Install Bash 5 on macOS

The default bash on macOS is still bash v3:

$ bash --version
GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin18)
Copyright (C) 2007 Free Software Foundation, Inc.

Just recently, bash v5 was released. The discrepancy comes from the fact that bash has been licensed as GPL v3 since version 4. Apple does not include GPL v3 licensed tools with macOS.

However, nothing is keeping you from downloading and installing the latest bash version.

New features include, among many other things, associated arrays (i.e. dictionaries) and better auto-completion setup.

While you would think this is a common desire, most pages I have found will simply point to Homebrew to download and install a newer bash version.

The main challenge with using brew is that it does not work on the scale that MacAdmins require. brew is designed for single user installation, where the user has administrator privileges. brew’s workflows do not scale to large deployments controlled with a management system.

Ideally, there would be package installer for the latest bash version. Unfortunately, the bash project does not provide one.

In this post, I will show how you can install the latest bash version without brew and how to build an installer package for deployment.

Manual Installation

This requires Xcode or the Developer Command Line Tools to be installed.

First, download the source for the latest bash version from this page. As of this writing the latest version is bash-5.0 and the file you want is bash-5.0.tar.gz. Once downloaded, you can expand the archive in Finder by double-clicking.

Update: I have a post with some updated instructions to include the patches to bash 5.0.

Open a Terminal window and change directory to the newly expanded bash-5.0 directory. Then run the configure script there.

$ cd ~/Downloads/bash-5.0
$ ./configure

The configure process will take a while, there will be plenty of messages showing progress.

Once the configure process is complete. You can build bash with the make command.

$ make

This will build the bash binary and the supporting files in the current directory. That’s not where we want it in the end, but it is probably a good idea see if the build process works. This will (again) take a while. There will be some odd looking warnings, but you can ignore those.

When make succeeds, you can actually install bash v5 with

$ sudo make install

This will build and install the bash binary and supporting files in /usr/local/bin and /usr/local. sudo is required to modify /usr/local.

If you were just looking for a way to install bash v5 without brew, you are done!

There is more useful information in the rest of the post, though, so keep reading!

How the new and the old bash interact

By default, the bash v5 binary is called bash and will be installed in /usr/local/bin. The macOS default PATH lists /usr/local/bin before /bin where the default bash v3 binary, also called bash, is located.

This means, that when a user types bash in to a shell, the version in /usr/local/bin will be preferred over the pre-installed bash v3.

You can test this behavior in Terminal. Since the default shell has not yet been changed from /bin/bash the Terminal still opens to bash v3. You can test this by showing the BASH_VERSION environment variable:

$ echo $BASH_VERSION
3.2.57(1)-release

But when you then run bash it will invoke /usr/local/bin/bash, so it will run the new bash v5. It will show this in the prompt, but you can also verify the BASH_VERSION.

$ bash
bash-5.0$ echo $BASH_VERSION
5.0.0(2)-release

This might be the setup you want, when you want to use bash v5 always. It might lead to some unexpected behavior for some users, though.

One option to avoid this ambiguity is to rename the binary in /usr/local/bin to bash5. But then other tools such as env (mentioned below) will not find the binary any more.

Note: the PATH in other contexts will likely not contain /usr/local/bin and further confuse matters.

bash v5 and Scripting

Scripts using bash, should have the full path to the binary in the shebang. This way, the script author can control whether a script is executed by the default bash v3 (/bin/bash) or the newer bash v5 (/usr/local/bin/bash or /usr/local/bin/bash5).

It is often recommended to use the env command in the shebang:

#!/usr/bin/env bash

The env command will determine the path to the bash binary in the current environment. (i.e. using the current PATH) This is useful when the script has to run in various environments where the location of the bash binary is unknown, in other words across multiple Unix and Unix-like platforms. However, this renders the actual version of bash that will interpret the script unpredictable.

For example, assume you have bash v5 installed in the default configuration (as /usr/local/bin/bash. A script with the shebang #!/usr/bin/env bash launched in the user environment (i.e. from Terminal) will use the newer bash, as /usr/local/bin comes before /bin in the search order.

When you launch the same script in a different context, e.g. as an installation script, an AppleScript, or a management system, /usr/local/bin will likely not be part of the PATH in that environment. Then the env shebang will choose /bin/bash (v3). The script will be interpreted and might behave differently.

Administrators prefer certainty in their managed environments. Administrators should know the location and versions of the binaries on their systems. For management scripts, you should avoid env and use the proper full path to the desired interpreter binary.

The solutions to resolve the ambiguity are

  • use the full path to the binary in the shebang
  • manage and update the additional custom version of bash with a management system
  • (optional) rename the newer bash binary to bash5 or bash4 (this also allows you to have bash v4 and bash v5 available on the same system)
  • Scripting OS X: On the Shebang
  • Scripting OS X: Setting the PATH in Scripts

Changing a user’s default Shell to bash v5

Even though we have installed bash v5, the default shell of a new Terminal window will still use the built-in bash v3.

The path to the default shell is stored in the user record. You can directly change the UserShell attribute with dscl, in the ‘Advanced Options’ of the ‘Users & Groups’ preference pane, or in Directory Utility.

There is also a command to set the default shell:

$ chsh -s /usr/local/bin/bash
Changing shell for armin.
Password for armin: 
chsh: /usr/local/bin/bash: non-standard shell

The chsh (change shell) command will check for allowed shells in the /etc/shells file. You can easily append a line with /usr/local/bin/bash to this file, and then chsh will work fine.

$ chsh -s /usr/local/bin/bash
Changing shell for armin.
Password for armin:

Note: if you choose to rename the bash binary, you have to use the changed name in /etc/shells and with chsh.

Remember that just running chsh will not change the shell in the current Terminal window. It is best to close the old Terminal window and open a new one to get the new shell.

