The Year 2018 for Mac Admins

Happy New Year! (Again.) I started writing this post before the holidays, but it kept growing, needed revisions and additions. I did decide this review is “complete” for now, but mostly because it would be embarassing to publish a review of 2018 in February or later.

2018 was certainly “interesting” for MacAdmins.

The MacAdmins annual schedule does not really fit well with the calendaric year. The two main highlights of the year for Apple Admins are the Developers’ Conference and then the annual main release of iOS and macOS. Nevertheless, I ask for indulgence as I put down my thoughts what is going on in the MacAdmin World.

Apple is Firing on all Cylinders

Looking back, it is amazing how many new products Apple introduced in 2018. The HomePod, originally planned for late 2017 started the year. There was a overhaul of the iPad line with the new low-end model in the Spring and the new iPads Pro in October. The Fall event yielded not just one new iPhone model, but three, as well as a redesigned Apple Watch. Many new, and long-awaited Macs with the new MacBook Pro, MacBook Air, and finally a new Mac mini.

Apple also released tons of new software and services. There was Apple Business Manager, an updated Apple School Manager and Classroom app. Obviously, iOS 12, macOS Mojave and all their siblings, were introduced in the Fall and all the productivity apps, as well as the Pro apps (Logic and Final Cut) got some interesting updates. The Shortcuts app is a new (or at least re-branded) addition to iOS. Apple Books (iBooks Store) and the Mac App Store got a new design overhaul.

It is also interesting to consider the products that Apple did not update this year: AirPods, iPod touch and iPad mini, Apple TV, iMac (Pro), MacBook and Mac Pro.

Some of these (AirPods, Apple TV, iMac) are likely on a two-year upgrade cycle and should get an update in 2019. Apple famously pre-announced the (highly overdue and anticipated) new Mac Pro for 2019. The 12″ MacBook could be on a two-year cycle, but also occupies an awkward postion between the new MacBook Pro and MacBook Air. This leaves the iPod touch and iPad mini in a sad state (or maybe not?)

Apple is Pruning

Among all of these updates and new products, Apple has also pruned their product line.

Apple announced they would stop making Airport Base stations and Time Capsules. The iPhone SE was discontinued. There are no more iPhones sold with a headphone jack.

In the MacAdmin space, Apple announced the removal of many services in the macOS Server application, leaving only a few. What remains of Server is Profile Manager, Xsan and Open Directory.

All the new Macs with the T2 system controller will not NetBoot any more. All new Mac models introduced in 2018 have the T2 system controller. While this is a huge improvement in security and performance, administrators will have to adapt to the changes this heightened lockdown brings. We can’t say we haven’t been warned, though.

Apple in Enterprise is growing

Even though Apple’s events focus on the consumer business, Apple has been gaining market- and mindshare in Enterprise and businesses. We rarely get numbers on this from Apple directly, but their partners and customers seem happy enough to brag.

Apple’s strong message on privacy is aimed mostly at end users. Enterprises are listening as well, and mostly like the messaging.

Many IT organisations that traditionally only supported Windows now have to open up their services to mobile smart phone platforms. This also creates an opportunity to add support for other platforms and has led to a Mac revival in many organisations.

We are also seeing many traditional ‘Enterprise’ solutions being built with iOS support, such as Cisco Security Connector. Again, while these solutions are built mainly with iOS in mind, the less prominent elder sibling macOS often gains support as well.

Overall, the trend in many Enterprises is to support more than just one platform. This is an important change the previous “Windows, unless you have a really good reason.” Once you (have to) break with single-platform policies, then adding even more platforms becomes easier.

This process is not universal, however. Microsoft has announced it will switch to using the Chromium engine for their Edge browser, leaving only Firefox as the last major non-WebKit based browser.

Apple is reaching out

Maybe as a result of the continued interest for Apple in the Enterprise, Apple has, for the first time, officially had speakers at the Penn State Mac Admins Conference.

There have been ‘unofficial’ or even ‘undercover’ sightings of Apple employees at conferences before, but officially providing speakers for sessions is new for Apple. At least since the demise of the IT Track at WWDC in 2009. I think this is a wonderful development and hope Apple continues this new policy of communication with more conferences.

Apple employees Jeremy Butcher and Doug Brooks were guests on the MacAdmins podcast, where they talked about the new hardware, MDM and the T2 chip. This was an amazing surprise in 2018, and would have been hard to imagine just a few years ago.

Apple is Hiring

In 2018, we have seen several members of the MacAdmins community and wider Apple Tech scene get hired by Apple. I am wishing all of them the best!

I think it is great that Apple is hiring these experienced experts into the various teams and hope that their voices and skills will be valued and listened to. Much can be gained both within and outside of Apple when these skills are applied well. I do not want to imply that the existing members of the various Apple teams don’t have important skills, but ‘outside’ experience and perspective is very valuable.

On the other hand, it is a bit sad that the secretive Apple culture is now removing these voices from our community, at least for the time being. Maybe the new openness that Apple has demonstrated will allow us to hear from them before the end of their stint at Apple.

MacAdmin Community is Growing

That said, the MacAdmin community is growing at an impressive rate. The MacAdmins Slack went above 20K users with nearly 4000 weekly active users.

What I find interesting and encouraging is that these aren’t just “senior” MacAdmins with decades of Apple experience, but many young and new people who come here from other platforms or other support jobs.

To all admins new to the Mac and iOS platform: Welcome!

If you haven’t joined the MacAdmins Slack yet, do it now! You can read my “opinionated guide to MacAdmins Slack” first.

The Admin Environment is getting more complex and integrated

Another good reason to welcome all those new admins is that we have a lot of need for them. More and more organisations are in need of MacAdmins. But also the Apple platforms are required to integrate into more and more other complex systems and platforms.

Laptops and smart phones aren’t standalone devices anymore, but work within a complex web of networks, services, other devices and applications. No piece works entirely without any of the others.

With the demise of the Xserve, the Mac mini Server and, most recently, macOS Server, “Mac” admins have to use other platforms to host essential services. This provides several features, such as virtualization and cloud services, that aren’t possible with macOS.

