Weekly News Summary for Admins — 2021-01-15

The year is just starting, but Apple is waking up nearly as fast as an M1 MacBook Air. We got new betas for macOS 11.2 and iOS 14.4. MacAdmins have been busy, too. Thank you for all the great articles!

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

News and Opinion

macOS 11 Big Sur and Apple silicon Macs

macOS and iOS Updates

MacAdmins on Twitter

  • Hector Martin: “So I’m working in understanding the Apple Silicon boot/OS provisioning process. This is all subject to change, but here are some takeaways according to my current understanding.” (Thread)
  • Joel Rennich: “While it still needs work, specifically around how Apple gates token access, this is PKINIT on an iPhone using the Single Sign On Extension and a CryptoToken Kit extension at the same time.” (Movie, thread)
  • Patrick Wardle: “The ContentFilterExclusionList list has been removed (in macOS 11.2 beta 2)!! This means socket filter firewalls (such as LuLu) can now comprehensively monitor & block all network traffic)”

Bugs and Security

Support and HowTos

Scripting and Automation

Updates and Releases

To Listen

MacAdmin Pet of the Week

New Section! If you aren’t yet following Tim Perfitt of Twocanoes (MDS, Winclone and many other useful tools) on Twitter, maybe the litter of puppies they are fostering right now will convince you.

(If you have a pet you’d like to share here, ping me on Slack or Twitter.)

Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Scripting OS X — Weekly News Summary for Admins — 2021-01-08

Happy New Year!

Even though the events of the last few days might make this sound cynical, I mean it honestly. Let’s make the best of it!

I really hope you got to spend the holidays safely with family and get some peace and relaxation. I used some of the extra time to (finally) finish the first draft of my next book: “macOS Terminal and Shell” It should be ready for publishing in a few weeks.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

News and Opinion

macOS 11 Big Sur and Apple silicon Macs

macOS and iOS Updates

MacAdmins on Twitter

  • Joachim Fornallaz: “Keyboard shortcut of the day: In Messages, hit ⌘T to bring up the Tapback chooser for the last message (or the selected one on macOS), then press 1 through 6 to select the Tapback you want.”
  • Eric Holtam: “M1 hardware cannot use a PRK to unlock and boot a FilveVaulted disk. Only user passwords. If you don’t like this regression, file feedback.”
  • Benedict Evans: “TIL: Google’s Pixel 2, released in 2017, is now unsupported and gets no new software updates. Given today’s security environment, I guess that means I should recycle it. Apple just released iOS 12.5 for devices shipped in 2013.”
  • Nathaniel Strauss: “Activation lock on AS Macs is the only way to prevent setting up a machine as new while bypassing MDM/management entirely. JamfPro doesn’t support it yet. Upvote and comment on this feature request if that matters to you.”
  • Peter Steinberger: “Homebrew deprecated and removed a parameter within 20 days, shortly before Christmas, breaking automation around the world. Our CI also broke, but I’m sympathetic to the team. The thread is so typical. Only complaining, nobody offering to help or sponsor.” (via Erik Gomez)

Bugs and Security

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Listen

Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Weekly News Summary for Admins — 2020-12-18

Last week before christmas, but Apple already had plenty to give. The updates for macOS Big Sur, iOS and siblings dropped on Monday.

As this is the first real update for Big Sur, some flaws in the new software update workflow were exposed. Victor Vrantchan did an excellent write-up.

This is the last News Summary for 2020. I’ll be taking a few weeks off and return in January.

Happy holidays and all the best for 2021!