Packaging bash v5 for mass deployment

While these steps to install and configure bash v5 on a single Mac are simple enough, they would not work well with a management system for hundreds or thousands of Macs. We want to wrap all the files that make install creates into a package installer payload.

The --help option of the configure script yields this useful information:

By default, make install' will install all the files in/usr/local/bin,/usr/local/libetc. You can specify an installation prefix other than/usr/localusing–prefix, for instance–prefix=$HOME`.

When we run the configure script with the --prefix option it creates a folder suitable as a payload for a package installer. We can then use pkgbuild to build to create an installer pkg:

$ cd ~/Downloads/bash-5.0
$ mkdir payload
$ ./configure --prefix=/Users/armin/Downloads/bash-5.0/payload
$ make install
$ pkgbuild --root payload --install-location /usr/local --identifier org.gnu.bash --version 5.0 bash-5.0.pkg
pkgbuild: Inferring bundle components from contents of payload
pkgbuild: Wrote package to bash-5.0.pkg

(Note: the --prefix argument requires an absolute path.)

Automate the package creation

So, we have our workflow for building an installer package to distribute and configure bash v5:

  • download the archive
  • extract the archive
  • run configure with the --prefix argument
  • run make install to create the files in a payload folder
  • optional: rename the resulting bash binary to bash5 to avoid conflicts
  • add a postinstall script that adds /usr/local/bin/bash[5] to /etc/shells if not yet present
  • build the installer with pkgbuild

This sounds like a workflow ripe for automation. You can get the script from this repository.

You can pass a different (valid) bash version number as an argument to the script, e.g. 4.4.18. (I did not test anything significantly older.) The script does not autodetect the latest version and defaults to version 5.0 when no argument is given. When an update to bash v5 is published, you will have to modify the version line or run the script with an argument.

I have not (yet) figured out how to detect the latest version from the download web page. An autopkg recipe will have to wait for that. (If someone else wants to tackle that, please do!)

Weekly News Summary for Admins — 2019-02-22

Some more rumors this week, which keep foreshadowing an “interesting” year for Mac Admins.

We also have mandatory two-factor authentication, some audio bugs, interesting documentation from Microsoft, lots of great posts from fellow admins (as usual, many thanks!), and a few updates and releases.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

On Scripting OS X

News and Opinion

MacAdmins on Twitter

  • Allen Golbig: “If you use smartcards in your environment, the latest Insider Fast build of Microsoft Outlook 16.23 (190212) supports CryptoTokenKit! ”

Bugs and Security

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Watch

Apple Two-Factor Authentication for a Secondary Apple ID

Apple sent an email to developers, stating that later this months, two-factor authentication will be required for Apple IDs used for developer accounts.

If you, like me, use separate Apple IDs for your personal iCloud and your developer accounts, this will pose some kind of challenge. There is a solution, however Apple does not document it very well.

Update: Apple now has a very detailed support page for this topic.

Two-factor authentication for the primary account

Assumption: you have two-factor authentication (2FA) enabled on your primary, personal Apple ID, and are logged in to that account on your Mac(s) and iOS devices. If you haven’t done that yet, do it now. 2FA does increase your account security significantly.

You can enable 2FA on any device logged in to the account in the iCloud Settings or preference pane. As part of the setup you can provide one or more phone numbers as a fall back mechanism. If no devices can be prompted through Apple’s built-in 2FA, it will send an SMS to the trusted phone numbers. You can use the same phone number for multiple Apple IDs, but there seems to be some limit on how often you can do that.

Enable 2FA for the secondary account

Assumption: The secondary account is your developer Apple ID, you don’t use it for iCloud storage, device backups, mail etc. You use it to log in to developer.apple.com and iTunes Connect, and to get all the certificates and other resources you need as a developer.

The challenge here is that you can only enable 2FA on the first account logged in to iCloud on a device. You could log out of your primary iCloud account, and the log in with the secondary, but this will disrupt a lot of things on your device. I’d rather avoid that.

On a Mac, you can have a separate iCloud account for each local user. So, it is easiest to create a second user account, log out of your first account, log in to the new second account and set up iCloud and 2FA for the developer Apple ID on this second local account.

You can sign in to the secondary Apple ID enable 2FA in System Preferences -> iCloud -> Account Details -> Security as described in Apple’s Support Article.

Follow the prompts to set up 2FA, you can re-use the same phone number as a trusted number. (There seem to be limits to how often you use the same phone number, but two accounts works fine for me.)

Once 2FA is set up, we don’t need the second user account on the Mac any more. Sign out of iCloud, log out of the second account and back in to your normal user account.

If you are ok with using SMS authentication (Apple calls this ‘two-step authentication’, rather than ‘two-factor authentication’) then you are done. However, many will argue codes over SMS are not good enough for secondary authentication, so we want go to ‘full’ 2FA.

Use the secondary Apple ID

As it turns out, you can be logged in to multiple iCloud accounts on the same device or account. Certain services, such as iCloud storage, or the Photo Library, will only work with the primary iCloud account, but other services, including 2FA, will work for all iCloud accounts.

On your iOS device go to Settings > Passwords & Accounts > Add Account, and choose to add another iCloud account. You probably want to turn off all services, like Mail, Calendar, etc. secondary account.

Second iCloud Account on iPhone
Second iCloud Account on iPhone

On the Mac you can do the same in System Preferences > Internet Accounts. You can use both your Mac and iOS devices for 2FA.

Second iCloud Account on macOS
Second iCloud Account on macOS

Now the secondary Apple ID will prompt the devices you are logged in as for 2FA.

2FA prompt on the iPhone
2FA prompt on the iPhone

Weekly News Summary for Admins — 2019-02-15

Lots of interesting posts this week.

But most interesting for MacAdmins fighting with SecureToken, read Rich Trouton’s two posts which might help you get out of situations that were so far considered dead ends.

