The fifth part of the my tutorial on using Swift with the Jamf Pro API is published over on the Jamf Blog. A post with some of the background for this tutorial (and presentation) is here.
I am gathering all the links to the tutorial on the presentation page. There will be at least one, but more probably two more installations!
This is the time of the year where we get regular updates for macOS, but not that many new features. It is also time where MacAdmins adopt the new versions, either by choice or because the 90 day deferral limit has expired for good a while back. This is a busy time for MacAdmins.
(Sponsor: Mosyle)
The only Apple Unified Platform for Business
Mosyle is the only solution that fully integrates Enhanced MDM, Endpoint Security, Internet Privacy & Security, Single Sign-On, and Application Management on a single Apple-only platform.
Click here to learn why Mosyle is all you need to work with Apple.
We also got the second beta for macOS 13.3 and iOS 16.4 and Apple is testing the new Rapid Security Response technology again. It is encouraging that they are testing this “in the field” and hopefully that will make a big difference in reliability.
If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)
It is here! The second edition of the wonderful and encompassing guide to everything Mac and iOS management: Apple Device Management Second Edition by Rich Trouton and Charles Edge. Many congratulations to them!
If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!
If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!
After a few weeks of releases, this week was a bit quieter. Still a nice selection of posts and articles, thanks to all the authors who share their experience.
(Sponsor: Mosyle)
The only Apple Unified Platform for Business
Mosyle is the only solution that fully integrates Enhanced MDM, Endpoint Security, Internet Privacy & Security, Single Sign-On, and Application Management on a single Apple-only platform.
Click here to learn why Mosyle is all you need to work with Apple.
If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)
If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!
If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!
Surprise update week! We got a security update for the Apple platforms and the new betas for macOS 13.3 and iOS 16.4
(Sponsor: Mosyle)
The only Apple Unified Platform for Business
Mosyle is the only solution that fully integrates Enhanced MDM, Endpoint Security, Internet Privacy & Security, Single Sign-On, and Application Management on a single Apple-only platform.
Click here to learn why Mosyle is all you need to work with Apple.
The security update is overshadowed by a fraction of managed clients booting to recovery during the update, which can be problem to overcome, when you have managed recovery lock.
If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)
If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!
If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!
Even though Apple still hasn’t released a beta for macOS 13.3 and iOS 16.4, there are several updates for tools from the MacAdmins community, be sure to check out that section.
(Sponsor: Mosyle)
The only Apple Unified Platform for Business
Mosyle is the only solution that fully integrates Enhanced MDM, Endpoint Security, Internet Privacy & Security, Single Sign-On, and Application Management on a single Apple-only platform.
Click here to learn why Mosyle is all you need to work with Apple.
If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)
The MacAdmins Foundation has announced that they can now provide Apple Developer ID signing identities to MacAdmin open source projects.
Open source projects for the Mac usually have the choice between not signing their software releases, or signing them with a personal or organizational Apple Developer ID, which cost a yearly subscription and, in the case of the personal ID, literally puts the name of the main lead in the signature.
The MacAdmins Foundation certificates now provide another option, that will be very attractive for some projects. Nudge is the first tool that has been released with a MacAdmins Foundation signature.
If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!
If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!
We have released a new minor version of Installomator. Version 10.3 contains several new labels and some very important fixes to existing labels. You can see the details in the v10.3 release notes.
We have also released a first beta for the v11.0 release.
Having a beta parallel to a new minor release is a new approach for us. The way Installomator is built, changes and additions to labels do not (well, should not) affect the hundreds of other labels. This allows us to add and update labels quite easily. (We have added and updated 205 labels since v9.2, and 37 labels since 10.2) The minor updates focus on adding new labels and updating the existing labels, mostly because the names or download URLs change on the vendor side. Since not everyone is comfortable with the intricacies of git and GitHub, frequent minor releases are important to keep Installomator working for everyone that uses it.
However, we want to update the script and functionality in the script, as well. But since any change to behavior of the main script might affect all 500+ applications, we have to tread very carefully here. Last year, we had an extended beta period for v10, which was necessary to identify some problems with the changes. However, we didn’t release new minor updates during that beta phase which means that many labels in the v9.2 release broke over the beta phase.
Because of this, I have studied some new git and GitHub skills. Now, there will be a minor release with new and updated labels, as well as a new beta for v11.0 with some new features, that we are quite excited about. We will keep this up until we deem v11 to be ready for production.
Do not use v11.0beta1 in production! That is what the v10.3 release is for. But please, test the beta in your testing environments and report all issues that you find. This will help us build a better, safe, and stable Installomator v11.0.
As always, many thanks to everyone who is helping to make this project so much better than I could have ever imagined…
How is it February already? Didn’t we just do New Year’s and that January thing?
(Sponsor: SentinelOne)
macOS Payloads: 7 Prevalent and Emerging Obfuscation Techniquese
Learn about the techniques behind the latest macOS threats and stay ahead of the game in protecting your enterprise. From hidden scripts and shell script compilers to obfuscated Python, Cobalt Strike and more.
