Weekly News Summary for Admins — 2017-06-23

I have gotten some positive and encouraging feedback on this newsletter. Glad you all like it. I thought some people might prefer the weekly summary as an email newsletter. If you do, please subscribe here!

Subscribe to Scripting OS X Weekly Newsletter here!

!# On Scripting OS X

📰News and Opinion

🔨Support and HowTos

📺To Watch

📻To Listen

📚Support

To support Scripting OS X, consider buying one (or both) of my books. Thank you!

If you have already bought and read the books, please leave a review on the iBooks Store. Reviews are important to help new potential readers make the purchase decision. Thank you (again)!

Post WWDC Summary

Earlier this year I wrote a post on whether packaging is dead. Since I wrote a book on Packaging and have also invested much of my career in macOS I do have quite some interest in the topic.

(Please buy the book! If you have bought and read it, please leave a review!)

After that post I made myself a reminder to re-visit the topic post WWDC. I was very much expecting to be proven wrong or hopelessly optimistic. This reminder has been bugging me for a while. I have had a hard time to consolidate my thoughts into writing.

It’s not that this year’s WWDC was boring. Quite the opposite. The new iPads Pro look wonderful and I want one. Apple also announced great new iMacs and MacBooks and a space-grey iMac Pro, demonstrating they still care about the Mac line. (The Mac mini, however, got no love this time around. I do hope the line gets at least a speed bump and we don’t have to wait for a the new Mac Pro to get a decent option for screenless Macs. I’ve given up on servers…) And finally, both iOS 11 and macOS High Sierra (10.13) look like solid updates with lots of new features for users and developers. This was a great WWDC!

Mac admins were concerned that this update would lock down macOS in a similar fashion to iOS. The worst case scenarios painted a picture where not even admin users would be able to get root privileges and you couldn’t install third party daemons and agents any more, fundamentally breaking the way all management systems work. Admins would have to re-work their workflows to work through MDMs, which are not yet capable to bear this burden. The new Apple File System APFS would break NetBoot and all the tools admins use to image Macs.

What happened was… well… nothing much really.

Mac-narök has been postponed.

(Excellent talk by Micheal Lynn at MacDevOps YVR, just a few minutes before the WWDC Keynote. Go watch it.)

There will be changes in High Sierra that affect admins. APFS on macOS is definitely going to happen. In the current (first) beta there is an option to disable the filesystem conversion during upgrade, but it is unknown wether that option will still exist in the release. You can now add iOS devices to DEP even if they were not registered at purchase. You can control a firmware password on Macs with profiles. There are some (minor) changes to files and folders protected by SIP.

I don’t believe or want to suggest the posts above and many other people who predicted the end of Mac Administration as we know it were hysterical or unnecessarily panicked. When they were written there were strong indications and hints that Apple was planning a lockdown of some form soon. MDM only Mac administration might still happen in a future update. However, we seem to have gotten an reprieve, which is good.

Why did the lockdown not happen now? Excellent question, which I do not know the answer to. There was a big outcry from the Mac admin community and many used their official channels (Apple reps and support, Radar, Feedback) to tell Apple what a huge imposition such a quick and drastic change would be. Also many third-party application developers are reluctant to (or cannot) move to the Mac App Store, which would be a requirement in an MDM only world.

For now it seems that common admin tools will run on High Sierra and APFS with just some minor adjustments. This includes packages! Packaging is not dead! Long live Packaging! …and all the other tools!

(On the other hand, some things may still break or be removed during the beta phase.)

Does that mean we should just happily keep doing what we are doing? No. Even if Apple does not yet enforce ‘MDM-only’ they are clearly moving towards ‘more MDM.’ We still have to re-evaluate every setting and workflow with MDM in mind. There are some great solutions already that can combine MDM with e.g. Munki, Chef or Puppet.

Even though imaging, whether you choose the “thick” or “thin” approach, will probably still work in High Sierra, you should be thinking about alternative strategies. DEP plus application installs and updates are more flexible and powerful than full disk imaging.