MacRumors points to the week of June 3 for WWDC this year (no big surprise) and Bloomberg (the other Mac rumors site) points to March 25 for a ‘subscription service’ event. Since MacADUK starts on March 26, this event could lead to some last minute slide shuffling.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

#! On Scripting OS X

📰News and Opinion

🐦MacAdmins on Twitter

  • Kyle Crawford: “Why does Apple need a sysdiagnose for a feature enhancement? Don’t they know the features of their own software? startosinstall should warn if Internet connection is needed before running. How is a having a sysdiagnose going to add any value?”
  • Jordan Rose: “Command-line tip: sftp -a is a mostly drop-in replacement for scp that allows resuming an interrupted download.”
  • Mike Boylan: “TIL about the “HP Easy Admin” tool. If you’re a school, large org, or enterprise and are looking for the HP driver package for a printer v the home/single-use Easy Setup app, you can use Easy Admin to go get the pkg-based driver installer to be used at scale.”
  • Graham Pugh: “The clear and reliable world of DEP enrollment…” (click to see full tweet)
  • Graham Pugh: “Regex of Mojave-compatible Mac model identifiers: ^(iMac1[3-8]|iMacPro|MacBook[8-9]|MacBook10|MacBookAir[5-7]|MacBookPro9|MacBookPro1[0-5]|MacMini[6-7]|MacPro[5-6])

🐞Bugs and Security

🔨Support and HowTos

🤖Scripting and Automation

🍏Apple Support

♻️Updates and Releases

📺To Watch

📚Support

There are no ads on my webpage or this newsletter. If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Book Update: macOS Installation v4

The third update to my book “macOS Installation for Apple Administrators” is available.

If you have already purchased the book, you can get the update in the Apple Books application on your iOS device or Mac.

While I was putting this book together, macOS High Sierra was very much a moving target and I had to update and change sections frequently, sometimes while they were being written. Thankfully, the changes to macOS deployment and installation have calmed down somewhat since then. While Mojave and the new Mac hardware have brought some changes, they are not as disruptive as High Sierra, UAMDM and the iMac Pro were.

Originally, I made a commitment to update the book up to the macOS Mojave release. This is the book’s first post-Mojave update. I am planning at least one more update to cover any changes the Mojave “Spring Update” might bring.

Once we know more about macOS 10.15 after WWDC, I will decide on the book’s further future. As I have outlined in my 2018 review/2019 outlook post, I don’t expect dramatic changes this year, so it will probably make sense to keep the book going for the lifetime of 10.15.

It is quite likely that the deployment workflows outlined in “macOS Installation” will serve MacAdmins well for the foreseeable future.

This update received quite a bit of new content. I have rewritten and expanded many sections. The book is now eleven pages longer than the third version and sixteen pages longer than the first release. I have added many more links to external pages, tools, posts and support articles where they are available.

The update is free when you have already purchased the book. Unfortunately, the “updates” area seems to have gotten lost in the Apple Books app re-deisgn. You can just follow the link to the Apple Book store and the app should tell you that an update is available.

If you don’t have it yet, buy it now and get all future updates for free!

Here is a detailed list of most of the changes, which you can also find in the ‘Version History’ section of the book itself. (The version history in the book is linked to the actual changed section for easier reference.)

  • added description of the new –downloadassets option when creating external installer drives
  • updated description the –preservecontainer option in Erase Installation
  • updated descriptions of Secure Boot in various locations to reflect the Mac models introduced in October 2018
  • added an overview table for which current Mac models have Secure Boot and their minimum OS Versions
  • added links to the support pages for more versions of macOS in Older macOS Versions
  • moved and extended the section on Hardware Specific Systems and Installers
  • added downgrading limitation to Erase Installation
  • added description of fdesetup list to the FileVault section
  • added description of Twocanoe’s MacDeployStick to Sideloading Packages
  • added Manual Enrollment by IT to Manual Enrollment
  • added EraseInstall application to Restoring macOS
  • added link to support article with supporting servers to Device Enrollment Program
  • several typos, changes and clarifications

Weekly News Summary for Admins — 2019-02-08

Another busy week with lots of security related news, including an update to last week’s FaceTime problem. Also, Jamf acquires Zuludesk.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

Headlines

News and Opinion

MacAdmins on Twitter

  • Tim Perfitt: “Setting up a room full of dual boot macs with MacDeployStick fast at IETA. Arrived in room after 7:30 am and by 8 am this was the scene. macOS with windows 10, office, boot runner and more.”
  • Paul Hudson: “A few people have asked if it’s too late for them to start my #100DaysOfSwift challenge. Definitely not! You can start whenever you want, as long as you’re able to stick at it consistently. Make today your day.”
  • Kitzy: “Hard to believe it’s been over 3 years since we started MacAdmins.org, and how much the community has grown since then.”
  • Tim Perfitt: “I finally got a call from the app review team about my macOS app.” (Thread)

Bugs and Security

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Listen

Just for Fun

There are no ads on my webpage or this newsletter. If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Weekly News Summary for Admins — 2019-02-01

Following right after the release of the iOS 12.1.3 and macOS Mojave 10.13.3 updates last week, members of the developer/beta/seed programs got access to iOS 12.2 and macOS Mojave 10.14.4.

Even though the release notes are still quite thin, these will probably be the “Spring Updates” with some major changes, so they are worth watching and testing. The release notes for Xcode 10.2, which brings Swift 5 and Safari 12.1 are already quite interesting.

Other than that, we got Apple’s quarterly numbers, a weird FaceTime bug, which made Apple shut down the Group FaceTime servers, and a kerfuffle on dubious VPN/data gathering apps which led Apple to block the Facebook and Google Enterprise Developer certificates.