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

News and Opinion

macOS 11 Big Sur and Apple silicon Macs

macOS and iOS Updates

MacAdmins on Twitter

  • Tim Perfitt: “We just tested installing the just released macOS 11.1 installer from a Catalina recovery, and it still fails.” (Note: read the AppleSeed for IT release notes for macOS Big Sur 11.2 beta)
  • Mike Lynn: “When doing keychain code, if you ever get told the generic “you have the wrong parameters” -50: log stream --predicate "subsystem == 'com.apple.securityd'” So very very helpful.”
  • Mr. Macintosh: “Manual downloadable delta and combo updates for Big Sur are no longer available. I will let our resident MacAdmins expert explain: ‘If you have a need for individual downloads for Big Sur delta/combo updaters – please make sure that’s filed in an official capacity with us'”

Bugs and Security

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Listen

Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Scripting OS X — Weekly News Summary for Admins — 2020-12-11

You might think that things are starting to quiet down as the holidays are approaching. But we got a “last minute before christmas” announcement from Apple: new over-ear headphones called AirPods Max.

Hidden in the announcement, you can see that the new AirPods Max require iOS 14.3 (and siblings) or macOS Big Sur 11.1. Sure enough, a few hours later iOS 14.3 Release Candidate (and siblings) was released to the beta channels, followed yesterday by macOS Big Sur 11.1 Release Candidate. The headphones will start shipping next week, so we can expect the updates to be released next week as well.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

macOS 11 Big Sur and Apple silicon Macs

MacAdmins on Twitter

  • Carl Ashley: “I don’t know if other macadmins knew this, but in macOS Big Sur, you can enable the SecureToken for an MDM created admin account by changing the password for that account as long as no other account has logged in first. It works in pre/postinstall scripts in packages too.”
  • Eric Holtam: “Password change isn’t even necessary. Any auth works. I use dscl . -authonly [username] [password] very early on to enable the ST on an admin account to escrow the BootstrapToken.”
  • Jason Meller: “I’ve been deeply disappointed by the state of endpoint security & mgmt. The industry has chosen a path where end-users are considered obstacles and their privacy is irrelevant. Today, Kolide is publishing a different vision. It’s called honestsecurity.” (Thread, Link)
  • Tim Perfitt: “That was easy. Signing Manager is totally made for EC2 Mac instances. Took about 2 minutes to set up. No private keys in the cloud. Used codesign to sign an app using our CTK extension connected to a remote API for signing operations.” (Thread, Image)

Bugs and Security

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Listen

Just for Fun

Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Update: desktoppr v0.4

I have posted an update for desktoppr. You can download it from the repository’s releases page.

This update adds no features. It does provide support for the Apple silicon Macs with a Univeral binary and installer pkg.

In my initial testing desktoppr v0.3 worked fine on Apple Silicon Macs even without re-compiling, so I didn’t feel pressure to build and provide a universal binary.

However, since then I have learned that the package installation might trigger Rosetta installation and fail if there is no UI at that point. Also, managing the Desktop picture might happen very early in your deployment workflow, so Rosetta might not be available at that time yet.

Either way, having a universal binary and a properly configured installer pkg will be helpful in either case. If you have to support Apple silicon Macs, be sure to use desktoppr v0.4.

Platform Support in macOS Installer Packages (pkg)

Mac users and admins find themselves in yet another major platform transistion. For the duration of the transition, developers and admins will have to deal with and support software and hardware for the Intel and Apple silicon Macs. With Universal applications and Rosetta 2, Apple is providing very efficient tools to dramatically reduce the friction and problems involved.

For most end user level tasks, these tools will provide seamless experience. Universal applications will run on either platform natively and Rosetta 2 will translate applications compiled for the legacy platform (Intel) so they can run on the new Apple silicon chips. There are only a few situations where these tools don’t work: virtualization solutions and Kernel extensions.

In most cases this tools will “just work.” But for MacAdmins there is one major issue that may throw a wrench in your well-oiled deployment workflows. Rosetta is not pre-installed on a fresh macOS installation.

We can only speculate why Apple chooses to deliver Rosetta this way. In “normal” unmanaged installations, this is not a big deal. The first time a user installs or launches a solution that requires Rosetta, they will be prompted to for installation and upon approval, the system will download and install Rosetta.

As a MacAdmin, however, you want your deployments to be uninterrupted by such dialogs. Not only are they confusing to end users, but the user might cancel out of them which will result in your workflow failing partially.