A week has passed since the release of macOS 13.2 and iOS 16.3 and no beta for 13.3 and 16.4 yet. I don’t think we should read too much into this, but it is unusual.
If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)
Congratulations to all who got (or will get) the scholarship certifications and many thanks to the Mac Admins Foundation for making this possible!
The Penn State MacAdmins conference announced the date this week. Also, JNUC opened their registration. If you are planning to present at conferences, now is the time to start making plans. You can find a list of the conferences so far along with links to their information, registration, and ‘call for sessions’ pages on my conference page.
After three years of mostly virtual presentations, fun as they were, I have to remember that participating on-site in four or more conferences is probably not a wise choice…
If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!
If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!
Update week! As expected, we got the updates for macOS 13.2, iOS 16.3, and all the other updates that go along with these.
(Sponsor: SentinelOne)
The Complete Guide to Understanding Apple Mac Security for Enterprise
Everything you need to know to understand the strengths and weaknesses of the security controls built into Apple Macs and the macOS platform.
The day before macOS 13.2 was published was the day that a 90 day major upgrade deferral limit on macOS ran out. Because of the, well…, state of what is software update on macOS, this has some interesting and some unexpected side effects. (I talked about the state of software update in my Year 2022 summary.)
When you are managing a 90 day deferral on major macOS updates, a user on an MDM enrolled Mac will now see the full (~12GB) macOS 13 upgrade in the Software Update pane. Apple is withholding the smaller delta upgrade option from managed Macs because of a bug in macOS 12.3 through 12.6 that resulted in the delta upgrade ignoring the major deferral time, and using the minor deferral time instead. This bug was fixed in 12.6.1.
The user will see 13.0, and not 13.1 or 13.2, since those were released less than 90 days ago still fall under the limitation. However, after the Mac has completed the upgrade to 13.0, the 13.1 and 13.2 updates are minor updates and will fall under the (likely much shorter) minor upgrade deferral time. This means that after going through the trouble of upgrading to 13.0 the user will immediately see that 13.1 is available and then, whenever the minor deferral period for 13.2 is over, see the 13.2 update as well. This might lead to two or three updates within a few days, which is not the experience we want for our users.
The major deferral period is only useful for the first 90 days after the release of a major version of macOS. Afterwards it is actually somewhat detrimental, as it doesn’t prevent the major upgrade, but does prevent the user getting to the latest minor version in one step. I recommend MacAdmins that have set a major deferral to change its value to match the minor deferral period now, to avoid getting users getting double-hit by the upgrade-then-update workflow. Also, since 13.1 and 13.2 are offered as delta upgrades, this will reduce the download volume and overall time for the upgrade.
The other side-effect, however, is that delta-upgrades and updates can be started by non-admin users, which may or not be beneficial to your particular plans and workflows. Full updates (i.e. 13.0 on managed Macs), on the other hand, require admin privileges to start. This may give admins who want some extra time to defer upgrades to 13.0 a bit more time, because the trick of blocking the macOS Installer application for the full 13.0 upgrade will work, at least until the 90 day deferral on 13.1 expires.
In case you were wondering, that will be March 13. Apple has a support page for this.
When Apple prepares to release macOS 14 (Sequoia, I have been expecting macOS “Sequoia” for years…) in September, remember to change the major deferral back to your preferred value. Or you can follow Fraser Hess’s advice and ‘Embrace the upgrade.’
To be able to fully ’embrace the upgrade,’ you need to be downloading and testing the betas, not only with major updates, but through out the year. As Ed Marczak points out, MacAdmins really need to be signed up for AppleSeed for IT and actively testing the beta releases with their deployment. Testing with the betas should give you the time to verify and report issues, and, even when they can’t be fixed in time, be prepared with temporary update deferrals or instructions for the support team and users on how to mitigate the issues.
MacAdmins should also be following the MacAdmin news, events, and posts in the community, but if you are reading this news summary, you already are! When you happen to talk with someone who was blind-sided by all this, then please recommend they subscribe!
Note: links to support articles should go to the US versions as localizations might take a while to be available. Nevertheless, the Apple web site might redirect you to the localized version. You can select the localization in the lowest right corner of a Apple support page.
macOS 13.2 (22D49), 12.6.3 (21G419), 11.7.3 (20G1113)
If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!
If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!
Not only did we get release candidates for the iOS 16.3 and macOS 13.2 updates next week, but Apple also released new MacBooks Pro and a new Mac mini with M2 and M2 Pro and Max chips. Also, they released a second generation big HomePod.
(Sponsor: SentinelOne)
Top 10 macOS Malware Discoveries in 2022
How did threat actors change their TTPs in 2022? What new trends did we observe? Improve your defenses by understanding the most recent macOS malware families.