On the MacAdmin side, some great and timely posts on Mac App Store Office apps and Adobe’s new Shared Device Licensing.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

On Scripting OS X

News and Opinion

MacAdmins on Twitter

  • Julia Evans: “curl… ”
  • Tim Perfitt: “I am told by marketing people that showing you this nice photo of the MDS Automaton will convince you to buy one.”
  • Tim Perfitt: “I created this fine video on using Mac Deploy Stick to install macOS, MS Office 2016, 2 browsers, and a forking Boot Camp partition with Windows 10! How long? Holy shirt! 21 minutes from start to finish. Grab some popcorn.”
  • Jason Broccardo: “#macadmins looking for lightweight monitoring for Jamf Pro, I’ve started using JavaMelody. Just need to drop a couple jars into the WEB-INF folder and restart your app to get going. Get nagios-like graphs and data.”

Bugs and Security

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Listen

Support

There are no ads on my webpage or this newsletter. If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Build Simple Packages with Scripts

In a past post, I described how path_helper works. As an example, I mentioned the installer for Python 3 which runs a postinstall script that locates and modifies the current user’s shell profile file to add the Python 3 binary directory to the PATH.

Not only is modifying a user’s file a horrible practice, but it will not achieve the desired purpose when the user installing the package is ultimately not the user using the system. This setup happens fairly frequently in managed deployment workflows.

As described in the earlier post, macOS will add the contents of files in /etc/paths.d/ to all users’ PATHs. So, all we have to do is create a file with the path to the Python 3 binary directory in /etc/paths.d/. A perfect task for a simple installer package.

The steps to create such an installer are simple:

$ mkdir -p Python3PathPkg/payload
$ cd Python3PathPkg
$ echo "/Library/Frameworks/Python.framework/Versions/3.7/bin" > payload/Python-3.7
$ pkgbuild --root payload --install-location /private/etc/paths.d --version 3.7  --identifier com.example.Python3.path Python3Path-3.7.pkg
pkgbuild: Inferring bundle components from contents of payload
pkgbuild: Wrote package to Python3Path-3.7.pkg

This is not so hard. However, since the path to binary contains the major and minor version number, you will have to create a new version when Python 3 updates to 3.8 (and 3.9, etc…).

So, it makes sense to script the process. With a package this simple, you can create everything required to build the package (i.e. the payload folder with contents) from the script in a temporary directory and then discard it after building.

You can find my script at this Github repository.

Note: when you modify the PATH with path_helper, your additions will be appended. The Python 3 installer prepends to the PATH. This might lead to slightly different behavior, as the Python 3 behavior overrides any system binaries. If you want to prepend for every user, you have to modify the /etc/paths file.

There are a few other simple installers where this approach makes sense. I also made a script that builds a package to create the .AppleSetupDone file in /var/db to suppress showing the setup assistant at first boot. Since I was planning to use this with the startosinstall --installpackage option, this script builds a product archive, rather than a flat component package.

You could create this package once and hold on to it whenever you need it again, but I seem to keep losing the pkg files. The script allows you to easily re-build the package in a different format or sign it when necessary. Also, dealing with the invisible file is a bit easier when you just create them on demand.

The last example creates a single invisible file .RunLanguageChooserToo, also in /var/db/. This will show an additional dialog before the Setup Assistant to choose the system language. MacAdmins might want to have this dialog for the obvious reason, but it also allows for a useful hack. When you invoke the Terminal at the Language Chooser with ctrl-option-command-T it will have root privileges, which allows some interesting workflows.

With this package the creation of the flag file happens too late to actually show the chooser. So I added the necessary PackageInfo flags to make the installer require a restart. Note that startosinstall will only respect this flag with a Mojave installer, not with High Sierra.

These three scripts can be used as templates for many similar use cases. As your needs get more complex, you should move to pkgbuild scripts with a payload folder, munkipkg, or Whitebox Packages.

You can learn about the details of inspecting and building packages in my book: “Packaging for Apple Administrators”

Weekly News Summary for Admins — 2019-01-25

This was a busy week with many important updates.

However, all this news has been overshadowed by the news of the death of Tycho Sjögren.

My condolences to his close friends and family.

Tycho was probably best known as the organiser of the MacSysAdmin conference in Gothenburg. But he had been working as an admin and trainer for decades, influencing the career of many in the Apple Admin field. You should go and read the reactions and stories on Twitter and in the #macsysadminconf channel on the MacAdmins Slack to see how far his influence reached.

Even though I have only been at MacSysAdmin for the last two years, I was immdiately struck by the atmosphere of the conference. For a speaker, Tycho’s suggestions and criticisms during preparation were helpful and spot-on, as was his praise afterwards. You could feel his deep experience and passion for the conference and, even more, the community. He would build the conference he himself wanted to experience, and as a speaker, you wanted to impress him.

Then Tycho would sit in the first row for every presentation, eagerly paying attention. MacSysAdmin is a single-track conference, because then all the attendees see the same presentations and the hallway conversations are based on the same topics. MacSysAdmin also had many chances for conversations among the participants with many breaks, good food and fun evening activities. This is a great chance to meet friends, old and new, thank people whose presentations or blog posts have helped and inspired you, share solutions, and to discuss the last session.

Tycho was able to share his interest and passion with the entire conference, and his stye and method has influenced others around the world. It lives on in all the big conferences, small local meetings, and in the online meeting places.

We will miss Tycho, but we will keep sharing his interest and passion.

