Weekly News Summary for Admins — 2020-07-10

This week brought more reactions to WWDC news regarding macOS 11 Big Sur, iOS 14, and the Apple Silicon transition. Apple released beta 2 for all the above (excluding the DTK), which were later released as the first public beta. We also got GM betas for macOS Catalina 10.15.6 and iOS 13.6. And there was a new ransomware named EvilQuest, later changed to ThiefQuest.

Busy week.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

WWDC Reactions

News and Opinion

macOS 11 Big Sur and iOS 14

Coronavirus and Remote Work

MacAdmins on Twitter

  • Victor (groob): “Erasing macOS beta 1 in recovery and selecting ‘Install macOS’ installs beta2. Neat!”
  • Mr. Macintosh: “Mobile Accounts are treated as Network Accounts in Big Sur Beta 1 & 2. FB7870925 Not that you needed another reason to move to Local Accounts”

Bugs and Security

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Listen


If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Use scout to read Property Lists

I have written a few posts in the past about parsing data from property list files in scripts and Terminal. My usual tool for this is PlistBuddy. However, PlistBuddy’s syntax is… well… eccentric.

Recently, Alexis Bridoux, who is also the main developer on Octory, introduced a command line tool called scout which solves many of the issues I have with PlistBuddy.

For example, you can pipe the output of another command into scout, something you can only convince PlistBuddy to do with some major shell syntax hackery.

So instead of this:

> /usr/libexec/PlistBuddy -c "print :dsAttrTypeStandard\:RealName:0" /dev/stdin <<< $(dscl -plist . read /Users/armin RealName)

With scout I can use this much clearer syntax:

> dscl -plist . read /Users/armin RealName | scout "dsAttrTypeStandard:RealName[0]"

The tool can also modify existing files, by changing, adding or deleting keys.

scout can also parse JSON and (non plist) XML files, so it can also stand in as a replacement for jq and xpath. It will also color-code output for property list, XML and JSON files.

I have been using scout interactively in the Terminal for a while now. So far, I have been refraining from using scout in scripts I use for deployment. To use a non-system tool in deployment scripts, you need to ensure the tool is deployed early in the setup process. Then you also have to write your scripts in a way that they will gracefully fail or fall back to PlistBuddy in the edge case where scout is not installed:

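# resolve scout from PATH; the variable stays empty when it is not installed
scout=$(command -v scout)

if [ ! -x "$scout" ]; then
    echo "could not find scout, exiting..."
    exit 1
fi

realName=$( dscl -plist . read /Users/armin RealName | "$scout" "dsAttrTypeStandard:RealName[0]" )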

All of this overhead adds extra burden to using a tool. The good news is that scout comes as a signed and notarized package installer, which minimizes deployment effort.

I will be considering scout for future projects. If anyone at Apple is reading this: please hire Alexis and integrate scout or something like it in macOS.

Weekly News Summary for Admins — 2020-07-03

The week after WWDC: time for opinion and reaction pieces. And time to dig into the betas and find the first bugs and annoying changes.

But Apple hasn’t forgotten the Catalina/iOS 13 updates either. We got new betas for 10.15.6 and iOS 13.6.

👩🏽‍💻WWDC Reactions

📰News and Opinion

🌅 macOS 11 Big Sur and iOS 14

⚙️macOS Catalina 10.15 and iOS 13 Updates

🐦MacAdmins on Twitter

  • robb: “Because SF Symbols are characters in the Private Use Area, they render just fine in your Terminal”
  • Steve Troughton-Smith: “Now that in-app purchase is available to Family Sharing, there aren’t many reasons at all to use a paid-up-front model (asides enterprise & education distribution). You can also effectively do free trials & paid upgrades w/ IAP. Definitely going to transition all my apps to it”
  • Victor (groob): “I see a lot of macadmins asking Apple to allow enabling screen recording via MDM. I get it, it’s a burden for helpdesk to explain approving Zoom to all your users. But when your manager asks you to spy on your WFH co-workers, how will you respond?” (thread, link)
  • Rico Becker: “Apple has restricted access to ~/Library/Containers/ in Finder on macOS Big Sur. It’s only showing one folder in my case. In Terminal I can see that everything is still there. Any way to reactivate the normal behavior?”
  • Carl Ashley: “Munki life hack: Use admin notes in your pkginfo to store either human or machine readable comments indicating if a package has passed OS compatibility testing *cough*Big Sur*cough*.”

🐞Bugs and Security

🔨Support and HowTos

🤖Scripting and Automation

🎧To Listen


macOS 11

Last week at WWDC, Apple had two big announcements for the Mac platform.

The first one was a new user interface design, much closer to iPadOS and iOS. Apple considers this the “biggest design upgrade since the introduction of Mac OS X.” Because of this, Apple also gives this version of macOS the long-withheld ‘11’ as the major version number.

You can take a look at the new UI on Apple’s Big Sur preview page or you can download the beta from your AppleSeed for IT or Developer account. It shares many elements, styles and icons with iOS or iPadOS.

The other major announcement is that the Mac platform will have a transition from Intel CPUs to ‘Apple Silicon’ chips built by Apple themselves, just like the iPhone and the iPad. The Developer Kit for testing purposes is powered by the A12z chip that powers the iPad Pro, but Apple was insistent that future, production Macs would have chips designed specifically for Macs and not be using iPad or iPhone chips.

These are big announcements, for sure. But what do they mean for the macOS platform? And for MacAdmins in particular?

Apple’s commitment to Mac

There was a time not so long ago, where you got the impression that the Mac platform was merely an afterthought for Apple. I think it started after the release of the ‘trashcan’ Mac Pro. During those years, I think there was legit concern that Apple would lock down macOS as tightly as they did iOS, breaking what makes the Mac special.

Some of the recent additions to macOS, such as the increased privacy controls with their incessant prompts for approval, deprecation of built-in scripting run-times like Python and Ruby and even the deprecation of bash in favor of zsh, have made some ‘Pro’ users nervous and afraid that Apple wants to turn macOS into iOS.

Now the unification of the user interface can add to those concerns: will macOS turn into iOS and iPadOS in more than just look and feel?

On the other hand, Apple has been more vocal and open about their plans for the Mac. This started when Apple announced they were working on a new Mac Pro in April 2017.

In Mojave (2018), and then Catalina (2019), Apple introduced several technologies unique to macOS:

  • System and Network Extensions
  • File Providers
  • DriverKit
  • Notarization
  • zsh as new default shell, dash

These technologies exist because Apple wants (or needs) to increase the security of macOS. Kernel extensions, which provide unfettered access to all parts of the system, are replaced with System and Network extensions and DriverKit. Notarization allows Apple to check and certify software delivered and installed outside of the Mac App Store. zsh allows Apple and their users to move forward from a 13-year-old bash version.

But, if Apple wanted to lock down macOS as completely as iOS and iPadOS, they wouldn’t have to introduce these new technologies to macOS. Instead, they are introducing new technologies to allow certain characteristics of macOS to continue, even with increased security. This is a lot of effort from Apple, which convinces me that Apple sees a purpose for macOS for years to come.

What are these characteristics that Apple thinks are special for the macOS? Apple told us in the Platforms State of the Union session this year. Starting at 15:10 Andreas Wendker says:

“Macs will stay Macs the way you know and love them. They will run the same powerful Pro apps. They will offer the same developer APIs Macs have today. They will let users create multiple volumes on disks with different operating system versions and they will let users boot from external drives. They will support drivers for peripherals and they will be amazing UNIX machines for developers and the scientific community that can run any software they like.”

This short section makes a lot of promises:

  • Pro Apps: including third party pro apps, like Affinity Photo, Cinema 4D, Photoshop, shown previously, and Microsoft Office, and Maya which were shown in the Keynote
  • Developer APIs: no reduced feature set
  • Disk and OS management: multiple volumes, external storage and boot, multiple versions of macOS on one device
  • Peripheral ports with custom drivers
  • UNIX machines for developer and science tools (this includes Terminal, Craig Federighi confirmed this in John Gruber’s interview)
  • ‘any software you like’
  • ‘flexibility and configurability’ (earlier in the presentation)

Apple wants to assure us that they understand what the macOS platform is used for. Remember that Apple uses macOS themselves for many of these tasks and it is unlikely they would want to switch to Windows or Linux based PCs for their work.

With all these assurances you can consider the UI changes to go merely ‘skin deep.’ Whether you like the new UI or not, the wonderfully complex innards of macOS should still be there for you to explore and (ab)use.

Mac Transition

When Apple announced the transition to Apple Silicon in the keynote, it felt like a repeat of the 2006 Keynote where Steve Jobs announced the Intel transition. Apple is even re-using the names for the technologies ‘Universal’ and ‘Rosetta,’ albeit with version ‘2’ attached. This is of course entirely intentional. Apple wants to assure that they have done this before and it worked out well.

How well this will really work will depend, not only on Apple alone, but on the third party developers. While Rosetta worked surprisingly well during the Intel transition, there was noticeable lag in some cases, and the software couldn’t really unlock all of the hardware until there was a re-compiled version. I remember that every developer would proudly announce the availability of a universal binary.

Some solutions never made the jump. Some software solutions got lost when Apple finally turned off Rosetta in Mac OS X 10.7 Lion, the same way some solutions did not make the jump to 64-bit and are ‘lost’ unless you hold on to Mojave.

It is fair to blame the software developer for the lack of maintenance. Not all developers have the time to put in the effort to continually update a product, or they moved on to other companies or projects. Not all software products generate enough revenue to warrant any maintenance effort. From the user perspective, software that they paid for has an arbitrary expiration date; the software vendor blames Apple, and Apple blames the vendor. This is understandably frustrating.

Apple and macOS are certainly in a different place in the market than they were in 2007, but we will have to see how well the third-party developers and vendors take to the transition this time.

macOS 11 for MacAdmins

Enterprises, schools, universities, and organizations and their users are also in a different place these days. The addition of mobile devices (phones and tablets) as essential tools for the employees has forced many organizations to change their management and access strategies to be more flexible. The massive requirement to work remotely from the Coronavirus pandemic has accelerated this shift.

But once you have reworked your deployment and management strategies to work with one different platform, then adding a third or fourth platform to the mix will be less of a barrier. It will still be a significant effort, but it will not be as daunting and impossible as that first change. The changing infrastructure requirements have worked in favor of Apple platforms for the past years, led by iOS, but pulling macOS behind them. But Apple has not yet had enough time to lock in to these kinds of deployments.

In education, ChromeBooks are gaining ground, mainly because of the price point, but also because of a powerful management framework. Dual booting your Mac to Windows with Bootcamp will not be possible on Apple Silicon. Additional problems stemming from the transition might just be enough to push users and organizations ‘over the edge’ to switch platforms.

Apple must have considered all this and believes the benefits from building their own chips for the Mac platform outweigh the downsides. Less heat and better battery life are obvious, quick wins. Apple’s A-series chips have a dedicated Neural engine for machine learning processes, which was already demonstrated.

Apple has brought some of the security benefits from iOS to the Mac platform with the T1 and T2 chips. These provide Touch ID and a secure enclave for certificates and encrypted internal storage. By removing the Intel chipset, Apple can tighten the security even more. The new Apple Silicon based system will have new startup options and more flexible secure boot settings. External boot will not only still be possible, it will also not be disabled by default, which will simplify many workflows for techs and admins. When you have multiple macOS systems on a drive, you will be able to disable security features per system, so you can have a ‘less secure system’ for experimentation or development, while keeping all security features enabled for the system with your personal data.

Device Management

There wasn’t much news about MDM at WWDC itself. The changes that were shown are refinements to existing workflows rather than big changes. With all the other changes, stability in MDM and management will be helpful.

We have finally been promised a true zero-touch deployment for Macs with “Auto Advance for Mac,” but are still lacking details about the exact implementation.

But there are still some huge gaps in the MDM strategy. Application deployment (VPP) is still unreliable. There is no way for organizations to purchase and manage in-App purchases and subscriptions in quantity. Many essential settings and features of macOS still cannot be set or controlled with configuration profiles or MDM commands. MDM still has no solution for installing and managing software from outside the App Store. PPPC settings are still changing and complicated to manage for admins.

Apple considers the ability to run iOS and iPadOS on macOS a huge bonus. How useful this will be in reality, outside of games, remains to be seen. But it will certainly make managing apps from the Mac App Store more essential than it is now.

The acquisition of Fleetsmith, on the other hand, will have a big impact on the Apple MDM market and users. I have described how the changes to the service have affected the users and admins in my newsletter last week. While this has cast an unnecessary shadow on the acquisition, we still don’t know what Apple’s plans regarding Fleetsmith and MDM are going to be.

Strange New World

The changes MacAdmins got for device management are useful and necessary, but evolutionary in nature. (There is nothing wrong with that.) The Fleetsmith deal shows the possibility of more and larger changes to Apple’s device management strategy in the future. It might take years before we will see the implications of this.

Versioning is always influenced by marketing. The switch from version 10 to version 11 is more than just the end of an odd versioning convention. The time where Mac OS X stands apart from the other Apple platforms is over. Apple is promising a family of devices where the user interface, hardware, and software will be unified, while preserving the special characteristics of each platform.

Apple has explained why and how they want to distinguish macOS from the other Apple platforms. They will have to live up to these promises over the next few years. There is a balance to be kept between implementing beneficial features from the other Apple platforms and maintaining the ‘flexibility and configurability’ of macOS. There is also the possibility that some of these Mac characteristics will make their way to other Apple platforms. (multi-boot, virtualization, or custom device drivers on iPadOS?)

Not everyone follows the WWDC announcements closely. As MacAdmins we will get many questions about the news from last week that does surface. We have to inform our organizations and our fellow employees what these changes mean for them and their workflows and help them make an informed decision on which platform (Apple or other systems) matches their requirements.

There are bound to be issues with Apple’s plans. We will need to watch Apple’s strategy, give feedback on missteps and requirements. It is certainly a frustrating process, but Apple has changed features because of feedback from the MacAdmin community in the past.

If you haven’t enrolled in AppleSeed for IT yet, now is the time! Download the beta, start testing and providing feedback!

Weekly News Summary for Admins — 2020-06-26

Phew, it’s really summer here in NL, hot and humid. And it’s been a ‘hot’ week for many other reasons, too.

This news summary took a while and is a bit later than usual… you will see why…

If I missed anything, let me know and I will catch up next week.

macOS 11 Big Sur

The WWDC Keynote didn’t disappoint. iOS 14, iPadOS 14, watchOS 7, the new tvOS, and Xcode 12 are going to be exciting updates.

Unsurprisingly, the transition of the Mac platform to ‘Apple Silicon’—an as of yet unspecified custom chipset—was announced. The parallels to the Intel transition announcement in 2005 were obvious and likely entirely intentional. Apple is conveying the message: “we’ve done this before, we know what we are doing.” The Developer Kit contains the same A12z chip that is used in the iPad Pro, but Apple was adamant that the final production Macs with Apple Silicon will have chips customized for the Mac platform and requirements and not use iPad Pro chips.

The first Apple Silicon Macs are supposed to ship before the end of this year and the transition is supposed to take two years. Existing Macs with Intel processors will be supported with new versions of macOS for “years to come.”

What was surprising is that Apple finally moved on from the ‘10’ (or ‘X’) version number. After nearly twenty years of ‘ten-dot’ versions (more when you consider Mac OS X Server and the Mac OS X public beta) macOS ‘Big Sur’ is labelled as version 11.0. At least in the marketing material and user facing UI. Internal documentation, APIs and sw_vers use 10.16, but that may still change during the beta phase. macOS 11 Big Sur also has a new user interface design, very similar to iPadOS and iOS.

The new version number and the unified interface language are Apple’s way of telling us that the time where macOS (Mac OS X) stands somewhat apart from the iOS based platforms is over. macOS will be unified with the other platforms in hardware (Apple Silicon), APIs (Catalyst and SwiftUI), software, and user interface.

Apple is also declaring what they consider the strengths and differences of macOS. “You can continue to install outside of the App Store.” “The Unix tools are important.” “Yes, Terminal is still there.” “Peripherals and external boot.” These and similar phrases have been frequently stated in WWDC sessions this week, including the State of the Union. We are getting assurances that the Mac will remain the Mac, while also being more like its iOS-based siblings. And the information we did get from the in-depth sessions has been supportive of those assurances.

We will have to see how this will actually play out over the “years to come.” But it is encouraging that Apple is addressing and assuaging these concerns.

Fleetsmith acquired by Apple

If all of this weren’t enough, there was another surprise announcement this week. Fleetsmith, developer and vendor of the Mac management system of the same name, was acquired by Apple.

Fleetsmith is well-known for having awesome swag at conferences. They have also been popular with MacAdmins for having a large catalog of third-party applications with up-to-date installers and configuration sets as part of their solution. This meant that admins would not have to manually download, re-package, upload and configure an update for some third-party software, but instead could rely on Fleetsmith to do that work.

Soon after the announcement of the acquisition, all these third-party applications disappeared from Fleetsmith. Since the support contains such things as extensions approval and privacy preferences control, which were also removed from the catalog and hence the managed Mac clients, this would break many installations. Remote Access software might have been deployed and managed this way, and was now defunct on the client machines, effectively locking out the admins and preventing remote access as a fix. The affected admins now have to re-build the third-party support and configurations manually as custom packages, to make the clients work again.

Third-party support was yanked so unceremoniously probably because hosting and redistributing third-party installers is very complicated, if not outright impossible from a legal standpoint. It has been speculated that this is the reason that Jamf’s Patch Management feature has never lived up to the initial expectations and promises. A small company like Fleetsmith might be able to ‘fly under the radar’ and get away with it, but a larger, rich company like Apple, would not want to take this risk.

Either way, the abrupt way this change was pushed, without any previous warning about the changes of support and features, was handled extremely poorly and rightfully enraged many affected customers. This immediately cast a shadow on a deal that might otherwise have been celebrated or at least been followed with interest.

Apple has been standing on the sidelines of the MDM business. While they do create and sell Profile Manager as part of macOS Server, Profile Manager is usually considered a reference implementation of the MDM protocol only and it is not recommended for production use at scale (any scale, really). Now they are preparing to get more involved by providing their own, professional level MDM based on Fleetsmith’s solution. (One can imagine that there is an AirPower sized, failed ‘Profile Manager 2’ project on some servers at Apple somewhere.)

Apple has started putting some management functionality in Apple Business/School Manager. It is conceivable Apple would want to extend that to a full blown cloud-based MDM solution. But where would such a first-party management solution leave the existing MDM solutions?

There are many features the MDM protocol does not and cannot (yet) provide for Mac management. But a setup like this would relegate the current management system vendors back to local management agents, much like what Munki provides.

This is all speculation at this point of course. This could also be an ‘acquihire’ or Apple could continue Fleetsmith as a semi-independent subsidiary, much like Claris FileMaker, or follow some path in between these extremes.

There were also other MDMs that had news to share this week:
Five years behind, Five years ahead – Victor Vrantchan, MicroMDM
Kolide MDM — For Those That Don’t Need To Be “Managed”

These “years to come” will surely be interesting, as a Mac user and as a MacAdmin.


Apple Newsroom

News and Opinion

WWDC 2020, macOS 11 Big Sur and iOS 14

WWDC Sessions for MacAdmins

Some of these will be released later today. Many of these, thanks to Balmes Pavlov

Apple Developer Documentation

MacAdmins 2020 Campfire Sessions

MacAdmins on Twitter

  • Erik Gomez: “Exciting update for the macadmins/python project: This is the first automated package, driven by GitHub Actions. Thanks to @natewalck we have a signing certificate too! Unsigned, Signed and Raw framework can be downloaded here. ”
  • Damien Sorresso: “If you’re trying to mount the root volume as writeable on macOS Big Sur, here’s some stuff to know.” (thread)
  • Mark Villacampa: “Apple will be contributing patches to widely used open source projects to add support for Apple Silicon”
  • Thomas Reed: “I wonder how many workflows are going to break because macOS is now numbered 11.x instead of 10.x…”
  • Daniel Jalkut: “This caveat is buried deeply enough in the macOS Big Sur release notes that a lot of people are going to be bit by it. Creating a new volume in an existing APFS container had become the de facto best way to install a second OS.”
  • Federico Viticci: “Shortcuts got some very cool updates in iOS/iPadOS 14” (follow link for details and images)
  • Gio: “Xcode 12 creates new repos with main instead of master. Well done Apple”
  • James Thomson: “Looks like you might not be able to access a Big Sur disk under Catalina. Not ideal if you’re dual booting between the two.”
  • Rich Trouton: “For folks wanting to build macOS Big Sur VMs, I’ve updated my script for creating macOS installer disk images for virtualization software. It now will create installer disk images for Sierra through Big Sur beta 1”
  • Mr. Macintosh: “What’s new in managing Apple Devices on Big Sur!” (Thread)
  • Victor (groob): “With macOS 11 MDM can – configure a new User Account – choose to set that account as MDM managed – have flexible securetoken workflows. These changes mean that it’s finally possible to have 1:1 managed user workflows which are purely MDM/ no network accounts.”
  • Not a Kitteh: “So what differentiates the Mac from the iPad in the future? From the SOTU, Apple says: – flexibility – configurability – external, bootable storage – drivers for peripherals – run any software”
  • Mr. Macintosh: “Big Sur Cryptographically signed system volume: ‘Signed system volume that protects against malicious tampering. It also means that your Mac knows the exact layout of your system volume, allowing it to begin software updates in the background’”

Support and HowTos

Scripting and Automation

Updates and Releases

To Watch

To Listen

Just for Fun



About bash, zsh, sh, and dash in macOS Catalina and beyond

This is an excerpt from my book: “Moving to zsh.” At the MacAdmins Conference Campfire session I received quite a few questions regarding this, so I thought it would be helpful information. You can get a lot more detailed information on “Moving to zsh” in the book!

Calls to the POSIX sh /bin/sh in macOS are handled by /bin/bash in sh compatibility mode. You can verify this by asking sh for its version:

% sh --version
GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin19)
Copyright (C) 2007 Free Software Foundation, Inc.

If Apple plans to eventually remove the bash binary, they need to have a replacement which handles sh.

Enter dash

Probably not coincidentally, Apple added the dash shell in Catalina. The Debian Almquist Shell (dash) is a minimal implementation of the POSIX sh standard and commonly used on other UNIX and Unix-like systems as a stand-in for sh.

Apple also added dash (but not zsh) to the Recovery system in macOS Catalina. While sh is still interpreted by bash in both the Recovery system and the regular system, this is a strong indicator that Apple eventually wants to use dash as the interpreter for sh scripts.

When your scripts which use the #!/bin/sh shebang strictly follow the POSIX sh standard, you should experience no problems when Apple switches to ‘dash-as-sh.’

Tripping over bashisms

However, there are some quirks of the current ‘bash-as-sh’ implementation in macOS that you need to be aware of. When bash stands in as sh, it will nevertheless continue to interpret ‘bashisms’—language features available in bash but not sh—without errors.

For example, consider the following script shtest.sh:


#!/bin/sh

if [[ $(true) == $(true) ]]; then
  echo "still good"
else
  echo "nothing is true"
fi

This script declares the #!/bin/sh shebang and it will work fine on macOS with bash-as-sh.

% ./shtest.sh
still good

However, when you try to run it with zsh-as-sh or dash-as-sh, it will fail.

You can make dash interpret the script instead of bash by switching the shebang to #!/bin/dash. But macOS Catalina has another, new mechanism available. In Catalina, the symbolic link at /var/select/sh determines which shell stands in as sh. By default the link points to /bin/bash:

% readlink /var/select/sh
/bin/bash

When you change this link to either /bin/zsh or /bin/dash, the respective other shell binary will stand in as sh.

Switch the sh stand-in to dash with:

% sudo ln -sf /bin/dash /var/select/sh

And then run the script again:

% ./shtest.sh
./shtest.sh: 3: ./shtest.sh: [[: not found
nothing is true

When interpreted with dash instead of bash, the same script will fail. This is because dash is much stricter than bash in following the sh standard. Since dash is designed as a minimal implementation of the sh standard, it has to be stricter. The double brackets [[ … ]] are a ‘bashism,’ or a feature only available in bash and other, later shells such as ksh and zsh.

Even though zsh also interprets most of these bashisms, zsh in sh compatibility mode is also stricter than bash and will error.

You can switch back to the default bash-as-sh with:

% sudo ln -sf /bin/bash /var/select/sh

Since macOS has been using bash-as-sh for a long time, there may be many such bashisms lurking in your sh scripts. You can change the above symbolic link to test your scripts with dash-as-sh.

Some common ‘bashisms’ are:

  • double square brackets [[ ... ]]
  • here documents and strings (<<< and << operators)
  • double equals operator == for tests

Shellcheck to the rescue

You can also use the shellcheck tool to detect bashisms in your sh scripts:

% shellcheck shtest.sh                                          

In shtest.sh line 3:
if [[ $(true) == $(true) ]]; then
   ^----------------------^ SC2039: In POSIX sh, [[ ]] is undefined.

For more information:
  https://www.shellcheck.net/wiki/SC2039 -- In POSIX sh, [[ ]] is undefined.

When you change the double square brackets for single square brackets, then you get this:

% shellcheck shtest.sh

In shtest.sh line 3:
if [ "$(true)" == "$(true)" ]; then
               ^-- SC2039: In POSIX sh, == in place of = is undefined.

For more information:
  https://www.shellcheck.net/wiki/SC2039 -- In POSIX sh, == in place of = is undefined.


In Catalina Apple started warning us about the eventual demise of bash from macOS. Converting your existing bash scripts and workflows to zsh, sh, or bash v5 is an important first step. But you also need to consider that the behavior of sh scripts will change when Apple replaces the sh interpreter.
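To find affected scripts across a whole script repository before the sh interpreter changes, the following added example (not part of the original post or book) walks a directory, picks out files with the #!/bin/sh shebang, and flags double brackets, here strings and == in tests. The function names and the sample files are constructed for this illustration, and shellcheck remains the thorough check for anything it reports.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the sample
# files are constructed. Matching is line-based, so text inside strings can
# be flagged; confirm hits with shellcheck.

# Return 0 when FILE starts with the #!/bin/sh shebang.
has_sh_shebang() {
    [ -r "$1" ] || return 1
    first_line=
    IFS= read -r first_line < "$1" || [ -n "$first_line" ] || return 1
    case $first_line in
        '#!/bin/sh' | '#!/bin/sh '*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print FILE:LINE:KIND for each suspected bashism; return 0 when any is found.
# Plain << here documents are accepted by dash, so only <<< is flagged here.
scan_file() {
    awk -v file="$1" '
        function hit(kind) { printf "%s:%d:%s\n", file, NR, kind; found = 1 }
        NR == 1 { next }                      # shebang line
        /^[ \t]*#/ { next }                   # full-line comments
        /^[ \t]*\[\[[ \t]/ || /[ \t;&|(]\[\[[ \t]/ { hit("double-brackets") }
        /<<</ { hit("here-string") }
        /\[[ \t].*[ \t]==[ \t]/ { hit("double-equals") }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Scan every #!/bin/sh script below DIR. Linter-style return codes:
# 1 when bashisms were found, 0 when clean, 2 when the temp file fails.
# File names containing newlines are not supported.
scan_tree() {
    list=$(mktemp) || return 2
    find "$1" -type f -print > "$list"
    found_any=0
    while IFS= read -r path; do
        has_sh_shebang "$path" || continue      # skip bash, zsh, binaries
        if scan_file "$path"; then found_any=1; fi
    done < "$list"
    rm -f "$list"
    return "$found_any"
}

# Write constructed sample scripts into DIR; shtest.sh is the post's example.
make_samples() {
    printf '%s\n' '#!/bin/sh' '' 'if [[ $(true) == $(true) ]]; then' \
        '  echo "still good"' 'else' '  echo "nothing is true"' 'fi' \
        > "$1/shtest.sh"
    printf '%s\n' '#!/bin/sh' 'read -r name <<< "armin"' > "$1/herestring.sh"
    printf '%s\n' '#!/bin/sh' '# [[ in a comment is ignored' \
        'if [ "$(true)" = "$(true)" ]; then echo ok; fi' > "$1/clean.sh"
    printf '%s\n' '#!/bin/bash' 'if [[ -n "$1" ]]; then echo ok; fi' \
        > "$1/bash-only.sh"
}
```

Run `scan_tree /path/to/scripts` and treat a return code of 1 as a failed check, for example in a pre-commit hook or CI job.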

Weekly News Summary for Admins — 2020-06-12

WWDC is looming! We got a bit more detail on the schedule for the first day (June 22). Over the following week, Apple will release recorded sessions each day at 10am Pacific Time. Talk about an ‘info dump!’ There will also be ‘1–1 Developer labs’ which you can sign up for and new Developer forums (fora?) which go online June 18.

The rumors are running hot with Mark Gurman all but confirming the ARM transition for Macs to happen over the next year, and a new iMac design.

Apple has also announced the demise of iBooks Author and iTunes U. Neither comes as a great surprise, since both have been very much abandoned with only minimal updates over the last few years.

Don’t be concerned about the future of my books. I had already switched to Pages for ‘Moving to zsh’ and the next book I am working on. Once Apple offers the import function, I will move and update the older books to Pages as well. Even so, the existing books in the Apple Books Store will remain there to be bought and read, even after iBooks Author has ‘expired.’


MacAdmins 2020 Campfire Sessions

These are the slides and notes for yesterday’s session. The recorded videos of my and William Smith’s session ‘An Introduction to regex’ will be made available soon.

Last week’s sessions’ recordings are now available:

You can still register for the upcoming sessions. You can see the schedule here.


MacAdmins on Twitter

  • Mr. Macintosh: “WWDC20 only 2 weeks away! I will be reporting again live with a new 10.16 Need to Know Changes Article. The page will be a perfect bookmark for all the latest info.” (Thread)
  • Seamus Johnson on LinkedIn: “Happy 18th Birthday Jamf!” (read post for more)


Installomator updated: v0.2

It’s been nearly a month since I introduced Installomator.

Since then, it has gotten lots of feedback from others and many contributions. As the changes, fixes and additional apps have accumulated, I have created a 0.2 release to get a stable new version. If you like living on the edge you can also use the dev branch for the latest update.

Changes in this version:

  • many fixes for broken URLs and other bugs
  • pkgInDmg and pkgInZip now search for the first pkg file in the archive in case the file name varies with the version
  • notification on successful installation can be suppressed with the NOTIFY variable
  • Apple signed installers and apps that don’t have a Team ID are verified correctly now
  • improved logging
  • several new applications: count increased from 62 in v0.1 to 87 in v0.2

Thanks to all who contributed!

Also, if you haven’t already, you want to read Mischa’s guest post on using Installomator with Jamf Pro.

Weekly News Summary for Admins — 2020-08-05

“So, do you think one day robots will have human rights?”

“Perhaps,” the robot said, “but first I want to see all humans have human rights.”

“What do you mean? All humans do have human rights. It’s in the name.”

“Then I first want to see all humans considered human.”

“Oh. Yeah.”

(Micro SF/F stories)


🔥MacAdmins 2020 Campfire Sessions

These are the slides and notes for yesterday’s sessions. The recorded videos will be made available soon.

You can still register for the upcoming sessions. You can see the schedule here. (Yes, that is me presenting next week on “Moving to zsh.”)


🐦MacAdmins on Twitter

  • Arroz: “macOS supplemental update: 1.59 GB. iOS minor update: 77 MB. It almost seems like someone cared enough to implement an efficient incremental update… for just one of the platforms.”
  • Victor (groob): “Apple should remove package scripts. Rather than removing though, I’d love to see a stricter API. Scripts would be great with an embedded language like starlark.”
  • Darren Wallace: “New Apple Business Manager (only) Terms and Conditions incoming on the 16th June 2020. Must be agreed to continue with Automated Enrolments and Volume Distribution. The updated terms should already be viewable here.”
  • Tim Sutton: “Whoever at Apple decided that all of system_profiler’s datatypes arguments should redundantly contain SP and DataType, and that they be case-sensitive..”
  • Eric Holtam: “Any developer that wants to know how to provide release notes see BBEdit. This. This is how you provide release notes.”


Using Installomator with Jamf Pro

I introduced the Installomator script a while back. We have been using the script with our own Jamf Pro server and some of our customers.

Since I built the script, you’d think I’d have a pretty good idea of how it should be deployed. But then Mischa van der Bent showed me a better way of using Installomator with Jamf Pro and I asked him to write it up for a blog post. Since he doesn’t have a blog of his own (yet), he has allowed me to post his instructions here.

Note: Installomator is designed so it can work with other management systems, too. If you have implemented Installomator with a different management system, let me know!

Everything that follows is from Mischa:


After you have downloaded or cloned Installomator from Github, you can run Installomator.sh from the command line or from your management system:

> ./Installomator.sh googlechrome

The script requires a single argument: a label that chooses the application to download and install. (You can find a list of application labels in the Labels.txt file in the repository.)

Adding the Installomator Script to Jamf Pro

The first thing we need to do is create a new Script in Jamf by going to Settings > Computer Management > Scripts.
In the General section you can give the Script a Display Name. I called mine Installomator. Assign a category and add the link to the GitHub repository to the notes as a reminder of the source of this script.

In the Script section, paste the entire code from the Installomator.sh file.

Important: Change the DEBUG variable from 1 to 0 to use Installomator in production, otherwise it will not actually install the new software.

The script requires a single argument and is designed to use argument 4 from Jamf when present.

We can set the Parameter Label of parameter 4 to “Application name” in the Options section. This is going to be a reminder that we need to fill in the argument when we are creating a policy. You can leave the labels for the other parameters empty or fill in “DONT-USE” because the script does not use the other arguments.

We are done here and you can save the Script.


To make sure that we are targeting the right devices with an older release version, we need to create a couple of things.

I’m going to use Jamf Patch Management to determine the latest release version of Google Chrome. Jamf will check the version before publishing it in Patch Management. If the software title is not in Jamf’s default Patch Management list, you can create your own Patch Management source and add it to Jamf Pro. You can also join the community patch server.

Go to Patch Management under Computers > Content Management and create a New Software Title. We are going to use Jamf Repository. Scroll down the list and select Google Chrome.
The only thing we need to set here is the Software Title Settings and assign a Category. You can select the Jamf Pro Notification option to get emails when an update is posted.

Jamf Patch Management will query the inventory and list the clients where Google Chrome is installed and their versions. We now have all the information we need!

Two Smart Computer Groups

Go to Smart Computer Groups and create a new one. I called this “Google Chrome not installed or out of date”

In the ‘Criteria’ section I add two criteria:

  • Patch Reporting Software Title: after choosing this select the right report; for our example select “Patch Reporting: Google Chrome”
  • change the ‘Operator’ to “Less than” with the ‘Value’ “Latest Version.”
  • add a second line, change the AND/OR to “or” and use “Application Title” for the second criterion
  • change the ‘Operator’ to “does not have” with the ‘Value’ “Google Chrome.app”

This Smart Group will contain the clients where the application is not installed or is not up to date.

Unfortunately, we cannot use this smart group with a Policy. When you try you will get this error ‘Policy scope cannot be based on a smart computer group that uses the “latest version” criteria.’

But there is a work around:

  • create a second Smart Group, I called this one “Member of Google Chrome not installed or out of date”
  • in the ‘Criteria’ section add the criterion “Computer Group” and change the ‘Operator’ to “member of” with the ‘Value’ “Google Chrome not installed or out of date”

The result is the same as the Smart Computer Group “Google Chrome not installed or out of date” but we can use this in a policy.


Let’s put all the bits and pieces together and create one policy that will install or update to the latest release version of Google Chrome. We also want to promote this in Self Service and we want to push this out as a mandatory update with a deferral duration of 7 days.

  • go to Policies and create a new one. I called this policy “Google Chrome”
  • use “Recurring Check-in” as the trigger, and set the custom event value to “googlechrome.” With the custom trigger name, we can use this policy in a script or test it with the terminal command sudo jamf policy -event googlechrome -verbose
  • set the ‘Execution Frequency’ to On-Going.
  • add the Installomator script to the payload
  • the Priority doesn’t matter, because there is no package, so leave it default ‘After’
  • in the Parameter values you see that the first one is ‘Application name’ (which we set earlier). Set “googlechrome” as value.

I removed the payload “Restart Options” because we don’t need to restart after we install Google Chrome. We can leave it there, but I like to keep my policies clean.

We need to report back to the Jamf Pro Server that we just installed the latest version so we are going to add the payload “Maintenance” and enable “Update Inventory” (this should be enabled by default).

We are done with the payload and need to set the Scope:

  • under target we add the Smart Computer Group: “Member of Google Chrome not installed or out of date”

Self Service

  • enable “Make the policy available in Self Service”
  • leave the Display Name the same as Policy.
  • Button Name Before Installation: use “Install”
  • Button Name After Installation: use “Update”
  • give a Description to display for the policy in Self Service like “Install or Update to the latest release of Google Chrome”
  • upload or select the Google Chrome icon for making the Self Service pretty (you can use the macOS Icon Generator app)
  • under User Interaction we change the Deferral Type to “Duration” and use 7 days.
  • we don’t need to set a Start or Complete Message (Installomator can notify on success)

Now, we can save and test the policy.


I tested this Policy with a couple of scenarios:

The first scenario is: no Google Chrome installed. Second: old version of Google Chrome installed, notification for update, end user deferral, and later installation from the Self Service. Third: Google Chrome Beta is installed.

The first scenario is easy: after running the policy, the latest version gets installed.

In the second scenario I got prompted with the following message, and I submitted 1 hour.

I can’t install this update before the hour because I got this message in the jamf log “Policy ‘Google Chrome’ will not be executed because it was deferred by the user.”

In the last scenario, I installed the Google Chrome Beta version 84.0.4147.30; the latest version in Patch Management (at this moment) is 83.0.4103.61. This beta version registers as an “Unknown Version” and it will not fall into scope.

I can use this policy with the Installomator script to install the latest version on a clean machine, and I can push out an update (with a deferral time) to push a mandatory update in a polite way 😉

Because Installomator is checking the Developer Team ID of Google directly, I can be confident that it is the real installer from Google. So, we get security with less effort.
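What a Team ID check of this kind amounts to, as an added example that is not Installomator's own code: the function takes the text that `spctl -a -vv -t install` prints for a package and accepts it only when Gatekeeper accepted the package and the Team ID in the `origin=` line equals the expected one. The sample outputs, the Team ID `ABCDE12345`, and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Installomator's code). Sample spctl outputs are constructed.
SAMPLE_OK='/tmp/Example.pkg: accepted
source=Notarized Developer ID
origin=Developer ID Installer: Example Corp (ABCDE12345)'
SAMPLE_REJECTED='/tmp/Example.pkg: rejected
source=no usable signature'
SAMPLE_APPLE='/tmp/AppleTool.pkg: accepted
source=Apple System
origin=Software Signing'

# Print the 10-character Team ID from the "origin=" line; prints nothing
# when the origin carries no Team ID (as with Apple's own signing identity).
team_id_from() {
    printf '%s\n' "$1" | sed -n 's/^origin=.*(\([A-Z0-9]\{10\}\))$/\1/p'
}

# verify_assessment SPCTL_OUTPUT EXPECTED_TEAM_ID
#   0 = accepted by Gatekeeper and Team ID matches
#   1 = not accepted by Gatekeeper
#   2 = accepted, but signed with a different Team ID or none at all
verify_assessment() {
    verdict=$(printf '%s\n' "$1" | sed -n '1p')
    case $verdict in
        *": accepted") ;;
        *) return 1 ;;
    esac
    [ "$(team_id_from "$1")" = "$2" ] || return 2
    return 0
}

# On macOS: verify_pkg /path/to/download.pkg EXPECTED_TEAM_ID
# spctl writes its assessment to stderr, hence 2>&1.
verify_pkg() {
    verify_assessment "$(spctl -a -vv -t install "$1" 2>&1)" "$2"
}
```

Checking the verdict and the Team ID separately matters: a package that is validly signed and notarized by a different developer passes Gatekeeper but still fails this check with status 2.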