New Support Articles for High Sierra

Apple has released a few support articles relevant for Mac Administrators:

These contain a few very interesting and useful pieces of information.

System Installation and Upgrades

The article lists four supported methods of installing or upgrading macOS:

The article explicitly states installing with Target Disk Mode is not supported. Also it states that “monolithic imaging” is neither supported nor recommended for “upgrading or updating”. The reason given is that firmware updates, which may be required for the new version of macOS, will not be applied with monolithic imaging or installing over Target Disk Mode.

Interestingly enough the article goes on to say that imaging can be used to restore a Mac to the currently installed macOS version. You can build images from/with APFS volumes with Disk Utility/diskutil and System Image Utility.

This is a surprisingly detailed amount of guidance from Apple. It does not matter whether you use “fat imaging” where you capture a fully installed image from an existing installation or “thin imaging” where you create a base system image with some small additional installations with a tool like AutoDMG.

You should not use imaging to upgrade an OS, whether for major or minor upgrades. You can, however, still use imaging to restore a Mac quickly to the currently installed OS version. Keeping the firmware of the Mac in sync with the OS is the obvious reason, but remember that Touch Bar MacBook Pros have a separate firmware/OS for the Touch Bar/Secure Enclave controller. Also, the APFS file system conversion that happens during the macOS High Sierra upgrade rearranges the system volume layout.

If you don’t need to quickly restore Macs often, you should interpret this as the official direction to abandon imaging. You should use one of the supported installation and upgrade methods for the OS and a software management system such as Munki, Jamf Pro, Filewave etc. for the additional software and configuration.

If you are in an environment where you frequently need to quickly restore Macs (classrooms and loaner laptops), then you need two workflows: one to upgrade the OS and firmware, and another for the quick restoration using imaging (which I assume will still work with Target Disk Mode).

Imaging is dead!

(except for some particular use cases)

Some people are already working on extracting the firmware update part from the system image installer and that may be useful for some workflows. But in general it will be less effort and trouble to go with the recommended, supported solutions.

If you need to check if the firmware of a given Mac matches the OS, you can use this table provided by Pepijn Bruienne.

You can see your firmware version in the System Profiler application, where it is listed under ‘Hardware’ as ‘Boot ROM Version.’ You can also use the system_profiler command: system_profiler SPHardwareDataType
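As an added example (not from the original post or from Apple), this script pulls the Model Identifier and Boot ROM Version out of system_profiler SPHardwareDataType output and compares them with an expected-firmware table, which flags a Mac that was imaged to a newer OS without receiving the firmware update. The table entries and the sample output are constructed placeholders; real expected values would come from a reference table such as the one mentioned above.

```shell
#!/bin/sh
# Expected firmware per model: "<Model Identifier> <Boot ROM Version>".
# CONSTRUCTED placeholders; fill in real values from your own reference table.
EXPECTED_TABLE='ExampleMac1,1 EXMPL11.0002.B00
ExampleMac2,1 EXMPL21.0005.B00'

# Print the value of one "Key: value" line from profiler output on stdin.
hw_field() {
    sed -n "s/^ *$1: *//p" | head -n 1
}

# check_firmware <SPHardwareDataType output>
# Returns 0 = matches, 1 = mismatch, 2 = unparsable or model not in table.
check_firmware() {
    model=$(printf '%s\n' "$1" | hw_field 'Model Identifier')
    bootrom=$(printf '%s\n' "$1" | hw_field 'Boot ROM Version')
    if [ -z "$model" ] || [ -z "$bootrom" ]; then
        echo "UNKNOWN: could not parse model or Boot ROM Version"
        return 2
    fi
    expected=$(printf '%s\n' "$EXPECTED_TABLE" |
        awk -v m="$model" '$1 == m { print $2; exit }')
    if [ -z "$expected" ]; then
        echo "UNKNOWN: no expected firmware recorded for $model"
        return 2
    fi
    if [ "$bootrom" = "$expected" ]; then
        echo "OK: $model firmware $bootrom"
        return 0
    fi
    echo "MISMATCH: $model has $bootrom, expected $expected"
    return 1
}

# CONSTRUCTED sample output: a Mac whose firmware lags behind the table.
SAMPLE_IMAGED='Hardware:

    Hardware Overview:

      Model Name: Example Mac
      Model Identifier: ExampleMac1,1
      Boot ROM Version: EXMPL11.0001.B00'

# Use live data on a Mac, the constructed sample anywhere else.
if command -v system_profiler >/dev/null 2>&1; then
    check_firmware "$(system_profiler SPHardwareDataType)" || true
else
    check_firmware "$SAMPLE_IMAGED" || true
fi
```

The distinct return codes let a management tool report mismatched and unknown machines separately.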

Secure Kernel Extension Loading

The article on Secure Kernel Extension Loading (SKEL) recaps what we already know from Technical Note TN2459 but has two very interesting additions:

In macOS High Sierra, enrolling in Mobile Device Management (MDM) automatically disables SKEL. The behavior for loading kernel extensions will be the same as macOS Sierra.
In a future update to macOS High Sierra, you will be able to use MDM to enable or disable SKEL and to manage the list of kernel extensions which are allowed to load without user consent.

Once again this provides fairly obvious direction: you should use MDM in some form to manage Macs.

You do not have to use a combined solution for MDM and software management (e.g. Jamf or Filewave) but can combine an MDM with a different management solution (e.g. Munki and/or Chef or Puppet). SimpleMDM and AirWatch are leading with solutions that support installing the client agents over the MDM InstallApplication command, which means you can distribute Munki etc. to Mac clients even over DEP.

APFS

The article on APFS also recaps much of what we already know. However there is one sentence which clarifies when a Mac will be upgraded to APFS and when it will remain on HFS+:

When you upgrade to macOS High Sierra, systems with all flash storage configurations are converted automatically. Systems with hard disk drives (HDD) and Fusion drives won’t be converted to APFS. You can’t opt-out of the transition to APFS.

In other words: spinning disks (including Fusion) remain on HFS+, “pure” SSDs get APFS. You get no choice either way. The conversion to APFS also seems to contain more than merely the filesystem conversion (APFS system volumes have a different partition layout).

The APFS conversion is another step that will happen when you run the macOS Installer, rather than when you image. Technically you will be able to build an APFS macOS image on an SSD Mac and then image that to a Mac with a spinning disk, but the result is not supported according to the upgrade article.

It will be interesting to see if Fusion drives will be added to APFS support in a future update. It might be that the parts to support multi-drive APFS aren’t quite ready yet, or that Apple considers the benefits are not worth the effort, and Fusion drives should be considered a fading tech from now on.

Disk Utility can format external drives as APFS, but consider that those will only be readable by Macs with 10.12.6 and 10.13.

Summary

I am sure I missed a lot of pieces; things are still fresh and not even entirely out of beta yet. New workflows and methods will definitely emerge once High Sierra is released. However, we now have some specific “dos and don’ts” from Apple. Use these to plan your future workflows and infrastructure. If you have not started testing with the developer beta or public beta yet, now is the time.