On Scripting OS X

News and Opinion

MacAdmins on Twitter

  • Anthony Reimer:
    “#MacAdmins: I’ve updated my article from last September that lists the AutoPkg repos that cannot be seen by AutoPkgr (we’re up to 13).”
  • Carl Ashley:
    “So, #macadmins, if you need to generate a PPPCP profile to let kickstart work on macOS 10.14+, Apple KB article: https://support.apple.com/en-au/HT209161 The binary if you want to keep this in your version control is: ”/System/Library/CoreServices/RemoteManagement/ScreensharingAgent.bundle”
  • Josh Braun: “I just found out that TextWrangler, which I’d previously thought defunct, lives on as the freemium version of BBEdit and I’m way more psyched about this than I would’ve anticipated.”
  • Mac Justice:
    “Kind of annoyed at how both Google and Apple photos went whole-hog on fancy AI nonsense but trying to do a collaborative family vacation photo album (a pretty typical scenario!) is still full of UX pain.”
  • Daniel Jalkut: “macOS 10.14.4 will include the stable ABI Swift libraries!… ”
  • Miles Leacy: “The status item “Device Enrollment Program” covers any and all components and hosts required to deliver device enrollment services.…”

Bugs and Security

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Listen

Support this News Summary

There are no ads on my webpage or this newsletter. If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

The Year 2018 for Mac Admins

Happy New Year! (Again.) I started writing this post before the holidays, but it kept growing, needed revisions and additions. I did decide this review is “complete” for now, but mostly because it would be embarassing to publish a review of 2018 in February or later.

2018 was certainly “interesting” for MacAdmins.

The MacAdmins annual schedule does not really fit well with the calendaric year. The two main highlights of the year for Apple Admins are the Developers’ Conference and then the annual main release of iOS and macOS. Nevertheless, I ask for indulgence as I put down my thoughts what is going on in the MacAdmin World.

Apple is Firing on all Cylinders

Looking back, it is amazing how many new products Apple introduced in 2018. The HomePod, originally planned for late 2017 started the year. There was a overhaul of the iPad line with the new low-end model in the Spring and the new iPads Pro in October. The Fall event yielded not just one new iPhone model, but three, as well as a redesigned Apple Watch. Many new, and long-awaited Macs with the new MacBook Pro, MacBook Air, and finally a new Mac mini.

Apple also released tons of new software and services. There was Apple Business Manager, an updated Apple School Manager and Classroom app. Obviously, iOS 12, macOS Mojave and all their siblings, were introduced in the Fall and all the productivity apps, as well as the Pro apps (Logic and Final Cut) got some interesting updates. The Shortcuts app is a new (or at least re-branded) addition to iOS. Apple Books (iBooks Store) and the Mac App Store got a new design overhaul.

It is also interesting to consider the products that Apple did not update this year: AirPods, iPod touch and iPad mini, Apple TV, iMac (Pro), MacBook and Mac Pro.

Some of these (AirPods, Apple TV, iMac) are likely on a two-year upgrade cycle and should get an update in 2019. Apple famously pre-announced the (highly overdue and anticipated) new Mac Pro for 2019. The 12″ MacBook could be on a two-year cycle, but also occupies an awkward postion between the new MacBook Pro and MacBook Air. This leaves the iPod touch and iPad mini in a sad state (or maybe not?)

Apple is Pruning

Among all of these updates and new products, Apple has also pruned their product line.

Apple announced they would stop making Airport Base stations and Time Capsules. The iPhone SE was discontinued. There are no more iPhones sold with a headphone jack.

In the MacAdmin space, Apple announced the removal of many services in the macOS Server application, leaving only a few. What remains of Server is Profile Manager, Xsan and Open Directory.

All the new Macs with the T2 system controller will not NetBoot any more. All new Mac models introduced in 2018 have the T2 system controller. While this is a huge improvement in security and performance, administrators will have to adapt to the changes this heightened lockdown brings. We can’t say we haven’t been warned, though.

Apple in Enterprise is growing

Even though Apple’s events focus on the consumer business, Apple has been gaining market- and mindshare in Enterprise and businesses. We rarely get numbers on this from Apple directly, but their partners and customers seem happy enough to brag.

Apple’s strong message on privacy is aimed mostly at end users. Enterprises are listening as well, and mostly like the messaging.

Many IT organisations that traditionally only supported Windows now have to open up their services to mobile smart phone platforms. This also creates an opportunity to add support for other platforms and has led to a Mac revival in many organisations.

We are also seeing many traditional ‘Enterprise’ solutions being built with iOS support, such as Cisco Security Connector. Again, while these solutions are built mainly with iOS in mind, the less prominent elder sibling macOS often gains support as well.

Overall, the trend in many Enterprises is to support more than just one platform. This is an important change the previous “Windows, unless you have a really good reason.” Once you (have to) break with single-platform policies, then adding even more platforms becomes easier.

This process is not universal, however. Microsoft has announced it will switch to using the Chromium engine for their Edge browser, leaving only Firefox as the last major non-WebKit based browser.

Apple is reaching out

Maybe as a result of the continued interest for Apple in the Enterprise, Apple has, for the first time, officially had speakers at the Penn State Mac Admins Conference.

There have been ‘unofficial’ or even ‘undercover’ sightings of Apple employees at conferences before, but officially providing speakers for sessions is new for Apple. At least since the demise of the IT Track at WWDC in 2009. I think this is a wonderful development and hope Apple continues this new policy of communication with more conferences.

Apple employees Jeremy Butcher and Doug Brooks were guests on the MacAdmins podcast, where they talked about the new hardware, MDM and the T2 chip. This was an amazing surprise in 2018, and would have been hard to imagine just a few years ago.

Apple is Hiring

In 2018, we have seen several members of the MacAdmins community and wider Apple Tech scene get hired by Apple. I am wishing all of them the best!

I think it is great that Apple is hiring these experienced experts into the various teams and hope that their voices and skills will be valued and listened to. Much can be gained both within and outside of Apple when these skills are applied well. I do not want to imply that the existing members of the various Apple teams don’t have important skills, but ‘outside’ experience and perspective is very valuable.

On the other hand, it is a bit sad that the secretive Apple culture is now removing these voices from our community, at least for the time being. Maybe the new openness that Apple has demonstrated will allow us to hear from them before the end of their stint at Apple.

