Data categories
shft organises migratable data into five categories. Each category can be independently enabled or disabled by the admin via the shft.allowedDataCategories configuration profile key.
Category reference
User Files
Category ID: userFiles
Migrates the user's personal files from standard macOS user directories.
What is included:
| Directory | Contents |
|---|---|
| ~/Documents | All files and subdirectories |
| ~/Desktop | All files and subdirectories |
| ~/Downloads | All files and subdirectories |
| ~/Pictures | Photos, screenshots, image files |
| ~/Music | Music files (not Apple Music library metadata) |
| ~/Movies | Video files |
What is not included:
- Hidden files and directories (those starting with .)
- Files in ~/Library (covered by other categories)
- Files on external volumes or network drives
- iCloud Drive files that exist only as stubs (not downloaded locally)
Behaviour:
- File modification dates and extended attributes (xattrs) are preserved
- Symlinks are copied as symlinks, not dereferenced
- File permissions are preserved
Typical size: Varies widely. 5 GB to 500+ GB depending on user.
Application Data & Preferences
Category ID: applicationData
Migrates app settings, support files, and preferences so apps feel familiar on the new Mac.
What is included:
| Directory | Contents |
|---|---|
| ~/Library/Application Support/ | Per-app data directories |
| ~/Library/Preferences/ | Per-app .plist preference files |
What is not included:
- Application binaries (apps in /Applications are not migrated — install them via MDM)
- Caches (~/Library/Caches)
- App containers for sandboxed apps from the Mac App Store
- System-level preferences in /Library/Preferences
Behaviour:
- Apps not installed on the destination are skipped. If the source Mac has preferences for an app that doesn't exist on the destination, those files are not transferred. A list of skipped apps is shown to the user in the completion summary.
- Only app-specific preference files (those with reverse-DNS naming like com.company.app.plist) are evaluated for this skip logic. System preferences (com.apple.*) are always included.
Typical size: 1–20 GB.
Enterprise note: For a clean device refresh workflow, deploy apps via MDM first, then run shft. This ensures app data has a matching application on the destination.
Keychain
Category ID: keychain
Migrates saved passwords, certificates, and secure notes from the user's login keychain.
What is included:
- Generic passwords (app-stored credentials)
- Internet passwords (Safari saved passwords, website logins)
- Certificates and private keys stored in the user keychain
- Secure notes
What is not included:
- System keychain items (those require admin/root access)
- iCloud Keychain items (these sync automatically via iCloud and do not need migration)
- Kerberos tickets and other temporary authentication tokens
Security considerations:
This category requires explicit user consent. When a user enables Keychain migration, shft displays a warning explaining that all stored credentials — including saved passwords, encryption keys, and certificates — will be copied to the destination Mac. The user must acknowledge this before proceeding.
How keychain transfer works:
- shft exports keychain items using the macOS Security framework (SecItemCopyMatching)
- Exported data is encrypted using AES-256-GCM with a session key derived from the pairing code — keychain data is never written to disk unencrypted
- The encrypted blob is transferred to the destination
- On the destination, items are imported via SecItemAdd
- If an item already exists on the destination, it is updated rather than duplicated
- The encrypted intermediate file is securely deleted after import
Admin recommendation: For most enterprise environments, consider whether keychain migration is necessary. If your organisation uses a password manager (1Password, Bitwarden, etc.) and SSO, users may not need their macOS keychain migrated. Disabling this category reduces migration risk and complexity.
System Settings
Category ID: systemSettings
Migrates user-level macOS preferences — Dock layout, Finder settings, keyboard shortcuts, and accessibility options.
What is included:
| Preference domain | What it controls |
|---|---|
| com.apple.dock | Dock size, position, auto-hide, app layout |
| com.apple.finder | Finder view preferences, sidebar items |
| .GlobalPreferences | Language, region, appearance, accent colour |
| com.apple.universalaccess | Accessibility settings |
| com.apple.menuextra.clock | Menu bar clock format |
| com.apple.menuextra.battery | Battery menu bar display |
| com.apple.screensaver | Screen saver selection |
| com.apple.screencapture | Screenshot save location and format |
| com.apple.desktopservices | Desktop icon behaviour |
| com.apple.spaces | Mission Control and Spaces settings |
| NSGlobalDomain | Global app behaviour defaults |
What is not included:
- Security preferences (com.apple.security.*)
- MDM-managed preferences (com.apple.ManagedClient.*)
- Configuration profiles (com.apple.configurationprofiles.*)
- Login window settings (com.apple.loginwindow)
- Any system-level domain that could conflict with MDM policy
How it works:
shft uses defaults export to capture each domain on the source and defaults import to apply it on the destination. System-level and security-related domains are explicitly blocked to prevent conflicts with MDM policy.
Typical size: Under 1 MB.
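A sketch of the domain gate described above, as an added example that is not shft's own code: it applies the blocked patterns before the allowlist, refuses anything unlisted, and builds the `defaults export` argument lists without running them. The function names, the output directory, the case-insensitive comparison and the blocking of a bare parent domain are assumptions; the sample request list is constructed.

```python
from fnmatch import fnmatchcase

# Domains from the "What is included" table on this page.
ALLOWED = (
    "com.apple.dock", "com.apple.finder", ".GlobalPreferences",
    "com.apple.universalaccess", "com.apple.menuextra.clock",
    "com.apple.menuextra.battery", "com.apple.screensaver",
    "com.apple.screencapture", "com.apple.desktopservices",
    "com.apple.spaces", "NSGlobalDomain",
)
# Patterns from the "What is not included" list, lower-cased for matching.
BLOCKED = (
    "com.apple.security.*", "com.apple.managedclient.*",
    "com.apple.configurationprofiles.*", "com.apple.loginwindow",
)
CANONICAL = {name.lower(): name for name in ALLOWED}

def decide(domain):
    """Return (canonical_name or None, reason). Deny wins; unlisted is refused."""
    low = domain.strip().lower()
    for pattern in BLOCKED:
        # Assumption: the bare parent ("com.apple.security") is blocked as well.
        parent = pattern[:-2] if pattern.endswith(".*") else pattern
        if low == parent or fnmatchcase(low, pattern):
            return None, "blocked by " + pattern
    if low not in CANONICAL:
        return None, "not on the allowlist"
    return CANONICAL[low], "allowed"

def plan_export(domains, outdir):
    """Build `defaults export` argument lists; nothing is executed here."""
    commands, refused = [], {}
    for requested in domains:
        name, reason = decide(requested)
        if name is None:
            refused[requested] = reason
        else:
            commands.append(["defaults", "export", name, f"{outdir}/{name}.plist"])
    return commands, refused

if __name__ == "__main__":
    # Constructed request list, including names that must be refused.
    wanted = ["com.apple.dock", "COM.APPLE.FINDER", "com.apple.security.example",
              "com.apple.ManagedClient.example", "com.example.editor"]
    commands, refused = plan_export(wanted, "/tmp/shft-export")
    for argv in commands:
        print(" ".join(argv))
    for name, why in refused.items():
        print("refused:", name, "-", why)
```

Checking the blocked patterns first means a later addition to the allowlist cannot re-open a security or MDM domain by mistake.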
Browser Data
Category ID: browserData
Migrates bookmarks, history, and extensions from supported browsers.
Supported browsers:
| Browser | What migrates | Source path |
|---|---|---|
| Safari | Bookmarks, history, Reading List, extensions | ~/Library/Safari/ |
| Google Chrome | Bookmarks, history, extensions, saved form data | ~/Library/Application Support/Google/Chrome/ |
| Firefox | Bookmarks, history, extensions, saved logins | ~/Library/Application Support/Firefox/Profiles/ |
| Arc | Bookmarks, history, spaces, extensions | ~/Library/Application Support/Arc/ |
What is not included:
- Browser-synced data that lives in the cloud (Chrome Sync, Firefox Sync)
- Cached web content
- Cookies (these are generally session-specific and don't transfer meaningfully)
Requirement: browsers must be closed.
Both the source and destination Macs must have the relevant browser closed before migration begins. shft checks for running browser processes and warns the user if any are open. Transferring browser data while the browser is running can result in corrupted profiles.
Typical size: 500 MB to 5 GB per browser.
Common enterprise scenarios
New employee onboarding (clean Mac)
- Enable: userFiles, applicationData
- Disable: keychain, systemSettings, browserData
- Rationale: New employees get their files but start with fresh system settings and a clean browser environment
Device refresh (same user, new hardware)
- Enable: All five categories
- Rationale: The user should have their complete working environment on the new Mac
- Tip: Deploy apps via MDM to the new Mac before running shft so Application Data has matching apps
Hardware upgrade (Mac to Mac, same org)
- Enable: userFiles, applicationData, browserData
- Disable: keychain (if using a password manager), systemSettings (if MDM manages settings)
- Rationale: Transfer working data but let MDM handle configuration
Shared device transition
- Enable: userFiles only
- Set maxTransferSizeMB to a reasonable limit (e.g., 10240 for 10 GB)
- Set allowUserOverride to false
- Rationale: Move personal files only, keep everything else clean