Check Installer Pkgs for deprecated scripts

macOS 10.15 Catalina will deprecate the built-in /bin/bash. I have talked about this at length.

The release notes for Catalina also tell us that other built-in scripting runtimes, namely Python, Perl, and Ruby. Will not be included in future macOS releases (post-Catalina) any more.

This means, that if you want to use bash, Python, Perl, or Ruby on macOS, you will have to install, and maintain your own version in the future.

However, scripts in installation packages, cannot rely on any of these interpreters being available in future, post-Catalina versions of macOS. Installer pkgs can be run in all kinds of environments and at all times, and you would not want them to fail, because a dependency is missing.

The good news is that we still have time. All the runtimes mentioned above are still present in Catalina, so the packages will continue to work for now. But if you are building installation scripts, you need to check if any of the installation scripts use one of these interpreters and fix them.

I recommend to use /bin/sh for installation scripts, since that will run in any macOS context, even the Recovery system.

If you are using third-party installer packages, you may also want to check them for these interpreters, and notify the developer that these packages will break in future versions of macOS.

To check a flat installer package, you would expand it with pkgutil --expand and then look at script files in the Scripts folder. This will work fine for a package or two, but gets tedious really quickly, especially with large distribution pkgs with many components (e.g. Office).

So… I wrote a script to do it. The script should handle normal component pkgs, distribution pkgs and the legacy bundle pkgs and mpkgs.

You can get the pkgcheck script from my Github repo.

What the script does

Once I had written the code to inspect all these types of pkgs, I realized I could grab all other kinds of information, as well. The script will check for:

  • Signature and Notarization
  • Type of Package: Component, Distribution, legacy bundle or mpkg
  • Identifier and version (when present)
  • Install-location
  • for Distribution and mpkg types, shows the information for all components as well
  • for every script in a pkg or component, checks the first line of the script for shebangs of the deprecated interpreters (/bin/bash, /usr/bin/python, /usr/bin/perl, and /usr/bin/ruby) and print a warning when found

How to run

Run the script with the target pkg file as an argument:

% ./ sample.pkg

You can give more than one file:

% ./ file1.pkg file2.pkg ...

When you pass a directory, will recursively search for all files or bundle directories with the pkg or mpkg extension in that directory:

% ./ SamplePkgs

Features and Errors

There are a few more things that I think might be useful to check in this script. Most of all, I want to add an indicator whether a component is enabled by default or not. If you can think of any other valuable data to display, let me know. (Issue or Pull Request or just ping me on MacAdmins Slack)

I have tested the script against many pkgs that I came across. However, there are likely edge cases that I haven’t anticipated, which might break the script. If you run into any of those, let me know. (File an Issue or Pull Request.) Having the troublesome pkg would of course be a great help.

Note: the script will create a scratch directory for temporary file extractions. The script doesn’t actually expand the entire pkg file, only the Scripts sub-archive. The scratch folder will be cleaned out at the beginning of the next run, but not when the script ends, as you might want to do some further inspections.

Sample outputs

This is a sample pkg I build in my book, it has pre- and postinstall scripts using a /bin/bash shebang:

% ./ SourceCodePro-2.030d.pkg
Signature:      None
Notarized:      No
Type:           Flat Component PKG
Identifier:     com.example.SourceCodePro
Version:        2.030d
Location:       /
Contains 2 resource files
postinstall has shebang #!/bin/bash
preinstall has shebang #!/bin/bash

This is the experimental notarized pkg installer for desktoppr:

% ./ desktoppr-0.2.pkg
Signature:      Developer ID Installer: Armin Briegel (JME5BW3F3R)
Notarized:      Yes
Type:           Flat Component PKG
Identifier:     com.scriptingosx.desktoppr
Version:        0.2
Contains 0 resource files

And finally, this is a big one, the Microsoft Office installer: (they have some work to do to clean up those scripts)

% ./ Microsoft\ Office\ 16.27.19071500_Installer.pkg
Microsoft Office 16.27.19071500_Installer
SamplePkgs/Microsoft Office 16.27.19071500_Installer.pkg
Signature:      Developer ID Installer: Microsoft Corporation (UBF8T346G9)
Notarized:      No
Type:           Flat Distribution PKG
Contains 11 component pkgs

    Type:           Flat Component PKG
    Version:        16.27.19071500
    Location:       /Applications
    Contains 3 resource files

    Type:           Flat Component PKG
    Version:        16.27.19071500
    Location:       /Applications
    Contains 2 resource files

    Type:           Flat Component PKG
    Version:        16.27.19071500
    Location:       /Applications
    Contains 2 resource files

    Type:           Flat Component PKG
    Version:        16.27.19071500
    Location:       /Applications
    Contains 2 resource files

    Type:           Flat Component PKG
    Version:        16.27.19071500
    Location:       /Applications
    Contains 2 resource files

    Type:           Flat Component PKG
    Version:        19.70.410
    Location:       /Applications
    Contains 30 resource files
    postinstall has shebang #!/bin/bash
    od_logging has shebang #!/bin/bash
    od_service has shebang #!/bin/bash
    od_migration has shebang #!/bin/bash
    preinstall has shebang #!/bin/bash