There are certain setups, such as classrooms and training centers, which require frequent re-imaging with short turnaround times. Ironically, the tech that was predicted to kill imaging might provide a solution. APFS disk snapshots could provide a solution for fast system restores. The tools for this do not seem to be fully in place yet, but the time to test and file bugs is now.

The MDM ‘InstallApplication’ command, which installs the agent software, such as the Munki or Jamf client, should be supported by management systems. This would allow clients to be connected to the management system without user interference and the client software to add to the limited functionality of MDM with tools that admins already have solutions and expertise for.

So the post WWDC summary: the ‘End of Things as We Know Them’ has been postponed. Imaging will still work, but you want to start examining and testing alternatives. Packages and scripts remain relevant, but there are interesting new means of distributing them.

It is already apparent the next WWDC will have more exciting news ready for Mac and iOS Admins. Until then we will be busy learning the new features and tools in High Sierra and iOS 11 and laying the groundwork to the future.

Weekly News Summary for Admins – 2017-06-16

Late summary this week. I was traveling this week-end.

Also, I have finally caved and signed up for LinkedIn. Please, connect to me there and endorse or poke me or what ever it is you do on LinkedIn… 😉 Thanks!

News and Opinion

Support and HowTos

To Watch

To Listen

Support

To support Scripting OS X, consider buying one (or both) of my books. Thank you!

If you have already bought and read the books, please leave a review on the iBooks Store. Reviews are important to help new potential readers make the purchase decision. Thank you (again)!

Weekly News Summary for Admins – 2017-06-09

On Scripting OS X

To support Scripting OS X, consider buying one (or both) of my books. Thank you!

If you have already bought and read the books, please leave a review on the iBooks Store. Reviews are important to help new potential readers make the purchase decision. Thank you (again)!

Quiet week in the build-up for WWDC, both here on Scripting OS X and other places. Safe traveling and lots of fun to those going to San Jose! More news next week!

WWDC

News and Opinion

Updates and Releases

Support and HowTos

To Listen

Update 1.4 for ‘Packaging for Apple Adminstrators’

One of the advantages of digital books is they can be updated like software. This is one of the motivations I had for choosing iBooks as the format for my books.

The latest update (v1.4) for ‘Packaging for Apple Administrators’ is now available in the iBooks Store. If you have already purchased the book, iBooks should notify you that an update is available. If you have not bought the book yet then you can get it now and future updates as well!

This is the largest update I have done on this book so far. It contains a few sections that I had wanted to be in the book, but had to leave out for one reason or another:

  • new appendix with a printable Command Reference List
  • minor layout and design updates
  • added screen shot for ‘Show Files’ in Installer.app
  • added instructions for the productsign tool
  • added section on Bundle Relocation
  • added quickpkg to ‘Other Package Builders’
  • added Jamf Composer to ‘Other Package Builders’

The largest new part is the section on Jamf Composer. Composer is the packaging tool from Jamf, provided as part of the management application suite (or as a standalone). Composer has some strengths and many issues. The new section will walk through the process of creating packages with Composer and discuss the strengths and weaknesses and when other tools may be more appropriate.

Another new section is the new ‘Packaging Command Reference’, which are two pages with the most commonly used commands for working with packages. The pages are also available as a PDF in the book’s resources so you can print them and keep them near your workplace for quick reference.

If you like the book, please leave a rating on the iBooks Store. Your rating will help other admins find the book! Thank you!

Weekly News Summary for Admins – 2017-06-02

Quiet week in the build-up for WWDC, both here on Scripting OS X and other places. Safe traveling and lots of fun to those going to San Jose! More news next week!

Conferences

Updates and Releases

Support and HowTos

To support Scripting OS X, consider buying one (or both) of my books. Thank you!

If you have already bought and read the books, please leave a review on the iBooks Store. Reviews are important to help new potential readers make the purchase decision. Thank you (again)!

Weekly News Summary for Admins – 2017-05-26

On Scripting OS X

To support Scripting OS X, consider buying one (or both) of my books. Thank you!

If you have already bought and read the books, please leave a review on the iBooks Store. Reviews are important to help new potential readers make the purchase decision. Thank you (again)!