In some organisations, you may still be able to have a single admin to manage everything tech related, but in most cases Mac and iOS engineers will have to work within teams of admins managing multiple different services and platforms.

Not only do traditional Mac admins have to learn other platforms and services, but the admins with backgrounds in these other platforms are now confronted with Mac and iOS and many of them are starting to take reponsibilities for these platforms as well. Once again, welcome!


We got the --eraseinstall option for the startosinstall command. You can tell this got me excited because I helped build an app around that. Also, the startosinstall command was made official by Apple, after lurking in the macOS installer application bundle for a few system releases.

Together with APFS for all drives in Mojave, MacAdmins can now build a new installation based workflow for all Macs that can support 10.14 and beyond. You can read more about this in my latest book (another highlight for me in 2018) ‘macOS Installation for Apple Administrators.’

The new Mac hardware is definitely interesting. The Mac mini didn’t just get a speed bump, but a major boost. Apple has clearly recognized that the mini is not only being used as a cheap entry-level Mac, but as a “Pro” device where an iMac, iMac Pro or Mac Pro is overkill.

The T2 System Controller chip has been in every new Mac model introduced in 2018. Even the new MacBook Air and Mac mini have the T2. I really appreciate the performance and security implications. But the T2 brings with it new limitations and workflows for MacAdmins.

Still Missing for Admins

Much has been said about Apple’s ‘misses’ for 2018. From a ‘normal’ user perspective I liked Rene Ritchie’s summary: Vector Apple misses

Since admins are also users, all of those topics are relevant to us, too. However, as MacAdmins we have other concerns as well.

Mac App Store: VPP vs Subscription and in-App-Purchases

The Mac App Store application got a visual overhaul in Mojave. The backend, however, remains an utter mess. (I am still continually annoyed by the fact that I cannot search, purchase or even reliably view apps for other platforms.) While I approve of the application sandbox on macOS in general, the limitations imposed by Apple still exclude entire categories of useful tools and applications from the Mac App Store.

Nevertheless we have been promised more software for the Mac App Store, most prominently Microsoft’s Office 365 Suite. Since Apple showed off Adobe Photoshop for iPad in the Fall event, there may also be hope for Adobe applications. Both of these solutions are from prominent large vendors and one would presume the app would be free in the Mac App Store (like on iOS) but require an subscription (Office 365 or Adobe Cloud) to unlock or activate.

Apple mentioned at WWDC in June that they were adapting the rules to allow for more apps in the Mac App Store. They explicitly mentioned Barebones’ BBEdit and Panic’s Transmit, both of which were present in the Mac App Store previously, but left because of limitations. Panic published Transmit in November, with a yearly subscription price. You can still get Transmit for a fixed single price from their website.

Apple has been pushing the subscription model as a solution for vendors to get recurring income without paid upgrades. Other apps, like the great applications from the OmniGroup, are also free to download, but require an in-app purchase to unlock the full feature set. While subscriptions and in-app purchases have their downsides, I think they can be a useful solution for developers and users.

However, when you need to buy applications in large numbers from the Mac App Store, Apple will refer you to their Volume Purachasing Program (VPP) now called “Applications and Books” as part of the Apple Business Manager or Apple School Manager. Neither subscriptions nor in-app purchases are supported by VPP.

Furthermore, MDM commands are sent to a client without the expectation of any feedback, other than that the command was received. The installation may fail and the MDM will not care. Some management solutions close the loop by reporting installed applications back through a custom agent and can take action on that data. But it would be nice if this loop were closed by the MDM protocol and agent directly.

The example of Transmit shows that Apple seems to be working on expanding and refining the set of entitlements available. This is promising, but as the continued absence of BBEdit demonstrates, still requires a lot more work, time and patience.

Obviously, Apple will not comment on future features. These limitations have existed for several years now. On macOS, software vendors at least have the option of offering installers and volume or education licenses outside of the store. But, as subscription and in-app purchase models are becoming more popular in the iOS App Store, this is turning into a problem not only for macOS.

All of these limitations are holding back the App Stores and VPP as a deployment tool. I believe that pushing VPP applications with an MDM could be useful and powerful. Admins can securely push a VPP app and its configuration together with a profile or managed app config and manage licensing or subscription, without the need scripting or packaging. On iOS, VPP is the only solution for this. But Apple is hobbling their own solution by not offering subscription or in-app purchase VPP.

Full “Zero-touch” Deployment

Apple and many management system vendors like to tout “zero-touch” deployment. This of course means “zero-touch” for IT department. I do appreciate the elegance of these kinds of workflows, where a device can be shipped directly to the user and the device is automatically enrolled on first setup. This allows for deployment workflows that simply weren’t possible before.

That said, there are other environments with vastly different requirements. Especially education setups still have labs or carts full of iMacs or MacBooks. Imaging and NetBoot are dead for new Mac models with T2 chip and Secure Boot. But the new deployment models always require user interaction at some point during the re-install/enrollment workflow.

When you use DEP (Automated MDM Enrollment), you can suppress most of the screens during system and user setup, but there are a few screens (Region, keyboard layout, possibly time zone, and then, of course, approving the Remote Management) that you cannot skip. Any deployment workflow will stall at this point, until someone physically clicks through those dialogs.

You can skip SetupAssistant and DEP entirely and enroll to the MDM with a script or pkg. This defers the mandatory clicking for user approval to the end of the deployment workflow, but there are still some configuration and deployment tasks, that have to be put on hold until user-approval of the MDM is given. Third Party Kernel Extensions and tools that require PPPC approval can’t be installed without a UAMDM.

User-approval should be required during a manual enroll or after an enrollment done with a script. This is a necessary security measure to prevent computers from being enrolled to rogue MDMs by malware.

However, automated enrollment with DEP should not require any user interaction. Once a Mac is listed in the Apple Business/School Manager, it should be considered owned by the organization. I believe admins should have the option to pre-configure and skip every step of the setup workflow.

macOS Installer Versions

Apple has finally acknowledged the startosinstall command, was among my highlights. They also added a very useful option with --eraseinstall. To use this tool, you need to have the “Install macOS *.app” on the Mac (or an external storage). And you need the correct version.