    Type:           Flat Component PKG
    Version:        4.13.19071500
    Location:       /Library/Application Support/Microsoft/MAU2.0
    Contains 2 resource files
    postinstall has shebang #!/bin/bash
    preinstall has shebang #!/bin/bash

    Type:           Flat Component PKG
    Version:        16.27.19071500
    Location:       /
    Contains 2 resource files
    dockutil has shebang #!/usr/bin/python

    Type:           Flat Component PKG
    Version:        0
    Location:       /private/tmp/
    Contains 1 resource files
    postinstall has shebang #!/bin/bash

    Type:           Flat Component PKG
    Version:        0
    Location:       /private/tmp/
    Contains 1 resource files
    postinstall has shebang #!/bin/bash

    Type:           Flat Component PKG
    Version:        0
    Location:       /private/tmp/
    Contains 1 resource files
    postinstall has shebang #!/bin/bash

Weekly News Summary for Admins — 2019-07-19

Still a lot of fallout from the Zoom invulnerability. It took Apple three updates to MRT (so far) to eradicate all the differently branded varieties of the Zoom client web server. Makes me wonder how many Macs there were or are with multiple of these clients installed.

We also got new betas for 10.14.5 and 10.15 and the respective iOS versions. Some of the worst data-destroying bugs seem to be fixed or at least mitigated but I am still not comfortable moving my production devices to the betas. That’s what test devices are there for. I am getting quite excited about some of the features I have seen, both for end-users and administrators.

One of those features is that zsh will become the default shell for macOS. If you want to know what that means, how to transfer your shell configuration, workflows, and scripts from bash to zsh, and increase your Terminal productivity, we are doing a half-day training in Amsterdam on September 6. You can get more details and sign up on our webpage!

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

On Scripting OS X

News and Opinion

Many,many thanks to Erik for his contributions to the Mac Admin community and I wish him all the best for the future!

MacAdmins on Twitter

  • Timo Perfitt: “So it begins. We just signed up to be an MDM vendor. MDS DEP deployment coming soon.”

Bugs and Security

macOS 10.15 Catalina and iOS 13

Support and HowTos

Scripting and Automation

Updates and Releases

To Watch


There are no ads on my webpage or this newsletter. If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

On Smart Quotes and Terminal

Typography is a wonderful art and has a long history. When humans turned from manual typesetting to machines, type writers and then computers, some compromises had to be made. One of these compromises was to use simple straight quote symbols for opening and closing the quote, rather than different quote symbols for opening and closing.

Note: which kind of quotes are used for opening and closing dependent on the language or and some convention. English uses upper quotes “…”, German opens with a lower quote: „…“, French uses ‘guillemets:’ «…», and Japanese uses hooks: 「…」

Quotation Marks have funny names in many languages. Germans call them “Gänsefüßchen,” or “little goose feet.”

See this Wikipedia article for more details.

macOS, iOS and other modern operating systems have a feature which replaces the simple or straight quote symbols with the typographic quotes. So, you type "Hello!" and the quotes are automatically replaced with the proper (depending on localization) typographic quotes. This is called “smart quotes.”

This is pretty nice, but can be troublesome when dealing with Terminal and text editors. Scripting languages and shells always use straight quotes, and cannot deal with typographic quotes.

Now, if someone sends you a command or a script that uses quotes, and it goes through an app that replaces them with smart quotes, then bash and Terminal will fail miserably.

There is not much you can do, other than be aware of this and check pasted code carefully. There is something you can do to make this easier, though.

The default monospace font used in Terminal on macOS are ‘Menlo’ or ‘SF Mono,’ depending on the macOS version. Now these are fine typefaces, but their typographic quotes are not very curly at all, making them very hard to distinguish from the ‘dumb’ straight quotes that Terminal expects. The classic ‘Monaco’ typeface on the other hand has beautiful curly typographic quotes, making them very distinct from the the straight quote.

My favorite mono space typeface ‘Source Code Pro’ also has nice curly typographic quotes. I have built this table with many common monospace typefaces and their quotes.

Quotation Mark Comparison
Quotation Mark Comparison

Now this shouldn’t be your only criteria in choosing your Terminal font, but it may be something that helps avoid quote errors.

MacADUK 2019 Presentation Video online

The recording of my MacADUK 2019 presentation: “Modern Deployment Workflows for Business” is online and available:

You can find this video and the other recorded presentations in the MacADUK 2019 playlist on YouTube.

I am really happy with how this presentation turned out and I could be more happy with the keyframe that was chosen for the video.

You can find the notes and slides at the session’s permanent page.

Many thanks again to all those who put a lot of effort into making MacADUK 2019 the great conference it was. Also thanks to the attendees with all their great feedback and applause. See you all again next year!

EraseInstall Update: Version 1.2

We (the team I work with at Pro Warehouse) have released a new version of the EraseInstall application.

Version 1.2 is now notarized, so it should continue to work with macOS 10.14.5 and newer. It also checks the battery level before starting the process and will refuse continue if the battery is low. We also fixed a few layout and other bugs.