Updates and Releases

Posts and Opinion

Support and HowTos

To Listen

Relocatable Package Installers and quickpkg Update

In my book “Packaging for Apple Administrators” I show a great use of pkgbuild to wrap an application in a package installer:

$ pkgbuild --component /Applications/Numbers.app Numbers.pkg

If the application is not already in the /Applications folder, you have to add the --install-location:

$ pkgbuild --component /Volumes/Firefox/Firefox.app --install-location /Applications Firefox.pkg

This is great and wonderful, but has one drawback: the installers pkgbuild creates this way are ‘relocatable’. When the installer does not find the application in the target location, it will look if the application is installed elsewhere on the system. If it finds the ‘relocated’ application bundle, it will happily try to update it in the new location.

Usually this is not a big problem on managed systems. However, if users have copies of applications in unusual locations, e.g., because they do not have permission to install in /Applications or because they themselves are admins with dozens of versions in ~/Library/AutoPkg, then this can lead to unexpected behavior or failure.

The common solution to this is to create ‘non-relocatable’ installer packages.

What makes a pkg relocatable

The relocate element in the PackageInfo file in an installer package controls this behavior. You can see the PackageInfo file in Pacifist or with pkgutil:

$ pkgutil --expand Firefox.pkg Firefox_expanded
$ more Firefox_expanded/PackageInfo 

Among much other data you will see this xml element:

<relocate>
    <bundle id="org.mozilla.firefox"/>
</relocate>

This tells the Installer to look for an application bundle with the given identifier and install in that location. To disable this, you can replace the above element with an empty relocate element:

<relocate/>

Then installer will install or upgrade in the given install-location (e.g. /Applications) only.

You can apply this change to the expanded PackageInfo file with a text editor and re-create the pkg file with

$ pkgutil --flatten Firefox_expanded/ Firefox-nr.pkg

(‘nr’ for ‘non-relocatable’)

However, applying these steps after creating each package is tedious and error-prone, so we want to look for a better solution.

Telling pkgbuild to not re-locate

The pkgbuild man page mentions there is an option to create non-relocatable installer pkgs with the BundleIsRelocatable option in a ‘component property list’. This is great, since it is better to use documented options, rather than hacking the PackageInfo directly. However, to use the --component-plist option with pkgbuild you have to use the --root option rather than the --component option This requires a bit more effort.

First create a project folder:

$ mkdir -p Firefox/payload
$ cd Firefox

And copy the application to the payload directory:

$ cp -R /Volumes/Firefox/Firefox.app payload/

Then you can use pkgbuild’s --analyze to create a template component property list:

$ pkgbuild --analyze --root payload Firefox-component.plist
pkgbuild: Inferring bundle components from contents of payload
pkgbuild: Writing new component property list to Firefox-component.plist

You can then open the generated property list file in a text or property list editor. You will see several values for different settings and a list of ChildBundles. Change the value of the BundleIsRelocatable key from <true/> to <false/>. You can do this in the editor or with the plutil command:

$ plutil -replace BundleIsRelocatable -bool NO Firefox-component.plist

Then build the package with pkgbuild:

$  pkgbuild --root payload --identifier org.mozilla.firefox --version 53.0.3 --install-location /Applications --component-plist Firefox-component.plist Firefox-53.0.3.pkg

This will build the package installer with an empty relocate element.

Note: munki-pkg has an option suppress-bundle-relocation which achieves the same result.

QuickPkg

This approach can be useful but is still complicated. To simplify the creation I have updated my quickpkg tool to create non-relocatable packages by default. You can change the new default behavior with the --relocatable option.

$ quickpkg ~/Downloads/Firefox\ 53.0.3.dmg 
Firefox-53.0.3.pkg

Enjoy!

Weekly News Summary for Admins – 2017-05-20

On Scripting OS X

To support Scripting OS X, consider buying one (or both) of my books. Thank you!

If you have already bought and read the books, please leave a review on the iBooks Store. Reviews are important to help new potential readers make the purchase decision. Thank you (again)!

Updates and Releases

Posts and Opinion

Support and HowTos

Conferences

To Listen