MacAdmin Community is Growing

That said, the MacAdmin community is growing at an impressive rate. The MacAdmins Slack went above 20K users with nearly 4000 weekly active users.

What I find interesting and encouraging is that these aren’t just “senior” MacAdmins with decades of Apple experience, but many young and new people who come here from other platforms or other support jobs.

To all admins new to the Mac and iOS platform: Welcome!

If you haven’t joined the MacAdmins Slack yet, do it now! You can read my “opinionated guide to MacAdmins Slack” first.

The Admin Environment is getting more complex and integrated

Another good reason to welcome all those new admins is that we have a lot of need for them. More and more organisations are in need of MacAdmins. But also the Apple platforms are required to integrate into more and more other complex systems and platforms.

Laptops and smart phones aren’t standalone devices anymore, but work within a complex web of networks, services, other devices and applications. No piece works entirely without any of the others.

With the demise of the Xserve, the Mac mini Server and, most recently, macOS Server, “Mac” admins have to use other platforms to host essential services. This provides several features, such as virtualization and cloud services, that aren’t possible with macOS.

In some organisations, you may still be able to have a single admin to manage everything tech related, but in most cases Mac and iOS engineers will have to work within teams of admins managing multiple different services and platforms.

Not only do traditional Mac admins have to learn other platforms and services, but the admins with backgrounds in these other platforms are now confronted with Mac and iOS and many of them are starting to take reponsibilities for these platforms as well. Once again, welcome!

Highlights

We got the --eraseinstall option for the startosinstall command. You can tell this got me excited because I helped build an app around that. Also, the startosinstall command was made official by Apple, after lurking in the macOS installer application bundle for a few system releases.

Together with APFS for all drives in Mojave, MacAdmins can now build a new installation based workflow for all Macs that can support 10.14 and beyond. You can read more about this in my latest book (another highlight for me in 2018) ‘macOS Installation for Apple Administrators.’

The new Mac hardware is definitely interesting. The Mac mini didn’t just get a speed bump, but a major boost. Apple has clearly recognized that the mini is not only being used as a cheap entry-level Mac, but as a “Pro” device where an iMac, iMac Pro or Mac Pro is overkill.

The T2 System Controller chip has been in every new Mac model introduced in 2018. Even the new MacBook Air and Mac mini have the T2. I really appreciate the performance and security implications. But the T2 brings with it new limitations and workflows for MacAdmins.

Still Missing for Admins

Much has been said about Apple’s ‘misses’ for 2018. From a ‘normal’ user perspective I liked Rene Ritchie’s summary: Vector Apple misses

Since admins are also users, all of those topics are relevant to us, too. However, as MacAdmins we have other concerns as well.

Mac App Store: VPP vs Subscription and in-App-Purchases

The Mac App Store application got a visual overhaul in Mojave. The backend, however, remains an utter mess. (I am still continually annoyed by the fact that I cannot search, purchase or even reliably view apps for other platforms.) While I approve of the application sandbox on macOS in general, the limitations imposed by Apple still exclude entire categories of useful tools and applications from the Mac App Store.

Nevertheless we have been promised more software for the Mac App Store, most prominently Microsoft’s Office 365 Suite. Since Apple showed off Adobe Photoshop for iPad in the Fall event, there may also be hope for Adobe applications. Both of these solutions are from prominent large vendors and one would presume the app would be free in the Mac App Store (like on iOS) but require an subscription (Office 365 or Adobe Cloud) to unlock or activate.

Apple mentioned at WWDC in June that they were adapting the rules to allow for more apps in the Mac App Store. They explicitly mentioned Barebones’ BBEdit and Panic’s Transmit, both of which were present in the Mac App Store previously, but left because of limitations. Panic published Transmit in November, with a yearly subscription price. You can still get Transmit for a fixed single price from their website.

Apple has been pushing the subscription model as a solution for vendors to get recurring income without paid upgrades. Other apps, like the great applications from the OmniGroup, are also free to download, but require an in-app purchase to unlock the full feature set. While subscriptions and in-app purchases have their downsides, I think they can be a useful solution for developers and users.

However, when you need to buy applications in large numbers from the Mac App Store, Apple will refer you to their Volume Purachasing Program (VPP) now called “Applications and Books” as part of the Apple Business Manager or Apple School Manager. Neither subscriptions nor in-app purchases are supported by VPP.

Furthermore, MDM commands are sent to a client without the expectation of any feedback, other than that the command was received. The installation may fail and the MDM will not care. Some management solutions close the loop by reporting installed applications back through a custom agent and can take action on that data. But it would be nice if this loop were closed by the MDM protocol and agent directly.

The example of Transmit shows that Apple seems to be working on expanding and refining the set of entitlements available. This is promising, but as the continued absence of BBEdit demonstrates, still requires a lot more work, time and patience.

Obviously, Apple will not comment on future features. These limitations have existed for several years now. On macOS, software vendors at least have the option of offering installers and volume or education licenses outside of the store. But, as subscription and in-app purchase models are becoming more popular in the iOS App Store, this is turning into a problem not only for macOS.

All of these limitations are holding back the App Stores and VPP as a deployment tool. I believe that pushing VPP applications with an MDM could be useful and powerful. Admins can securely push a VPP app and its configuration together with a profile or managed app config and manage licensing or subscription, without the need scripting or packaging. On iOS, VPP is the only solution for this. But Apple is hobbling their own solution by not offering subscription or in-app purchase VPP.

Full “Zero-touch” Deployment

Apple and many management system vendors like to tout “zero-touch” deployment. This of course means “zero-touch” for IT department. I do appreciate the elegance of these kinds of workflows, where a device can be shipped directly to the user and the device is automatically enrolled on first setup. This allows for deployment workflows that simply weren’t possible before.

