iMac Pro Implications for Mac Admins

The first iMacs Pro will ship this week to some lucky buyers, just in time to keep Apple’s promise of shipping this year.

Now that we have all gotten over the sticker shock when you max out the configuration in the Store, what does the new tech in iMac Pro mean for admins?

Secure Boot

First is the new secure boot. iMac Pro comes with Secure Boot enabled and External Boot disabled. You can disable (or moderate) the settings in the new ‘Startup Security Utility’ in Recovery.

With secure boot enabled, a Mac will verify the integrity of the OS and confirm with Apple before booting. It may require an update to be installed before continuing to boot.

Somewhat surprisingly, Secure Boot on the iMac Pro will verify the integrity of a BootCamp/Windows installation as well as macOS. (The continued persistence of BootCamp makes me wonder what Apple uses it for internally.)

The support article seems to imply that on the strongest setting, the iMac Pro might force an update before you can boot. We will have to wait and see how far back Apple will “trust” older versions of macOS.

By default an iMac Pro will not boot from an external device. This setting can be changed in the ‘External Boot’ area of the Startup Security Utility.

You can still boot to the Startup Manager with the option key but when you select an external drive you will get an error message. You can only select internal drives with the option key.

Both of these settings can probably only be disabled manually in Recovery mode. This renders most automated installation and imaging procedures useless. Also, the support article states that you have to enter a local administrator password to change the setting. This can also be difficult in settings where a tech or admin might not know a local password.

NetBoot

Prohibiting External Boot will (probably) also prohibit NetBoot and NetInstall. However, Apple updated their support article “Create a NetBoot, NetInstall, or NetRestore image” with the note:

iMac Pro computers don’t support starting up from network volumes.

Also the support article “Mac startup key combinations” has added this to the description of the ‘N’ key:

iMac Pro doesn’t support this startup key.

It is as of yet unclear if this means that iMac Pro will not NetBoot under any circumstances, or if it will NetBoot, but not in the default configuration, and you have to disable the boot security first.

The phrasing in the articles seems clear, but it may be an error/omission. If you happen to get your hands on an iMac Pro and can test NetBoot/NetInstall, please let me (and everybody else) know.

The other question that remains is whether Internet Recovery still works on the iMac Pro. There has not (yet) been an amendment to the Internet Recovery support article. Internet Recovery is a form of NetInstall as well, albeit with a different discovery method.

Imaging is dead and NetInstall is not doing so well

So, as predicted, the iMac Pro puts yet another nail in the coffin of imaging. You will have to run the iMac Pro in a lowered security mode, for it to accept an OS that was not installed on itself and verified by the internal T2 system controller chip.

While it is still possible to disable the boot security, this has to be done manually. There is no way to automate the deactivation, much like you cannot automate disabling SIP.

Finally, NetInstall might not work at all, even when the boot security is disabled. And even if NetInstall does still work on the iMac Pro, NetInstall is still quite broken in High Sierra: additional pkgs have to be in just the right format to work, automated installations are broken, and you cannot initiate a NetInstall remotely through a script or the management system, but have to be physically at the machine and hold the ‘N’ key. (all of these affect all Macs, not just the iMac Pro)

And even when you have managed to get all of these to work, new security features like UAKEL and UAMDM might still require an administrator to touch all the machines again after re-imaging.

“Zero-touch” deployment

When you consider the standard use case, where a Mac is in possession of a single user (whether it is owned by that user or organisation) then most of these problems are fairly easy to work around with some user guidance and education. DEP enforces enrollment and tools like SplashBuddy and DEPNotify can make the process more understandable for the user.

“Zero-touch” deployment in this case means that the IT department will not have to touch the device. Even though you can automate much of the configuration, the enrollment is not entirely automatic: the process still requires the user to be at the Mac and fill in or confirm some dialogs.

However, for other deployment scenarios, especially general access labs in education, this breaks existing workflows. You never know what the users (and applications) are going to do to a system, even if they don’t have administrative privileges. Re-imaging rather than figuring out which configuration is broken is a quick and efficient remediation for many problems.

Many professional software packages are notoriously hard to install in an automated fashion and even harder to de-install cleanly. In addition, this kind of software tends to have very strict licensing terms and high prices. “Wipe and re-install” is a simple and fast workflow to ensure software and drivers are removed cleanly and to repurpose a Mac (or an entire lab of Macs) for a different task (e.g., switch a video or audio lab to a lab with engineering and math software). Many admins have fully automated touch-free workflows that can be started remotely through ssh, Apple Remote Desktop or a management system.

Not only do all of these workflows have to be re-visited and re-built without imaging, but they will not be able to run without user interaction. Without NetInstall (or if NetInstall remains broken) the user interaction may be non-trivial.

To wipe and re-install an iMac Pro, an admin has to boot to Recovery, manually erase the drive in Disk Utility and then start the installation process. The tech or admin will have to know and enter a local administrator password. Even with DEP, there are a few dialogs after the installation that need to be confirmed manually before DEP and any automation from the management system can start their work.

True “Zero-touch” (re-)deployment, where no-one has to physically touch the Mac, is not possible with Apple’s currently supported toolset for High Sierra and iMac Pro.

The Missing Piece

If macOS had an “Erase All Content and Settings” option like iOS does, then you could do a quick reset and with DEP + management system quickly restore a Mac to the previous (or a new) configuration. On iOS this is achieved by keeping the system on a separate volume from apps and user data. This separation would not be quite so easy on macOS, but with APFS snapshots the system could create (and preserve) a snapshot after a clean installation and provide hooks for scripts and management systems to restore to that.

It is quite frustrating that this option does not yet exist. Apple is removing older workflows from the toolset without providing a functioning alternative. If Apple decides to implement this function in macOS and enable its automation from an MDM, then you have the best of both worlds: the advanced security, and automation and management for admins!

Make Noise

Apple seems to be unaware of or indifferent to these methods and workflows. Most enterprise customers might not be affected by them. Those customers that are need to let Apple know through the usual means: your sales reps, your support contact (if you have one) and by filing bugs.

If you are at an institution that is considering buying a classroom full of iMacs Pro, you will have large financial leverage with this deal. So let your sales reps and engineers know of your issues, but also be understanding that they might not have a solution for you right away.

Even so, DEP and MDM will be a major part of whatever solution you will have to use in the future. If you have not started working on your implementation yet, there is no time like the present.

Maybe you can use this article to convince your management to purchase an iMac Pro so you can test it. If that actually works, let me know. 😉

Interesting Software on Sale in the AppStores

I am working on a post on the iMac Pro, but then Apple dropped a few interesting support articles and I have to re-write the entire thing.

Until then, I found a few interesting sales going on in the App Stores (iOS and Mac). Not sure how long these sale prices will be on for, so go get them! I use all of these apps regularly and recommend them often. App Store links are affiliate links, so every purchase supports Scripting OS X.

Happy Holidays!

Edovia Screens: iOS, Mac

My favorite VNC/screen sharing application on iOS. Sale is for both Mac and iOS versions.

Byword: iOS, Mac

This is the app I use to write the posts for the newsletter and this blog. It is a simple yet useful markdown editor. Publishing directly from Byword to a weblog site is a free In-App-Purchase. (Not sure if this is part of the sale.)

Duet Display: iOS

Turn your iPad or iPhone into a second (or third) screen for your Mac. Duet Display requires a USB-Lightning cable connection to a Mac, but then you can use that nice retina iPad screen as extra desktop space.

Junecloud Deliveries: iOS, Mac

My favorite package tracking software. This sale is for the Mac App Store.

Weekly News Summary for Admins — 2017-12-15

Apple certainly had a lot more stuff to deliver before the holiday break. This week we got an update for the Airport base stations, a(nother) minor bug fix for iOS 11 (fixing a HomeKit security hole) and, finally, the iMac Pro.

The iMac Pro is of course the new flagship Mac, outshining even the Mac Pro and MacBook Pro, at least for a while. While the price is definitely daunting, remember the “normal,” non-Pro iMacs are still around and you can still buy a decent retina screen iMac starting at around $1500. (I refuse to consider any Mac without an SSD to be “decent.”)

Interestingly for admins, the iMac Pro comes with the predicted Secure Boot. There is a UI to disable it, though how you manage that setting is yet to be determined. Also, you can “restore” an iMac Pro over a Thunderbolt 3 cable with Apple Configurator 2.6. This is presumably to fix a broken firmware for the T2 processor, which controls (among other things) the Secure Boot process. There will be more interesting discoveries when MacAdmins actually get their hands on these.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

#! On Scripting OS X

📰News and Opinion

🔨Support and HowTos

🍏Apple Support

♻️Updates and Releases

🎧To Listen

📚Support

I do not have any ads on my webpage or this newsletter. However, if you want to support me and this website, then please consider buying one (or both) of my books. (Imagine it’s like a subscription fee, but you also get one or two useful books on top!)

If you have already bought and read the books, please leave a review on the iBooks Store. Reviews are important to help new readers make the purchase decision. Thank you (again)!

Weekly News Summary for Admins — 2017-12-08

Another Update week. Apple rushed iOS 11.2 to pre-empt a(nother) weird date related bug. Then later that week we got the other related updates for watchOS, tvOS and macOS (10.13.2).

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

#! On Scripting OS X

Twitter:

📰News and Opinion

🔨Support and HowTos

🍏Apple Support

♻️Updates and Releases

🎧To Listen

📚Support

I do not have any ads on my webpage or this newsletter. However, if you want to support me and this website, then please consider buying one (or both) of my books. (Imagine it’s like a subscription fee, but you also get one or two useful books on top!)

If you have already bought and read the books, please leave a review on the iBooks Store. Reviews are important to help new readers make the purchase decision. Thank you (again)!

Weekly News Summary for Admins — 2017-12-01

What a ride this week!?

If you were living under a rock, here is the quick rundown: someone notified AppleSupport on Twitter of a major security hole in High Sierra. You could get root access to a Mac by following a few simple steps at a login pane or window. It also worked remotely. Thankfully the MacAdmin community jumped right onto it and we had a workaround available very quickly. Also a nickname: “IAmRoot”. Apple then provided a patch in just about 24 hours… and then another one a few hours later. (The first one broke the Local KDC file, prohibiting file sharing access.)

The patch is being (interestingly) pushed automatically without user interaction to Macs with 10.13.0 and 10.13.1.

Excellent Summary from MacMule

You can (justifiably) make arguments that errors like this are inexcusable. However, they do happen, and I learnt a lot from MacAdmins Slack about the issue, this kind of security and more about how passwords and accounts work. So thanks (once again) to the MacAdmins community for everyone who put their time into this. And also thanks to the Apple engineers involved: I can only imagine what a task it must be to push a fix like this within a day.

Because of this, most other news seems to have been swamped, but you should also not miss an updated support article by Apple, where they describe the upcoming ‘User Approved MDM.’

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

#! On Scripting OS X

📰News and Opinion

🔨Support and HowTos

🍏Apple Support

📺To Watch

🎧To Listen

📚Support

I do not have ads on my webpage or this newsletter. However, if you want to support me and this website, then please consider buying one (or both) of my books. (Imagine it’s like a subscription fee or Patreon, but you also get a useful book on top!)

If you have already bought and read the books, please leave a review on the iBooks Store. Reviews are important to help new potential readers make the purchase decision. Thank you (again)!

Weekly News Summary for Admins — 2017-11-24

Happy Thanksgiving week to the readers in the United States. To everybody else: happy last weekend of November.

I put a few Black Friday Deals I found at the end of the summary.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

#! On Scripting OS X

📰News and Opinion

🔨Support and HowTos

🍏Apple Support

♻️Updates and Releases

Black Friday Deals

📺To Watch

🎧To Listen

📚Support

To support Scripting OS X, consider buying one (or both) of my books. Thank you!

If you have already bought and read the books, please leave a review on the iBooks Store. Reviews are important to help new potential readers make the purchase decision. Thank you (again)!

Another Update for Packaging Book

I pushed another update for “Packaging for Apple Administrators.”

Greg Neagle posted an article recently where he describes how he sleuthed a way past an annoying High Sierra bug.

In High Sierra when you add more than one package to a custom NetInstall workflow with System Image Utility or startosinstall all the custom packages will fail.

Greg’s workaround involves adding an identifier and version to each of the distribution packages. It is still an open question why this data is required, but the workaround is easy enough.

I have added a section on how to do this to the “Building Distribution Packages” section of the book. As always: if you have already purchased the book, you can download the update with new content for free in the iBooks application on your Mac, iPad or iPhone. Or go and get the book now!

Rich Trouton also updated his “First Boot Package Install Generator Tool” to provide this data.

On the macOS Version

In many administration scripts, you need to check the version of macOS, to make sure you don’t try to access features that are not present on other versions.

Note 2020-09-09: I have a new post about this, updated for macOS 11 Big Sur: macOS Version Big Sur Update

Getting the Version

On macOS you can get details on the version of the currently running system with the sw_vers command:

$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.13.1
BuildVersion:   17B48

You can add the -productVersion argument to get just the product version number:

$ sw_vers -productVersion
10.13.1

The first part of the version number (“major” version) is always 10 (so far). The second part (“minor” version) denotes the version of macOS (11: El Capitan, 12: Sierra, 13: High Sierra, etc.) and the third (“patch” or update version) the update number. (Useful list of macOS versions and names on Wikipedia.)

Note: because the first part of the version for macOS is always 10, some call the second number the major version of macOS and the third the minor version. It does not really matter as long as you are explicit what you mean and remain consistent. Documentation in code helps avoid confusion.

You can test for a specific version with string comparison:

if [[ $(sw_vers -productVersion) == "10.12.6" ]]; then
    echo "Sierra"
fi

This will get tedious when you need to check for many patch versions. The [[ operator lets you use the asterisk * as a wildcard in string comparisons:

os_ver=$(sw_vers -productVersion)
if [[ "$os_ver" == 10.13.* ]]; then
    echo "macOS High Sierra"
elif [[ "$os_ver" == 10.12.* ]]; then
    echo "macOS Sierra"
else
    echo "(Mac) OS X something"
fi

But even that can get tedious when you have a range of minor versions. Often you want to check for the minor version to be higher than a certain number (e.g. “Mavericks and later”).

Splitting the Version

You could split the version into its parts with awk:

echo "minor version:" $(sw_vers -productVersion | awk -F. '{ print $2; }')
echo "patch version:" $(sw_vers -productVersion | awk -F. '{ print $3; }')

This works well, but is a bit unwieldy.

You can also split the version string into a bash array:

os_ver=$(sw_vers -productVersion)

IFS='.' read -r -a ver <<< "$os_ver"

echo "minor version: ${ver[1]}"
echo "patch version: ${ver[2]}"

The read command splits the string into a bash array with the periods as a separator. There is a lot going on in this command, so let’s have a look at the pieces.

First we assign ‘.’ to the IFS shell variable. Characters in the IFS (“Internal Field Separator”) variable are used by bash to split strings into their pieces. The normal IFS variable consists of the whitespace characters: space, tab and newline. However, we want to change this so that the read command splits at the periods in our version string. Writing the variable assignment directly in front of the command, without a separator, tells bash to change the IFS variable just for that one command. This way the standard IFS variable is not affected.

The read command splits the input into an array and assigns it to the ver variable. Then we can get the elements in the ver array using the ${ver[index]} notation. (bash arrays are zero-indexed, so the first element ${ver[0]} will always be 10.)

Once you have split out the parts of the version string, you can then use them for numerical comparisons:

if [[ "${ver[1]}" -ge 9 ]]; then
    echo "somewhere in California"
elif [[ "${ver[1]}" -ge 2 ]]; then
    echo "officially a feline"
else
    echo "secretly a feline"
fi
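
The same split-and-compare idea, generalized a little, as an added example that is not code from the original post: a bash function that compares two dotted version strings numerically, component by component, so that “10.10” correctly counts as newer than “10.9.5” (a plain string comparison would sort it the other way) and “10.13” is treated as “10.13.0”. The function names and the fallback version value are my own; on a Mac the version comes from sw_vers -productVersion, elsewhere a constructed sample is used so the script still runs.

```bash
#!/bin/bash
# Added example, not code from the original post: compare dotted version
# strings numerically, one component at a time. A string comparison would
# put "10.9.5" after "10.10"; this does not.

# Print component $2 (0-based) of the dotted version string $1.
# A missing component prints as 0, so "10.13" behaves like "10.13.0".
version_part() {
    local -a parts
    IFS='.' read -r -a parts <<< "$1"
    local p="${parts[$2]:-0}"
    p="${p%%[^0-9]*}"        # keep the leading digits only, so "1b2" reads as 1
    printf '%s\n' "${p:-0}"
}

# Return 0 (true) when version $1 is greater than or equal to version $2,
# looking at up to four components (major.minor.patch.extra).
version_at_least() {
    local i a b
    for i in 0 1 2 3; do
        a=$(version_part "$1" "$i")
        b=$(version_part "$2" "$i")
        # 10# forces base 10, so a component like "08" is not read as octal
        if (( 10#$a > 10#$b )); then return 0; fi
        if (( 10#$a < 10#$b )); then return 1; fi
    done
    return 0   # every compared component was equal
}

# The minor version ("13" for 10.13.1) that most admin scripts branch on.
macos_minor() { version_part "$1" 1; }

# Use the running system's version on a Mac; elsewhere fall back to a
# constructed sample value so the script still runs.
os_ver=$(sw_vers -productVersion 2>/dev/null || echo "10.13.1")

if version_at_least "$os_ver" "10.9"; then
    echo "$os_ver is Mavericks or later (minor version $(macos_minor "$os_ver"))"
else
    echo "$os_ver is older than Mavericks"
fi
```

Because the comparison stops at the first component that differs, a check like version_at_least "$os_ver" "10.12.6" works for patch releases too, without listing every 10.12.x and 10.13.x pattern by hand.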

Get the macOS version from other Volumes

The sw_vers command only shows the version for the currently booted system. System administrators often need to know the version of the OS installed on a different volume. Usually this happens in the context of installations. In installation scripts the installer system will pass the path to the target volume as the third argument $3.

To learn all about installer packages and installation scripts, read my book “Packaging for Apple Administrators”.

On macOS the system version information is also stored in a property list file in /System/Library/CoreServices/SystemVersion.plist. In an installation script (postinstall or preinstall) you can get the target system version with:

/usr/libexec/PlistBuddy -c "print :ProductVersion" "$3"/System/Library/CoreServices/SystemVersion.plist

Learn all about PlistBuddy and Property Lists in my book “Property Lists, Preferences and Profiles for Apple Administrators”.

macOS Installer applications have the version of macOS that will be installed in yet a different file. Tim Sutton has already documented this here.

Other Applications’ Versions

Obviously, you can use this approach on other version numbers as long as they follow the scheme of “numbers separated by dots.” (Not all applications do.)

To get the version of a macOS application you can read the CFBundleShortVersionString from the Info.plist file in the app bundle:

/usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Xcode.app/Contents/Info.plist
9.1

Some applications do not have a CFBundleShortVersionString and then you should fall back to the CFBundleVersion key.

infoPath="/Applications/Xcode.app/Contents/Info.plist"
appVersion=$(/usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" "$infoPath")
if [[ -z "$appVersion" ]]; then
    appVersion=$(/usr/libexec/PlistBuddy -c "print :CFBundleVersion" "$infoPath")
fi

Build Number

Note: I have updated this section, because I got a few things wrong. Thanks to the participants of this Slack discussion.

Aside from the numerical version number or product version, macOS also has a build number, which follows a different schema. The first part is a number which matches the “Darwin version” of macOS. Mac OS X 10.0 had a Darwin version of 4 and that number has increased with every version of Mac OS X. Currently, macOS High Sierra 10.13 has a Darwin version of 17. Then follows a single capital letter, with A being the first release of a version (i.e. the 10.x.0 version), B the first patch update (10.x.1) and so on.

Finally, the last number is the build number. The build number is usually incremented during Apple internal development. You can see the build number increasing during beta releases.

However, sometimes Apple will release hardware specific versions of macOS which usually have four digit build numbers (usually starting with a 2). Also security updates and other “unexpected updates” can change the build number (usually to four digits starting with a 1) without changing the numerical version number.

Sometimes there might be an ‘a’ appended to the build number. This means that there was an update to the installer, but not to the code inside the installer. This frequently (but not exclusively) happens during the beta phase.

Thanks to Elliot Jordan we have a great infographic!

Because of this it can also be useful to parse the build number out of the build version. Since the first two parts of the build version are directly mapped to the numerical version, we are only interested in the number:

os_ver=$(sw_vers -productVersion)
IFS='.' read -r -a ver <<< "$os_ver"   # ver[1] is the minor version, as above

build_ver=$(sw_vers -buildVersion)
if [[ "${ver[1]}" -le 5 ]]; then # 10.5 was darwin 9, 10.6 darwin 10
    build_number="${build_ver:2}" # single-digit darwin version: ignore first two characters
else
    build_number="${build_ver:3}" # two-digit darwin version: ignore first three characters
fi

if [[ ${build_number: -1} == 'a' ]]; then
    build_number="${build_number%a}" # drop the trailing 'a' installer revision marker
fi

echo "build number: $build_number"
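
A more general way to take the build version apart, as an added example that is not code from the original post: a bash regular expression matches the digits, the capital letter, the build number and an optional trailing ‘a’, so the one- or two-digit Darwin number no longer has to be inferred from the macOS minor version. The function names are my own, the build_kind heuristic only restates the “usually” rules from the paragraphs above, and the build strings other than 17B48 (which appears earlier on this page) are constructed sample values.

```bash
#!/bin/bash
# Added example, not code from the original post: parse a macOS build version
# such as "17B48" or "9L31a" with a regular expression instead of a fixed
# character offset. Sample build strings are constructed for illustration.

# Match "<darwin><letter><build>[a]" and print the four parts space-separated,
# e.g. "17B48" -> "17 B 48 " and "9L31a" -> "9 L 31 a". Fails on anything else.
parse_build_version() {
    if [[ "$1" =~ ^([[:digit:]]+)([[:upper:]])([[:digit:]]+)([[:lower:]]?)$ ]]; then
        printf '%s %s %s %s\n' "${BASH_REMATCH[1]}" "${BASH_REMATCH[2]}" \
                               "${BASH_REMATCH[3]}" "${BASH_REMATCH[4]}"
    else
        return 1
    fi
}

# Print field $2 (0-based) of the parsed build version $1; fail if it does not parse.
build_field() {
    local parsed
    parsed=$(parse_build_version "$1") || return 1
    local -a p
    read -r -a p <<< "$parsed"
    printf '%s\n' "${p[$2]}"
}

darwin_version_of()     { build_field "$1" 0; }   # "17" for 17B48
release_letter_of()     { build_field "$1" 1; }   # "B"  for 17B48 (10.x.1)
build_number_of()       { build_field "$1" 2; }   # "48" for 17B48
installer_revision_of() { build_field "$1" 3; }   # "a"  for 9L31a, empty otherwise

# Heuristic from the post: four-digit build numbers starting with 2 are usually
# hardware-specific builds, those starting with 1 usually security or
# supplemental updates that leave the product version unchanged.
build_kind() {
    local n
    n=$(build_number_of "$1") || return 1
    case "$n" in
        2???) echo "hardware-specific build" ;;
        1???) echo "supplemental or security update" ;;
        *)    echo "regular release" ;;
    esac
}

# Use the running system's build on a Mac; elsewhere fall back to a
# constructed sample value so the script still runs.
build_ver=$(sw_vers -buildVersion 2>/dev/null || echo "17B48")

if parse_build_version "$build_ver" >/dev/null; then
    echo "build version $build_ver: darwin $(darwin_version_of "$build_ver"), build number $(build_number_of "$build_ver"), $(build_kind "$build_ver")"
else
    echo "unrecognized build version: $build_ver" >&2
fi
```

Because the pattern is anchored at both ends, a product version such as 10.13.1 or an arbitrary string is rejected rather than silently sliced at a fixed offset, which is the failure mode of the substring approach when the Darwin number has a different number of digits than expected.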

You can get all this code in a sample script I posted on gist.

Weekly News Summary for Admins — 2017-11-17

Another productive week. If you have no time to read anything else, at least take a moment to bookmark Charles Edge’s list of tools for Apple Administrators.

Also, greetings to everyone at MacTech Conference this year! And the JNUC sessions are available on YouTube. Much to read/watch/listen to and catch up on!

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

#! On Scripting OS X

📰News and Opinion

🔨Support and HowTos

🍏Apple Support

♻️Updates and Releases

MacTech Conference Session Notes

📺To Watch

🎧To Listen

📚Support

To support Scripting OS X, consider buying one (or both) of my books. Thank you!

If you have already bought and read the books, please leave a review on the iBooks Store. Reviews are important to help new potential readers make the purchase decision. Thank you (again)!