Hardware specific builds of macOS aren’t a new thing. When new Apple hardware is released, it usually comes with a very specific build of macOS that will run exclusively on that hardware. Usually with the next update to macOS the hardware specific build will be merged into the main macOS build and we have a universal installer application again. There are exceptions: the iMac Pro had an hardware specific build for two updates and was not merged until 10.13.4.

The 2018 MacBook Pros were released with a hardware specific build of macOS 10.13.6. Since 10.13.6 was the final update for 10.13, admins holding on to 10.13 for the time being will have to provide and manage the general version of 10.13.6 as well as the hardware specific build for the 2018 MacBook Pros.

Additionally, it is really hard to get a hardware specific macOS installer application through any official means from Apple. You can download the generic installer from the Mac App Store on any Mac that support High Sierra other than the 2018 MacBook Pros. You should be able to download the hardware specific build of 10.13.6 on a 2018 MacBook Pro that requires it, but that process has been riddled with errors and bugs.

All these various builds and versions are tracked and communicated by MacAdmins, but not by Apple. As of this writing, this Apple Support article has no mention of the hardware specific builds of 10.13.6 or any Mojave version, even though it was updated in December. There were specfic builds for the 2018 MacBook Pro (17G2208), Mac Mini (18A2063), MacBook Air (18B2107) and MacBook Pro with the Vega card (18B3089).

This is horribly frustrating. Greg Neagle reverse engineered the download process of the macOS install application and built a script. The script will still have to be run on the respective hardware, but it is more reliable to download a specific installer than the Mac App Store.

I am (once again) hugely grateful for Greg’s effort. However, that so many MacAdmins rely on a hack to download the essential piece of the deployment workflow, is nothing but a disgrace, no matter how well-executed the hack is.

On top of that, security updates don’t increase the version number, but do change the build number, resulting in a confusing list of possible build numbers for 10.13.6.

Apple has provided helpful download links for older macOS versions as support pages. These links lead to the Mac App Store. But links to older macOS downloads will fail on any Mac that doesn’t support that particular macOS version.

I understand that normal end users probably shouldn’t be able to view or download a version of macOS that cannot be installed, but there should be an official way for MacAdmins to download older versions of macOS, even when they working on the latest and greatest Mac.


Documentation on Apple’s Support pages has seen improvements in some ways. There were several timely articles posted around the release of Mojave. We got great security documents on Secure Boot and the T2 chips. We got a first, though still incomplete, glimpse at APFS documentation. The MDM specification and Configuration Profile reference moved from HTML to a PDF document, which makes it harder to read or process, but it is still being regularly updated.

Overall, however, I still have to give Apple a failing grade for documentation from a MacAdmin perspective. Crucial pieces of the deployment workflow, such as the startosinstall command, Secure Token and APFS FileVault, or how to determine which software and scripts to add to a PPPC profile have been reverse engineered by admins in the field and there is still, more than a year after High Sierra and four months after the release of Mojave, no or very sparse documentation from Apple on any of these topics.

Thanks to the amazing efforts of fellow MacAdmins we have great documents and tools for many of these topics. The spirit of sharing and communication in the MacAdmins community does everyone credit.

With success stories like SAP and IBM, no-one can credibly claim Apple is not “for the Enterprise.” Apple wants to push quick release cycles and fast adoption of new macOS upgrades and updates. I agree with these goals. But a quick update cycle also requires similarly quick releases of documentation. When you want admins to support the latest and greatest release, then you need to tell them how, and not wait for someone to reverse engineer everything.

Looking to 2019

What will 2019 bring for MacAdmins?

New Mac Pro

The highly anticipated new, “modular” Mac Pro is on the top of that list. Will it be able to excite the Pro customers? We can probably also expect a new Apple branded display to supplement the Mac Pro. Since Apple has introduced external GPUs for the MacBooks, I am wondering if a new Apple Display might come with a GPU, rather than relying on the GPU power in the Mac. I am also curious if Apple can and will use Thunderbolt 3 in other ways to make the new Mac more “modular.”

The 2018 Mac mini turned out to be more powerful than any Mac mini before. You can configure up to six i7 cores, 64GB RAM and 10GigaBit Ethernet. On top of that you get four Thunderbolt 3 ports for expansion. With a powerful eGPU or an hypothetical display with GPU, the Mac mini can already be seen as a “modular Pro Mac.” Obviously, high-end users want even more RAM, cores, and something more powerful than an i7. The iMac Pro scales from 8 to 18 Xeon cores, and 128GB of RAM, so that should be the baseline for the Mac Pro. But how else will the new Mac Pro distiniguish itself from the Mac mini and the iMac Pro? It’ll be fun to speculate and then analyse the reality.

My prediction for release date? Most likely at WWDC, though there is a chance Apple might do a special event earlier in the year.

More Security and Control

The 2018 Mac models have shown that the T2 system controller or its successor will be in all Mac models going forward. It provides better and faster local disk encryption, Secure Boot, system activation at installation, and can block external boot. Apple has had these “features” in iOS for years.

Secure Boot can be disabled and external boot can be “unblocked” on Macs, but a new system out of the box will have the most secure settings. This follows the model that SIP and user-approved Kernel extension have set in the past.

Apple could start mandating some of these settings. However, they have not mandated SIP even after several years, might be a sign that they will keep those ‘backdoors’ available for a bit longer. (I don’t recommend disabling any of these security features, they are there for a reason.)

Having T2 (or something better) across all Macs could allow Apple to implement some other options, such as stopping to activate/sign older macOS versions, blocking them from being installed. Before they can do that effectively, we will have to wait out the life time of pre-T2 Mac models. Even though all new Mac models in 2018 have the T2, Apple still sells models without T2 chips, such as the entry level MacBook Pro and MacBook Air. To effectively implement something like this, Apple would have to wait until a large fraction of the installed base has the T2 (or better) chip. Given the current life time of Mac hardware this will take at least three to five years.