Important Update: Because this new version is built with Swift 5, it will require the Swift 5 Runtime Support to be installed as well, when on macOS 10.14.3 and older.

But the big new feature is that you can customize the installation process of the new macOS with custom packages.

The package installers will be installed after the macOS installation is complete but before DEP runs or the first user is created. This allows for some useful customizations and shortcuts in the deployment process.

The EraseInstall application will look for package installers (pkg) files in the /Library/Application Support/EraseInstall/Packages/ folder. When the package installers are in the correct format (see below) they will be added to the startosinstall command with the --installpackage option.

For this to work, the packages have to be ‘distribution packages with an’product archives,’ i.e. distribution packages with the identifier attribute set in the product key.

Most package installers created with tools commonly used by Mac Administrators build component packages (also called ‘flat packages’). These contain the payload files that will be installed on the target system and optional installation scripts to modify the behavior.

If you usually build your packages as component packages with pkgbuild or a similar tool, you can convert them to product archives with the productbuild command:

$ productbuild --package path/to/component.pkg
--version 1.0 --identifier com.example.package productarchive.pkg

If you use a different tool to create your packages, please consult the tool’s manual or support reference whether they create component packages, distribution packages or product archives.
munkipkg: will automatically create product archives when the distribution_style key is set to true
Whitebox Packages: identifier (id) and version can be set for a distribution package project when ‘Show Advanced User Options’ is enabled in Packages -> Preferences
Jamf Composer: cannot create distribution packages or product archives. You can convert the component packages from Composer with the above productbuild command.
pkgbuild and most other tools: creates component packages which you can convert using the above productbuild command

You can use the ‘ShowLanguageChooser’ and ‘SuppressSetupAssistant’ package installers built with these scripts as some examples to start with.

You can download the installer for EraseInstall 1.2 here.

macOS Mojave Spring Update

The macOS Mojave 10.14.4 update dropped on Monday night, along with iOS 12.2. Like last year’s 10.13.4 update, these updates didn’t only bring the usual “bug fixes and improvements” but new features, both user facing and “under the hood.”

Apple even put a section on the ‘Enterprise Content’ of the updates in the macOS release notes!

What’s new in the updates for macOS Mojave:

Enterprise content:

  • Fixes an issue that could prevent mobile accounts from logging in from an off-network Mac after changing their network account password.
  • Fixes an issue that intermittently prevented apps from downloading from the App Store or installing via MDM.
  • Mobile Active Directory accounts that have used their personal recovery key (PRK) to unlock a FileVault volume are no longer required to continue using the PRK to unlock, but can use their login password instead.

The macOS Server/Profile Manager release notes, provide more information on some management related features:


  • Export a predefined set of device information values for specified devices using a new command-line tool, exportDeviceInfo
  • Skip True Tone pane in Setup Assistant
  • Configure new restrictions: screenshot and remote screen observation
  • Configure Exchange Web Services authentication certificate
  • Configure Apple Remote Desktop access
  • Configure managed classes on student Mac computers
  • Configure Certificate Transparency payload


  • Enable or disable Voice and Data Roaming and Personal Hotspot
  • Configure new restrictions: Personal Hotspot modification (supervised only), disable server-side Siri logging
  • Display phone number, ICCID, and IMEI details of enrolled Dual SIM devices
  • Configure Certificate Transparency payload

– Configure Managed Software Updates

While I do not recommend to macOS Server/Profile Manager as a production MDM, it is useful for testing new features and as a reference implementation.

We didn’t get new, disrupting features on the scale of user-approved MDM this year, but the spring update still warrants extra attention and preparation from system admins.

Pi-Day: Let’s talk about dates, baby!

Happy Pi day!

Explanation for those who live in countries with sensible units and date notations: Americans – aside from using weird non-metric units – also have the odd habit of putting the month first in dates, then the day, then the year. So: ‘Mar 14, 2019’ or 3/14/2019. Instead of the more sensible 14.3.2019.

On the other hand, once every year, this weird notation will spell out 3.14, or the first three digits of the circle number, π (pi). And since non-mathematicians seem to love the (non-deserved) quasi-mystical nature of Pi and mathematicians are happy that at least once a year people are paying attention, Pi-day has become kind of a thing.

It’s also an excuse to bake tasty pies as a real-world dad joke manifestation, so overall, fun can be had!

But since we are talking about date notations…

While the day.month.year notation common in the rest of the world is arguably better than the American month/day/year, it is still not an ideal notation. Even better is year-month-day, especially when used with fixed digit lengths: YYYY-MM-DD, e.g. 2019-03-14.

While we will have to wait 1122 years before this notation approximates π, it has many other benefits. First, it sensibly and obviously sorts the components of date and time from largest (years) to lowest (seconds or even fractions of a second). It is fairly easy to parse in scripts and languages. When you sort ISO 8601 date strings alphanumerically, they will be in the correct order for dates. No other notation does that.

This is the reason this notation is enshrined as ISO 8601 and used in many places on your computer. For example, property lists encode timestamps in ISO 8601.

