Weekly News Summary for Admins — 2023-01-27

Update week! As expected, we got the updates for macOS 13.2, iOS 16.3, and all the other updates that go along with these.



📸Focus

The day before macOS 13.2 was published was the day that a 90 day major upgrade deferral limit on macOS ran out. Because of the, well…, state of what is software update on macOS, this has some interesting and some unexpected side effects. (I talked about the state of software update in my Year 2022 summary.)

When you are managing a 90 day deferral on major macOS updates, a user on an MDM enrolled Mac will now see the full (~12GB) macOS 13 upgrade in the Software Update pane. Apple is withholding the smaller delta upgrade option from managed Macs because of a bug in macOS 12.3 through 12.6 that resulted in the delta upgrade ignoring the major deferral time, and using the minor deferral time instead. This bug was fixed in 12.6.1.

The user will see 13.0, and not 13.1 or 13.2, since those were released less than 90 days ago and still fall under the limitation. However, after the Mac has completed the upgrade to 13.0, the 13.1 and 13.2 updates are minor updates and will fall under the (likely much shorter) minor upgrade deferral time. This means that after going through the trouble of upgrading to 13.0, the user will immediately see that 13.1 is available and then, whenever the minor deferral period for 13.2 is over, see the 13.2 update as well. This might lead to two or three updates within a few days, which is not the experience we want for our users.

The major deferral period is only useful for the first 90 days after the release of a major version of macOS. Afterwards it is actually somewhat detrimental, as it doesn’t prevent the major upgrade, but does prevent the user getting to the latest minor version in one step. I recommend that MacAdmins who have set a major deferral change its value to match the minor deferral period now, to avoid users getting double-hit by the upgrade-then-update workflow. Also, since 13.1 and 13.2 are offered as delta upgrades, this will reduce the download volume and overall time for the upgrade.

The other side-effect, however, is that delta-upgrades and updates can be started by non-admin users, which may or may not be beneficial to your particular plans and workflows. Full updates (i.e. 13.0 on managed Macs), on the other hand, require admin privileges to start. This may give admins who want some extra time to defer upgrades to 13.0 a bit more time, because the trick of blocking the macOS Installer application for the full 13.0 upgrade will work, at least until the 90 day deferral on 13.1 expires.

In case you were wondering, that will be March 13. Apple has a support page for this.
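The upgrade-then-update cascade described above can be checked with a small model. This is an added example, not code from the original post or from Apple: the 14-day minor deferral and the starting version and dates are assumptions, the release dates are the public Ventura release dates, and the four profile keys are the deferral keys of the Restrictions payload (`com.apple.applicationaccess`).

```python
"""Model of macOS major/minor deferral windows (illustrative, not Apple's code)."""
import plistlib
from datetime import date, timedelta

# Ventura release dates. 13.1's date agrees with the post:
# 2022-12-13 + 90 days = March 13, 2023.
RELEASES = [
    ("13.0", date(2022, 10, 24)),
    ("13.1", date(2022, 12, 13)),
    ("13.2", date(2023, 1, 23)),
]

ASSUMED_MINOR_DELAY = 14  # assumption: the post only says "likely much shorter"


def vkey(version):
    """Turn '12.6.3' into (12, 6, 3) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def first_offered_on(version, delay_days):
    """First day a release becomes visible under a given deferral."""
    released = dict(RELEASES)[version]
    return released + timedelta(days=delay_days)


def offered(current, today, major_delay, minor_delay):
    """Newest release Software Update would show on `today`, or None.

    A release with a higher major number than the installed system is
    held back by the major deferral, everything else by the minor one.
    """
    cur = vkey(current)
    visible = []
    for version, _released in RELEASES:
        new = vkey(version)
        if new <= cur:
            continue
        delay = major_delay if new[0] > cur[0] else minor_delay
        if today >= first_offered_on(version, delay):
            visible.append(version)
    return max(visible, key=vkey) if visible else None


def simulate(start_version, start, end, major_delay, minor_delay):
    """Install the newest visible release once per day; return the installs."""
    installs, current, day = [], start_version, start
    while day <= end:
        version = offered(current, day, major_delay, minor_delay)
        if version:
            installs.append((day, version))
            current = version
        day += timedelta(days=1)
    return installs


def restrictions_keys(major_delay, minor_delay):
    """Deferral keys for a com.apple.applicationaccess (Restrictions) payload."""
    return {
        "forceDelayedMajorSoftwareUpdates": True,
        "enforcedSoftwareUpdateMajorOSDeferredInstallDelay": major_delay,
        "forceDelayedSoftwareUpdates": True,
        "enforcedSoftwareUpdateMinorOSDeferredInstallDelay": minor_delay,
    }


if __name__ == "__main__":
    start, end = date(2023, 1, 23), date(2023, 2, 28)  # constructed scenario
    for label, major in (("major=90", 90), ("major=minor", ASSUMED_MINOR_DELAY)):
        steps = simulate("12.6.3", start, end, major, ASSUMED_MINOR_DELAY)
        print(label, [(d.isoformat(), v) for d, v in steps])
    # The setting recommended in the post: major deferral matched to the minor one.
    keys = restrictions_keys(ASSUMED_MINOR_DELAY, ASSUMED_MINOR_DELAY)
    print(plistlib.dumps(keys).decode())
```

With the 90-day major deferral the modelled Mac installs 13.0, 13.1 and 13.2 in three separate steps; with matched deferrals it goes straight to 13.1 and only picks up 13.2 later.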

When Apple prepares to release macOS 14 (Sequoia, I have been expecting macOS “Sequoia” for years…) in September, remember to change the major deferral back to your preferred value. Or you can follow Fraser Hess’s advice and ‘Embrace the upgrade.’

To be able to fully ’embrace the upgrade,’ you need to be downloading and testing the betas, not only with major updates, but throughout the year. As Ed Marczak points out, MacAdmins really need to be signed up for AppleSeed for IT and actively testing the beta releases with their deployment. Testing with the betas should give you the time to verify and report issues, and, even when they can’t be fixed in time, be prepared with temporary update deferrals or instructions for the support team and users on how to mitigate the issues.

MacAdmins should also be following the MacAdmin news, events, and posts in the community, but if you are reading this news summary, you already are! When you happen to talk with someone who was blind-sided by all this, then please recommend they subscribe!

🌼macOS Ventura 13.2 and iOS 16.3

Note: links to support articles should go to the US versions as localizations might take a while to be available. Nevertheless, the Apple web site might redirect you to the localized version. You can select the localization in the lowest right corner of an Apple support page.

macOS Ventura 13.2

macOS 13.2 (22D49), 12.6.3 (21G419), 11.7.3 (20G1113)


🦣Social Media

  • Adam Codega on Mastodon: “You can’t use traditional methods to check app versions of apps like Chrome that update silently, the app version on disk is going to be the latest but the app version running in memory is going to be older. There’s a one liner you can use to check the running version of Chrome but I recommend using a custom config profile or CBCM and setting Chrome to notify and enforce a restart after X time.”
  • Adam Codega on Mastodon: “Zoom can be set to automatically restart itself under certain conditions: ‘Auto install an available update when the device is idle. Idle devices must be: No current meeting, phone call, or contact center engagement, No upcoming meeting within 30 minutes, Screen is locked or screen saver is active'”
  • Ed Marczak on Mastodon: “Apple isn’t perfect with communication to admins, but I am shocked—SHOCKED!—at the number of admins that don’t: a) pay attention to betas, and have a robust testing group (or at least have one of their own devices on the beta track) And b) Just don’t pay attention to any Apple docs and comms. Hey MacAdmins: help yourselves. Have a testing plan for new releases, and help the people that you serve have a smooth upgrade. Get onto Appleseed and read the release notes.”
  • mwichary on Mastodon: “TIL after all these years: In macOS Finder you can press space to do a quick preview. But hold ⌥ and space, and the preview goes full screen. (Annoyingly, you cannot press space to exit, though.)” (‘esc’ key for exit)

📚Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Weekly News Summary for Admins — 2023-01-20

Not only did we get release candidates for the iOS 16.3 and macOS 13.2 updates next week, but Apple also released new MacBooks Pro and a new Mac mini with M2 and M2 Pro and Max chips. Also, they released a second generation big HomePod.



The Mac mini with the M2 Pro chip closes an annoying gap that Apple has had in their Mac portfolio. In the Intel Mac era, the use case for a powerful desktop Mac was covered by the high-end iMac and Mac mini, as well as the low-end Mac Pro. With M1 chips the Mac mini and iMac with M1 maxed out at 16Gb of RAM. The Mac Studio starts with the M1 Max chip at a higher price point. The Intel Mac mini sort of had to fill that particular gap.

But the new Mac mini with the M2 Pro Chip nicely fills this slot, where it provides more CPU, GPU, RAM, and SSD than the ‘plain’ M1/M2 while staying below the Mac Studio’s price range.

I can see many uses for this “Mac mini Pro” especially for users who prefer the size, battery life, and price point of the MacBook Air over the more powerful 14″ and 16″ MacBooks Pro, but may want just that more power on their desktop connected to a multi-display setup. Also, lightweight video and audio editing stations that may have been limited by the ‘plain’ M1’s RAM limitation, should be fine with the Mac mini with the M2 Pro. One of the amazing aspects of the Mac mini is that its particular design has been nearly unchanged since 2010.

With the introduction of the Mac mini with the M2 Pro chip, Apple has also removed the second-to-last remaining Intel Mac, the 2018 space gray Mac mini with a 6-core Intel Core i5 chip, from the store. The 2019 Mac Pro is now the last remaining Intel Mac.

There are still some weird empty spots left in the product line up. The iMac 24″ still has the ‘plain’ M1, and the ‘M2 or M2 Pro’ options would fit the iMac line nicely, too. Many are hoping for a larger iMac display option, but I am not so sure this is in Apple’s plans (I’d love to be wrong). The option to connect a second, external display on a potential ‘iMac with M2 Pro,’ could be a workable alternative, leaving the high-end, multi-screen setups to the Mac Studio and Mac Pro.

The other empty spots in the Mac line-up are at the extreme ends. The Apple silicon Mac Pro will be a challenge and come under intense scrutiny from the Pro users that need that level of power and expandability and those that claim to. A new, smaller MacBook in the style of the 12″ MacBook, or 11″ MacBook Air, which gives up some processing power in favor of size, portability, battery life and (maybe) price, would be quite interesting. I’d also like Apple to take a stab at a ‘Mac nano’ closer in size to the Apple TV, which can be powered over USB-C/Thunderbolt and connected to a display or dock with a single cable.

It is also rare that Apple revives a product after discontinuation, which makes the new 2nd generation HomePod quite intriguing. The original HomePod was never for sale in my region, so I set up two pairs of IKEA’s Symfonisk speakers in our house, which work fine. But I wish the Sonos software which powers the Symfonisk speakers would support HomeKit and Shortcuts better, or at all. I also have a single HomePod mini. The options to ‘move’ music (and radio and podcasts) from the phone or Mac to the HomePod are more powerful than on the Sonos software, but the Siri-only interface is still bewildering to me. There is also an interface to control the HomePod in the Home app, but that also seems quite unintuitive. On the other hand, the size of the HomePod mini allows me to take it on travels, which I think is wonderful.

In non-hardware news, the X World conference has announced dates for their conference in Melbourne, Australia on March 30 and 31 making it the next upcoming MacAdmin conference.

As always, you can find an overview on my conference page.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

Focus

I want to take this as a chance to explain my treatment of Twitter going forward for now:

I have always used third-party Twitter clients (mostly Tweetbot) over the web interface or their native app. I have always found the web interface confusing, grating, and just too much attention-seeking. I had stopped interacting on Twitter after the takeover and only used it to catch up with some accounts which I have not found to be elsewhere.

I was expecting the worst for Twitter after the takeover, but even so, the utter lack of respect, decency, and humanity shown to employees, advertisers, users/creators, and now third-party developers has been shocking.

I understand that Twitter as a business was probably in for some tough times either way. But economic pressure is no excuse for this crass and cowardly behavior. You should not assume malice where incompetence is an explanation. In this case, though, it just might be both.

I have stopped reading Twitter entirely. I am in the process of removing Twitter references from my pages. (Though I might not have found every reference yet.) Weblog entries will still automatically post to Twitter, but I will not engage there any more, at all.

It used to be that Twitter would provide a majority of the traffic going to my weblog, second only to search engines. This started to change earlier last year with a significant drop in November, which continues to this day. Other social media such as the Mastodon Fediverse and LinkedIn seem to be making up for that drop and I am active and engaged there, as well as the MacAdmins Slack.

Weekly News Summary for Admins — 2023-01-13

Happy New Year 2023!

Back after the winter holiday break and things are already going strong!



Many of you seem to have taken the time to post a lot of interesting articles and tools. Many interesting posts and releases. Thanks to everyone!

MacDevOpsYVR 2023 is announced for June 21-22, 2023 in Vancouver, Canada! (Speaker Application form at bottom of that page)

Highlights

News and Opinion

macOS Ventura and iOS 16

macOS and iOS Updates

Social Media

  • Andrew MacKenzie on Twitter: “Installomator is my new benchmarking tool. for everything in $(Installomator.sh) ; do Installomator.sh $everything ; done Also my new speedtest.”
  • Adam Tomczynski on LinkedIn: “To help you learn and prepare for the Apple Device Support exam, I created flashcards with the documentation provided by Apple.”

The Year 2022 for MacAdmins

It’s been quite a while since I last did a year-end review for MacAdmins. A lot has happened since then. Surprisingly, some things have not made much progress at all, while others have been quite dramatic. This post will be a mix of what has happened in the last four years, and mostly what has happened more recently this year.

Upgrade and update schedule

Apple’s calendar, and thus the year for MacAdmins (note: I am using this term to include admins that manage all Apple devices, even when you don’t manage Macs, specifically), is dominated by WWDC in June and the major platform OS releases which happen in September/October. The “Spring Updates” in the March/April time frames have become another marker in the year, as Apple often adds features specifically for education and enterprise to these “minor” releases.

Apple has begun to defer major new features to releases from the main ‘dot-zero’ releases to later updates. SharePlay was added to Monterey and iOS in the December update and Universal Control (my favorite new feature to the Apple Platforms) had to wait until 12.3, where it was added as a beta. This year, iCloud Data security and the new Freeform app were released with macOS Ventura 13.1 and iOS 16.2. Other features promised at WWDC, such as Rapid Security Response updates, or using physical security keys with your Apple ID, are still outstanding but appeared in the 13.2 beta.

We can only guess at the motivations for this spread out feature release. It could be that pandemic logistics led to the delays, or maybe Apple has been planning it this way, all along. Overall, I think this is an improvement. Major, once-a-year releases are a relic of the past, when software companies had to pack lots of new features into releases to justify the price of the upgrade. Remember when Microsoft and Apple used to charge for major system updates?

Nowadays, we don’t pay for system updates anymore, at least not directly. As our devices are now “always on” and “always-connected” and store and connect to so much critical, personal, and sensitive data, keeping devices up-to-date protects from a vast number of bugs and security issues. This is consistently the number one advice to start improving your security stance, and rightly so. Free upgrades and updates remove a barrier for adoption. Spreading out relevant improvements and features across “minor” updates should also motivate users and organizations to adopt updates faster.

Apple’s productivity apps (formerly known as ‘iWork’ and what is left of ‘iLife’) and ‘Pro’ apps (Logic Pro, and Final Cut Pro) have mostly been disconnected from system updates. The latest versions run on both Ventura and Monterey, even though some features are only available on the latest version. Many third party apps are also supporting multiple versions of the host system.

I think Apple might benefit from de-coupling more ‘system’ apps from the OS release schedule and putting them in the App Store. Freeform could have been such an app, as well as Notes, Reminders, Books, Weather, Stocks, etc… This might force the developer teams to adapt the apps to the App Store, and “eat their own…” … “drink their own champagne.”

App Store Woes

In my review for 2018, I complained that, while Apple was pushing for developers to adopt subscriptions and in-App purchases, there was no means for organizations to purchase or subscribe these in bulk. Four years later, there still isn’t.

There have been some changes. Apple has given the developers the option of adding ‘unlisted’ apps to the App Store. These are not visible to the general public, but an organizational customer can access and purchase these apps in the “Apps & Books” section of Apple Business/School Manager. This can be a useful approach for some business models, such as custom branded or entirely custom built apps. But it might also create a huge logistical overhead for the developer and the customer. If Apple were to add subscriptions and in-App purchases to the “Apps & Books” section of the Apple Business/School Manager, it would simplify a lot.

Sidenote: Apple renamed the Volume Purchase Program (VPP) to the “Apps & Books” section in Apple Business/School Manager. When you refer to just “Apps & Books” it is always very awkward and confusing and specifying that you mean the “Apps & Books section in Apple Business/School Manager” is quite cumbersome. Can we please have VPP back?

One change that the App Stores did see this year is increasing ads in the store. Apple, who has been creating record profits over the past years, keeps insisting that they deserve a significant share of everything sold through their App Stores and also believes developers could pay them even more to be featured in ads in the App Store. When they don’t, a user searching for your app, might just get a competitor ad in front of the search results. The new ad strategy was further soured by the fact that gambling and similar dubious ads were quite prevalent during the initial roll-out of the new ad system.

I understand that Apple didn’t get to aforementioned record profits by being generous and leaving money on the table. However, intrusive ads for suspect apps and services do not improve the user experience. On top of that, the App Stores are filled with scammy, quickly and shoddily created apps that are optimized for search, implementing dark (and sometimes evil) UI patterns, often outright rip-offs of legit apps or otherwise fraudulent. On the other hand, we still regularly hear from legit developers who are having bizarre interactions getting their apps through the approval process.

All of these pieces together give the impression that Apple is trying to milk the App Stores for every possible cent of service revenue, rather than improving the experience for users, developers, and admins. This is probably not a fair accusation, but I really believe Apple has to put more effort into conveying what their challenges are and what they are doing to address the concerns of users, developers, and admins.

The EU commission, after regulating charging ports for phones and other electronic devices, seems to have gotten a taste for regulating tech giants and this might be motivating Apple to allow non-App store means of installing software on iOS. Note that Apple already has non-App Store installation on macOS, but still has some security measures in place (signed and notarized apps and installers). This could be transferred to iOS.

Maybe Device Management

Apple has continuously added management features for devices enrolled into an MDM. While there used to be confusing differences between manually enrolled devices and devices using automated enrollment (formerly known as DEP), now every enrolled device is considered “supervised.” There are more commands you can send to your devices, such as to enable Remote Management for Macs and tell the device to download and (eventually, maybe) install a particular software update.

You, dear reader, may be rolling your eyes right now, as the use of these commands is infamously buggy and unreliable. The one-sided nature of the communication between the MDM server and the device is the problem. To put it simply, the MDM protocol blasts out a command to the client and that is where, as far as the traditional MDM protocol is concerned, the interaction ends. The MDM client doesn’t report executing the command and its success back to the server. Many management systems attempt to close this loop with reporting through a local agent on macOS, with varying success.

In 2021, Apple introduced a new version of the MDM protocol, which indicates a plan to close this loop. Declarative Device Management (DDM) was very limited in scope in its first version that shipped with iOS 15 and iPadOS 15 for user-driven enrollment. With iOS 16, iPadOS 16 and macOS Ventura 13, declarative device management is now available for all types of enrollment. While the scope of data reported back by the MDM client is still quite limited, this does seem very intriguing for future workflows.

I don’t blame Apple at all for introducing a major refactoring of a protocol used to manage millions of devices slowly and carefully. Moving cautiously and not breaking stuff (or more than is absolutely necessary) is the correct approach here, even though MacAdmins have been suffering the unreliability of the old protocol and are impatient for fixes.

But here’s an update… so install me, maybe…

One area where we can see the effects of moving with less caution is managed software updates on macOS. In macOS Catalina Apple split the system and data volumes of macOS, further increasing the security in Big Sur by cryptographically sealing the system volume. The security benefits are enormous, but this made the update process much more cumbersome. Along the way, the softwareupdate command line lost its ability to ‘ignore’ certain updates, and the replacement feature, a configuration profile with deferral durations, is limited to 90 days.

On Apple silicon Macs, the update process requires user interaction to enter the password to unlock the volume. The MDM commands providing new functionality around software updates and upgrades, are unreliable and impossible to enforce. Some of this comes from MDM’s one-way-communication, but much of it is because the daemons and processes are buggy.

The improvements made to the software update system are useful. One of the new features is that Macs with macOS Monterey 12.3 and higher can install a ‘delta’ upgrade to upgrade to Ventura. This has been an option for minor updates for a while, and will speed up the upgrade process and require less free disk space. However, in 12.3 through 12.6 the system would apply the minor update deferral to this, instead of the major upgrade deferral. This was discovered late in the Ventura beta phase, after 12.6, the final, non-security update for Monterey, was already published.

Apple reacted by fixing the bug in 12.6.1 and deferring the incremental upgrade for MDM-enrolled Macs until 13.1. They documented the problem and the solution in a support article.

The Good News

I have listed quite a number of challenges and problems, and there are probably more that I have not mentioned. But this is where I do want to change tone. Because, as frustrating and challenging as this bug is, it was discovered because Apple made the new functionality available to MacAdmins through AppleSeed for IT and once it was reported and confirmed Apple moved quickly to address it.

MacAdmins also communicated that a new feature in macOS Ventura which notifies users of background and login items would need to have management options for managed deployments. Apple added a configuration profile that could lock certain items away from user interaction. In macOS Monterey, Apple added ‘Erase all Contents and Settings’ to macOS, which is wonderfully useful to MacAdmins testing enrollment workflows. It also came with configuration profile settings to restrict the feature in managed settings.

AppleSeed for IT is a great program that allows MacAdmins to test early betas. Access to AppleSeed for IT requires a Managed Apple ID. That also means the feedback can be attached to the organisation and tracked and weighted accordingly within Apple. The past years have shown that concerns from MacAdmins can be addressed, sometimes during the beta phase (another reason to test betas early and provide feedback).

One improvement that stems from this feedback is that Apple now regularly provides full installers and IPSWs of beta releases and security updates, even for the previous two versions of macOS.

As my list of problems earlier in the post shows, not all is perfect yet. Some problems, like the App Store, are connected to larger strategic decisions, and others linger for a time, because they are very complex (move to declarative device management) or, well, laden with other bugs (software update). Nevertheless, the impression that Apple is providing a dedicated channel for large-scale organizations, and listening and addressing concerns is, for MacAdmins who have been doing this for a while, quite surprisingly novel.

I welcome and applaud the efforts being made here. I can only imagine the internal friction some of these policies and ideas have to overcome. Many thanks to everyone inside Apple who is representing the MacAdmin community!

Over the past years, Apple has hired several members of the MacAdmin community to work on their Enterprise software and strategy. In 2020, Apple acquired the management software developer company Fleetsmith and all of their talent.

Apple has also provided a lot of new documentation for MacAdmins, most prominently the Apple Platform Deployment and Apple Platform Security guides, as well as a number of support articles that are regularly updated. These are excellent documents, which provide a lot of valuable information.

There are still some aspects that are woefully under-documented, such as creating installer packages, providing privacy exemptions to shell scripts, and how certain aspects of the configuration profile/preferences system work. In general the MacAdmin community will step up to reverse engineer those and share their findings. It would be great to see even more engagement from Apple in these areas.

Apple also re-introduced new deployment and support training programs and certifications.

Essentials

After years of slowly reducing its feature set, Apple completely retired macOS Server and Profile Manager. Some of the services such as file sharing and content caching can still be enabled on ‘standard’ macOS.

Apple introduced Apple Business Essentials, which is a cloud hosted management system, aimed at small organizations with relatively simple requirements.

Business Essentials is, for now, only available in the US. When you have set it up, it appears in the Apple Business Manager interface. Its feature set for management is still quite rudimentary, even when you consider the target market. However, it does include the option of adding increased iCloud storage and AppleCare to the license, which is very intriguing. Hopefully, these options will be available to large orgs that are using other management systems through some other channel.

The most intriguing aspect of Apple Business Essentials is that now Apple is both the provider and a user of the MDM protocol. The limitations and restrictions of the protocol that challenge the Business Essentials team, should (hopefully) be reflected in updates to the MDM protocol. This is obviously speculation, but I believe that declarative device management and Apple Business Essentials being introduced at more or less the same time is not a coincidence. I also believe that going forward, we will see Business Essentials and DDM gain features together.

Cloud Migration

With the decline of an Apple-native server, MacAdmins need to integrate with other platforms for enterprise services, such as identity management, file sharing and syncing, VPN and other security tools. If your organization’s reaction to this is to start integrating the Macs into the Active Directory environment, then you are missing out on another important change in the industry: the move to cloud services and zero-trust network access.

When set up and managed correctly, cloud services and a zero trust strategy allow secure access to the organization’s resources from any managed and secured device, wherever it may be. While the move to the new cloud-based model has been present for at least a decade, the pandemic definitely forced many organizations to re-assess and accelerate its adoption.

Adopting new security and deployment workflows also opens the door to new options, such as using tablets and phones and employee platform choice models.

Apple’s market share rises

The pandemic did not just accelerate adoption of remote work technologies, but also gave Apple and especially the Mac platform a huge boost in sales. The reasons for all of this are complex, but might be explained by a combination of the introduction of the Apple silicon Macs, and Apple managing the world-wide supply chain issues better than the competition. With the cloud/zero trust migration and interest in the “employee choice programs” in organizations we get a wave of interest in Apple in the Enterprise, something which Apple and the various Apple management server developers are happy to encourage.

Sidenote: it is still astounding to me that we now have not just one or two management systems that focus on managing Apple platforms, but a long list with some healthy competition.

In the most recent quarterly earnings call Apple has warned that the ongoing supply chain issues might be finally catching up with them, as well. We will see how that works out, but keep in mind even if Apple does sell fewer devices than in previous years, they will still gain market share if the competitors are affected even worse.

Apple silicon

It had been rumored for a long time, but in 2020, in their first online WWDC keynote, Apple announced they would transition the Mac platform to CPUs based on the A-series used in iPhones and iPads. The first Macs to switch were the MacBook Air, MacBook Pro 13″, and the Mac mini. Even though Apple started at the low-end of the Macs, they impressed with the performance, but most of all with the energy usage.

When I attended and presented at JamfNation User Conference in San Diego, earlier this year, I noticed that the venue lacked the formerly ubiquitous chains of power strips running through the audience areas. Attendees didn’t seem to care. No-one was crowded around power outlets in the hallways either. Nevertheless, when I was presenting I faced the usual sea of MacBooks, presumably people taking notes and still paying attention, right? With Apple silicon MacBooks, battery anxiety isn’t really a thing anymore.

The Apple Studio, the first new Mac model since the introduction of the MacBook Air, also showed that Apple silicon can scale to really high performance requirements. The one Mac model that has not transitioned to Apple silicon is the Mac Pro. It’ll be interesting to see how Apple addresses the challenge of building an expandable Apple silicon Mac Pro. I would also like to see Mac minis and iMacs based on the ‘Pro’ chip series rather than the base M1 models that we have now.

The Apple silicon transition was very smooth from a software perspective. Apple used their experience and technologies from the PowerPC to Intel transition. Rosetta 2 was surprisingly efficient, even though the decision to make it an additional installation still seems odd.

The most frustrating part (at least for me) was that several developers didn’t (and still don’t) provide universal apps and/or installers. This seems to mostly affect Electron-based apps, which doesn’t improve my general disposition towards this developer platform.

Mac Admins Open Source Projects

Incidentally, I had started an open source project in early 2020 which happened to be a solution for this particular problem. Installomator is a script that can download, verify, and install a large number of software titles. When the first Apple silicon Macs arrived, Installomator was ready to download the proper installer for the platform it is running on, even with non-universal apps and installers.

Installomator has turned out to be my most successful open source project, yet. Many thanks to all the co-maintainers and contributors who have helped expand and build the project, far beyond what I could have done on my own.

But it is just one of a plethora of popular and useful open source projects in the MacAdmins community. Some, like Munki and AutoPkg, have been around for a long time (at least in computer years) and are still going strong, while others have emerged just recently.

What follows is a list of projects that I have been using myself in some form or another in the last year. It is by no means an attempt at a complete list of worthy MacAdmin open source projects.

Erik Gomez’s Nudge and Kevin White’s super, both address the challenges in managing software updates on macOS. They have slightly different approaches and configurability. If you are thinking that you need a workflow to, well, ‘nudge’ or force users to apply updates, look at these before you re-invent the wheel.

Graham R. Pugh’s inadequately named eraseinstall.sh can be used to automate the process of non-destructively upgrading and updating macOS. Erasing and re-installing is just one of the options. This is especially interesting as a workflow to upgrade Macs from older versions of macOS to a more current one.

Bart Reardon’s swiftDialog is an app that allows providing a user interface from shell scripts. It has found fast adoption among MacAdmins, mostly because Bart is very responsive to issues and feature requests. There are some scripts, like Dan Snelson’s excellent Setup Your Mac script, which use swiftDialog for user interaction and progress display. Installomator can interact with swiftDialog to display download and installation progress.

JamfUpload (also from Graham R. Pugh) is a set of processors for AutoPkg which allow uploading and managing installers in Jamf Pro. JamfUpload is a replacement for the older, now deprecated JSSImporter.

iMazing Profile Editor is not open source, but still worth mentioning here, as this free tool to create configuration profiles gets the descriptions for third party software from the open source ProfileManifests repo. This repo was originally started for the now retired ProfileCreator app from Erik Berglund, and it lives on in iMazing Profile Editor. (Note: iMazing is a sponsor of the Scripting OS X Weekly News Summary for Admins, but I have been happily using and recommending iMazing Profile Editor since long before.)

There are many more open projects and scripts available. Many thanks to everyone in the MacAdmins community who is sharing their work, experience and time!

MacAdmins Foundation

The amazing nature of the MacAdmins community is worth preserving and nurturing. The MacAdmins Foundation was created for this purpose. One immediate goal is to ensure that platforms such as the MacAdmins Slack stay available for everyone. The Foundation was announced a bit prematurely when Apple announced the new training modules and a partnership with the MacAdmins Foundation to provide access to scholarships.

This is a most welcome formalization of the community of MacAdmins and I am looking forward to the other projects and plans coming to fruition! So far, the MAF is US-based and quite US-centric. While I understand the necessity to start somewhere, I am a bit impatient for more global representation.

Please join in supporting the MacAdmins Foundation going forward. If you haven’t yet, join the MacAdmins Slack to see what this all is about. If nothing else, the merchandise is amazing!

Happy New Year, 2023!

This covered a lot, but I still probably forgot to mention some things…

If you stuck with me through this long review of 2022 (and a few things that happened before), you will not be surprised to hear that I see the future of Apple in organizations and the MacAdmins community very positively. I am looking forward to seeing what 2023 brings for us and when it happens, you will read about it in the Weekly News Summary!

See you next year!

Weekly News Summary for Admins — 2022-12-16

The holidays are near, the year is approaching its end. But for MacAdmins, this remained a busy week. The first update for macOS Ventura was released alongside iOS and iPadOS 16.2 and many other updates.


(Sponsor: iMazing)

Your favorite tool for configuring & provisioning fleets of Apple mobile devices

Automatically back up devices, restore, wipe, set up, supervise, and enroll with your MDM provider—locally and easily with iMazing Configurator.

And don’t miss iMazing Profile Editor, our free and well-loved utility for composing comprehensive configuration profiles for iPhones, iPads, and Macs.


This is the first macOS update after the “special measures” to avoid a bug in the macOS software update system present in 12.3 through 12.6 that would consider upgrades to 13.x as updates with regard to managed deferrals. Now, Monterey clients in that version range will present 13.1 to the end user, even if major updates are managed to be deferred. Apple has updated the support article on this.

The new updates bring some new features, as well. The new Freeform app seems like a nice tool. I have actually used Keynote for similar tasks, but I think Freeform is a bit, well, free-er and creative. We also got the new Advanced Data Security for iCloud, network locations make a return to macOS Ventura, and “Apple Music Sing”…

This is the last news summary for the year 2022. Many thanks to all of you readers!

Happy Holidays and all the best for the new year 2023!

The news summary will return on 13 January 2023. See you then!

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

Social Media

  • @mikeymikey@hachyderm.io: “JUST A REMINDER: 13.1 is the first Ventura update past the 30 day hold for OTA major upgrades for MDM managed macOS devices. If you have devices on 12.3-12.6 still and you DO NOT have a minor deferral in addition to a major deferral – on these buggy versions of macOS (12.6.1+ fixes the bug), 13.1 OTA will be seen as a -minor- update, not major and as such will NOT be deferred by only having a major deferral in place.” (Thread)
  • @scriptingosx@mastodon.social: “Apple’s new Freeform app seems nice. I can see myself using this. However, there are no Shortcuts actions and no AppleScript dictionary. (I know… what was I expecting…) I can think of several workflows where Freeform would fit in wonderfully. Now imagine you could add buttons with shortcuts or Apple scripts in Freeform!”

Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Weekly News Summary for Admins — 2022-12-09

Even though Apple did not release macOS 13.1 and iOS 16.2 this week, we did get release candidates for all the platforms. That means a release next week is very probable.



Even so, Apple already published a press release describing new privacy and security features of the new updates. Users will be able to enable end-to-end encryption on more information that Apple devices store in iCloud, use physical security keys as an extra authentication factor for Apple IDs, and get warnings when a contact in iMessage might be compromised. Apple considered the details on the ‘Advanced Data Protection for iCloud’ worth a new section in the updated Apple Platform Security guide.

With the release of 13.1, the special treatment of macOS 13 updates for managed Macs is likely to end, as well. You might see 13.1 as an update (rather than a full upgrade) on Macs running 12.3 through 12.6. We won’t know for sure until the update is released, but you still have a few days to get devices on 12.6.1.

Weekly News Summary for Admins — 2022-12-02

We got another round of betas for macOS Ventura 13.1 and iOS/iPadOS 16.2. If the schedule from previous years can be taken as guidance, next week is a good guess for the release date. Maybe a week more, since this week’s release was not labeled as release candidate.



Jamf has released the session recordings from the Jamf Nation User Conference earlier this year on YouTube, accessible to all! There are 151 videos, many of which should be interesting, even when you don’t use Jamf as your management server. I have updated the resources page for my session, as well as my conferences overview page.

Social Media

  • SentinelOne on Twitter: “10 wrong assumptions about #macOS #security A thread”
  • Basic Apple Guy on Twitter: “iCloud Storage Over the Years” (Image)
  • MartinLang on Twitter: “The SAPTechEd 2022 keynotes had lots of ‘Mobile Moments’ in them. Native Mobile apps are definitely a thing across SAP’s entire Solution and Tech portfolio. I wanted to share some of these mobile moments in this thread.”
  • Mr. Macintosh on Twitter: “Apple uses the terms ‘Shipping OS’ or ‘version of macOS that came with your Mac’ Purchased: M1 16″ MBP on 10/18/21 = Monterey 12.0.1 M1 16″ MBP on 11/30/22 = Ventura 13.0 The 16″ was shipped with Ventura, but it can still be downgraded to 12.0.1 My Apple Silicon macOS chart” (click for chart and short thread)

Update: Installomator v10.1

Minor update to Installomator, which brings it to version 10.1. Added and updated a bunch of labels. Many thanks to all who contributed!

  • updated Jamf/Dialog scripts icon handling (#778)
  • Readme Updates (#744)
  • new labels:
    • amazoncorretto11jdk (#721)
    • amazoncorretto17jdk (#721)
    • bbeditpkg (#720)
    • boop (#781)
    • camtasia2021, camtasia2022 (#730)
    • jamfcpr (#753)
    • jetbrainsrider
    • lgcalibrationstudio (#763)
    • mendeleyreferencemanager (#713)
    • microsoftofficefactoryreset (#751)
    • microsoftofficeremoval (#755)
    • mist-cli (#733)
    • mist (#732)
    • mobiletolocal (#752)
    • netiquette (#770)
    • todoist (#769)
    • transfer (#773)
    • vpntracker365 (#760)
    • zerotier (#785)
  • updated labels:
    • 1password8 (#759)
    • amazoncorretto8jdk (#721)
    • camtasia (#730)
    • citrixworkspace (#731)
    • code42 (#766)
    • drawio (#725)
    • duodevicehealth (#761)
    • idrive (#726)
    • idrivethin (#727)
    • macfuse (#714)
    • microsoftazuredatastudio (#788)
    • nudge (#754)
    • prism9 (#746)
    • skype (#762)
    • synologydriveclient (#789)
    • ultimakercura (#740)

Weekly News Summary for Admins — 2022-11-25

Happy Thanksgiving to all who celebrate it this week! Happy “quieter than usual” Thursday and Friday to everyone else!


Social Media

  • L0Psec on Twitter: “When querying macOS unified logs via the log command, I was looking for a location of known subsystems I could use. Found them within: /System/Library/Preferences/Logging/Subsystems/ On 12.6.1, this directory contains 292 plists. Example in screenshot.”
  • Mr. Macintosh on Twitter: “Almost a month after the release of Ventura, Monterey has taken the lead. Monterey took the lead from Ventura on November 10th and has not given it up since then.”
  • @Morpheus______ on Twitter: “macOS/iOS Entitlements Database now with Monterey and Ventura entitlements.”
