I set up a micro.blog for this website. For now, it’ll just cross post the articles posted here. So in addition to Twitter, Facebook and this plain old website, you can now also follow on micro.blog if that is how you roll.
And now Server.app, too!
I have written a book which expands on this topic and is regularly updated. Please check it out: “macOS Installation for Apple Administrators“
There is a common understanding that celebrity deaths come in groups of three. Maybe Apple was aiming for that, too. After killing off Imaging and NetBoot/NetInstall, now there is a new support article:
Prepare for changes to macOS Server – Apple Support.
In this article Apple announces they will change the macOS Server app “to focus more on management of computers, devices, and storage on your network.” All other services will be deprecated.
The article lists the deprecated services and provides links to some open source alternatives.
- Calendar
- Contacts
- DHCP
- DNS
- Messages (Jabber)
- NetInstall (NetBoot)
- VPN
- Websites (Apache)
- Wiki
In the beginning these services will remain available when you upgrade from an older version where they are activated, but will be hidden from new installations. In some unspecified future version of macOS Server, the services will be removed.
There are few services not listed here. They were already deprecated or moved to the ‘normal’ macOS in the last Server release. Open Directory and Software Update Server were deprecated and automatically hidden in Server 5.4 (the version which was released with macOS High Sierra). At the same time, Content Caching (Caching Server), File Sharing and Time Machine services moved from the Server app to the Sharing preference pane on macOS (and are available on every Mac, without having to purchase macOS Server). Xcode Server has moved into Xcode 9.
If you are using macOS Server for one of the above solutions, what should you do?
Don’t Panic
Apple is not killing off these services immediately. Server 5.5, which was released together with macOS 10.13.3 still has all the ‘normal’ services. Apple will hide the services in the UI to discourage their use in a future release. For the time being you can continue to use them. However, you need to start planning your move away from macOS Server.
While many Mac administrators would argue that macOS Server is not and never was a “professional” server, or even a server for any kind of deployment, it has found a niche in some small network environments. While the UI was certainly never perfect, it has always been somewhat easier than messing with config files.
The replacements that Apple suggests in their article are worthy solutions if you need to maintain the services locally. Many are the open source projects that Apple used inside macOS Server themselves. While this removes the UI for monitoring and configuring the services, it also takes Apple out of the loop for updates and security patches: by getting the software directly you can get more timely updates. It also requires more maintenance and effort from the administrator, especially when you are using multiple services.
To the Cloud!
However, many of the above services are better replaced by cloud-hosted services, such as Office 365 or Google for Business/Education. These will also cover user identity management (replacing Open Directory) and file sharing with cloud storage systems.
For obvious reasons, DNS, DHCP and VPN cannot be run in the cloud. For small networks, these services are usually run on the router. However, if your router cannot run these services then you can run them on a dedicated box.
For my home network I am considering (i.e. finally found an excuse for) a Raspberry Pi.
NetBoot is still dead
Apple recommends NetSUS and BSDPy for NetBoot and NetInstall. These are certainly worthy solutions to host your nbi folders.
However, NetInstall functionality (this has been discussed before) is not present with the iMac Pro. It is to be expected that future new Mac hardware releases will follow the iMac Pro.
If you currently have a NetBoot/NetInstall based imaging or installation based workflow hosted on macOS Server, you need to be exploring alternative onboarding/setup workflows instead. DEP + MDM is the solution that Apple is pushing here.
Whatever solution you find for your setup, it will require a lot of effort to get working smoothly. Rather than spending time and effort to move your NetBoot setup to BSDPy or NetSUS, leave it where it is for as long as it still works and spend the time on building a new supportable and supported workflow instead.
Whither macOS Server?
The Apple support article states:
macOS Server is changing to focus more on management of computers, devices, and storage on your network.
I would guess that ‘storage on your network’ means Xsan, which some people still use. It seems weird to leave this as part of macOS Server and not split it out like the other services. On the other hand, it seems hard to imagine that this is some new server management feature.
What remains is Profile Manager.
Profile Manager is considered Apple’s reference implementation of the MDM protocol. Most would not recommend using it in professional environments and few do (even fewer happily).
Now that Apple is effectively reducing the functionality of macOS Server to Profile Manager, the question is: will it remain a mere reference implementation, or will Apple finally put the resources behind Profile Manager to make it a usable, affordable and scalable solution?
Or maybe I get to write Profile Manager’s eulogy in a few years time as well. Only time will tell.
Does this mean Apple is leaving Enterprise business?
Really!? No.
In some ways Apple has never been able to enter Enterprise business with their own server products, hardware and software.
But they have been able to enter Enterprise business with their devices, Macs and iPhones and iPad. And because those devices are popular and trendy with Enterprise users, the Enterprises need to support them. That is what the MDM protocol and DEP are for.
With this step, Apple is making it clear that they are not even trying to play in the server business. They are happy to provide the MDM protocol and a reference implementation. They will support the infrastructure necessary to make DEP, MDM and VPP work. Apple is not interested in being the hardware that runs DNS, DHCP, file shares, Mail, calendaring and chat etc. Maybe not even the MDM server. Apple is very happy to leave this business to others. Apple sells devices.
macOS Server has been a neglected stepchild since the demise of the Xserve. I am surprised it took Apple this long to make it obvious.
Weekly News Summary for Admins — 2018-01-26
Another update week! macOS 10.13.3 and iOS 11.2.5 dropped along with the usual other updates. Security Updates for Sierra and El Capitan bring Meltdown fixes and (maybe) APFS support for Sierra.
The end of one beta cycle is the beginning of the next. macOS 10.13.4 and iOS 11.3 started in beta. Apple seems so proud of this update that they put up an iOS 11.3 preview. There was also an announcement that the macOS Server application will be severely reduced in functionality in a future release.
If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)
📰News and Opinion
- Apple previews iOS 11.3
- A Week With The iMac Pro – Ben Goodstein, Amsys
- The End of Munki-in-a-Box – Tom Bridge, Cannonball
- iOS 11.3 Books app confirms Apple Books Store overhaul – Guilherme Rambo, 9to5Mac
- New MDM Features for iOS 11.3 & macOS 10.13.4 – SimpleMDM Blog
- macOS Server Changes Coming Soon To A Server Near You – Charles Edge, Krypted
🔨Support and HowTos
- Jamf Pro uninstaller policies with a little help from Munki – Graham Pugh
- Secure Token and FileVault on Apple File System – Rich Trouton
- The Right OS For The Right Mac – The Mac Admin
- Extension Attribute To Check For OSX/MaMi – Charles Edge
- Jamf Pro EA: Member of AD Group – The Mac Admin
- File types, the UTI, and even more metadata – The Eclectic Light Company
- Which EFI firmware should your Mac be using? – The Eclectic Light Company
- Spectre & Meltdown Vulnerabilities Summary – Jason Broccardo Updated for 10.13.3 release
- Automated CloudFront invalidation rules – Erik Gomez
- Early notes on deploying images to iMac Pro – Greg Neagle, Managing OS X
- What is in the Sierra Security Update 2018–001? – The Eclectic Light Company
🍏Apple Support
- macOS build numbers: (thanks to Elliot Jordan)
- 10.13.3: 17D47 (iMac Pro: 17D2047)
- 10.12.6: 16G1212
- 10.11.6: 15G19009
- Prepare for changes to macOS Server
- About the macOS High Sierra 10.13.3 Update
- About the security content of macOS High Sierra 10.13.3, Security Update 2018–001 Sierra, and Security Update 2018–001 El Capitan
- macOS High Sierra 10.13.3 Update
- macOS High Sierra 10.13.3 Update for iMac Pro
- macOS High Sierra 10.13.3 Combo Update
- Security Update 2018–001 (El Capitan)
- Security Update 2018–001 (Sierra)
- About macOS Server 5.5
- About iOS 11 Updates
- About the security content of iOS 11.2.5
- About watchOS 4 Updates
- About the security content of watchOS 4.2.2
- About the security content of tvOS 11.2.5
- About the security content of Safari 11.0.3
♻️Updates and Releases
- Louis D’hauwe: “After getting removed by Apple, my Terminal app for iOS is back in the App Store with a new name: OpenTerm 🚀”
- Ken Case: “yes, we’ll be open-sourcing our iOS & Mac JavaScript-based automation framework, OmniJS.”
- jlutil – an alternate, cross-platform format for representing property lists
- Munki 3.2 Release Candidate 2
- MacQuisition 2018 R1
🎧To Listen
- The Annual Tome of Goodness, with Arek Dreyer – Mac Admins Podcast
- The Mac App Store’s Problems – AppStories
📚Support
I do not have any ads on my webpage or this newsletter. However, if you want to support me and this website, then please consider buying one (or both) of my books. (Imagine it’s like a subscription fee, but you also get one or two useful books on top!)
If you have already bought and read the books, please leave a review on the iBooks Store. Reviews are important to help new potential readers make the purchase decision. Thank you (again)!
Weekly News Summary for Admins — 2018-01-19
New Office! New remote control solution for Macs! New ‘Apple at Work’ pages!
Lots of new and interesting things this week to read up and keep up with.
#! On Scripting OS X
📰News and Opinion
- Apple is getting very, very serious about enterprise IT – Jonney Evans, Computerworld
- Apple accelerates US investment and job creation – Apple
- New macOS DNS hijacking malware discovered, also capable of screenshots, file access, more – Chance Miller, 9to5Mac
- Office for Mac turns ‘Suite 16’ – Bill Smith, Jamf Blog
- Microsoft adds drag and drop support in Office apps for iOS Insiders – MSPoweruser
- This was a comment on another post, but I… – Miles A. Leacy IV
- The end of the conference era – Marco Arment: This article is focussed on iOS/macOS developer conferences. I have a feeling most Mac focussed IT conferences are doing well.
- IT Kit – The best tools for IT professionals: New site attempting to curate a list of IT tools. The list is still quite thin, but seems to be biased towards Apple/Mac IT tools. Might be worth watching.
- Steve Troughton-Smith on Twitter: “It looks like Apple may be preparing Meltdown/Spectre mitigations for macOS 10.12 (Sierra) in an upcoming security update.”
- Not even wrong – ways to dismiss technology – Benedict Evans
🔨Support and HowTos
- Add product id to a distribution pkg with Packages.app – Eric Holtam, osxbytes
- MacAutomation on Twitter: “Live Import into Photos from tethered iPhone”
- Bear on Twitter: “@kjaymiller made an AppleScript that imports multi-line text into Things as tasks”
- Suppressing auto-update checks for Microsoft Visual Studio Code for Mac – Daz Wallace, moof IT
- FileVault recovery key redirection profile changes in macOS High Sierra – Rich Trouton
- Analyzing a New macOS DNS Hijacker: OSX/MaMi – Patrick Wardle, Objective-See
- VMware Fusion API Explorer
- Bootstrappr – Greg Neagle
- Oracle Java 9 JDK and JRE installation scripts for macOS – Rich Trouton
🍏Apple Support
- New ‘Apple at Work’ pages and documents
- Employee Starter Guide for Mac
- Use PIV Mandatory authentication
- About the security content of Xcode 9.2
♻️Updates and Releases
- TCM – Twocanoes Software Remote Control for Mac
- Office 2016 for Mac 16.9.0 (the download links at macadmins.software have also been updated)
- WhiteBox Packages 1.2.2
- Louis D’hauwe on Twitter: “Sad news: Terminal has been removed from the iOS App Store for being “too similar to Terminal”
🎧To Listen
- The Future of Mac Labs, with Neil Martin – Mac Admins Podcast
- Siri needs to become a platform – Rene Ritchie, Vector Podcast
📖To Read
📚Support
Weekly News Summary for Admins — 2018-01-12
Things have quieted down a bit after the Meltdown and Spectre turmoil last week. Apple has pushed updates for iOS, High Sierra, and Safari for older macOS versions.
There also was another macOS password bug, but this one is more specific and less dramatic than the #iamroot bug was.
#! On Scripting OS X
📰News and Opinion
- Spectre & Meltdown Vulnerabilities Summary – Jason Broccardo
- The Future of Transmit iOS – Panic Blog
- Measuring OS X Meltdown Patches Performance
- macOS High Sierra’s App Store System Preferences Can Be Unlocked With Any Password – Mac Rumors
🔨Support and HowTos
- Jason Broccardo on Twitter: “sfltool in 10.13 will not get back the features it had in previous versions of the OS”
- Setting your Mac to receive macOS beta updates using seedutil – Rich Trouton
- Secure Enclave, Mac SSD hardware encryption and the future of FileVault – Rich Trouton
- Graham R Pugh on Twitter: “You can’t user-approve Kernel Extensions from Remote Desktop sessions.” (This is somewhat mentioned in Apple’s support article on Kernel Extensions in High Sierra.)
- iCloud Drive can strip (meta)data from your documents – The Eclectic Light Company
- Managing Macs at Scale – Matthew Warren
- Better Jamf Policy Deferral
- Kext Team Identifiers, Vendors and BundleIDs: useful shared Google Doc, please contribute
- Applications with 32-Bit Components: future versions of macOS will not run 32bit applications any more. Shared Google Doc, please contribute.
🍏Apple Support
- About the security content of iOS 11.2.2
- About the security content of macOS High Sierra 10.13.2 Supplemental Update
- About the security content of Safari 11.0.2
- iOS Security Guide
♻️Updates and Releases
- Terminal is now available in the App Store for iPhone and iPad! 🍾 : not very useful yet, but interesting (App Store Link)
- Munki 3.2 Release Candidate 1
📚Support
Get an Icon for your Mac
A few weeks ago I had a post about getting the “Marketing Name” for a Mac.
At that time I was also trying to get an icon or image file for the current Mac model, but could not find a way to do it.
Since then I have found that the AppKit framework provides a method to get an image for the Mac.
[NSImage imageNamed:NSImageNameComputer] // Objective-C
NSImage(named: .computer) // Swift
To get this image data into a file requires passing it through some other classes. However, this is possible in Python on macOS. (I had some trouble, but figured it out with some help in the MacAdmins Slack #python channel, thanks!)
In case you need an image file for the Mac, here is the code. It will generate a 512px image for the current Mac. The two lines you may want to change are line 7 for the size of the image and line 16 for the filename.
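The post’s own Python script is not reproduced here. As an added example (my own code, not the author’s), the following Swift command-line script does the same job with the AppKit call shown above: it draws the computer image into a 512 px bitmap and writes it out as PNG. The output filename (computer-icon.png in the current directory) and the size are assumed defaults, not values from the original post.

```swift
#!/usr/bin/swift
// Added example (not the post's own script): render the AppKit "computer"
// image for the current Mac model to a PNG file of a chosen pixel size.
import AppKit

/// Draw NSImage.Name.computer into a square bitmap of `pixels` x `pixels`
/// and return it encoded as PNG, or nil if the image or bitmap cannot be created.
func computerIconPNG(pixels: Int) -> Data? {
    guard let icon = NSImage(named: .computer) else { return nil }
    guard let rep = NSBitmapImageRep(bitmapDataPlanes: nil,
                                     pixelsWide: pixels, pixelsHigh: pixels,
                                     bitsPerSample: 8, samplesPerPixel: 4,
                                     hasAlpha: true, isPlanar: false,
                                     colorSpaceName: .deviceRGB,
                                     bytesPerRow: 0, bitsPerPixel: 0) else { return nil }
    // Point the current graphics context at the bitmap, draw, then restore it.
    NSGraphicsContext.saveGraphicsState()
    NSGraphicsContext.current = NSGraphicsContext(bitmapImageRep: rep)
    let target = NSRect(x: 0, y: 0, width: pixels, height: pixels)
    // AppKit picks the best-fitting representation of the multi-size icon.
    icon.draw(in: target, from: .zero, operation: .sourceOver, fraction: 1.0)
    NSGraphicsContext.restoreGraphicsState()
    return rep.representation(using: .png, properties: [:])
}

// The two values you would normally change: output size and filename
// (assumed defaults for this example, not taken from the original post).
let size = 512
let output = URL(fileURLWithPath: "computer-icon.png")

guard let png = computerIconPNG(pixels: size) else {
    FileHandle.standardError.write("could not render the computer icon\n".data(using: .utf8)!)
    exit(1)
}
do {
    try png.write(to: output)
    print("wrote \(size)px icon to \(output.path)")
} catch {
    FileHandle.standardError.write("write failed: \(error)\n".data(using: .utf8)!)
    exit(1)
}
```

Run it on macOS with `swift icon.swift`; the resulting PNG keeps the icon’s alpha channel.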
Update: improved version here (not by me)
Weekly News Summary for Admins — 2018-01-05
Happy New Year, everyone!
For those who follow the Gregorian way of counting trips around the sun, anyway.
2018 is certainly not starting slowly. We got a good look at Secure Boot in the iMac Pro thanks to Tim Perfitt. And then we got two major security problems, endearingly called ‘Meltdown’ and ‘Spectre’.
#! On Scripting OS X
🎇Turn of Year
- My work in 2017 – groob.io
- Apple Macintosh: What the Mac needs in 2018 – Jason Snell, Macworld
- Biggest problems facing Apple in 2018 – Rene Ritchie, iMore
- Krypted.com Turns 13 Today! – Charles Edge, Krypted.com
🖥iMac Pro
- NetInstall is Dead, too
- Network Traces from SecureBoot on iMac Pro – Tim Perfitt, Twocanoes Software
- SecureBoot & the 2017 iMac Pro – Tim Perfitt, Twocanoes Software
- The T2 chip makes the iMac Pro the start of a Mac revolution – Jason Snell, Macworld
🔐Meltdown and Spectre
- About speculative execution vulnerabilities in ARM-based and Intel CPUs – Apple Support
- About the security content of macOS High Sierra 10.13.2, Security Update 2017–002 Sierra, and Security Update 2017–005 El Capitan – Apple Support (Updated Jan, 4 for CVE–2017–5754)
- ‘Meltdown’ and ‘Spectre’ FAQ: What Mac and iOS users need to know about the Intel, AMD, and ARM flaw – Rene Ritchie, iMore
- Reading privileged memory with a side-channel – Project Zero
- Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign – The Register
- Mac Model PCID Status (Google doc)
📰News and Opinion
🔨Support and HowTos
- A Slack notification post-processor for AutoPkg/JSSImporter – Graham Pugh
- Creating local user accounts with pycreateuserpkg – Rich Trouton
- Decrypting an APFS encrypted volume using diskutil on macOS 10.13.2 – Rich Trouton
- This New Years Day, Learn The Jot Command – Charles Edge, krypted.com
- FileMaker and OmniGraffle – Sal Soghoian
- Stop Apps From Installing Automatically On A Mac When Purchased On Another Mac Charles Edge, krypted.com
- Remote control a Mac from an iPhone via Workflow – Jason Snell, Six Colors
🍏Apple Support
- A Message to Our Customers – Apple
- iPhone Battery and Performance
- Apple Developer Program Membership Fee Waivers
- Adjust SMB browsing behavior in macOS High Sierra 10.13 (from November, but new to me)
♻️Updates and Releases
- jAlly (iOS): See information on device in Jamf Pro on you iPhone!
- Pythonista 3.2 (iOS): now can save and sync files in iCloud and open Python scripts from other apps
- Jamf Pro 10.2 Beta
🛠Open Source
- Ethenyl/JamfKit: A JSS communication framework written in Swift
- Build macOS packages with GCP Container Builder
📺To Watch
- jamJAR – What, Why, How – macmule
- The macOS School of Terminal Witchcraft and Wizardry – Mac Admin and Developer Conference 2017
- Armin Briegel talks self publishing and iBooks
🎧To Listen
📚Support
MacAD.UK Interview on self-publishing Books
To build up anticipation for their conference, MacAD.UK are posting articles and interviews with the speakers. Today, you can hear me speak about my books and process on self publishing and (seemingly but not really unrelated) how much I like the “Harry Potter” series.
Want to write a book? Armin Briegel Talks Self Publishing macOS and iBooks
And, yes, now it is official, I will speak at MacAd.UK. You will learn the topic in the interview.
Watch the interview and then go get my books!
NetInstall is Dead, too
Tim Perfitt of Twocanoes Software (Winclone, SD Clone, etc.) got an iMac Pro.
For obvious reasons he immediately looked at the details of the new boot process, and has found some details that were speculated about or unknown so far. Most of this happened on Twitter, which is quite hard to put together afterwards, so here is a summary. (There were several members of the Mac Admin community involved, thanks to all of them!)
Update: Tim Perfitt now has an excellent detailed post on his findings here.
- macOS build for the iMac Pro is 17C2120
- the iMac Pro will not NetBoot, even with Secure Boot disabled
- a local administrator’s password is required to disable Secure Boot or enable External Boot
- you cannot disable Secure Boot or enable External Boot before the first installation as there is no local administrator
- you can still erase the system volume without a local administrator’s password
- re-enabling Full Security in the Secure Startup Utility requires an internet connection
- resetting the NVRAM will reset SIP, but not the Secure Boot setting
- FileVault/Full Disk Encryption is not enabled by default
- Secure Boot requires an internet connection when it attempts to fix the boot files. This will not work with proxies. Also requires access to 17.* addresses.
- iMac Pros will still boot when offline
- for Bootcamp, Secure Boot will verify the Windows bootloader
- the iMac Pro does not only kill imaging and NetBoot, but also the remaining EFI ROM tones (also noted in this support article, startup chimes already went away with 2017 MacBook and MacBook Pro models, thanks to Arek for pointing that out)
- iMac Pro Essentials (iBook Manual)
- iMac Pro Help Pages
There are probably a few more details which will come out as other admins get their iMac Pros in the following days and weeks. But this gives us enough confirmation of facts to know:
NetBoot is dead!
Don’t Panic!
So the news of NetBoot’s demise has not been exaggerated. Also it is to be expected that all new hardware from Apple going forward will have Secure Boot and probably not NetBoot.
MacAdmins will all need to plan ahead and look at the options that are on the table for Mac management going forward.
There is speculation that the current TouchBar MacBook Pros might get Secure Boot added in a future update to 10.13. Even if that is not the case, then it is a safe assumption that future Mac releases will contain the T2 system controller or something similar and have the same Secure Boot features (or lack thereof).
Deployment Strategies Going Forward
Device Enrollment Program and Mobile Device Management (DEP + MDM) is certainly Apple’s deployment method of choice. They have been pushing this for a few years now and it has also been the way to manage iOS devices.
DEP is a process where a new device (iOS or Mac) is registered to your organization at purchase and you can assign it to your Mobile Device Management server through Apple’s website.
At its very first boot, the Mac will check with Apple’s DEP servers and get the MDM’s information, register with the MDM and then the management settings take over, adding configuration, software and, with some management systems, local tools to install and manage non-App Store software.
When a Mac’s system volume is erased and macOS is re-installed the process starts over, keeping the Mac managed by the same MDM.
Apple has also made DEP+MDM a requirement to manage Kernel Extensions without user interaction. Furthermore, Apple states that going forward, the “approved” level of MDM (either by DEP or explicit user interaction) will be used for more configurations in the future.
This is similar to “supervised” iOS devices. However, Apple provides two means to supervise an iOS device: with DEP and by manually connecting an iOS device to a Mac with Apple Configurator. The process with Configurator can be automated, aside from the manual connection. On macOS the manual (“user-approved” MDM enrollment) cannot be automated and cannot even be performed over remote control.
In general, DEP+MDM works well. It enables certain management styles and workflows that were not possible before. An organization can order a device from Apple or a reseller and have it sent directly to an employee. When the employee unboxes the new device it is registered with the organization’s MDM and receives configuration profiles and software, even when the device is off-site.
Apple and MDM vendors like to call this workflow “zero-touch” deployment, because the IT department does not have to touch the device. This is a great improvement for many Mac administrators.
However, there are a few downsides to DEP+MDM:
External Dependency
Apple’s DEP servers are an external dependency and a single-point-of-failure in the deployment workflow. There were a few outages of the DEP system this year. Even worse, Apple does not include the DEP service in their status overview page. This leaves Mac admins wondering if a problem is on their side or with Apple.
DEP availability
DEP is not available in all regions where Macs are sold. With imaging and NetInstall off the table, this leaves only manual installation and MDM enrollment/approval for management.
Also, a client has to be online and the network has to have access to Apple’s servers. This requires un-proxied access to Apple’s 17.* IP range. However, especially when you are outside of the US, the processes at installation may attempt to connect to other IP addresses as well.
With Apple Configurator an administrator can also add existing iOS 11 devices into DEP, not just new ones. This option is not available for existing Macs.
User Interaction
DEP + MDM allows devices to be enrolled automatically without requiring IT to touch a device. However, the process is not automated. There has to be a user present to interact with the Mac at several points during the initial setup. While profiles can manage and reduce the user input required during setup, there are a few steps you cannot automate away.
Also, the enrollment process will only install the management tools and then show the user the desktop. The actual installation of software packages takes place in the background and might take a long time. This can leave the user confused as to what is going on. Certain management options, such as enabling FileVault, may require a logout or restart, interrupting the user in whatever they started to do on their new Mac, or leaving the Mac in an insecure state until the user restarts.
This downside of DEP is so glaring that many open source solutions have sprung up to provide a user interface for the post-DEP initial configuration cycle.
(I am probably missing some, let me know!)
This innovation and initiative of individual admins and the community as a whole is admirable. Thanks to all who provide!
Either way, administrators using DEP + MDM have to be aware of the time required for the download and installation of large software packages and choose which pieces are absolutely required and which can be deferred to be installed later at a time of the user’s choice through a self service portal.
Software and Configuration Management
DEP handles the initial connection to the MDM. The MDM can push and enforce profiles to control some settings. The MDM can also initiate installation of (Mac) App Store software through the Volume Purchase Program (VPP).
To manage software and configurations that are not in the Mac App Store or not supported by configuration profiles, administrators need to install a local tool on the client system.
The MDM protocol provides a command called InstallApplication that will instruct a client Mac to download a pkg file and install it. For example, the Jamf Pro management suite uses this to install the jamf binary tool, which can then take over and perform many other management tasks that the MDM system does not provide.
Some management systems (so far I know of SimpleMDM and AirWatch, let me know if I missed any) allow admins to provide their own custom installer to install a local management tool (e.g. Munki, Puppet).
Notably, Apple’s reference MDM implementation, Profile Manager (part of the macOS Server app) does not allow for custom installs.
Erik Gomez has done outstanding work documenting his experiences with this process. The entire series is worth reading, but if you want to catch up quickly, the recent posts have a good summary of the status quo and a real-world implementation.
Offboarding, Re-installation and Re-purposing
Once the initial configuration is complete, MDM+VPP+management system will take care of installations and software updates. However, there are situations, where you will want to ‘nuke and pave’ or ‘wipe and re-install.’
There are many reasons an admin may want to do this, most of which involve ‘configuration drift’, i.e. over time, as more and more software gets installed and configured on a given system, errors and conflicts pile up and cause problems. At this point it is usually easier to ‘nuke and pave’ or ‘erase and install’ than to track down the actual conflicts.
In an ideal world, all the configuration owned by a user would be exclusively in that user’s home directory and you would only have to delete and recreate that user, rather than the entire system. However, we do not live in that world.
Many pieces of software store configuration in central locations, but still assume that these central locations are writable by the user. In most setups this is the case, because by default users are admins on macOS. However, this spreads configuration and other data all through the system, making it impossible to isolate all changes.
With imaging and NetInstall, admins could use the same workflow for the initial installation and configuration as for subsequent re-installations.
Furthermore, the process could be automated to the point where no local interaction was necessary, or just the minimal interaction of someone restarting a Mac and holding the ‘N’ key. From then on all steps could run fully automatically and without interaction. Furthermore, imaging with block copy was fast.
With High Sierra, Imaging is not supported anymore, except in very specific circumstances. Automated Installations with NetInstall are broken. And with the iMac Pro the option for NetInstall goes away completely. (Which may explain why automated NetInstall was not fixed in High Sierra.)
This leaves manually booting to (Internet) Recovery, erasing the startup volume in Disk Utility and re-installing macOS as the only means of re-installing a Mac. After the installation DEP should re-connect the Mac with the MDM and management should take over.
However, you cannot completely automate the DEP interaction, so after waiting ~30 minutes for the installation to complete, someone has to confirm a few dialogs before managed installation can kick in and do the rest of the work. All this interaction is time-consuming and error-prone.
“Erase all Contents”
On iOS, you rarely have to re-install the system. Instead there is a function ‘Erase all Contents and Settings’ which restores a device to a clean unconfigured state, from which DEP and then the MDM can take over. You can even send the wipe command over the air with an MDM. (On iOS you also have to manually confirm a few dialogs before DEP and MDM can take over, but the entire process is much faster.)
Until Apple provides this feature on macOS locally and remotely, admins who rely on fast restores either have to stay on Sierra, postpone new hardware purchases, or revisit and redesign their workflows.
This mostly affects education customers with lab deployments. Other large Mac deployments, where a Mac is “owned” by a single user, are less affected.
Sidenote on Mac App Store and VPP
Mac App Store applications have to be sandboxed, which means they cannot even access all of the user’s home directory, only their designated sandbox container. Managing these applications and their data is much easier than managing other Mac applications and tools, where anything goes.
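As an added example (not code from the original post), the following shell script checks an application bundle’s code-signing entitlements for the App Sandbox entitlement that every Mac App Store app has to carry, so you can see which of the installed apps keep their data inside a user’s home directory and which can spread it anywhere. It assumes macOS’s `codesign` tool, the standard entitlement key `com.apple.security.app-sandbox`, and the usual container layout `~/Library/Containers/<bundle identifier>`; the function and variable names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Report which apps in a directory are sandboxed, based on the
# com.apple.security.app-sandbox entitlement in their code signature.
# Assumes macOS with /usr/bin/codesign; the parsing itself runs anywhere.

# Read an entitlements plist on stdin and print "sandboxed" or "not sandboxed".
# `codesign -d --entitlements :-` prefixes the XML with a small binary header,
# so strip non-printable bytes and newlines and then match the key/value pair.
sandbox_status() {
    if tr -cd '[:print:]' | grep -q '<key>com\.apple\.security\.app-sandbox</key>[[:space:]]*<true/>'; then
        printf 'sandboxed\n'
    else
        printf 'not sandboxed\n'
    fi
}

# Where a sandboxed app keeps its data (assumed standard layout:
# ~/Library/Containers/<bundle identifier>).
container_path() {
    printf '%s/Library/Containers/%s\n' "$HOME" "$1"
}

# Print "<status>  <app path>" for every .app in a directory (default /Applications).
# Unsigned apps produce no entitlements and are reported as not sandboxed.
sandbox_report() {
    dir="${1:-/Applications}"
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not found; run this on macOS" >&2
        return 1
    fi
    for app in "$dir"/*.app; do
        [ -d "$app" ] || continue
        status=$(codesign -d --entitlements :- "$app" 2>/dev/null | sandbox_status)
        printf '%-14s %s\n' "$status" "$app"
    done
}
```

Run `sandbox_report` on a Mac to list `/Applications`. Apps reported as sandboxed keep their data under the path `container_path` prints for their bundle identifier, inside the home directory; the ones reported as not sandboxed are exactly those whose files you cannot isolate by deleting and recreating the user.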
On iOS, the App Store and VPP are the only means of distributing applications, and this is much simpler and manageable. However, the App Store rules prohibit entire classes of tools and services. While the Mac App Store enforces similar rules, users can still download and install applications and tools outside of the Mac App Store. For most Mac users, this is the defining advantage of macOS.
However, this higher complexity of software and deployment methods requires more complex deployment and configuration workflows.
MDM + VPP cannot handle this complexity, which is why management systems, such as Jamf Pro, Filewave, and Munki, exist and need to exist for macOS management.
Also, I need to say that not all software and installers need to be as complex as they are. Much software that comes with complex installation tools is unnecessarily complex and error-prone. Often the developers are just taking a cheap shortcut by assuming the current user has write access to the application bundle, has admin privileges, etc. This is a security problem as well as a deployment problem: an application bundle that a standard user can write to can be modified by anything running as that user, and the modified code runs the next time the application is launched.
However, there are still entire classes of professional software, that even if they did simplify their applications and installers, would not currently be allowed in the Mac App Store (IDEs and developer tools, hardware drivers, certain virtualization software features, anything that needs root access, etc.)
Also, the App Stores (on macOS and iOS) have features that cannot be purchased or distributed through VPP: in-app purchases and subscriptions cannot be purchased or distributed, and the recently added pre-orders at a special price also cannot be used with VPP.
Overall, I would love if all software were available in the (Mac) App Store and could be managed and distributed with VPP, but we are a long way from that reality.
Why all this?
By now it seems fairly obvious that Apple wants to get macOS system security to a point where only Apple can ever affect and change system software and firmware. That is a worthwhile goal. It means that your data is secure on an encrypted drive, with the decryption key locked in the Secure Enclave, while Apple can still design solutions like Touch ID and Face ID to unlock everything quickly.
To close the loop on all this security, the system needs to be able to verify and confirm that the software running the system (both the OS and the firmware) is up to date and in its original state.
Imaging, NetBoot and NetInstall bypass most of this security. I believe it could be possible to create a networked installation workflow with all the security in mind, but it might just not be worth the effort. Apple seems to think this is not worth doing right now.
And remember that imaging and NetInstall are not valuable in themselves, but they are valuable as tools to achieve something useful, namely: automated installation and configuration of Macs.
DEP + MDM + VPP gets us there in many situations. In many use cases, DEP allows for workflows that were not possible before. Other technologies in macOS High Sierra (snapshots) promise some more useful tools, but they are not quite there yet.
Right now the gap between what we currently use as admins and what will come down the road is getting really wide.
Where to go from here?
There are two things a system administrator needs to balance:
- provide a stable and efficient environment to manage the computers, software, configurations, and users
- adapt the environment and workflows for new and future requirements and technologies
These two goals are often at odds, and balancing them is a circus act in the best of times. Right now Apple is making our collective lives harder by shaking the rope we are standing on and throwing a few new balls into the juggling act at the same time.
Apple and the MDM vendors are providing a powerful new solution, DEP + MDM, which works well for some deployment styles (1-to-1 deployments).
History has shown that going against Apple’s vision of how their devices should be used will not result in a smooth experience. Take a good look at your deployments using imaging and NetInstall: might a different deployment scenario work?
In education, labs are often used because certain software is too complex or expensive to be provided on all laptops. In this case virtualization, switching to another software solution, or a different OS might be a solution. (And please let your Apple rep know you are considering switching to another OS. That is the great leverage we have on Apple to support better workflows.)
To buy some time, you could hold on to Sierra for a while longer. Right now, all Macs except the iMac Pro still support Sierra. As new hardware gets released next year, your options will dwindle. Maybe your organization can accelerate or postpone purchases with that in mind. This cannot last forever, but it can buy you some time.
However, any new Mac releases will, like the iMac Pro, require High Sierra and (most probably) have the same Secure Boot features. How will you support those when they are purchased? The high price of the iMac Pro might discourage purchases, but for how much longer? You will need to have an answer in place.
(Also, this is great argument that you need an iMac Pro for testing, now… 🙂 )
Your answer may very well be that you will have to accept the extra manual effort required to (re-)install High Sierra based Macs. However, then you had better have an idea of how much more effort and time will be required, to justify the extra workload to your organization.
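Knowing which Macs in a fleet already have the iMac Pro style firmware is the first step in sizing that extra effort. The following inventory helper is an added example, not code from the original post: it reads the bridge-chip section of `system_profiler` and tags the Mac accordingly, in the style of an MDM extension attribute. It assumes that `system_profiler SPiBridgeDataType` prints a `Model Name:` line naming the chip on Macs that have one (and nothing on Macs that do not) and that `sysctl -n hw.model` prints the model identifier; the function names and the tags `t2`/`no-t2` are mine, and the sample output in the comments is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Inventory helper: report the model identifier and whether this Mac has an
# Apple T2 chip, i.e. the iMac Pro style firmware with Secure Boot.
# Assumptions: `system_profiler SPiBridgeDataType` prints a "Model Name:"
# line naming the bridge chip on Macs that have one and nothing on Macs
# that do not; `sysctl -n hw.model` prints the model identifier.
# Constructed sample of the section this parses:
#   iBridge:
#       Controller Information:
#         Model Name: Apple T2 Security Chip

# Read SPiBridgeDataType output on stdin; print the chip name, or "none".
bridge_chip() {
    name=$(sed -n 's/^[[:space:]]*Model Name:[[:space:]]*//p' | head -n 1)
    if [ -n "$name" ]; then
        printf '%s\n' "$name"
    else
        printf 'none\n'
    fi
}

# Exit 0 when the chip name is a T2 (Secure Boot firmware), 1 otherwise.
is_t2() {
    case "$1" in
        *"T2 Security Chip"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Map a chip name to the deployment class used in the inventory line.
workflow_class() {
    if is_t2 "$1"; then printf 't2\n'; else printf 'no-t2\n'; fi
}

# One tab-separated inventory line for this Mac: model, chip, class.
# Macs tagged t2 cannot run Sierra or NetBoot and need the Recovery-based
# erase and install workflow; macOS only.
inventory_line() {
    if ! command -v system_profiler >/dev/null 2>&1; then
        echo "system_profiler not found; run this on macOS" >&2
        return 1
    fi
    model=$(sysctl -n hw.model)
    chip=$(system_profiler SPiBridgeDataType 2>/dev/null | bridge_chip)
    printf '%s\t%s\t%s\n' "$model" "$chip" "$(workflow_class "$chip")"
}
```

Collected from every Mac, the third column tells you how many machines already require the new workflow and how many can still be held on Sierra for a while.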
Test, test, test!
Do you have a DEP + MDM solution in place? Did you get the budget for it? Are you testing deployment workflows with it? For the past year and more, the writing has been on the wall that this is the way to go. If you haven’t started on this by now, you really, really have to.
Do you have an idea/solution on how to smooth the new deployment workflow for you or your users? Whether it is just an idea or a finished workflow, please discuss and share it in the MacAdmin community. The MacAdmins Slack is a great place to start. Maybe someone in the community will figure out how to use APFS snapshots to quickly and reliably restore a Mac to a well-known state before Apple does.
There are already some interesting ideas out there.
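The building block for such a snapshot-based restore, as an added example that is not part of the original post: the `tmutil` commands macOS 10.13 provides for APFS local snapshots, wrapped so a script can create a baseline and find it again later. It assumes that `tmutil localsnapshot` snapshots the startup volume, that `tmutil listlocalsnapshots /` prints one snapshot name per line in the form `com.apple.TimeMachine.YYYY-MM-DD-HHMMSS` (later systems append `.local`, which is tolerated), and that `tmutil deletelocalsnapshots` takes that date string; the function names are mine and the sample listing in the comments is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Create, find and delete APFS local snapshots with tmutil (macOS 10.13+).
# Assumptions: `tmutil localsnapshot` snapshots the startup volume and
# `tmutil listlocalsnapshots /` prints names like the constructed sample
#   com.apple.TimeMachine.2018-01-01-090000
#   com.apple.TimeMachine.2018-01-02-120000
# (newer systems append ".local"); the parsing functions run anywhere.

# Read a snapshot listing on stdin; print the snapshot dates, oldest first.
# The date format sorts correctly as plain text.
snapshot_dates() {
    sed -n 's/^com\.apple\.TimeMachine\.\([0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}\)\(\.local\)\{0,1\}$/\1/p' | sort
}

# Print the most recent snapshot date from the same input; fail if there is none.
newest_snapshot() {
    date=$(snapshot_dates | tail -n 1)
    [ -n "$date" ] || return 1
    printf '%s\n' "$date"
}

# Create a baseline snapshot of the startup volume and print its date.
# macOS only: needs tmutil.
take_baseline_snapshot() {
    if ! command -v tmutil >/dev/null 2>&1; then
        echo "tmutil not found; run this on macOS" >&2
        return 1
    fi
    tmutil localsnapshot >/dev/null || return 1
    tmutil listlocalsnapshots / | newest_snapshot
}

# Delete one snapshot by date, e.g. the baseline once it is no longer needed.
delete_snapshot() {
    [ -n "$1" ] || return 1
    tmutil deletelocalsnapshots "$1"
}
```

Two caveats keep this from being a restore workflow on its own. Time Machine manages local snapshots and thins them on its own schedule (Apple documents a 24-hour retention for them), so a baseline snapshot cannot be parked indefinitely. And rolling the startup volume back to a snapshot is done from Recovery through the Time Machine restore interface, which is exactly the kind of manual interaction the post is trying to get rid of.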
Maybe you’ve already done all this and found a setup that works for you. Well done! This would be a great time to present your solution and how you got there at a Mac Admin meeting or conference. Many other admins would love to learn from you. (Or just write a blog post.)
Talk with your Apple Reps, file bugs, etc. Don’t expect Apple to bring back imaging or NetInstall, but do point out the shortcomings of Apple’s solutions going forward.
The orchestration for Apple to get the new hardware and software components and pieces in place must be enormous. Some pieces take longer and with patience we will see how everything fits together.
We are living in interesting times!
Happy New Year 2018!
Weekly News Summary for Admins — 2017-12-22
Happy Holidays!
We made it! This is the last news summary for 2017. Presumably, much of the industry will take a break over the holidays and new year’s. Either way, I will and I hope you can, too.
If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here! (Same content, delivered to your Inbox once a week.)
#! On Scripting OS X
- iMac Pro Implications for Mac Admins
- Interesting Software on Sale in the AppStores
- On Twitter: “Mac Terminal #ProTip: Use shift-command-A to select the output of the last command (‘Select Between Marks’)”
📰News and Opinion
- Apple off to a promising start with its revamped pro Mac lineup
- Apple’s new Utility library will power up command-line apps – Paul Hudson
- Google Maps’s Moat – Justin O’Beirne
- NetBoot – a nail in the coffin? – Neil Martin
- Apple Rumored to Combine iPhone, iPad, and Mac Apps to Create One User Experience – Michael Tsai
- MOXiI 1st Ed now officially Free – Jonathan Levin
🔨Support and HowTos
- Jamf Pro 10.1.0 pulled
- Robert Hammen on Twitter: “Heads up #macadmins – Microsoft added a new version of Microsoft Remote Desktop (10.0.1) to the Mac App Store, as a new product, not an upgrade. Fun for VPP and Self Service users everywhere”
- Jason Broccardo on Twitter: “What @hammen is talking about with Microsoft RDC”
- mdmscripts/dep – Erik Gomez
- Use SF Mono Outside of Terminal and Xcode – Collin Donnell
- Custom DEP, Part 8: Things to look out for – Erik Gomez
- Custom DEP, Part 9: A practical example of InstallApplications, Crypt, DEPNotify and Munki – Erik Gomez
- Custom DEP Packages – Graham Gilbert
- MacBook Pro Requires Update to High Sierra to Fresh Install Windows Fall Creators Update (1709) – Tim Perfitt, Twocanoes Software
- Different block size of SSD in the same model MacBook Air – Tim Perfitt, Twocanoes Software
🍏Apple Support
Updated for iMac Pro
- Create a NetBoot, NetInstall, or NetRestore image – Apple Support
- How to select a different startup disk
- How to reset the System Management Controller (SMC) on your Mac
♻️Updates and Releases
- Jamf Pro 10.1.1
- Apple Configurator 2.6.1 Bug fixes for 2.6
- Microsoft Remote Desktop 10.1.0
🎧To Listen
📚Support
I do not have any ads on my webpage or this newsletter. However, if you want to support me and this website, then please consider buying one (or both) of my books. (Imagine it’s like a subscription fee, but you also get one or two useful books on top!)
If you have already bought and read the books, please leave a review on the iBooks Store. Reviews are important to help new potential readers make the purchase decision. Thank you (again)!