The big news this week was that Apple has started removing certain iOS applications which give parents fine-grained controls over their children’s iPhones and iPads. The first post on this in the New York Times speculated that Apple was removing products that compete with Screen Time. However, Apple clarified that these companies are using MDM (Mobile Device Management) servers to get the features, which is a “guideline violation.”
Since this discussion involves MDM, I believe it is very relevant to Mac and iOS administrators.
You could discuss whether these services should be using MDM to get the feature set their customers desire. You could have (the ever-repeating) discussion on how Apple reverses years’ worth of approvals because they now suddenly realize the app has been in violation all along. You could question how fair and reasonable the 30-day ultimatum for an updated app without MDM was, since there is no other API with a similar feature set, and how well the ultimatum was communicated.
But I want to point out that MDM enrollment, both on iOS and macOS, has to be manually initiated by the user and approved with a passcode. This required user approval is a big hurdle for automated deployments, something which administrators are longing for.
The workaround for this, according to Apple, is Automated Device Enrollment (formerly known as DEP), where the chain of possession from Apple, through a reseller, to the purchasing organisation is proven and logged in Apple’s servers. Even with DEP, user approval of the management features is necessary at first boot.
There have been cases where malware has installed MDM profiles on iOS devices and Macs, and user approval is supposed to protect against these cases. Yet, when a service or application which promises a solution the user desires asks for approval, the user will click anything.
Users are trained to approve these security dialogs. The more dialogs the system throws at the user, the more they are trained to quickly approve and authorize them without really reading or understanding. Too much user approval can be detrimental to its purpose.
MDM servers need certificates from Apple to work. They need to register with the push notification service to communicate with the clients. The client applications that are distributed through the iOS and Mac App Stores need developer certificates from Apple.
Apple would have many options to control and block malicious actors in this field without hurting legitimate services and administrators seeking automation.
If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)
📰News and Opinion
- Apple Reports Second Quarter Results – Apple
- Dell Technologies and Microsoft expand partnership with new VMware Solutions – Scott Guthrie, The Official Microsoft Blog
- It’s Time to Migrate from Aperture – Jeff Carlson
- The Mac is becoming more like iOS—and I think I like it – Jason Snell, Macworld
- We Couldn’t Wait for a Foldable Mac Screen— So We Made One Ourselves – Luna Display
Parental Control Apps/MDM
- Apple Cracks Down on Apps That Fight iPhone Addiction – Jack Nicas, The New York Times
- Phil Schiller Lays Out Apple’s Case for Cracking Down on Screen Time Monitoring Apps – Eric Slivka, MacRumors
- The facts about parental control apps – Apple
- There Used to Be An App For That – OurPact
- Apple Cracks Down on Screen Time Apps That Use MDM – Michael Tsai
🐦MacAdmins on Twitter
- mikeymikey: “Different techniques, different goals. Internet recovery has been modified multiple times over the years (example change in 10.12.4), whereas netboot was a device independent standard that would have needed a total overhaul for Secure Boot.”
- Steve Troughton-Smith: “Just 35 days to WWDC! 35 days to iOS apps on the Mac, 35 days to multi-window iPad homescreen revamp, 35 days to Dark Mode on iOS”
- Steve Troughton-Smith: “Dashboard isn’t the only thing gone in 10.15 — so is 32-bit app & plugin support, Carbon, Ink, QuickTime 7 & QuickTime plugins, PPTP, and hardware RAID. You will get Python 3.7 and Ruby 2.6, at least” (Python 3 alongside the soon-to-be EOL’ed Python 2.7 would be good news.)
- Emily kw, ph.d.: “Hello. I’m a Sr. Systems Engineer for a Fortune 25 company. I am not interested in your Technical Support Specialist job offers. Goodbye.”
🐞Bugs and Security
🔨Support and HowTos
- Use Munki to install a screensaver – Mat X
- How to share files using iCloud Drive – William Gallagher, AppleInsider (via TheLoop)
- Getting 64-bit clean: now is the time – Howard Oakley
- macOS 10.14.5 beta 4 & Notarization Update – Tom Bridge
- Apple releases fourth beta of macOS Mojave 10.14.5 (18F127a) – Mr Macintosh
🤖Scripting and Automation
- Sending Autopkg and JSSImporter Notifications to Google Hangouts Chat – Matthew Warren
- macOS ‘.DS_Store’ format spec for Kaitai Struct (via Skyper)
- Migrate your Aperture libraries to Photos or Adobe Lightroom Classic
- Upgrade from Apple Deployment Programs before December 1, 2019
♻️Updates and Releases
🎈Just for Fun
- The excellent Apple Museum in Westerbork, The Netherlands (I put this on my list of places to visit.)