Learn more about property lists in my book: “Property Lists, Preferences and Profiles for Apple Administrators”

Jamf Extension Attributes can also be parsed properly as dates when returned in ISO 8601 format.

Dates in the shell

When working in shell scripts on macOS, you can use the date command to get the current date or for other date operations. Other flavors of unix-like operating systems have a specific flag to get ISO 8601 output, but in macOS you have to format manually:

$ date -u +"%F"
$ date -u +"%FT%T"

When you want a file’s creation, access, or modification date you can use the stat command:

$ stat -f 'Created: %Sc   Modified: %Sm   Accessed: %Sa' pi-day
Created: Mar 14 08:43:07 2019   Modified: Mar 14 08:43:06 2019   Accessed: Mar 14 08:43:06 2019

You can use the -t option to format the time:

$ stat -f 'Created: %Sc   Modified: %Sm   Accessed: %Sa' -t "%FT%T" pi-day
Created: 2019-03-14T08:43:07   Modified: 2019-03-14T08:43:06   Accessed: 2019-03-14T08:43:06

Finder and macOS Interface

You can teach Finder an approximation of ISO 8601. Go to System Preferences > Language & Region and click on the ‘Advanced…’ button and select the ‘Dates’ tab:

Set something close to the ISO date format for Mac
Set something close to the ISO date format for Mac


AppleScript will use the system’s date formatter (set in System Preferences) to parse and print dates. It will use the “Full date format” to show date objects by default, which is quite elaborate.

You can declare date variables with the short format, but as soon as you “compile” the script, it will be replaced by the full format. So, this:

set thedate to date "2019-03-14"

will turn into this

set thedate to date "Thursday, 14 March, 2019 at 00:00:00"

AppleScript uses the date format defined in System Preferences, so you have to have this set up. This format will also be used when AppleScript extracts a date object to a string, but again it will use the full date format by default:

get date string of thedate
"Thursday, 14 March, 2019" 

There is, however, a short date string property you can use:

get short date string of thedate

Again, the output will depend on the format set in System Preferences.

  • AppleScript Language Guide: date


Getting and parsing ISO dates with Python is (not surprisingly) easy.

$ python
>>> import datetime

You can also parse an ISO string with python:

>>> datetime.datetime.strptime("2019-03-14T10:09:12", "%Y-%m-%dT%H:%M:%S")
datetime.datetime(2019, 3, 14, 10, 9, 12)


Swift uses the Date class to represent dates and times. There is a DateFormatter object which can convert Date objects to strings and back. There is also a dedicated, if awkwardly named, ISO8601DateFormatter class just for ISO dates and times.

let now = Date()
print(ISO8601DateFormatter().string(from: now))

let pidaywithtime = ISO8601DateFormatter().date(from: "2019-03-14T15:09:26Z")

You can even customize the behavior of the ISO8601DateFormatter:

let dateISOFormatter = ISO8601DateFormatter()
dateISOFormatter.formatOptions = [ .withFullDate, .withDashSeparatorInDate]
let piday = "2019-03-14")

The Year 2018 for Mac Admins

Happy New Year! (Again.) I started writing this post before the holidays, but it kept growing, needed revisions and additions. I did decide this review is “complete” for now, but mostly because it would be embarassing to publish a review of 2018 in February or later.

2018 was certainly “interesting” for MacAdmins.

The MacAdmins annual schedule does not really fit well with the calendaric year. The two main highlights of the year for Apple Admins are the Developers’ Conference and then the annual main release of iOS and macOS. Nevertheless, I ask for indulgence as I put down my thoughts what is going on in the MacAdmin World.

Apple is Firing on all Cylinders

Looking back, it is amazing how many new products Apple introduced in 2018. The HomePod, originally planned for late 2017 started the year. There was a overhaul of the iPad line with the new low-end model in the Spring and the new iPads Pro in October. The Fall event yielded not just one new iPhone model, but three, as well as a redesigned Apple Watch. Many new, and long-awaited Macs with the new MacBook Pro, MacBook Air, and finally a new Mac mini.

Apple also released tons of new software and services. There was Apple Business Manager, an updated Apple School Manager and Classroom app. Obviously, iOS 12, macOS Mojave and all their siblings, were introduced in the Fall and all the productivity apps, as well as the Pro apps (Logic and Final Cut) got some interesting updates. The Shortcuts app is a new (or at least re-branded) addition to iOS. Apple Books (iBooks Store) and the Mac App Store got a new design overhaul.

It is also interesting to consider the products that Apple did not update this year: AirPods, iPod touch and iPad mini, Apple TV, iMac (Pro), MacBook and Mac Pro.

Some of these (AirPods, Apple TV, iMac) are likely on a two-year upgrade cycle and should get an update in 2019. Apple famously pre-announced the (highly overdue and anticipated) new Mac Pro for 2019. The 12″ MacBook could be on a two-year cycle, but also occupies an awkward postion between the new MacBook Pro and MacBook Air. This leaves the iPod touch and iPad mini in a sad state (or maybe not?)

Apple is Pruning

Among all of these updates and new products, Apple has also pruned their product line.

Apple announced they would stop making Airport Base stations and Time Capsules. The iPhone SE was discontinued. There are no more iPhones sold with a headphone jack.