So, while forthcoming Macs might implement stricter local security, I don’t expect major changes in 2019.

UIKit on macOS

Another big announcement at WWDC 2018 was that Apple had started to port UIKit, the framework for writing applications on iOS to macOS. For now, Apple is ‘testing’ this approach with four of their own apps: Stocks, News, Home and Voice Memos. This framework is not yet available to third party apps. (At least not officially.) The framework (the suspected code-name is ‘Marzipan’) should be available to third-party developers in ‘2019’, most liekly with macOS 10.15.

This will lower the threshold for porting apps from iOS to macOS. Apple surely expects this will be a huge boost to app availability for macOS. However, there are reasons that macOS and iOS are very separate platforms with different UI frameworks. The date or time picker in the Home app is exactly the same as in iOS and not optimized for mouse/trackpad input. None of the Marzipan apps can open multiple windows.

Overall, I think that even a poorly ported Home app is better than no Home app at all. But without multiple windows or something like AppleScript support, the macOS Home app will not live up to expectations of macOS and remain disappointing.

That said, Apple was careful and kept the Marzipan framework private for a year. There will likely be major changes to the current implementation before it is released to developers this summer. Also, it will continue to evolve with future macOS updates.

Overall, I will be looking forward to this.

ARM based Macs

ARM based Macs were predicted for 2020, rather than 2019, so it might be a bit premature.

The motivation for this might be obvious. Intel has had major setbacks in their chip roadmap while Apple own ARM-based “A”-series chips are catching up in performance. Apple has repeatedly shown that they would like to own the all the pieces that go into their devices. So it seems like an obvious, even unavoidable next step to put the A-series chips that are powering the iPad Pro into MacBooks and maybe even desktop Macs as well.

While I am not going to argue that A-series chips are powerful enough for laptops and most consumer desktops, they not yet comparable to the high end “Pro” chips, especially for desktops. Using A-series chips might allow Apple to innovate faster and lower prices, but it would further reduce the distinction between the MacBook and iPad Pro, something that is already putting pressure on the Mac platform sales and confusing for customers.

On the Mac platform, Apple just recently re-commited to Intel with Xeon in the iMac Pro and the Core i7 chips in the new Mac mini and MacBook Air. Presumably the new Mac Pro will have a Xeon chipset that can keep up and exceed the iMac Pro.

It is conceivable that Apple has some massively parallel “super-A-series” logic board design. But that would be a strange course correction away from the path that we have seen in the iMac Pro. GPU power is a key to high-performance computing, VR and AR and machine learning. Any solution Apple uses for future “Pro” Macs will have to support high-end GPUs.

Since the MacBook Air and Mac mini just got refreshes, I don’t expect any news on A-series Macs until these are up for a hardware refresh, probably in late 2020. That timeline would make it unlikely to hear anything at WWDC this year.

The 12“ MacBook is the one wildcard. The 12” MacBook remains positioned oddly between the new MacBook Air and the the 13“ no Touch-bar MacBook Pro. If Apple wanted to show off a power-sipping A-series chip in a notebook form factor, possibly at a lower US$999 entry price, a new 12” MacBook with a single USB-C port, like the iPad Pro, could work quite well.

But would this A-series notebook necessarily be a “Mac?” Keep in mind that Apple rebranded their Book store this year, possibly allowing the “iBook” brand to return to its original use.

Whether this year, next year or later, macOS on A-series will come with some pains for MacAdmins. This will be a hardware specific build of macOS that cannot merge. This new macOS will probably have a deployment even close to iOS than the current macOS. Software could be offered in fat-bundles, including the binaries for both chip sets, or merely fat installers, that choose the binary during installation. Or, the Mac App Store could be the sole means of software distribution, like on iOS.

MacAdmins have weathered transistions like these before. Both the transition to Mac OS X from “Classic Mac OS 9” and the Intel transition actually resulted in many new tools and workflows being developed and used for deployment.


Times will remain interesting and exciting for MacAdmins. It is obvious that Apple and the entire tech industry have no plans of reducing momentum or changing direction. While it is not always clear in which direction the field is moving, anyone who’d rather stand still and hold to things as they are (were), will be left behind.

Continous trouble-shooting mode and beta-testing can be tedious and frustrating, but when managed correctly, will result in an flexible and up-to-date deployment, where users can get the latest and newest hardware and software, without IT standing in the way.

On to tackle 2019!

Weekly News Summary for Admins — 2018-11-23

Just a quick roundup this week. Because of the US Thanksgiving week it is pretty quiet, and I am travelling. I will try writing up a newsletter over the next two weeks, but no promises.

I have put together a few deals. My own books are also on sale through Monday, Nov 27 (Cyber Monday)

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

Black Friday Deals for Admins

On Scripting OS X

News and Opinion

MacAdmins on Twitter

  • mikeymikey: “Sounds like some Quicktime codec support changes coming again.… ”
  • Tim Hardwick: “I’ve been testing Folder Actions in macOS Mojave 10.14.1, and the results aren’t good. Apple needs to look at how new security approvals are implemented for workflows containing Apple Event scripts, because the reliability of automated actions has taken a dive.”
  • William Smith: “Microsoft Remote Desktop for Mac 10.2.4 beta introduces… SCRIPTING SUPPORT! See today’s announcement in #microsoft-rdc channel on #MacAdmins Slack for details and usage. Run ”Microsoft Remote … Remote Desktop” –script help
  • Greg Neagle: “Ralph Breaks the Internet opens today in the US and some other markets! Be sure to stay through the credits for mid-credits and post-credits scenes!”

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Listen


There are no ads on my webpage or this newsletter. If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

macOS Installation Book – Update!

When I published my new book on “macOS Installation” I was very aware of the fact that I was trying to capture a moving target. The good thing about digital books is that they are software and, as such, can be easily updated.

Today, I pushed the first update to “macOS Installation” to include some extra information from the last few weeks.

I am somewhat surprised that neither of the two 10.13 updates since the book was released or the news about macOS Mojave (10.14) at WWDC has led to major changes.