That said, there are other environments with vastly different requirements. Especially education setups still have labs or carts full of iMacs or MacBooks. Imaging and NetBoot are dead for new Mac models with T2 chip and Secure Boot. But the new deployment models always require user interaction at some point during the re-install/enrollment workflow.

When you use DEP (Automated MDM Enrollment), you can suppress most of the screens during system and user setup, but there are a few screens (Region, keyboard layout, possibly time zone, and then, of course, approving the Remote Management) that you cannot skip. Any deployment workflow will stall at this point, until someone physically clicks through those dialogs.

You can skip SetupAssistant and DEP entirely and enroll to the MDM with a script or pkg. This defers the mandatory clicking for user approval to the end of the deployment workflow, but there are still some configuration and deployment tasks, that have to be put on hold until user-approval of the MDM is given. Third Party Kernel Extensions and tools that require PPPC approval can’t be installed without a UAMDM.

User-approval should be required during a manual enroll or after an enrollment done with a script. This is a necessary security measure to prevent computers from being enrolled to rogue MDMs by malware.

However, automated enrollment with DEP should not require any user interaction. Once a Mac is listed in the Apple Business/School Manager, it should be considered owned by the organization. I believe admins should have the option to pre-configure and skip every step of the setup workflow.

macOS Installer Versions

Apple has finally acknowledged the startosinstall command, was among my highlights. They also added a very useful option with --eraseinstall. To use this tool, you need to have the “Install macOS *.app” on the Mac (or an external storage). And you need the correct version.

Hardware specific builds of macOS aren’t a new thing. When new Apple hardware is released, it usually comes with a very specific build of macOS that will run exclusively on that hardware. Usually with the next update to macOS the hardware specific build will be merged into the main macOS build and we have a universal installer application again. There are exceptions: the iMac Pro had an hardware specific build for two updates and was not merged until 10.13.4.

The 2018 MacBook Pros were released with a hardware specific build of macOS 10.13.6. Since 10.13.6 was the final update for 10.13, admins holding on to 10.13 for the time being will have to provide and manage the general version of 10.13.6 as well as the hardware specific build for the 2018 MacBook Pros.

Additionally, it is really hard to get a hardware specific macOS installer application through any official means from Apple. You can download the generic installer from the Mac App Store on any Mac that support High Sierra other than the 2018 MacBook Pros. You should be able to download the hardware specific build of 10.13.6 on a 2018 MacBook Pro that requires it, but that process has been riddled with errors and bugs.

All these various builds and versions are tracked and communicated by MacAdmins, but not by Apple. As of this writing, this Apple Support article has no mention of the hardware specific builds of 10.13.6 or any Mojave version, even though it was updated in December. There were specfic builds for the 2018 MacBook Pro (17G2208), Mac Mini (18A2063), MacBook Air (18B2107) and MacBook Pro with the Vega card (18B3089).

This is horribly frustrating. Greg Neagle reverse engineered the download process of the macOS install application and built a script. The script will still have to be run on the respective hardware, but it is more reliable to download a specific installer than the Mac App Store.

I am (once again) hugely grateful for Greg’s effort. However, that so many MacAdmins rely on a hack to download the essential piece of the deployment workflow, is nothing but a disgrace, no matter how well-executed the hack is.

On top of that, security updates don’t increase the version number, but do change the build number, resulting in a confusing list of possible build numbers for 10.13.6.

Apple has provided helpful download links for older macOS versions as support pages. These links lead to the Mac App Store. But links to older macOS downloads will fail on any Mac that doesn’t support that particular macOS version.

I understand that normal end users probably shouldn’t be able to view or download a version of macOS that cannot be installed, but there should be an official way for MacAdmins to download older versions of macOS, even when they working on the latest and greatest Mac.

Documentation

Documentation on Apple’s Support pages has seen improvements in some ways. There were several timely articles posted around the release of Mojave. We got great security documents on Secure Boot and the T2 chips. We got a first, though still incomplete, glimpse at APFS documentation. The MDM specification and Configuration Profile reference moved from HTML to a PDF document, which makes it harder to read or process, but it is still being regularly updated.

Overall, however, I still have to give Apple a failing grade for documentation from a MacAdmin perspective. Crucial pieces of the deployment workflow, such as the startosinstall command, Secure Token and APFS FileVault, or how to determine which software and scripts to add to a PPPC profile have been reverse engineered by admins in the field and there is still, more than a year after High Sierra and four months after the release of Mojave, no or very sparse documentation from Apple on any of these topics.

Thanks to the amazing efforts of fellow MacAdmins we have great documents and tools for many of these topics. The spirit of sharing and communication in the MacAdmins community does everyone credit.

With success stories like SAP and IBM, no-one can credibly claim Apple is not “for the Enterprise.” Apple wants to push quick release cycles and fast adoption of new macOS upgrades and updates. I agree with these goals. But a quick update cycle also requires similarly quick releases of documentation. When you want admins to support the latest and greatest release, then you need to tell them how, and not wait for someone to reverse engineer everything.

Looking to 2019

What will 2019 bring for MacAdmins?

New Mac Pro

The highly anticipated new, “modular” Mac Pro is on the top of that list. Will it be able to excite the Pro customers? We can probably also expect a new Apple branded display to supplement the Mac Pro. Since Apple has introduced external GPUs for the MacBooks, I am wondering if a new Apple Display might come with a GPU, rather than relying on the GPU power in the Mac. I am also curious if Apple can and will use Thunderbolt 3 in other ways to make the new Mac more “modular.”

The 2018 Mac mini turned out to be more powerful than any Mac mini before. You can configure up to six i7 cores, 64GB RAM and 10GigaBit Ethernet. On top of that you get four Thunderbolt 3 ports for expansion. With a powerful eGPU or an hypothetical display with GPU, the Mac mini can already be seen as a “modular Pro Mac.” Obviously, high-end users want even more RAM, cores, and something more powerful than an i7. The iMac Pro scales from 8 to 18 Xeon cores, and 128GB of RAM, so that should be the baseline for the Mac Pro. But how else will the new Mac Pro distiniguish itself from the Mac mini and the iMac Pro? It’ll be fun to speculate and then analyse the reality.