In the MacAdmin space, Apple announced the removal of many services in the macOS Server application, leaving only a few. What remains of Server is Profile Manager, Xsan and Open Directory.

All the new Macs with the T2 system controller will not NetBoot any more. All new Mac models introduced in 2018 have the T2 system controller. While this is a huge improvement in security and performance, administrators will have to adapt to the changes this heightened lockdown brings. We can’t say we haven’t been warned, though.

Apple in Enterprise is growing

Even though Apple’s events focus on the consumer business, Apple has been gaining market- and mindshare in Enterprise and businesses. We rarely get numbers on this from Apple directly, but their partners and customers seem happy enough to brag.

Apple’s strong message on privacy is aimed mostly at end users. Enterprises are listening as well, and mostly like the messaging.

Many IT organisations that traditionally only supported Windows now have to open up their services to mobile smart phone platforms. This also creates an opportunity to add support for other platforms and has led to a Mac revival in many organisations.

We are also seeing many traditional ‘Enterprise’ solutions being built with iOS support, such as Cisco Security Connector. Again, while these solutions are built mainly with iOS in mind, the less prominent elder sibling macOS often gains support as well.

Overall, the trend in many Enterprises is to support more than just one platform. This is an important change the previous “Windows, unless you have a really good reason.” Once you (have to) break with single-platform policies, then adding even more platforms becomes easier.

This process is not universal, however. Microsoft has announced it will switch to using the Chromium engine for their Edge browser, leaving only Firefox as the last major non-WebKit based browser.

Apple is reaching out

Maybe as a result of the continued interest for Apple in the Enterprise, Apple has, for the first time, officially had speakers at the Penn State Mac Admins Conference.

There have been ‘unofficial’ or even ‘undercover’ sightings of Apple employees at conferences before, but officially providing speakers for sessions is new for Apple. At least since the demise of the IT Track at WWDC in 2009. I think this is a wonderful development and hope Apple continues this new policy of communication with more conferences.

Apple employees Jeremy Butcher and Doug Brooks were guests on the MacAdmins podcast, where they talked about the new hardware, MDM and the T2 chip. This was an amazing surprise in 2018, and would have been hard to imagine just a few years ago.

Apple is Hiring

In 2018, we have seen several members of the MacAdmins community and wider Apple Tech scene get hired by Apple. I am wishing all of them the best!

I think it is great that Apple is hiring these experienced experts into the various teams and hope that their voices and skills will be valued and listened to. Much can be gained both within and outside of Apple when these skills are applied well. I do not want to imply that the existing members of the various Apple teams don’t have important skills, but ‘outside’ experience and perspective is very valuable.

On the other hand, it is a bit sad that the secretive Apple culture is now removing these voices from our community, at least for the time being. Maybe the new openness that Apple has demonstrated will allow us to hear from them before the end of their stint at Apple.

MacAdmin Community is Growing

That said, the MacAdmin community is growing at an impressive rate. The MacAdmins Slack went above 20K users with nearly 4000 weekly active users.

What I find interesting and encouraging is that these aren’t just “senior” MacAdmins with decades of Apple experience, but many young and new people who come here from other platforms or other support jobs.

To all admins new to the Mac and iOS platform: Welcome!

If you haven’t joined the MacAdmins Slack yet, do it now! You can read my “opinionated guide to MacAdmins Slack” first.

The Admin Environment is getting more complex and integrated

Another good reason to welcome all those new admins is that we have a lot of need for them. More and more organisations are in need of MacAdmins. But also the Apple platforms are required to integrate into more and more other complex systems and platforms.

Laptops and smart phones aren’t standalone devices anymore, but work within a complex web of networks, services, other devices and applications. No piece works entirely without any of the others.

With the demise of the Xserve, the Mac mini Server and, most recently, macOS Server, “Mac” admins have to use other platforms to host essential services. This provides several features, such as virtualization and cloud services, that aren’t possible with macOS.

In some organisations, you may still be able to have a single admin to manage everything tech related, but in most cases Mac and iOS engineers will have to work within teams of admins managing multiple different services and platforms.

Not only do traditional Mac admins have to learn other platforms and services, but the admins with backgrounds in these other platforms are now confronted with Mac and iOS and many of them are starting to take reponsibilities for these platforms as well. Once again, welcome!


We got the --eraseinstall option for the startosinstall command. You can tell this got me excited because I helped build an app around that. Also, the startosinstall command was made official by Apple, after lurking in the macOS installer application bundle for a few system releases.

Together with APFS for all drives in Mojave, MacAdmins can now build a new installation based workflow for all Macs that can support 10.14 and beyond. You can read more about this in my latest book (another highlight for me in 2018) ‘macOS Installation for Apple Administrators.’

The new Mac hardware is definitely interesting. The Mac mini didn’t just get a speed bump, but a major boost. Apple has clearly recognized that the mini is not only being used as a cheap entry-level Mac, but as a “Pro” device where an iMac, iMac Pro or Mac Pro is overkill.