Even the release of the 2018 MacBook Pro last week confirmed our expectations rather than surprising them. Nevertheless, the updates and other new information have added up to the point where I thought it was time for an update. I have listed the changes here. You can also find the list of changes (with links to the relevant sections within the book) in the ’Version History) section of the book itself.

  • Updated Secure Boot sections to include the 2018 MacBook Pro
  • Added a few notes on Recovery and Content Caching changes with 10.13.5
  • Restructured and re-wrote the first section of Chapter 5. It is now two sections with some new figures.
  • Older macOS Versions: added a link to El Capitan download
  • APFS: replaced mentions of ‘Flash’ drives with ‘solid-state storage (SSD)’, added a note of Apple’s APFS plans in macOS Mojave
  • corrected the description of non-removable MDM profiles in ‘Avoiding DEP’

Most of the changes are in anything related to Secure Boot (because of the new MacBook Pro). I also re-wrote and clarified the first section of Chapter 5, the ‘Strange New World’ section and added a few new figures to visualize the workflows better. (You can sample read the original version.)

If you have bought the book, the update is free and you should be notified about it in the iBooks app. If you have not purchased the book yet, you can get in the iBooks Store!

Thank you!

Hasta la Vista, Imaging…

New MacBook Pros! With T2 chips!

The new features, improved RAM and SSD capacity, keyboard (!) and screens are all nice and interesting. Even more remarkable is that Apple mentions the T2 chip in the headline.

Of course, the T2 chip means, that like the iMac Pro, the 2018 MacBook Pros will not NetBoot (at all) or boot from external devices (without going through a convoluted setup process).

So far, it was possible to downgrade 2017 MacBook Pros to Sierra and keep using the same imaging procedures as before. Now, Apple has now moved their flagship Mac model to the new architecture.

If you do not have an installation based deployment based workflow prepared yet, it is high time to get one in place. I explain what you can do and some examples of how you can do it in my new book: “macOS Installation for Apple Administrators” (sample chapter here).

The Next Age of the Mac

Yesterday marked the day where Mac OS X has been available to the public longer than the previous Macintosh operating system (known as ‘Mac OS’ [with a space] or ‘Classic’ towards the end of its lifetime).

This has been noted by many on Twitter and on the Mac news sites.

I do think it is a milestone worth noting. Darwin/Mac OS X/OS X/macOS has served as a stable foundation not just for the Mac but also for the iPhone, iPad, Apple TV, Apple Watch and now even the HomePod.

However, I have also seen comments that the “next age of the Mac” will have to happen soon, because Mac OS X/macOS is so old now. That statement really bugs me.

Mac OS X was not Apple’s first attempt at an operating system to replace ‘Classic.’ In the late 80s and early 90s it was already obvious that the Macintosh System architecture would not scale to modern CPUs and work requirements. An application that crashed would normally take down the entire OS. You had to assign memory to an application manually. System Extensions would frequently conflict with each other and also crash the entire system. There was no concept protected memory or segregating processes from each other. There were no multiple users with access privileges in the file system.

The operating system had been designed for a 8MHz 16-bit CPU with 128KiloByte of RAM where every cycle and every byte had to count! Apple was now in the PowerPC era and the requirements for the system were vastly different.

Taligent, Copland and Gershwin were successive efforts and promises for a better system that each failed for various reasons. Some of the parts of each did find their way into Mac OS. Then Apple bought NeXT (and Steve Jobs) and the rest is history.

So, for most of the nineties, it was obvious that the classic Macintosh system needed replacement something newer. Microsoft had Windows NT and alternative operating systems like BeOS and NeXTStep were showing the way. By the time Mac OS X arrived, classic Mac OS was old, but users needed to hang on to it because of critical applications and workflows.

Now, in 2018, macOS might be as old as Classic was in 2001, but it doesn’t feel as old. Like the original system for the Macintosh 128K, Mac OS X 10.0 was designed for entirely different hardware and use cases. In 2001 only the high-end PowerMacs had two CPUs. Mac OS X required at least 64MB of RAM (a 500 fold increase over the original Macintosh). Laptop batteries would last for three to four hours under the most ideal circumstances. Digital photography and video was still vastly inferior to analog. Music came from CDs. Screens had far lower resolutions and security meant requiring a password to login. Wifi was new, and hardly ubiquitous. Bluetooth was brand new and used in expensive cell phones which where used for talking, not data. There was no App Store.

All of this would change, sometimes quickly, over the next years.

Mac OS X and Apple as a whole were able to adapt to these changes. Hardware and software were optimized to deal with video and media. Multi-tasking and threading were improved as multiple CPUs and cores became cheaper and common, even in laptops, tablets and phones. As mobility and power consumption got more important the hardware and software was adapted to take that into account. Security and privacy became more and more important and integrated in the operating systems and file systems.

Apple used Mac OS X as the basis for iPhone OS, porting a Unix system to a phone. There has also been much back and forth of software and technology between the two systems (or three or four). macOS and iOS have evolved, changed and adapted in a way that the classic Mac OS in the 80s and 90s did not.

I am not claiming that macOS in its current form is perfect and cannot or should not be improved. In a few days at WWDC Apple will show us how they plan to further evolve macOS and iOS to adapt further to the future and I am looking forward to it.

When you wonder ‘what is next for the Mac’ you are ignoring that in 2018, the Mac and macOS are not an isolated platform any more.

All my Apple devices talk with each other and exchange data. My Mac shows me which website I am reading on the phone. My phone unlocks my watch and my watch can unlock my Mac. I can create a note on my tablet, add pictures from the phone and finish it on my Mac. I can read messages on my Mac or have them read to me by the phone through my headphones. When I say ‘Hey Siri’ the devices that can hear me decide among themselves which should answer.

macOS and the Mac are now just a part of larger ‘system.’ This system runs on different devices: from my headphones to the iMac on my desk to servers on Apple’s data centers. It includes custom silicone, software, and data stores and relies on communication and local cached data and protocols to communicate locally and all around the world.

The digital hub has grown to the ‘digital net’, where everything is connected and (ideally) everything is available everywhere.