My prediction for release date? Most likely at WWDC, though there is a chance Apple might do a special event earlier in the year.

More Security and Control

The 2018 Mac models have shown that the T2 system controller or its successor will be in all Mac models going forward. It provides better and faster local disk encryption, Secure Boot, system activation at installation, and can block external boot. Apple has had these “features” in iOS for years.

Secure Boot can be disabled and external boot can be “unblocked” on Macs, but a new system out of the box will have the most secure settings. This follows the model that SIP and user-approved Kernel extension have set in the past.

Apple could start mandating some of these settings. However, they have not mandated SIP even after several years, might be a sign that they will keep those ‘backdoors’ available for a bit longer. (I don’t recommend disabling any of these security features, they are there for a reason.)

Having T2 (or something better) across all Macs could allow Apple to implement some other options, such as stopping to activate/sign older macOS versions, blocking them from being installed. Before they can do that effectively, we will have to wait out the life time of pre-T2 Mac models. Even though all new Mac models in 2018 have the T2, Apple still sells models without T2 chips, such as the entry level MacBook Pro and MacBook Air. To effectively implement something like this, Apple would have to wait until a large fraction of the installed base has the T2 (or better) chip. Given the current life time of Mac hardware this will take at least three to five years.

So, while forthcoming Macs might implement stricter local security, I don’t expect major changes in 2019.

UIKit on macOS

Another big announcement at WWDC 2018 was that Apple had started to port UIKit, the framework for writing applications on iOS to macOS. For now, Apple is ‘testing’ this approach with four of their own apps: Stocks, News, Home and Voice Memos. This framework is not yet available to third party apps. (At least not officially.) The framework (the suspected code-name is ‘Marzipan’) should be available to third-party developers in ‘2019’, most liekly with macOS 10.15.

This will lower the threshold for porting apps from iOS to macOS. Apple surely expects this will be a huge boost to app availability for macOS. However, there are reasons that macOS and iOS are very separate platforms with different UI frameworks. The date or time picker in the Home app is exactly the same as in iOS and not optimized for mouse/trackpad input. None of the Marzipan apps can open multiple windows.

Overall, I think that even a poorly ported Home app is better than no Home app at all. But without multiple windows or something like AppleScript support, the macOS Home app will not live up to expectations of macOS and remain disappointing.

That said, Apple was careful and kept the Marzipan framework private for a year. There will likely be major changes to the current implementation before it is released to developers this summer. Also, it will continue to evolve with future macOS updates.

Overall, I will be looking forward to this.

ARM based Macs

ARM based Macs were predicted for 2020, rather than 2019, so it might be a bit premature.

The motivation for this might be obvious. Intel has had major setbacks in their chip roadmap while Apple own ARM-based “A”-series chips are catching up in performance. Apple has repeatedly shown that they would like to own the all the pieces that go into their devices. So it seems like an obvious, even unavoidable next step to put the A-series chips that are powering the iPad Pro into MacBooks and maybe even desktop Macs as well.

While I am not going to argue that A-series chips are powerful enough for laptops and most consumer desktops, they not yet comparable to the high end “Pro” chips, especially for desktops. Using A-series chips might allow Apple to innovate faster and lower prices, but it would further reduce the distinction between the MacBook and iPad Pro, something that is already putting pressure on the Mac platform sales and confusing for customers.

On the Mac platform, Apple just recently re-commited to Intel with Xeon in the iMac Pro and the Core i7 chips in the new Mac mini and MacBook Air. Presumably the new Mac Pro will have a Xeon chipset that can keep up and exceed the iMac Pro.

It is conceivable that Apple has some massively parallel “super-A-series” logic board design. But that would be a strange course correction away from the path that we have seen in the iMac Pro. GPU power is a key to high-performance computing, VR and AR and machine learning. Any solution Apple uses for future “Pro” Macs will have to support high-end GPUs.

Since the MacBook Air and Mac mini just got refreshes, I don’t expect any news on A-series Macs until these are up for a hardware refresh, probably in late 2020. That timeline would make it unlikely to hear anything at WWDC this year.

The 12“ MacBook is the one wildcard. The 12” MacBook remains positioned oddly between the new MacBook Air and the the 13“ no Touch-bar MacBook Pro. If Apple wanted to show off a power-sipping A-series chip in a notebook form factor, possibly at a lower US$999 entry price, a new 12” MacBook with a single USB-C port, like the iPad Pro, could work quite well.

But would this A-series notebook necessarily be a “Mac?” Keep in mind that Apple rebranded their Book store this year, possibly allowing the “iBook” brand to return to its original use.

Whether this year, next year or later, macOS on A-series will come with some pains for MacAdmins. This will be a hardware specific build of macOS that cannot merge. This new macOS will probably have a deployment even close to iOS than the current macOS. Software could be offered in fat-bundles, including the binaries for both chip sets, or merely fat installers, that choose the binary during installation. Or, the Mac App Store could be the sole means of software distribution, like on iOS.

MacAdmins have weathered transistions like these before. Both the transition to Mac OS X from “Classic Mac OS 9” and the Intel transition actually resulted in many new tools and workflows being developed and used for deployment.

Finally

Times will remain interesting and exciting for MacAdmins. It is obvious that Apple and the entire tech industry have no plans of reducing momentum or changing direction. While it is not always clear in which direction the field is moving, anyone who’d rather stand still and hold to things as they are (were), will be left behind.

Continous trouble-shooting mode and beta-testing can be tedious and frustrating, but when managed correctly, will result in an flexible and up-to-date deployment, where users can get the latest and newest hardware and software, without IT standing in the way.

On to tackle 2019!