The T2 System Controller chip has been in every new Mac model introduced in 2018. Even the new MacBook Air and Mac mini have the T2. I really appreciate the performance and security implications. But the T2 brings with it new limitations and workflows for MacAdmins.

Still Missing for Admins

Much has been said about Apple’s ‘misses’ for 2018. From a ‘normal’ user perspective I liked Rene Ritchie’s summary: Vector Apple misses

Since admins are also users, all of those topics are relevant to us, too. However, as MacAdmins we have other concerns as well.

Mac App Store: VPP vs Subscription and in-App-Purchases

The Mac App Store application got a visual overhaul in Mojave. The backend, however, remains an utter mess. (I am still continually annoyed by the fact that I cannot search, purchase or even reliably view apps for other platforms.) While I approve of the application sandbox on macOS in general, the limitations imposed by Apple still exclude entire categories of useful tools and applications from the Mac App Store.

Nevertheless we have been promised more software for the Mac App Store, most prominently Microsoft’s Office 365 Suite. Since Apple showed off Adobe Photoshop for iPad in the Fall event, there may also be hope for Adobe applications. Both of these solutions are from prominent large vendors and one would presume the app would be free in the Mac App Store (like on iOS) but require an subscription (Office 365 or Adobe Cloud) to unlock or activate.

Apple mentioned at WWDC in June that they were adapting the rules to allow for more apps in the Mac App Store. They explicitly mentioned Barebones’ BBEdit and Panic’s Transmit, both of which were present in the Mac App Store previously, but left because of limitations. Panic published Transmit in November, with a yearly subscription price. You can still get Transmit for a fixed single price from their website.

Apple has been pushing the subscription model as a solution for vendors to get recurring income without paid upgrades. Other apps, like the great applications from the OmniGroup, are also free to download, but require an in-app purchase to unlock the full feature set. While subscriptions and in-app purchases have their downsides, I think they can be a useful solution for developers and users.

However, when you need to buy applications in large numbers from the Mac App Store, Apple will refer you to their Volume Purachasing Program (VPP) now called “Applications and Books” as part of the Apple Business Manager or Apple School Manager. Neither subscriptions nor in-app purchases are supported by VPP.

Furthermore, MDM commands are sent to a client without the expectation of any feedback, other than that the command was received. The installation may fail and the MDM will not care. Some management solutions close the loop by reporting installed applications back through a custom agent and can take action on that data. But it would be nice if this loop were closed by the MDM protocol and agent directly.

The example of Transmit shows that Apple seems to be working on expanding and refining the set of entitlements available. This is promising, but as the continued absence of BBEdit demonstrates, still requires a lot more work, time and patience.

Obviously, Apple will not comment on future features. These limitations have existed for several years now. On macOS, software vendors at least have the option of offering installers and volume or education licenses outside of the store. But, as subscription and in-app purchase models are becoming more popular in the iOS App Store, this is turning into a problem not only for macOS.

All of these limitations are holding back the App Stores and VPP as a deployment tool. I believe that pushing VPP applications with an MDM could be useful and powerful. Admins can securely push a VPP app and its configuration together with a profile or managed app config and manage licensing or subscription, without the need scripting or packaging. On iOS, VPP is the only solution for this. But Apple is hobbling their own solution by not offering subscription or in-app purchase VPP.

Full “Zero-touch” Deployment

Apple and many management system vendors like to tout “zero-touch” deployment. This of course means “zero-touch” for IT department. I do appreciate the elegance of these kinds of workflows, where a device can be shipped directly to the user and the device is automatically enrolled on first setup. This allows for deployment workflows that simply weren’t possible before.

That said, there are other environments with vastly different requirements. Especially education setups still have labs or carts full of iMacs or MacBooks. Imaging and NetBoot are dead for new Mac models with T2 chip and Secure Boot. But the new deployment models always require user interaction at some point during the re-install/enrollment workflow.

When you use DEP (Automated MDM Enrollment), you can suppress most of the screens during system and user setup, but there are a few screens (Region, keyboard layout, possibly time zone, and then, of course, approving the Remote Management) that you cannot skip. Any deployment workflow will stall at this point, until someone physically clicks through those dialogs.

You can skip SetupAssistant and DEP entirely and enroll to the MDM with a script or pkg. This defers the mandatory clicking for user approval to the end of the deployment workflow, but there are still some configuration and deployment tasks, that have to be put on hold until user-approval of the MDM is given. Third Party Kernel Extensions and tools that require PPPC approval can’t be installed without a UAMDM.

User-approval should be required during a manual enroll or after an enrollment done with a script. This is a necessary security measure to prevent computers from being enrolled to rogue MDMs by malware.

However, automated enrollment with DEP should not require any user interaction. Once a Mac is listed in the Apple Business/School Manager, it should be considered owned by the organization. I believe admins should have the option to pre-configure and skip every step of the setup workflow.

macOS Installer Versions

Apple has finally acknowledged the startosinstall command, was among my highlights. They also added a very useful option with --eraseinstall. To use this tool, you need to have the “Install macOS *.app” on the Mac (or an external storage). And you need the correct version.