Not all of this works all the time yet. Why the iPhone still cannot pickup a playlist from where I paused it on the Mac is still an absolute mystery to me.

When this new system fails, we get very frustrated, there is no ‘shell’ we can drop down to, to fix a thing. It is often quite impossible to even figure out in which part of this net of devices and services the problem is occuring.

macOS, iOS, iCloud, Siri, HomeKit, Bluetooth and Wifi, Messaging, email, App Stores and third party apps, devices and services like Google, Office 365, 1Password, etc.

Hardware, software and services. All have to work together in the digital net.

When Apple introduced Mac OS X one of the main benefits was that you could easily manage multiple users on one device.

Now, 17 years later, we have multiple devices per user.

I want is the Mac to keep evolving and adapting with my digital net, so I can continue to use its strengths (large screen, CPU/GPU power, storage, high throughput I/O) and supplement its weaknesses (not mobile, few sensors) with the other devices and services. I don’t want the Mac to fall behind or out of the digital net.

I want to stop having to think about whether something I want to do is a “Mac” task or a “phone” task, but whether I’d rather have a keyboard and a large screen or maybe prefer to do it in a chair in the backyard or by talking with Siri, while walking somewhere. Not all those options will work for every task, but I’d like the options to increase. And I want the Mac to be part of that.

I don’t expect a new age for the Mac. I don’t want a new age for the Mac. That would be too small, too myopic, too limiting.

The next age of the Mac is with the digital net and it has already begun.

Dutch MacAdmins Meeting: 8 June

The (ir)regular meeting of Dutch MacAdmins will happen again! We will meet on June 8, 14:00-17:00 at SAP Netherlands in ‘s-Hertogenbosch. Main topics will be:

  • WWDC news and how it affects MacAdmins
  • Mac management at SAP
  • anything else you may want to bring up

Join #thenetherlands channel on MacAdmins Slack for questions, feedback and great discussions or if you want to volunteer to present.

Registration (Eventbrite, free)

Converting Composer dmg ‘installers’ to pkg

Jamf Composer has always had two formats to build installers. The standard pkg and the seemlingly standard (but not) dmg. The pkg option will build a standard pkg installer file, which will install with any system that can install pkg files.

The dmg option will build a standard dmg disk image file, with the payload of the installer as contents. On its own, however, this dmg cannot do anything. The Jamf Pro management system how ever will understand what to do and how to install the files from the dmg to a system. There are certain features in Jamf Pro which can install and distribute files to user directories and templates (called ‘Fill User Templates’ FUT and ‘Fill Every User’ FEU) which only work with dmg installers in Jamf Pro.

However, Jamf themselves have been recommending to use the standard pkg format in favor of their proprietary use of dmg. Also the Composer application is 32-bit and its future is uncertain.

Luckily there are plenty of great other third-party tools to build installer packages. I cover many of them in my book: Packaging for Apple Administrators

In general, it is probably preferable to re-visit your imaging process and rebuild any installer you still may have in dmg format from scratch. However, in some cases that might not be possible or necessary.

Since the Composer generated dmgs contain all the files for the payload in the proper folder structure you can just use the entire mounted volume as your payload root for pkgbuild. You can easily convert a Composer generated installer dmg to a standard pkg with these commands:

1) mount the dmg:

$ hdiutil attach /path/to/Sample.dmg

this will output a bunch of info, the very last bit is the mount point of the dmg /Volumes/Sample (the name will depend on the dmg)

2) build a pkg with the contents of the mounted dmg as a payload:

$ pkgbuild --root /Volumes/Sample --version 1.0 --identifier com.example.sample --install-location / Sample-1.0.pkg

This will create Sample-1.0.pkg in your current working directory. (I like to include the version in the pkg file name, but that is entirely optional.)

3) cleanup: unmount the dmg

$ hdiutil detach /Volumes/Sample

Obviously this will not work well with other dmgs, such as Full System dmgs, or dmgs downloaded from the web, which contain an app that should be dragged to /Applications to install (use quickpkg for those dmgs).

macOS 10.13.4 Spring Update for Mac Admins

With the recent release of 10.13.4 (the ‘spring update’) a few things have changed for the deployment of macOS. The initial premise is still unchanged: Imaging is still dead.

(NetInstall got a bit of a life extension, though.)

I have written a book which expands on this topic and is regularly updated. Please check it out: “macOS Installation for Apple Administrators

Quick Recap

High Sierra came with many features for both users and admins. However, for Mac admins it brought the support article HT208020: “Upgrade macOS on a Mac at your institution”. In this article Apple lists the supported means of installing and upgrading macOS and explicitly states that ‘monolithic imaging’ is not recommended and will not ensure that the firmware of a Mac is of the correct version to run the OS image that was just laid down. (I posted an article on this back in October.)

Then, with the release of the iMac Pro in December, it became clear that NetBoot and NetInstall, will not be supported with the new hardware. The assumption is, that will also be true for all new Macs with the T2 or a newer system controller. (My post on that, from December.)

NetBoot and NetInstall are used by many administrators to provide a centralized workflow to (re-)deploy or re-purpose a Mac. Common tools are macOS Server’s NetInstall, DeployStudio, AutoCasperNBI, or Imagr.

On top of that some NetInstall features, such as automated installation and adding custom packages were broken in earlier releases of 10.13.

Also booting off external drives became much harder on the iMac Pro, since its default security prohibits external boot and you have to go through the entire installation process before you can re-enable it.

Also Apple announced that the macOS Server app will lose most features, including NetBoot/NetInstall in a future release later this year. (My post on that, from January.)

What changed in 10.13.4?

The ‘spring update’ macOS 10.13.4 brought a few welcome changes.

We got a glimpse of some of these in February when HT208020 was briefly updated with new information. Interestingly, now that 10.13.4 is released, HT208020 has not been updated.

