Running a Command as another User

This post is an update to an older post on the same topic. macOS has changed and I had a few things to add. Rather than keep modifying the older post, I decided to make this new one.

As MacAdmins, most of the scripts we write will use tools that require administrator or super user/root privileges. The good news here is that many of the management tools we can use to run scripts on clients already run with root privileges. The pre- and postinstall scripts in installation packages (pkgs), the agent for your management system, and scripts executed as LaunchDaemons all run with root privileges.

However, some commands need to be run not as root, but as the user.

For example, the defaults command can be used to read or set a specific setting for a user. When your script, executed by your management system, is running as root and contains this command:

defaults write com.apple.dock orientation left

Then it will write this preference into root’s home directory in /var/root/Library/Preferences/com.apple.dock.plist. This is probably not what you intended to do.

Get the Current User

To get the correct behavior, you need to run the command as a user. The question then is which user you want to run as. In many cases the answer is the user that is currently logged in.

I have written a few posts about how to determine the currently logged in user from shell scripts and will use the solution from those:

currentUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ { print $3 }' )

This will return the currently logged in user, or loginwindow when there is none. This is the POSIX sh compatible syntax, which will also run with bash or zsh.

Running as User

There are two ways to run a command as the current user. The first is with sudo:

sudo -u "$currentUser" defaults write com.apple.dock orientation left

The second is with launchctl asuser.

uid=$(id -u "$currentUser")
launchctl asuser "$uid" launchctl load com.example.agent

The launchctl command uses the numerical user ID instead of the user’s short name, so we need to generate that first.

It used to be that the sudo solution would not work in all contexts, but the launchctl asuser solution would. This changed at some point during the Mojave release time.

Now, launchctl asuser works and is required when you want to load and unload LaunchAgents (which run as the user), but it does not seem to work in other contexts any more.

So, for most use cases you want to use the sudo solution, but in some you need the launchctl form. The good news here is that you can play it safe and use both at the same time:

launchctl asuser "$uid" sudo -u "$currentUser" command arguments

This works for all commands in all contexts. This is, however, a lot to type and memorize. I built a small shell function that I use in many of my scripts. Paste this at the beginning of your scripts:

# convenience function to run a command as the current user
# requires the currentUser and uid variables from above to be set
# usage:
#   runAsUser command arguments...
runAsUser() {
  if [ "$currentUser" != "loginwindow" ]; then
    launchctl asuser "$uid" sudo -u "$currentUser" "$@"
  else
    echo "no user logged in"
    # uncomment the exit command
    # to make the function exit with an error when no user is logged in
    # exit 1
  fi
}

and then you can use the function like this:

runAsUser defaults write com.apple.dock orientation left

runAsUser launchctl load com.example.agent

Note: the function, as written above, will simply do nothing when the Mac is sitting at the login window with no user logged in. You can uncomment the exit 1 line to make the script exit with an error in that case. In your script, you should generally check whether a user is logged in and handle that situation before you use the runAsUser function. For example you could use:

if [ -z "$currentUser" -o "$currentUser" = "loginwindow" ]; then
  echo "no user logged in, cannot proceed"
  exit 1
fi

Insert this at the beginning of your code (but after the declaration of the currentUser variable) and you can assume that a user is logged in and safely use the $currentUser variable and the runAsUser function afterwards. The exact details of when and how you should check for a logged in user depend on the workflow of your script. In general, earlier is better.
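The snippets above assembled into one script, as an added example (this is not the post’s own sample script). It assumes it runs as root on macOS, from a management agent, package script or LaunchDaemon; the scutil parsing is split into its own function and fed a constructed sample, so that part can be checked on a machine without scutil, and runAsUser returns an error instead of silently doing nothing when no user is logged in.

```shell
#!/bin/sh
# Added example (not the post's own sample script): the snippets from the
# post assembled into one script. Assumes it runs as root on macOS, e.g.
# from a management agent, a package script or a LaunchDaemon.

# Constructed sample of `scutil` output for State:/Users/ConsoleUser, used
# so the parser below can be exercised on a machine without scutil.
sampleConsoleUserDump='<dictionary> {
  GID : 20
  Name : armin
  UID : 501
  kCGSSessionUserNameKey : armin
}'

# Read a State:/Users/ConsoleUser dump on stdin and print the user name.
# Prints "loginwindow" at the login window, and nothing if the key is absent.
# (The "Name :" pattern deliberately does not match kCGSSessionUserNameKey.)
consoleUserFromScutil() {
  awk '/Name :/ { print $3 }'
}

# Ask configd who owns the console (macOS only).
getCurrentUser() {
  echo "show State:/Users/ConsoleUser" | scutil | consoleUserFromScutil
}

# Succeed only when a real user session owns the console: an empty name
# (scutil unavailable or key missing) and "loginwindow" both mean "nobody".
isUserLoggedIn() {
  [ -n "$1" ] && [ "$1" != "loginwindow" ]
}

# Run "$@" as $currentUser, combining `launchctl asuser` (needed for
# LaunchAgents) with `sudo -u` (needed for most other commands).
# Unlike the post's version this returns 1 instead of silently doing
# nothing when no user is logged in, so callers can `runAsUser ... || exit 1`.
runAsUser() {
  if ! isUserLoggedIn "$currentUser"; then
    echo "runAsUser: no user logged in, not running: $*" >&2
    return 1
  fi
  userID=$(id -u "$currentUser") || return 1
  launchctl asuser "$userID" sudo -u "$currentUser" "$@"
}

if [ "$(uname)" = "Darwin" ]; then
  currentUser=$(getCurrentUser)
  # Check early, as the post recommends, before relying on $currentUser.
  if ! isUserLoggedIn "$currentUser"; then
    echo "no user logged in, cannot proceed" >&2
    exit 1
  fi
  # Harmless demonstration: prints the console user's name, not "root".
  runAsUser id -un
else
  # Not on macOS: show the parser on the constructed sample instead.
  printf '%s\n' "$sampleConsoleUserDump" | consoleUserFromScutil
fi
```

Run it as root on a Mac with a user logged in and the last line should print that user’s short name; at the login window it exits with an error before running anything.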

When to Run as User

Generally, you should run as the user when the command interacts with the user interface, user processes and applications, or user data. As MacAdmins these are common commands you should run as the user:

  • defaults, when reading or changing a user’s preferences
  • osascript
  • open
  • launchctl load|unload for Launch Agents (not Launch Daemons)

This is not a complete list. Third party configuration scripts may need to be run as root or user. You will need to refer to documentation or, in many cases, just determine the correct action by trial and error.

Sample Script

I have put together a script that combines the above code into a working example.

Weekly News Summary for Admins — 2020-08-21

Welcome back! I get the impression I was the only one to take a while off this summer. So many posts to sort through and link to…

I will be presenting at Virtual JNUC2020 this year. My session is “Scripting Jamf: Best Practices” (JNUC307) and is scheduled for Oct 1 at 11am CT (18:00 Central European time). The entire session schedule can be reviewed on their site and you can still register for free!

I am also preparing something for the MacSysAdmin Online. This will be a free online event this year where they will publish some of the best presentations from previous years and new content as well. You can support the team by buying the MacSysAdmin Online T-Shirt, which will also enroll you in an exclusive giveaway raffle.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

News and Opinion

macOS 11 Big Sur and iOS 14

macOS Catalina 10.15 and iOS 13 Updates

MacAdmins on Twitter

  • William Smith: “Small undocumented change with Policies in Jamf Pro 10.22 that I didn’t learn about until today: New policies no longer automatically include the Restart payload.”
  • Victor (groob): “Instead of asking “experts” for how you’d go about doing something, tell them what you tried, and ask why it’s not working.”
  • Anthony Reimer: “Intriguing. On the new 27-inch iMac, you can not customize the 256 GB of storage on the base model. You must move up to the middle model to get 512GB or more of storage.”
  • Victor (groob): “Four betas. Four subtle ways Apple broke a core workflow in MDM zero touch provisioning. All undocumented.”
  • Graham Pugh: “Jamf Self Service policies will not run on macOS 10.12 Sierra on Jamf Pro versions 10.22 and above. Jamf will not fix this as they drop support for Sierra in the next release.”
  • Anthony Reimer: “I’ve updated my Mac Obsolescence chart with the new iMac (hopefully making an appearance in a home near me). obsolescence.jazzace.ca”
  • Per Olofsson: “Companion niche tip: creating a sparsebundle from a folder and then converting it to a compressed read only dmg is multithreaded and faster than creating the dmg directly. In my testing the resulting dmg will also be smaller.”
  • Neil Martin: “TIL in profilecreator if you long-click the export button, you can export your payloads as MCX-style plists – handy!”
  • Erik Schwiebert: “Two month alert! Microsoft support for Office 2016 for the Mac ends on October 13, 2020”

Bugs and Security

Support and HowTos

Scripting and Automation

Updates and Releases

To Watch

To Listen

Just for Fun

Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Weekly News Summary for Admins — 2020-07-24

You can’t really tell it from the weather here in the Netherlands, but summer is here!

Summer brings more beta testing: the third beta of the new Apple systems dropped this week. It also brings vacation. This newsletter will be on vacation until late August. As usual, I will keep gathering interesting posts and links and return with a big August summary.

Hope you get to enjoy your summer and vacation. Stay safe!


News and Opinion

macOS 11 Big Sur and iOS 14

Coronavirus and Remote Work

MacAdmins on Twitter

  • Rich Trouton: “I’ve bought a share of Jamf stock. Now I can show up at both JNUC and shareholder meetings with my gripes.”

Bugs and Security

Support and HowTos

Scripting and Automation

Updates and Releases

To Watch

To Listen


Installomator Updated: v0.3

It’s been more than a month since the last update, and while there has been work on the dev branch, I was quite distracted with other things (like this). The good news is, that there have been quite a few contributions from others! A huge thanks to all who helped make this a better script.

All it took was for me to find the time to put all the contributions together, which I finally did.

What’s new in v0.3:

  • added several new labels, for a total of 98
  • removed the powershell labels, since the installer is not notarized
  • when run without any arguments, the script now lists all labels
  • changed how zips are expanded because this was broken on Mojave
  • improved logging in some statements
  • several more minor improvements

Get the script and find the instructions on the GitHub repo.

Some of the contributions and requests have not yet been addressed. I believe they will require some more thinking and planning. I would like to approach those in the next version.

If you have any feedback or questions, please join us in the #installomator channel on MacAdmins Slack.

Thanks again to all those who contributed!

Weekly News Summary for Admins — 2020-07-17

No summer break yet for MacAdmins. As expected, the updates for macOS Catalina 10.15.6 and iOS 13.6 and siblings were published.

As a big reprieve for MacAdmins, the functionality of softwareupdate --ignore has been re-instated for system software updates, but only when the Mac is supervised (i.e. enrolled in MDM with Automated Deployment or user-approved MDM). This allows MacAdmins to block major updates from being installed or even notified about. This is likely a direct result of all the feedback MacAdmins have passed on to Apple.

However, this reprieve is only temporary because it is not implemented in the macOS Big Sur beta. So, keep providing feedback through all your channels to Apple that macOS requires a managed means to block software updates for longer than 90 days, preferably indefinitely.


News and Opinion

macOS 11 Big Sur and iOS 14

macOS Catalina 10.15 and iOS 13 Updates

MacAdmins on Twitter

  • Rosyna Keller: “Please, please don’t normalize right-clicking on your app to get it to run. This is a tactic malware uses to get past Gatekeeper. Screenshot from actual malware. Even after Flash died at the end of this year, this type of social engineering will continue. I hope Adobe runs PSAs.” (Image, thread)

Bugs and Security

Support and HowTos

Scripting and Automation

Apple Documentation

To Listen

Just for Fun


Weekly News Summary for Admins — 2020-07-10

This week brought more reactions to WWDC news regarding macOS 11 Big Sur, iOS 14, and the Apple Silicon transition. Apple released beta 2 for all the above (excluding the DTK), which were later released as the first public beta. We also got GM betas for macOS Catalina 10.15.6 and iOS 13.6. And a new ransomware named EvilQuest, later changed to ThiefQuest.

Busy week.


WWDC Reactions

News and Opinion

macOS 11 Big Sur and iOS 14

Coronavirus and Remote Work

MacAdmins on Twitter

  • Victor (groob): “Erasing macOS beta 1 in recovery and selecting “Install macOS” installs beta2. Neat!”
  • Mr. Macintosh: “Mobile Accounts are treated as Network Accounts in Big Sur Beta 1 & 2. FB7870925 Not that you needed another reason to move to Local Accounts”

Bugs and Security

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Listen


Use scout to read Property Lists

I have written a few posts in the past about parsing data from property list files in scripts and Terminal. My usual tool for this is PlistBuddy. However, PlistBuddy’s syntax is… well… eccentric.

Recently, Alexis Bridoux, who is also the main developer on Octory, introduced a command line tool called scout which solves many of the issues I have with PlistBuddy.

For example, you can pipe the output of another command into scout, something you can only convince PlistBuddy to do with some major shell syntax hackery.

So instead of this:

> /usr/libexec/PlistBuddy -c "print :dsAttrTypeStandard\:RealName:0" /dev/stdin <<< $(dscl -plist . read /Users/armin RealName)


With scout I can use this much clearer syntax:

> dscl -plist . read /Users/armin RealName | scout "dsAttrTypeStandard:RealName[0]"


The tool can also modify existing files, by changing, adding or deleting keys.

scout can also parse JSON and (non plist) XML files, so it can also stand in as a replacement for jq and xpath. It will also color-code output for property list, XML and JSON files.

I have been using scout interactively in the Terminal for a while now. So far, I have been refraining from using scout in scripts I use for deployment. To use a non-system tool in deployment scripts, you need to ensure the tool is deployed early in the setup process. Then you also have to write your scripts in a way that they will gracefully fail or fallback to PlistBuddy in the edge case where scout is not installed:

scout="/usr/local/bin/scout"
# bail out early when scout is not (yet) deployed on this client
if [ ! -x "$scout" ]; then
    echo "could not find scout, exiting..."
    exit 1
fi

realName=$( dscl -plist . read /Users/armin RealName | "$scout" "dsAttrTypeStandard:RealName[0]" )


All of this overhead adds an extra burden to using a tool. The good news is that scout comes as a signed and notarized package installer, which minimizes deployment effort.

I will be considering scout for future projects. If anyone at Apple is reading this: please hire Alexis and integrate scout or something like it in macOS.

Weekly News Summary for Admins — 2020-07-03

The week after WWDC: time for opinion and reaction pieces. And time to dig into the betas and find the first bugs and annoying changes.

But Apple hasn’t forgotten the Catalina/iOS 13 updates either. We got new betas for 10.15.6 and iOS 13.6.


👩🏽‍💻WWDC Reactions

📰News and Opinion

🌅 macOS 11 Big Sur and iOS 14

⚙️macOS Catalina 10.15 and iOS 13 Updates

🐦MacAdmins on Twitter

  • robb: “Because SF Symbols are characters in the Private Use Area, they render just fine in your Terminal”
  • Steve Troughton-Smith: “Now that in-app purchase is available to Family Sharing, there aren’t many reasons at all to use a paid-up-front model (asides enterprise & education distribution). You can also effectively do free trials & paid upgrades w/ IAP. Definitely going to transition all my apps to it”
  • Victor (groob): “I see a lot of macadmins asking Apple to allow enabling screen recording via MDM. I get it, it’s a burden for helpdesk to explain approving Zoom to all your users. But when your manager asks you to spy on your WFH co-workers, how will you respond?” (thread, link)
  • Rico Becker: “Apple has restricted access to ~/Library/Containers/ in Finder on macOS Big Sur. It’s only showing one folder in my case. In Terminal I can see that everything is still there. Any way to reactive the normal behavior?”
  • Carl Ashley: “Munki life hack: Use admin notes in your pkginfo to store either human or machine readable comments indicating if a package has passed OS compatibility testing coughBig Surcough.”

🐞Bugs and Security

🔨Support and HowTos

🤖Scripting and Automation

🎧To Listen


macOS 11

Last week at WWDC, Apple had two big announcements for the Mac platform.

The first one was a new user interface design, much closer to iPadOS and iOS. Apple considers this the “biggest design upgrade since the introduction of Mac OS X.” Because of this, Apple also gives this version of macOS the long-withheld ‘11’ as the major version number.

You can take a look at the new UI on Apple’s Big Sur preview page or you can download the beta from your AppleSeed for IT or Developer account. It shares many elements, styles and icons with iOS or iPadOS.

The other major announcement is that the Mac platform will have a transition from Intel CPUs to ‘Apple Silicon’ chips built by Apple themselves, just like the iPhone and the iPad. The Developer Kit for testing purposes is powered by the A12z chip that powers the iPad Pro, but Apple was insistent that future, production Macs would have chips designed specifically for Macs and not be using iPad or iPhone chips.

These are big announcements, for sure. But what do they mean for the macOS platform? And for MacAdmins in particular?

Apple’s commitment to Mac

There was a time not so long ago, where you got the impression that the Mac platform was merely an afterthought for Apple. I think it started after the release of the ‘trashcan’ Mac Pro. During those years, I think there was legit concern that Apple would lock down macOS as tightly as they did iOS, breaking what makes the Mac special.

Some of the recent additions to macOS, such as the increased privacy controls with their incessant prompts for approval, deprecation of built-in scripting run-times like Python and Ruby and even the deprecation of bash in favor of zsh, have made some ‘Pro’ users nervous and afraid that Apple wants to turn macOS into iOS.

Now the unification of the user interface can add to those concerns: will macOS turn into iOS and iPadOS in more than just look and feel?

On the other hand, Apple has been more vocal and open about their plans for the Mac. This started when Apple announced they were working on a new Mac Pro in April 2017.

In Mojave (2018), and then Catalina (2019), Apple introduced several technologies unique to macOS:

  • System and Network Extensions
  • File Providers
  • DriverKit
  • Notarization
  • zsh as the new default shell, and dash

These technologies exist because Apple wants (or needs) to increase the security of macOS. Kernel extensions, which provide unfettered access to all parts of the system, are replaced with System and Network extensions and DriverKit. Notarization allows Apple to check and certify software delivered and installed outside of the Mac App Store. zsh allows Apple and their users to move forward from a 13-year-old bash version.

But, if Apple wanted to lock down macOS as completely as iOS and iPadOS, they wouldn’t have to introduce these new technologies to macOS. Instead, they are introducing new technologies to allow certain characteristics of macOS to continue, even with increased security. This is a lot of effort from Apple, which convinces me that Apple sees a purpose for macOS for years to come.

What are these characteristics that Apple thinks are special for the macOS? Apple told us in the Platforms State of the Union session this year. Starting at 15:10 Andreas Wendker says:

“Macs will stay Macs the way you know and love them. They will run the same powerful Pro apps. They will offer the same developer APIs Macs have today. They will let users create multiple volumes on disks with different operating system versions and they will let users boot from external drives. They will support drivers for peripherals and they will be amazing UNIX machines for developers and the scientific community that can run any software they like.”

This short section makes a lot of promises:

  • Pro Apps: including third party pro apps, like Affinity Photo, Cinema 4D, Photoshop, shown previously, and Microsoft Office, and Maya which were shown in the Keynote
  • Developer APIs: no reduced feature set
  • Disk and OS management: multiple volumes, external storage and boot, multiple versions of macOS on one device
  • Peripheral ports with custom drivers
  • UNIX machines for developer and science tools (this includes Terminal, Craig Federighi confirmed this in John Gruber’s interview)
  • ‘any software you like’
  • ‘flexibility and configurability’ (earlier in the presentation)

Apple wants to assure us that they understand what the macOS platform is used for. Remember that Apple uses macOS themselves for many of these tasks and it is unlikely they would want to switch to Windows or Linux based PCs for their work.

With all these assurances you can consider the UI changes to go merely ‘skin deep.’ Whether you like the new UI or not, the wonderfully complex innards of macOS should still be there for you to explore and (ab)use.

Mac Transition

When Apple announced the transition to Apple Silicon in the keynote, it felt like a repeat of the 2006 Keynote where Steve Jobs announced the Intel transition. Apple is even re-using the names for the technologies ‘Universal’ and ‘Rosetta,’ albeit with version ‘2’ attached. This is of course entirely intentional. Apple wants to assure us that they have done this before and it worked out well.

How well this will really work will depend not only on Apple alone, but on the third party developers. While Rosetta worked surprisingly well during the Intel transition, there was noticeable lag in some cases, and the software couldn’t really unlock all of the hardware until there was a re-compiled version. I remember that every developer would proudly announce the availability of a universal binary.

Some solutions never made the jump. Some software solutions got lost when Apple finally turned off Rosetta in Mac OS X 10.7 Lion, the same way some solutions did not make the jump to 64-bit and are ‘lost’ unless you hold on to Mojave.

It is fair to blame the software developer for the lack of maintenance. Not all developers have the time to put in the effort to continually update a product, or they moved on to other companies or projects. Not all software products generate enough revenue to warrant any maintenance effort. From the user perspective, software that they paid for has an arbitrary expiration date, the software vendor blames Apple, and Apple blames the vendor. This is understandably frustrating.

Apple and macOS are certainly in a different place in the market than they were in 2007, but we will have to see how well the third-party developers and vendors take to the transition this time.

macOS 11 for MacAdmins

Enterprises, schools, universities, and organizations and their users are also in a different place these days. The addition of mobile devices (phones and tablets) as essential tools for the employees has forced many organizations to change their management and access strategies to be more flexible. The massive requirement to work remotely from the Coronavirus pandemic has accelerated this shift.

But once you have reworked your deployment and management strategies to work with one different platform, then adding a third or fourth platform to the mix will be less of a barrier. It will still be a significant effort, but it will not be as daunting and impossible as that first change. The changing infrastructure requirements have worked in favor of Apple platforms for the past years, led by iOS, but pulling macOS behind them. But Apple has not yet had enough time to lock in these kinds of deployments.

In education, ChromeBooks are gaining ground, mainly because of the price point, but also because of a powerful management framework. Dual booting your Mac to Windows with Bootcamp will not be possible on Apple Silicon. Additional problems stemming from the transition might just be enough to push users and organizations ‘over the edge’ to switch platforms.

Apple must have considered all this and believes the benefits from building their own chips for the Mac platform outweigh the downsides. Less heat and better battery life are obvious, quick wins. Apple’s A-series chips have a dedicated Neural engine for machine learning processes, which was already demonstrated.

Apple has brought some of the security benefits from iOS to the Mac platform with the T1 and T2 chips. These provide Touch ID and a secure enclave for certificates and encrypted internal storage. By removing the Intel chipset, Apple can tighten the security even more. The new Apple Silicon based systems will have new startup options and more flexible secure boot settings. External boot will not only still be possible, but will not be disabled by default, which will simplify many workflows for techs and admins. When you have multiple macOS systems on a drive, you will be able to disable security features per system, so you can have a ‘less secure system’ for experimentation or development, while keeping all security features enabled for the system with your personal data.

Device Management

There wasn’t much news about MDM at WWDC itself. The changes that were shown are refinements to existing workflows rather than big changes. With all the other changes, stability in MDM and management will be helpful.

We have finally been promised a true zero-touch deployment for Macs with “Auto Advance for Mac,” but are still lacking details about the exact implementation.

But there are still some huge gaps in the MDM strategy. Application deployment (VPP) is still unreliable. There is no way for organizations to purchase and manage in-App purchases and subscriptions in quantity. Many essential settings and features of macOS still cannot be set or controlled with configuration profiles or MDM commands. MDM still has no solution for installing and managing software from outside the App Store. PPPC settings are still changing and complicated to manage for admins.

Apple considers the ability to run iOS and iPadOS on macOS a huge bonus. How useful this will be in reality, outside of games, remains to be seen. But it will certainly make managing apps from the Mac App Store more essential than it is now.

The acquisition of Fleetsmith, on the other hand, will have a big impact on the Apple MDM market and users. I have described how the changes to the service have affected the users and admins in my newsletter last week. While this has cast an unnecessary shadow on the acquisition, we still don’t know what Apple’s plans regarding Fleetsmith and MDM are going to be.

Strange New World

The changes MacAdmins got for device management are useful and necessary, but evolutionary in nature. (There is nothing wrong with that.) The Fleetsmith deal shows the possibility of more and larger changes to Apple’s device management strategy in the future. It might take years before we will see the implications of this.

Versioning is always influenced by marketing. The switch from version 10 to version 11 is more than just the end of an odd versioning convention. The time where Mac OS X stands apart from the other Apple platforms is over. Apple is promising a family of devices where the user interface, hardware, and software will be unified, while preserving the special characteristics of each platform.

Apple has explained why and how they want to distinguish macOS from the other Apple platforms. They will have to live up to these promises over the next few years. There is a balance to be kept between implementing beneficial features from the other Apple platforms and maintaining the ‘flexibility and configurability’ of macOS. There is also the possibility that some of these Mac characteristics will make their way to other Apple platforms. (multi-boot, virtualization, or custom device drivers on iPadOS?)

Not everyone follows the WWDC announcements closely. As MacAdmins we will get many questions about the news from last week that do surface. We have to inform our organizations and our fellow employees what these changes mean for them and their workflows and help them make an informed decision on which platform (Apple or other systems) matches their requirements.

There are bound to be issues with Apple’s plans. We will need to watch Apple’s strategy, give feedback on missteps and requirements. It is certainly a frustrating process, but Apple has changed features because of feedback from the MacAdmin community in the past.

If you haven’t enrolled in AppleSeed for IT yet, now is the time! Download the beta, start testing and providing feedback!

Weekly News Summary for Admins — 2020-06-26

Phew, it’s really summer here in NL, hot and humid. And it’s been a ‘hot’ week for many other reasons, too.

This news summary took a while and is a bit later than usual… you will see why…

If I missed anything, let me know and I will catch up next week.

macOS 11 Big Sur

The WWDC Keynote didn’t disappoint. iOS 14, iPadOS 14, watchOS 7, the new tvOS, and Xcode 12 are going to be exciting updates.

Unsurprisingly, the transition of the Mac platform to ’Apple Silicon’—an as of yet unspecified custom chipset—was announced. The parallels to the Intel transition announcement in 2005 were obvious and likely entirely intentional. Apple is conveying the message: “we’ve done this before, we know what we are doing.” The Developer Kit contains the same A12z chip that is used in the iPad Pro, but Apple was adamant that the final production Macs with Apple Silicon will have chips customized for the Mac platform and requirements and not use iPad Pro chips.

The first Apple Silicon Macs are supposed to ship before the end of this year and the transition is supposed to take two years. Existing Macs with Intel processors will be supported with new versions of macOS for “years to come.”

What was surprising is that Apple finally moved on from the ‘10’ (or ‘X’) version number. After nearly twenty years of ‘ten-dot’ versions (more when you consider Mac OS X Server and the Mac OS X public beta) macOS ‘Big Sur’ is labelled as version 11.0. At least in the marketing material and user facing UI. Internal documentation, APIs and sw_vers use 10.16, but that may still change during the beta phase. macOS 11 Big Sur also has a new user interface design, very similar to iPadOS and iOS.

The new version number and the unified interface language is Apple’s way of telling us, that the time where macOS (Mac OS X) stands somewhat apart from the iOS based platforms is over. macOS will be unified with the other platforms in hardware (Apple Silicon), APIs (Catalyst and SwiftUI), software, and user interface.

Apple is also declaring what they consider the strengths and differences of macOS. “You can continue to install out side of the App Store.” “The Unix tools are important.” “Yes, Terminal is still there.” “Peripherals and external boot.” These and similar phrases have been frequently stated in WWDC sessions this week, including the State of the Union. We are getting assurances that the Mac will remain the Mac, while also being more like its iOS-based siblings. And the information we did get from the in-depth sessions has been supportive of those assurances.

We will have to see how this will actually play out over the “years to come.” But it is encouraging that Apple is addressing and assuaging these concerns.

Fleetsmith acquired by Apple

If all of this weren’t enough, there was another surprise announcement this week. Fleetsmith, developer and vendor of the Mac management system of the same name, was acquired by Apple.

Fleetsmith is well-known for having awesome swag at conferences. They have also been popular with MacAdmins for having a large catalog of third-party applications with up-to-date installers and configuration sets as part of their solution. This meant that admins would not have to manually download, re-package, upload and configure an update for some third-party software, but instead could rely on Fleetsmith to do that work.

Soon after the announcement of the acquisition, all these third-party applications disappeared from Fleetsmith. Since this support included things such as extension approvals and privacy preferences control, which were also removed from the catalog and hence from the managed Mac clients, this would break many installations. Remote access software might have been deployed and managed this way, and was now defunct on the client machines, effectively locking out the admins and preventing remote access as a fix. The affected admins now have to re-build the third-party support and configurations manually as custom packages to make the clients work again.

Third-party support was yanked so unceremoniously probably because hosting and redistributing third-party installers is very complicated, if not outright impossible from a legal standpoint. It has been speculated that this is the reason that Jamf’s Patch Management feature has never lived up to the initial expectations and promises. A small company like Fleetsmith might be able to ‘fly under the radar’ and get away with it, but a larger, rich company like Apple, would not want to take this risk.

Either way, the abrupt way this change was pushed, without any previous warning about the changes of support and features, was handled extremely poorly and rightfully enraged many affected customers. This immediately cast a shadow on a deal that might otherwise have been celebrated or at least been followed with interest.

Apple has been standing on the sidelines of the MDM business. While they do create and sell Profile Manager as part of macOS Server, Profile Manager is usually considered a reference implementation of the MDM protocol only and it is not recommended for production use at scale (any scale, really). Now they are preparing to get more involved by providing their own, professional level MDM based on Fleetsmith’s solution. (One can imagine that there is an AirPower sized, failed ‘Profile Manager 2’ project on some servers at Apple somewhere.)

Apple has started putting some management functionality in Apple Business/School Manager. It is conceivable Apple would want to extend that to a full blown cloud-based MDM solution. But where would such a first-party management solution leave the existing MDM solutions?

There are many features the MDM protocol does not and cannot (yet) provide for Mac management. But a setup like this would relegate the current management system vendors back to local management agents, much like what Munki provides.

This is all speculation at this point of course. This could also be an ‘acquihire’ or Apple could continue Fleetsmith as a semi-independent subsidiary, much like Claris FileMaker, or follow some path in between these extremes.

There were also other MDMs that had news to share this week:

  • Five years behind, Five years ahead – Victor Vrantchan, MicroMDM
  • Kolide MDM — For Those That Don’t Need To Be “Managed”

These “years to come” will surely be interesting, as a Mac user and as a MacAdmin.


If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here! (Same content, delivered to your Inbox once a week.)

Apple Newsroom

News and Opinion

WWDC 2020, macOS 11 Big Sur and iOS 14

WWDC Sessions for MacAdmins

Some of these will be released later today. Many of these, thanks to Balmes Pavlov

Apple Developer Documentation

MacAdmins 2020 Campfire Sessions

MacAdmins on Twitter

  • Erik Gomez: “Exciting update for the macadmins/python project: This is the first automated package, driven by GitHub Actions. Thanks to @natewalck we have a signing certificate too! Unsigned, Signed and Raw framework can be downloaded here.”
  • Damien Sorresso: “If you’re trying to mount the root volume as writeable on macOS Big Sur, here’s some stuff to know.” (thread)
  • Mark Villacampa: “Apple will be contributing patches to widely used open source projects to add support for Apple Silicon”
  • Thomas Reed: “I wonder how many workflows are going to break because macOS is now numbered 11.x instead of 10.x…”
  • Daniel Jalkut: “This caveat is buried deeply enough in the macOS Big Sur release notes that a lot of people are going to be bit by it. Creating a new volume in an existing APFS container had become the de facto best way to install a second OS.”
  • Federico Viticci: “Shortcuts got some very cool updates in iOS/iPadOS 14” (follow link for details and images)
  • Gio: “Xcode 12 creates new repos with main instead of master. Well done Apple”
  • James Thomson: “Looks like you might not be able to access a Big Sur disk under Catalina. Not ideal if you’re dual booting between the two.”
  • Rich Trouton: “For folks wanting to build macOS Big Sur VMs, I’ve updated my script for creating macOS installer disk images for virtualization software. It now will create installer disk images for Sierra through Big Sur beta 1”
  • Mr. Macintosh: “What’s new in managing Apple Devices on Big Sur!” (Thread)
  • Victor (groob): “With macOS 11 MDM can – configure a new User Account – choose to set that account as MDM managed – have flexible securetoken workflows. These changes mean that it’s finally possible to have 1:1 managed user workflows which are purely MDM / no network accounts.”
  • Not a Kitteh: “So what differentiates the Mac from the iPad in the future? From the SOTU, Apple says: – flexibility – configurability – external, bootable storage – drivers for peripherals – run any software”
  • Mr. Macintosh: “Big Sur Cryptographically signed system volume: ‘Signed system volume that protects against malicious tampering. It also means that your Mac knows the exact layout of your system volume, allowing it to begin software updates in the background’”

Support and HowTos

Scripting and Automation

Updates and Releases

To Watch

To Listen

Just for Fun

Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!