Hardware specific builds of macOS aren’t a new thing. When new Apple hardware is released, it usually comes with a very specific build of macOS that will run exclusively on that hardware. Usually with the next update to macOS the hardware specific build will be merged into the main macOS build and we have a universal installer application again. There are exceptions: the iMac Pro had an hardware specific build for two updates and was not merged until 10.13.4.

The 2018 MacBook Pros were released with a hardware specific build of macOS 10.13.6. Since 10.13.6 was the final update for 10.13, admins holding on to 10.13 for the time being will have to provide and manage the general version of 10.13.6 as well as the hardware specific build for the 2018 MacBook Pros.

Additionally, it is really hard to get a hardware specific macOS installer application through any official means from Apple. You can download the generic installer from the Mac App Store on any Mac that support High Sierra other than the 2018 MacBook Pros. You should be able to download the hardware specific build of 10.13.6 on a 2018 MacBook Pro that requires it, but that process has been riddled with errors and bugs.

All these various builds and versions are tracked and communicated by MacAdmins, but not by Apple. As of this writing, this Apple Support article has no mention of the hardware specific builds of 10.13.6 or any Mojave version, even though it was updated in December. There were specfic builds for the 2018 MacBook Pro (17G2208), Mac Mini (18A2063), MacBook Air (18B2107) and MacBook Pro with the Vega card (18B3089).

This is horribly frustrating. Greg Neagle reverse engineered the download process of the macOS install application and built a script. The script will still have to be run on the respective hardware, but it is more reliable to download a specific installer than the Mac App Store.

I am (once again) hugely grateful for Greg’s effort. However, that so many MacAdmins rely on a hack to download the essential piece of the deployment workflow, is nothing but a disgrace, no matter how well-executed the hack is.

On top of that, security updates don’t increase the version number, but do change the build number, resulting in a confusing list of possible build numbers for 10.13.6.

Apple has provided helpful download links for older macOS versions as support pages. These links lead to the Mac App Store. But links to older macOS downloads will fail on any Mac that doesn’t support that particular macOS version.

I understand that normal end users probably shouldn’t be able to view or download a version of macOS that cannot be installed, but there should be an official way for MacAdmins to download older versions of macOS, even when they working on the latest and greatest Mac.


Documentation on Apple’s Support pages has seen improvements in some ways. There were several timely articles posted around the release of Mojave. We got great security documents on Secure Boot and the T2 chips. We got a first, though still incomplete, glimpse at APFS documentation. The MDM specification and Configuration Profile reference moved from HTML to a PDF document, which makes it harder to read or process, but it is still being regularly updated.

Overall, however, I still have to give Apple a failing grade for documentation from a MacAdmin perspective. Crucial pieces of the deployment workflow, such as the startosinstall command, Secure Token and APFS FileVault, or how to determine which software and scripts to add to a PPPC profile have been reverse engineered by admins in the field and there is still, more than a year after High Sierra and four months after the release of Mojave, no or very sparse documentation from Apple on any of these topics.

Thanks to the amazing efforts of fellow MacAdmins we have great documents and tools for many of these topics. The spirit of sharing and communication in the MacAdmins community does everyone credit.

With success stories like SAP and IBM, no-one can credibly claim Apple is not “for the Enterprise.” Apple wants to push quick release cycles and fast adoption of new macOS upgrades and updates. I agree with these goals. But a quick update cycle also requires similarly quick releases of documentation. When you want admins to support the latest and greatest release, then you need to tell them how, and not wait for someone to reverse engineer everything.

Looking to 2019

What will 2019 bring for MacAdmins?

New Mac Pro

The highly anticipated new, “modular” Mac Pro is on the top of that list. Will it be able to excite the Pro customers? We can probably also expect a new Apple branded display to supplement the Mac Pro. Since Apple has introduced external GPUs for the MacBooks, I am wondering if a new Apple Display might come with a GPU, rather than relying on the GPU power in the Mac. I am also curious if Apple can and will use Thunderbolt 3 in other ways to make the new Mac more “modular.”

The 2018 Mac mini turned out to be more powerful than any Mac mini before. You can configure up to six i7 cores, 64GB RAM and 10GigaBit Ethernet. On top of that you get four Thunderbolt 3 ports for expansion. With a powerful eGPU or an hypothetical display with GPU, the Mac mini can already be seen as a “modular Pro Mac.” Obviously, high-end users want even more RAM, cores, and something more powerful than an i7. The iMac Pro scales from 8 to 18 Xeon cores, and 128GB of RAM, so that should be the baseline for the Mac Pro. But how else will the new Mac Pro distiniguish itself from the Mac mini and the iMac Pro? It’ll be fun to speculate and then analyse the reality.

My prediction for release date? Most likely at WWDC, though there is a chance Apple might do a special event earlier in the year.

More Security and Control

The 2018 Mac models have shown that the T2 system controller or its successor will be in all Mac models going forward. It provides better and faster local disk encryption, Secure Boot, system activation at installation, and can block external boot. Apple has had these “features” in iOS for years.

Secure Boot can be disabled and external boot can be “unblocked” on Macs, but a new system out of the box will have the most secure settings. This follows the model that SIP and user-approved Kernel extension have set in the past.