However, we got new detailed information in this article:

Enterprise content:
 - No longer disables User Approved Kernel Extension Loading on MDM-enrolled devices. For devices with DEP-initiated or User Approved MDM enrollment, administrators can use the Kernel Extension Policy payload.
- Improves Spotlight search results for files stored on network mounts.
- Properly evaluates ACLs on SMB share points.
- Adds the --eraseinstall flag to the startosinstall command in the macOS Installer app at Contents/Resources/startosinstall. Use this flag to erase and install macOS on a disk. For details, run startosinstall with the --usage flag.
- Updates System Image Utility to allow creating NetInstall images that erase and install macOS to a named target volume.

Robert Hammen posted a great summary on Slack.

Not documented here, but 10.13.4 also fixes the bug that the defaults command deletes non-plist files.


The first one is really important. Apple introduced a new security feature called “User Approved Kernel Extensions” (UAKEL) in 10.13. This means that third party kernel extensions have to be approved by the user at the Mac (within 30 minutes after installing) before they can be loaded.

Prepare for changes to kernel extensions in macOS High Sierra – Apple Support

In 10.13.0–10.13.3 Apple simplified the life of Mac admins by disabling UAKEL on Macs which were enrolled with an MDM. In 10.13.4 Apple added a Kernel Extension Policy profile payload which allows Mac admins to whitelist certain Kernel Extensions centrally from the MDM.

This is a useful addition and allows Mac admins to manage Kernel Extensions before they are installed and without the necessity of user interaction.

However, 10.13.4 also changes the previous behavior for UAKEL on MDM managed Macs. Since admins now have a way of whitelisting Kernel Extensions, UAKEL will be enabled, even on MDM managed Macs.

If you were installing a Kernel Extension on a managed Mac from 10.13.0 to 10.13.3 it would work, since MDM disabled UAKEL. Once you upgrade that Mac to 10.13.4, UAKEL will turn active and it will block the Kernel Extension from loading, unless there is a profile whitelisting the extension!

When the extension was previously manually approved on 10.13 or grandfathered in when the Mac was upgraded from 10.12, then it will still run under 10.13.4. While all of this has some internal logic, it will lead to strange situations were Kernel Extensions will load on some clients and not load on others.

The best way to avoid the confusion is to have the Kernel Extension Policy profile ready and in place before your clients update to 10.13.4. In other words: now!

User Approved MDM

However, (yes, there is another ‘however’ here). The Kernel Extension Policy profile has to “be delivered via a user approved MDM server.” This is another level of security introduced to keep the user in the loop.

Apparently there is malware/trojans that tricks users into accepting MDM profiles to connect their iOS devices or Macs to malicious MDMs. I am not convinced these new measures will be effective against this kind of trickery, though.

Macs deployed with the Device Enrollment Program (DEP) are considered “user approved” by default. Otherwise the user has to approve the MDM profile when it is installed. Again, this cannot be automated or approved over remote control.

This can throw a wrench into non-DEP installation workflows (sometimes also called user-initiated enrollment). Some management systems will let the user download a pkg that installs the MDM profile and necessary certificates. Some solutions install the MDM through an agent software (which is still necessary for many tasks that the mdm client software cannot perform). Either of these workflows will require the user to go to the Security pane in system preferences within 30 minutes after installation.

Note: Jeremy Baker found a creative way that uses User-interface scripting to click the approve button. However, his script requires Accessibility access for the script, which also cannot be provided in an automated fashion. (The database in question is protected by SIP.)

However, in 10.13.4, when a User installs the MDM profile directly by double-clicking it, they will be prompted to approve the MDM as part of the profile installation dialogs, streamlining the process.

Rich Trouton has documented the new workflows for the user in these articles:

For Jamf you will need to upgrade your Jamf Pro server to version 10.3 to get the new workflow. Other management solutions may already implement this or also need to be on the latest version to work well with these new requirements.


The next interesting new feature is for startosinstall which gains a new --eraseinstall option.

Graham Pugh has already documented this very well:

Erase All Contents And Settings – erase and reinstall macOS in situ

This allows for automated workflows where you can wipe and re-install macOS, add a few custom packages to the installation process with --installpackage arguments, which configure your management system. Then after first boot your management system takes over and installs/configures the rest.

It is important to note that startosinstall uses some APFS volume creation trickery to make --eraseinstall work. This means that you cannot run --eraseinstall on a Mac with a HFS+ system volume. You have to already be on a 10.13 system with APFS to use this option.

Nevertheless,--eraseinstall is a welcome and necessary addition to startosinstall. However, what struck me most about this is that this is the first time Apple is even mentioning the startosinstall command in any documentation. Since this tool is central to many approaches to automate the installation process, I am happy it is finally getting recognized as ‘official’.


The last feature isn’t really new. Apple fixed a bug that has been around since 10.13.0. In previous versions of 10.13, when you built a NetInstall set with System Image Utility and chose the option for “Automated Erase Install” on a certain volume (by name), the installation would just stall at a grey screen. Now, this option works as expected, when you build the NetInstall set from 10.13.4.

The days of NetInstall are still numbered because the iMac Pro (and presumably future Macs with similar controllers) cannot NetBoot at all, and macOS Server is loosing NetInstall along with many other services. Nevertheless, this provides another Apple-supported workflow for automated erase and re-install which you can customize with your own packages.

NetInstall (with or with out the erase) is also a good workflow to upgrade Macs with older versions of macOS to 10.13. (In this case we don’t care that it doesn’t work for iMac Pros, since they already come with 10.13.)

Since, currently, in most deployments the iMacs Pro will be a significant minority (if present at all), this allows administrators to deploy a well known workflow (NetInstall) for the existing fleet this year, while figuring out new workflows (startosinstall + DEP?) for future Macs.

There are, however, still a few kinks left with NetInstall workflows:

More Options

There was no Spring Update resurrection: Imaging is still dead.

It is obvious, that while Apple may not be going in exactly the direction that we would like them to, they are listening to criticism and providing solutions, albeit slowly. The additions to startosinstall and the fix to NetInstall now allow for automated wipe and install workflows. These were not really possible before.

However, installation workflows, however you start them, are much slower than block copying a prepared image. This is an important consideration for education deployments, which usually re-image dozens, hundreds, or even thousands of Macs over the summer break.