There are two solutions. The first is to install Rosetta as early as possible in the deployment process. Apple provides a new option for the softwareupdate command to initiate the installation. Graham Gilbert and Rich Trouton have already published scripts around this. Have this script run early in your deployment workflow on Apple silicon and subsequent apps and tools that require Rosetta should be fine.

The other solution is to avoid requiring Rosetta and thus the prompt for Rosetta.

I mentioned earlier that we can only speculate as to why Apple has made Rosetta 2 an optional installation. One possible explanation is, that Apple believes Rosetta will not be a necessary installation for very long. An extra dialog and installation will make users and developers more aware of software that “needs an update” and motivate developers to provide Universal applications faster.

When a user opens an application that requires Rosetta for the first time, before Rosetta is installed, the system prompts to install. The same thing can happen with an installer package. The system might prompt to install Rosetta before a certain package is installed. However, not all packages trigger the dialog. I was curious what is required in the package to trigger or to avoid the prompt.

Aside from legacy formats, there are two types of packages. The first are “plain” packages, which are also called component packages. These packages have a payload and can have pre- and postinstall scripts, but other than that, there is little metadata you can add to influence the installation workflow.

This is where “distribution packages” come in. Distribution packages do not have a payload or installation scripts of their own, but contain one or more component packages. In addition, distribution packages can contain metadata that influences the installation workflow, such as customization of the Installer.app interface, system version checks, prompting the user to quit running applications before an installation and software requirements and a few more.

Note: learn more about the detailed differences between component and distribution packages in my book: “Packaging for Apple Administrators

You can build a distribution package from a component package with the productbuild command:

> productbuild --package component.pkg distribution.pkg

Since most of the extra features of distribution packages are only effective when the installation package is launched manually in the Installer application, MacAdmins usually just build component pkgs.

The confusing part here is that both component pkgs and distribution pkgs have the same file extension. They are hard to distinguish even from the command line. To tell them apart, you can expand a pkg with the pkgutil command and look at the files in the expanded folder. Component pkgs have (among other files) a PackageInfo file and distribution pkgs have a Distribution file:

# component pkg
> pkgutil --expand component.pkg expanded_component_pkg
> ls expanded_component_pkg
Bom
Payload
Scripts
PackageInfo

# distribution pkg
> pkgutil --expand distribution.pkg expanded_distribution_pkg
> ls expanded_distribution_pkg
component.pkg
Distribution

For distribution pkgs, the Distribution file is an XML file which contains the configuration data for the package. One tag in this XML is the options tag which can have a hostArchitectures attribute. According to [Apple’s documentation on this tag](A comma-separated list of supported architecture codes), the hostArchitectures are a “comma-separated list of supported architecture codes.”

Apple documentation is a bit aged, so it gives i386, x86_64, and ppc as possible values. However, when you read the productbuild man page on macOS Big Sur you will see that arm64 is a new valid value. We will also find these extremely helpful note:

NOTE: On Apple Silicon, the macOS Installer will evaluate the product’s distribution under Rosetta 2 unless the arch key includes the arm64 architecture specifier. Some distribution properties may be evaluated differently between Rosetta 2 and native execution, such as the predicate specified by the sysctl-requirements key. If the distribution is evaluated under Rosetta 2, any package scripts inside of product will be executed with Rosetta 2 at install time.

When a distribution pkg has this attribute and it contains a value of arm64 then the installation process on an Apple silicon Mac will not check if Rosetta is installed. When arm64 is missing from the hostArchitectures, or the attribute or tag are missing entirely, the installation process on an Apple silicon Mac will asume the pkg requires Rosetta and prompt to install when necessary.

There is more good news in the next note in the man page:

NOTE: Starting on macOS 11.0 (Big Sur), productbuild will automatically specify support for both arm64 and x86_64 unless a custom value for arch is provided.

When you use productbuild to create a distribution pkg on Big Sur (Intel and Apple silicon) both arm64 and x86_64 will be added to the configuration by default.

But, when you use productbuild on Catalina or earlier, the attribute will be lacking, when means that when someone installs that pkg on an Apple silicon Mac, it will assume it requires Rosetta and prompt for installation.