Apple could start mandating some of these settings. However, they have not mandated SIP even after several years, might be a sign that they will keep those ‘backdoors’ available for a bit longer. (I don’t recommend disabling any of these security features, they are there for a reason.)

Having T2 (or something better) across all Macs could allow Apple to implement some other options, such as stopping to activate/sign older macOS versions, blocking them from being installed. Before they can do that effectively, we will have to wait out the life time of pre-T2 Mac models. Even though all new Mac models in 2018 have the T2, Apple still sells models without T2 chips, such as the entry level MacBook Pro and MacBook Air. To effectively implement something like this, Apple would have to wait until a large fraction of the installed base has the T2 (or better) chip. Given the current life time of Mac hardware this will take at least three to five years.

So, while forthcoming Macs might implement stricter local security, I don’t expect major changes in 2019.

UIKit on macOS

Another big announcement at WWDC 2018 was that Apple had started to port UIKit, the framework for writing applications on iOS to macOS. For now, Apple is ‘testing’ this approach with four of their own apps: Stocks, News, Home and Voice Memos. This framework is not yet available to third party apps. (At least not officially.) The framework (the suspected code-name is ‘Marzipan’) should be available to third-party developers in ‘2019’, most liekly with macOS 10.15.

This will lower the threshold for porting apps from iOS to macOS. Apple surely expects this will be a huge boost to app availability for macOS. However, there are reasons that macOS and iOS are very separate platforms with different UI frameworks. The date or time picker in the Home app is exactly the same as in iOS and not optimized for mouse/trackpad input. None of the Marzipan apps can open multiple windows.

Overall, I think that even a poorly ported Home app is better than no Home app at all. But without multiple windows or something like AppleScript support, the macOS Home app will not live up to expectations of macOS and remain disappointing.

That said, Apple was careful and kept the Marzipan framework private for a year. There will likely be major changes to the current implementation before it is released to developers this summer. Also, it will continue to evolve with future macOS updates.

Overall, I will be looking forward to this.

ARM based Macs

ARM based Macs were predicted for 2020, rather than 2019, so it might be a bit premature.

The motivation for this might be obvious. Intel has had major setbacks in their chip roadmap while Apple own ARM-based “A”-series chips are catching up in performance. Apple has repeatedly shown that they would like to own the all the pieces that go into their devices. So it seems like an obvious, even unavoidable next step to put the A-series chips that are powering the iPad Pro into MacBooks and maybe even desktop Macs as well.

While I am not going to argue that A-series chips are powerful enough for laptops and most consumer desktops, they not yet comparable to the high end “Pro” chips, especially for desktops. Using A-series chips might allow Apple to innovate faster and lower prices, but it would further reduce the distinction between the MacBook and iPad Pro, something that is already putting pressure on the Mac platform sales and confusing for customers.

On the Mac platform, Apple just recently re-commited to Intel with Xeon in the iMac Pro and the Core i7 chips in the new Mac mini and MacBook Air. Presumably the new Mac Pro will have a Xeon chipset that can keep up and exceed the iMac Pro.

It is conceivable that Apple has some massively parallel “super-A-series” logic board design. But that would be a strange course correction away from the path that we have seen in the iMac Pro. GPU power is a key to high-performance computing, VR and AR and machine learning. Any solution Apple uses for future “Pro” Macs will have to support high-end GPUs.

Since the MacBook Air and Mac mini just got refreshes, I don’t expect any news on A-series Macs until these are up for a hardware refresh, probably in late 2020. That timeline would make it unlikely to hear anything at WWDC this year.

The 12“ MacBook is the one wildcard. The 12” MacBook remains positioned oddly between the new MacBook Air and the the 13“ no Touch-bar MacBook Pro. If Apple wanted to show off a power-sipping A-series chip in a notebook form factor, possibly at a lower US$999 entry price, a new 12” MacBook with a single USB-C port, like the iPad Pro, could work quite well.

But would this A-series notebook necessarily be a “Mac?” Keep in mind that Apple rebranded their Book store this year, possibly allowing the “iBook” brand to return to its original use.

Whether this year, next year or later, macOS on A-series will come with some pains for MacAdmins. This will be a hardware specific build of macOS that cannot merge. This new macOS will probably have a deployment even close to iOS than the current macOS. Software could be offered in fat-bundles, including the binaries for both chip sets, or merely fat installers, that choose the binary during installation. Or, the Mac App Store could be the sole means of software distribution, like on iOS.

MacAdmins have weathered transistions like these before. Both the transition to Mac OS X from “Classic Mac OS 9” and the Intel transition actually resulted in many new tools and workflows being developed and used for deployment.


Times will remain interesting and exciting for MacAdmins. It is obvious that Apple and the entire tech industry have no plans of reducing momentum or changing direction. While it is not always clear in which direction the field is moving, anyone who’d rather stand still and hold to things as they are (were), will be left behind.

Continous trouble-shooting mode and beta-testing can be tedious and frustrating, but when managed correctly, will result in an flexible and up-to-date deployment, where users can get the latest and newest hardware and software, without IT standing in the way.

On to tackle 2019!