM use inside that shared container.
-
Free-space estimates: APFS and macOS report changing estimates for available space, including space that can be reclaimed from snapshots or other system-managed storage.
Because APFS can reuse, share, or reclaim blocks, a single free-space number may not tell the whole story. Check the context before assuming a Mac is out of space or before using Finder-reported values as the only source of truth.
For a second opinion, see the related links below. The linked diskspace tool can help return APFS-aware available-space values from the command line.
Related Links
- Free space on an APFS volume is an illusion – The Eclectic Light Company
- GitHub - scriptingosx/diskspace: macOS command line tool to return the available disk space on APFS volumes
Wipe Device for macOS
What
Use Wipe Device... to send Apple's Erase Device MDM command to a managed Mac. On macOS 12 and later, supported Apple silicon and T2 Macs use Erase All Content and Settings (EACS) when preflight checks pass. If EACS cannot run, the Mac follows the selected obliteration fallback behavior.
When/Why
Use this command when a managed Mac needs to be erased for redeployment, recovery, or retirement. Older Macs and macOS 11.x behavior use obliteration, which removes critical files and data and leaves the Mac needing a reinstall or recovery workflow.
How
Record the Find My Mac PIN before sending a Wipe or Lock command. FileWave does not record this PIN in the logs, and you may need it for recovery.
Upon receiving this command, the device performs preflight checks to determine if the device is in a state that allows EACS.
Choose the device's obliteration fallback behavior before sending the command:
Do Not Obliterate:
- If EACS preflight fails, the device responds to the server with an Error status and doesn’t attempt to erase itself.
- If EACS preflight succeeds but EACS fails, then the device doesn’t attempt to erase itself.
Obliterate With Warning
- If EACS preflight fails, the device responds with an Acknowledged status and then attempts to erase itself.
- If EACS preflight succeeds but EACS fails, then the device attempts to erase itself.
Default
- If EACS preflight fails, the device responds to the server with an Error status and then attempts to erase itself.
- If EACS preflight succeeds but EACS fails, then the device attempts to erase itself.
The Remote Wipe dialog lets you choose this behavior before sending the command:
|
|
|
|
Related Content
Troubleshooting
Apple Metadata Missing After Fileset Installation (macOS)
Description
In some instances Metadata is added to items to provide additional features, however, this Metadata may not be transferred when the App is delivered as a standard Fileset. Where this occurs, the Metadata may be re-injected using a script. An example of this is highlighted in our KB on Deploying Folders with Icons.
Teamviewer is another example of this. The Quick Support version of the App has the option to include customisation, as per their guidelines. In fact, the Tool: FileWave QS App implements this to provide branding, user name and a personalised design.
When customisation is configured on this App, the App receives additional Metadata. If the Metadata were not restored, the customisation would be lost and the App would appear as the basic, standard looking App.
Instructions
To ensure the Metadata is re-applied after installation as a standard Fileset, the following should be followed:
- Use a command line tool to read the Metadata prior to making the Fileset
- Create an Activation or Postflight Script, to re-insert the Metadata, as part of the Fileset
To read the Metadata, open Terminal and run the following command, editing the path to match the required location. Using FileWave QS App as an example:
$ xattr -l ~Downloads/FileWave\ QS.app
com.TeamViewer.ConfigurationId: idcr6bwpyh
A script may now be created to re-instate this Metadata, again changing the path if the App is installed somewhere other than Applications.
#!/bin/zsh
xattr -w com.TeamViewer.ConfigurationId idcr6bwpyh /Applications/FileWave\ QS.app
exit 0
If using an alternative customised Teamviewer QS App, change the name to match the created App and use the reported value from the query to set the matching ID.
Verification
To ensure the script is run again if Verification actions a repair or re-instatement of the App, a Verification Script will also be required with the same contents.
On installation, all applied customisation should appear as expected. This same process may be applied to any additional Metadata that may be lost during Fileset installation.