Adding both architectures by default is a useful default. But can we set the value explicitly when we build the distribution pkg? And can we do so on Catalina?

Yes, you can, of course. There are even two solutions. First, instead of letting productbuild generate the Distribution xml, you can build and provide a complete Distribution xml file with the --distribution option. That will give you full, fine-grained control over all the options.

The second solution is a bit easier. You can create a requirements.plist property plist file in the form:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>arch</key>
        <array>
                <string>x86_64</string>
                <string>arm64</string>
        </array>
</dict>
</plist>

Then you can provide this property list file to the productbuild command with the --product option.

> productbuild --package component.pkg --product requirements.plist distribution.pkg

This way, productbuild still generates the Distribution xml and merges in your choices from the requirements.plst. There are other options you can add which are documented in the productbuild man page.

Both of these approaches will work on Catalina as well. This way you can explicitly tell the installer system which architectures your packages will run with and not leave anything to chance.

In Whitebox Packages you can configure the hostArchitectures attribute under the “advanced options” for a distribution package.

As far as I can tell, when you install a component pkg, no checks for Rosetta are performed. Nevertheless, this is not something I would rely on. For packages that are crucial to the deployment workflow, I would recommend going the extra step and creating a distribution pkg from the component pkg with the proper flags set. This way you can ensure proper behavior.

Of course, if your package installer contains any form of Intel-only, not-universal binary, you should not abuse this just to skip the annoying Rosetta dialog, as it might lead to problems later. But, when the software you are installing is universal, you sould use this to tell the system which platforms your package supports.

Weekly News Summary for Admins — 2020-12-04

Many interesting posts this week that go in depth on Big Sur and Apple silicon topics.

We also got an announcement that you can new “rent” an Apple Mac mini from Amazon EC2. While this seems to be a fairly expensive choice, it should enable some really interesting solutions. When you need a less expensive solution for this, remember there is MacStadium.

We also got new betas for iOS 14.3 (and siblings) as well as macOS 11.1.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

News and Opinion

Apple Silicon M1 Macs

macOS 11 Big Sur

macOS and iOS Updates

MacAdmins on Twitter

  • Tim Perfitt: “So I have two 2020 MacBooks Airs, one intel and one M1. Trying to find a consistent way to install Big Sur on them. it has proven to be surprisingly difficult for both of them for different reasons.”
  • Jason Broccardo: “Pro Tip: If Do Not Disturb is enabled on Big Sur, the Menu Bar clock is dimmed. If you’d rather not drive yourself nuts trying to figure out why the clock is dimmed, turn off DND”
  • Wil Shipley: “Dear Apple security team: Please explain what we should tell our customers when they want to revert to a Time Machine backup for a sandboxed shoebox app.” (Thread)

Bugs and Security

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Watch

To Listen

Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Scripting OS X — Weekly News Summary for Admins — 2020-11-27

Much quieter week after the last two newsletters were loaded with many posts on Big Sur and the Apple silicon Macs. This week is Thanksgiving week in the US and many companies, including Apple, close offices for this holiday.

So, whether you are currently in a food-induced stupor, getting ready for some Black Friday shopping, or you are merely enjoying the peace and quiet because the Americans are distracted for a few days: Happy Thanksgiving!

At Thanksgving, it is traditional to state what you are grateful for. I am very grateful for all the readers. And also, for all the people who share their knowledge and experiences in posts and articles, so that I have intersting links to share!

Thank you, all! Stay Safe.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

On Scripting OS X

News and Opinion

Apple Silicon M1 Macs

macOS 11 Big Sur and iOS 14

MacAdmins on Twitter

  • Hannes Juutilainen: “When you don’t know if you should write your log file into /Library/Logs or /var/log, you should definitely create a third dir and call it /var/logs
  • William Smith:
    “Today, JamfSoftware releases Jamf Pro 10.26. My favorite new feature is a revamped Application & Custom Settings payload for macOS Configuration Profiles. It now supports editable plists within the GUI! And it makes uploaded plists editable too.”