The Mac mini with the M2 Pro chip closes an annoying gap that Apple has had in their Mac portfolio. In the Intel Mac era, the use case for a powerful desktop Mac was covered by the high-end iMac and Mac mini, as well as the low-end Mac Pro. With M1 chips the Mac mini and iMac with M1 maxed out at 16Gb of RAM. The Mac Studio starts with the M1 Max chip at a higher price point. The Intel Mac mini sort had to fill that particular gap.
But the new Mac mini with the M2 Pro Chip nicely fills this slot, where is provides more CPU, GPU, RAM, and SSD than the ‘plain’ M1/M2 while staying below the Mac Studio’s price range.
I can see many uses for this “Mac mini Pro” especially for users who prefer the size, battery life, and price point of the MacBook Air over the more powerful 14″ and 16″ MacBooks Pro, but may want just that more power on their desktop connected to a multi-display setup. Also, lightweight video and audio editing stations that may have been limited by the ‘plain’ M1’s RAM limitation, should be fine with the Mac mini with the M2 Pro. One of the amazing aspects of the Mac mini is that its particular design has been nearly unchanged since 2010.
With the introduction of the Mac mini with the M2 Pro chip, Apple has also removed this second-to-last remaining Intel Mac, the 2018 space gray Mac mini with a 6-core Intel core i5 chip, from the store. The 2019 Mac Pro is now the last remaining Intel Mac.
There are still some weird empty spots left in the product line up. The iMac 24″ still has the ‘plain’ M1, and the ‘M2 or M2 Pro’ options would fit the iMac line nicely, too. Many are hoping for a larger iMac display option, but I am not so sure this is in Apple’s plans (I’d love to be wrong). The option to connect a second, external display on a potential ‘iMac with M2 Pro,’ could be a workable alternative, leaving the high-end, multi-screen setups to the Mac Studio and Mac Pro.
The other empty spots in the Mac line-up are at the extreme ends. The Apple silicon Mac Pro will be a challenge and come under intense scrutiny from the Pro users that need that level of power and expandability and those that claim to. A new, smaller MacBook in the style of the 12″ MacBook, or 11″ MacBook Air, which gives up some processing power in favor of size, portability, battery life and (maybe) price, would be quite interesting. I’d also like Apple to take a stab at a ‘Mac nano’ closer in size to the Apple TV, which can be powered over USB-C/Thunderbolt and connected to a display or dock with a single cable.
It is also rare that Apple revives a product after discontinuation, which makes the new 2nd generation HomePod quite intriguing. The original HomePod was never for sale in my region, so I set up two pair of IKEA’s Symfonisk speakers in our house, which work fine. But I wish the Sonos software which powers the Symfonisk speakers would support HomeKit and Shortcuts better, or at all. I also have a single HomePod mini. The options to ‘move’ music (and radio and podcasts) from the phone or Mac to the HomePod are more powerful than on the Sonos software, but the Siri-only interface is still bewildering to me. There is also an interface to control the HomePod in the Home app, but that also seems quite unintuitive. On the other hand, the size of the HomePod mini allows me to take it on travels, which I think is wonderful.
In non-hardware news, the X World conference has announced dates for their conference in Melbourne, Australia on March 30 and 31 making it the next upcoming MacAdmin conference.
As always, you can find an overview on my conference page.
If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)
I want to take this as chance to explain my treatment of Twitter going forward for now:
I have always used third-party Twitter clients (mostly Tweetbot) over the web interface or their native app. I have always found the web interface confusing, grating, and just too much attention-seeking. I had stopped interacting on Twitter after the takeover and only used it to catch up with some accounts which I have not found to be elsewhere.
I was expecting the worst for Twitter after the takeover, but even so, the utter lack of respect, decency, and humanity shown to employees, advertisers, users/creators, and now third-party developers has been shocking.
I understand that Twitter as a business was probably in for some tough times either way. But economic pressure is no excuse for this crass, and cowardly behavior. You should not assume malice where incompetence is an explanation. In this case, though, it just might be both.
I have stopped reading Twitter entirely. I am in the process of removing Twitter references from my pages. (Though I might not have found every reference yet.) Weblog entries will still automatically post to Twitter, but I will not engage there any more, at all.
It used to be that Twitter would provide a majority of the traffic going to my weblog, second only to search engines. This started to change earlier last year with a significant drop in November, which continues to this day. Other social media such as the Mastodon Fediverse and LinkedIn seem to making up for that drop and I am active and engaged there, as well as the MacAdmins Slack.
If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!
If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!
Happy New Year 2023!
Back after the winter holiday break and things are already going strong!
(Sponsor: SentinelOne)
7 Ways Threat Actors Deliver macOS Malware in the Enterprise
Learn how to build more resilient defenses by understanding the vectors threat actors use for initial compromise on macOS endpoints.
Many of you seem to have taken the time to post a lot of interesting articles and tools. Many interesting posts and releases. Thanks to everyone!
MacDevOpsYVR 2023 is announced for June 21-22, 2023 in Vancouver, Canada! (Speaker Application form at bottom of that page)
If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)
for everything in $(Installomator.sh) ; do Installomator.sh $everything ; done Also my new speedtest.”If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!
If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!