But this update now provides a few useful options for High Sierra:

  • use NetInstall Automated Erase to wipe and upgrade existing Macs from earlier macOS versions to 10.13
  • use startosinstall to upgrade and update Macs (including iMac Pros) to the latest version of 10.13
  • use startosinstall with --eraseinstall to ‘wipe and install’ existing 10.13 Macs
    • this will only work with 10.13 SSD Macs with APFS. Since Fusion drives and HDs cannot get APFS yet, you will have to use NetInstall to convert/upgrade these Macs, when (if ever) they support APFS
    • iMac Pros cannot use automated NetInstall, however, since they definitely have APFS 10.13 already installed, you can use startosinstall --eraseinstall
  • if fast restore times are important (like a loaner MacBooks scenario, where devices need to get reset to a well-known state quickly), use any of the above to get the Macs up to the latest 10.13, then you can still use imaging to quickly lay down a ‘fresh’ image of the same macOS version
    • you will need to put in extra effort to keep the image system version in sync with the version installed (or upgraded) on the target Macs

Now is the time to start testing, testing, testing to get your workflows ready for the summer re-installation marathon and the 10.14 release in the fall. (And to give Apple another chance to fix the remaining issues in the next update.)

I have ignored the file share changes in this post. While these are certainly important, they don’t really have influence on deployment strategy.

Join the MacAdmins on the MacAdmins Slack to share experiences and solutions!

Apple’s new Upgrade/Update Strategy

There is another aspect of the Spring Update.

Apple switched to the yearly upgrade cycle for Mac OS X with 10.7. (Upgrade meaning a ‘major’ version change, i.e. 10.8 -> 10.9. Nevermind that Apple uses the second version number for the major version. More on macOS version numbers here.) Apple did summer releases for 10.7 and 10.8 and then switched to the Fall release schedule. Since 10.9 releases have been reliably in late September or October.

The rule used to be that upgrades would bring lots of new features, both visible to the user and under the hood and then Apple would release updates (the third number in the version) to fix bugs and issues. Sometimes new features would be introduced in updates, but those were rare exceptions and usually done to match with iOS or iCloud (dotMac, Mobile Me) features.

The rule of thumb was that the first two or three releases were for ‘early adopters’ only and it would be fairly safe to migrate to the new major version by the third or fourth update. Admins could join the developer program to get access to the developer releases of the next upgrade after WWDC, but getting your hand on early releases of the updates was more difficult.

iOS, on the other hand, has had a different pattern. Apple released iOS 4.2 in the spring with new features to support the then new iPad. Since the iPad and iPhone hardware releases rarely synced to the same time of year, iOS has had a pattern with a major new iOS release in the Fall (usually with a new iPhone) and a ‘Spring Update’ with new features to match with a new iPad.

Even though the Mac hardware follows yet other cycles. We now see this Fall Upgrade/Spring Update pattern with macOS as well.

Apple has added new features in 10.13.4. Some are visible to users (eGPU support, Business Chat, new privacy dialogs), some are for client management (UAMDM, UAKEL profiles, new configuration profile documentation).

We now also have a public beta program for iOS and macOS which covers not just the major upgrades, but ‘minor’ updates as well. The beta versions for iOS 11.4 and macOS 10.13.5 were released right after 11.3 and 10.13.4. And it looks like they will contain yet more new features (iMessages on iCloud and AirPlay 2).

The fact that Apple is willing to add new features or change existing fucntionality at any time during the update cycle is a win to users. It is also a reaction to competitors more-cloud based solutions that can be updated at any time.

However, for us admins this means change:

  • the notion of a ‘stable’ release is a thing of the past.

Features might be added or changed at any time during the upgrade cycle. Different parts of the deployment and workflow will be in different stages of ‘maturity’. Additionally, parts of the workflow (DEP, MDM, and VPP) exist in the cloud and might also change at any time (Apple School Manager was not introduced with a major iOS release and it looks like Apple Business Manager will not sync with a major iOS or macOS release, either).

macOS and iOS don’t stand alone. Apple (and third parties) are building networks of operating systems, software, devices and cloud-based services. Scheduling these releases in to a yearly major update cycle must be nearly impossible. It is also not necessary as distribution of software has become reliable, secure, and fast enough to push frequent updates.

In some ways Apple is reacting to their more cloud-based competitors, which can and will push incremental updates to their systems continually.

  • ‘permanent beta’ mode

The beta versions for iOS 11.4 and macOS 10.13.5 were released hours after the release 11.3 and 10.13.4. If you are concerned how the new updates will work (or not) in your environment, you have to be testing now.

This is being a pro-active adminstrator. Rather than waiting for problems to occur and trying to fix them, you are anticipating problems and trying to pre-empt them. The traditional release cycle of the past allowed us to switch between the two roles over the year. Now, we are either in permanent beta-test or in permanent break/fix.

I don’t think any one likes it, but it is the situation we have to deal with and I don’t see that changing any time soon. You will have to adapt your and your organization’s workflows to adapt to this new situation.

  • Apple is listening and communicating the changes

Provide feedback (bugreports) to Apple. Not all the issues you find will be fixed (some might be).

However, this gives you time to document issues for your users and allow you to implement management strategies to ameliorate them. (Even if all you can do is write knowledge base articles along the line of “we know this is broken” you are saving some people a lot of time and nerves.)

I find it very interesting and encouraging that we are learning about these changes in offical support articles. Also then changes to UAKEL and UAMDM were based on user feedback, mainly adminstrators who complained that the feature as it was initially implemented was unmanageable.

Of course there are many other challenges and issues which have not been fixed (yet). But it is encouraging to see this kind of feedback work.

I have written a book which expands on this topic and is regularly updated. Please check it out: “macOS Installation for Apple Administrators

MacAD.UK Terminal Witchcraft and Wizardry Session

The fine people from MacAD.UK have started putting the sessions from this year’s conference online for every one to use.

The video of my presentation titled “The macOS School of Terminal Witchcraft and Wizardry” was uploaded earlier today. Go watch it!

You can find the slides and some notes on my session here.