Bugs and Security

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Listen

Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Ten Years of Scripting OS X

The oldest post on this weblog happened ten years ago. It makes me especially proud, that the first post has aged quite well. (The second post, not so much.)

This weblog was (quite obviously) inspired by the weblogs of Greg Neagle, Rich Trouton, Ben Toms, and many others. I wanted to share and give back to the MacAdmins community. I have always enjoyed scripting, in the sense of tinkering and combining tools in useful, or sometimes just funny ways and sharing that seemed like an obvious thing to do.

I wasn’t really planning on honing my writing skills for writing books later. As many of these personal weblogs go, I posted quite irregularly for the first few years. Still, I was often quite excited when a post got dozens of views.

As it turns out, a weblog is also a decent marketing platform for a self-published book (or two, or three, or four). When you are writing a book, there are always a few things that don’t quite “fit in” and that then get turned into a blog post. Once I got into the habit of posting regularly, the viewer numbers and the books sales increased. At some point, my ranking in the weird black magic that is the Google algorithm reached some critical point and the views from searches started pouring in.

Having posts being read and re-shared does give you a bit of a thrill. And I wanted to share that feeling. I started the weekly news summary to have a place where all the great work of fellow MacAdmins (and related experts) is gathered. I got requests to have an email newsletter fairly quickly. We passed 1000 subscribers on the email newsletter in October, and many more read it on the website.

Last week, according to the Jetpack metrics, this site had its millionth unique visitor overall and its 500.000th unique visitor in this calendar year. Yes, that means traffic is more than doubling year over year.

Back when a post would get hundreds of views that was exciting. The traffic now is still exciting, but also a bit humbling. So, thank you all for being here and reading and sharing my posts and books.

There was never a big strategy or plan. But I am very happy how everything worked out. Over the years, writing for the weblog gave me confidence to write and self-publish a book. The books and posts lead to conference presentations, which lead to more posts and books and the newsletter. And the best part is: I got to meet and befriend some pretty great people from all over the world.

And true to the spirit of how the last ten years turned out, I have no plans or strategies for major changes in the near future. I will keep the things that work and try new things as they occur to me. That doesn’t mean that there won’t be a few minor changes happening soon, though.

On to the next ten years!

Weekly News Summary for Admins — 2020-11-20

This summary isn’t quite as big as last week’s, but very close.

This week many people got their hands on the first Macs with Apple silicon M1 chips. The reviews and benchmarks are in and it looks as if Apple wasn’t over promising. Many software vendors are shipping updates for Big Sur and Universal app support. This is definitely an interesting and busy time.

Whether your organisation can dive head-first into Big Sur and Apple silicon deployment or you have to (or want to) hold back for a while, there will be articles in here to help you.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

💻Apple Silicon M1 Macs

🌅macOS 11 Big Sur

⚙️macOS and iOS Updates

🐦MacAdmins on Twitter

  • Laura Rösler: “Every fifth Mac is on Big Sur. After 5 days (including initial crash of Apple services, weekend and issues with macOS 11 Internet Recovery) we’re up to more than 5800 Macs with macOS 11.”
  • macshome: “Remember that if you don’t have installer packages that declare arm64 support then the Installer will trigger the Rosetta 2 install as well. Even if the contents are universal.”
  • Rich Trouton: “Need the model numbers for the new Apple Silicon Macs? Mac Mini: Macmini9,1 MacBook Pro: MacBookPro17,1 MacBook Air: MacBookAir10,1 Developer Transition Kit: ADP3,2”
  • Nathaniel Strauss: “‘If upgrading from macOS Sierra or later, macOS Big Sur requires 35.5GB of available storage to upgrade. If upgrading from an earlier release, macOS Big Sur requires up to 44.5GB of available storage.’ Nearly 1/3 of a 120 GB SSD. “

🐞Bugs and Security

🔨Support and HowTos

🍏Apple Support

♻️Updates and Releases

🎧To Listen

🎈Just for Fun

📚 Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!