Example Fileset
This example Fileset includes:
- Version 14 of Teamviewer FileWave QS
- Postflight Script
- Verification Script
FileWave TV QS Version 14.fileset.zip
When updated versions of Teamviewer FileWave QS are supplied, then the Fileset should be updated with this newer download, to replace the current application.
iOS 12 / macOS 10.14+ and self-signed certificates
Starting with iOS 12 and macOS 10.14, Apple rejected server certificates that use RSA keys smaller than 2048 bits. In FileWave environments, this most often affects older self-signed certificates, especially on servers originally set up before FileWave 9.0.
If your FileWave server uses a trusted CA-issued certificate, or a self-signed certificate generated by FileWave 9.0 or later, you are typically already meeting this specific 2048-bit key-size requirement.
How to check the certificate RSA key size
macOS, Linux:
openssl x509 -in /usr/local/filewave/certs/server.crt -text -noout | grep Public-Key
Windows:
C:\OpenSSL-Win64\bin\openssl.exe x509 -in C:\ProgramData\FileWave\FWServer\certs\server.crt -text -noout | FINDSTR Public-Key
Windows does not include OpenSSL by default, so you may need to install it first. One common source is Win32/Win64 OpenSSL.
Recommended solution
The best long-term fix is to use a root-trusted certificate from a Certificate Authority. If you already have a wildcard certificate, you may be able to use that for your FileWave server. For more guidance, see Root Trusted SSL Certificate (Using and Renewing).
If you must stay self-signed
Renew the certificate with a 2048-bit RSA key or larger, then make sure devices trust the new certificate before you switch the server to it. The safest order is:
- Create the new key and certificate.
- Deploy the new certificate to devices so it is trusted before the cutover.
- Switch the FileWave server to the new certificate after the trust profile is in place.
- Recreate Automated Device Enrollment (ADE/DEP) profiles and associations if your workflow requires it.
For the detailed renewal steps, see Renew FileWave Server Self-signed Certificate. If you are specifically working through iOS trust behavior for self-signed certificates, Renew MDM self signed SSL certificate with iOS devices is also useful.
If devices have already upgraded and no longer trust the old certificate, recovery may require manually installing and trusting the new certificate until normal communication is restored.
Newer Apple releases introduced additional certificate requirements beyond key size. If you are troubleshooting iOS 13, macOS 10.15, or later, also review SSL Server Certificates - iOS 13 and macOS 10.15.
Related Content
M1 Silicon macOS and Recovery
Description
Apple silicon Mac computers use a different Recovery startup flow than Intel Mac computers, and Activation Lock can affect recovery after erase or restore workflows.
FileWave has seen cases where Apple silicon Mac computers were no longer accessible after the first reboot following Automated Device Enrollment. This appears to be related to the managed admin account never completing a login before that reboot.
Erasing M1 devices
Apple Configurator can revive or restore Apple silicon Mac computers. This requires a second Mac and the requirements listed in Apple's guide:
https://support.apple.com/en-gb/guide/apple-configurator-2/apdd5f3c75ad/mac
- Up-to-date Apple Configurator app
- Network access to Apple
- USB-C to USB-C cable (supporting both power and data)
Follow Apple's restore or revive workflow for the affected Mac.
Activation Lock
If Activation Lock was enabled, the Mac may ask for an Apple ID and password after restore. For organization-owned devices, use Recovery Assistant to enter the MDM Activation Lock bypass code instead.
Activation Lock bypass codes are available from the FileWave Central Assistants menu:
- Activation Lock Management
Recovery Mode
On Apple silicon Mac computers, hold the power button until the screen shows 'Loading startup options' to enter Recovery.
https://support.apple.com/en-gb/guide/mac-help/mchl82829c17/mac
To enter the Activation Lock code:
- Choose 'Recovery Assistant' from the menu bar
- Select with MDM key
- Use the key from the FileWave Central Activation Lock Management window for this device
https://support.apple.com/en-gb/guide/mdm/apd593fdd1c9/web
At this point the device should be accessible again and can be enrolled again if needed.
Failure to Personalize
Apple also documents this restore-related error:
- "An error occurred while preparing the update. Failed to personalize the software update. Please try again."
Apple's article for this issue is here:
https://support.apple.com/en-us/HT211983
The previous startup keys combinations used for Intel macOS devices do not apply to M1 Silicon macOS devices:
https://support.apple.com/en-gb/HT201255