Weekly News Summary for Admins — 2023-01-13

Happy New Year 2023!

Back after the winter holiday break and things are already going strong!


(Sponsor: SentinelOne)

7 Ways Threat Actors Deliver macOS Malware in the Enterprise

Learn how to build more resilient defenses by understanding the vectors threat actors use for initial compromise on macOS endpoints.



Many of you seem to have taken the time to post a lot of interesting articles and tools. Many interesting posts and releases. Thanks to everyone!

MacDevOpsYVR 2023 is announced for June 21-22, 2023 in Vancouver, Canada! (Speaker Application form at bottom of that page)

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

Highlights

News and Opinion

macOS Ventura and iOS 16

macOS and iOS Updates

Social Media

  • Andrew MacKenzie on Twitter: “Installomator is my new benchmarking tool. for everything in $(Installomator.sh) ; do Installomator.sh $everything ; done Also my new speedtest.”
  • Adam Tomczynski on LinkedIn: “To help you learn and prepare for the Apple Device Support exam, I created flashcards with the documentation provided by Apple.”

Security and Privacy

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Listen

Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

The Year 2022 for MacAdmins

It’s been quite a while since I last did a year-end review for MacAdmins. A lot has happened since then. Surprisingly, some things have not made much progress at all, while others have been quite dramatic. This post will be a mix of what has happened in the last four years, and mostly what has happened more recently this year.

Upgrade and update schedule

Apple’s calendar, and thus the year for MacAdmins (note: I am using this term to include admins that manage all Apple devices, even when you don’t manage Macs, specifically), is dominated by WWDC in June and the major platform OS releases which happen in September/October. The “Spring Updates” in the March/April time frame have become another marker in the year, as Apple often adds features specifically for education and enterprise to these “minor” releases.

Apple has begun to defer major new features from the main ‘dot-zero’ releases to later updates. SharePlay was added to Monterey and iOS in the December update and Universal Control (my favorite new feature on the Apple platforms) had to wait until 12.3, where it was added as a beta. This year, iCloud data security and the new Freeform app were released with macOS Ventura 13.1 and iOS 16.2. Other features promised at WWDC, such as Rapid Security Response updates, or using physical security keys with your Apple ID, are still outstanding but appeared in the 13.2 beta.

We can only guess at the motivations for this spread-out feature release. It could be that pandemic logistics led to the delays, or maybe Apple has been planning it this way all along. Overall, I think this is an improvement. Major, once-a-year releases are a relic of the past, when software companies had to pack lots of new features into releases to justify the price of the upgrade. Remember when Microsoft and Apple used to charge for major system updates?

Nowadays, we don’t pay for system updates anymore, at least not directly. As our devices are now “always on” and “always connected” and store and connect to so much critical, personal, and sensitive data, keeping devices up to date protects from a vast number of bugs and security issues. This is consistently the number one piece of advice for improving your security stance, and rightly so. Free upgrades and updates remove a barrier to adoption. Spreading relevant improvements and features across “minor” updates should also motivate users and organizations to adopt updates faster.

Apple’s productivity apps (formerly known as ‘iWork’ and what is left of ‘iLife’) and ‘Pro’ apps (Logic Pro, and Final Cut Pro) have mostly been disconnected from system updates. The latest versions run on both Ventura and Monterey, even though some features are only available on the latest version. Many third party apps are also supporting multiple versions of the host system.

I think Apple might benefit from de-coupling more ‘system’ apps from the OS release schedule and putting them in the App Store. Freeform could have been such an app, as well as Notes, Reminders, Books, Weather, Stocks, etc… This might force the developer teams to adapt the apps to the App Store, and “eat their own…” … “drink their own champagne.”

App Store Woes

In my review for 2018, I complained that, while Apple was pushing for developers to adopt subscriptions and in-app purchases, there was no means for organizations to purchase or subscribe to these in bulk. Four years later, there still isn’t.

There have been some changes. Apple has given developers the option of adding ‘unlisted’ apps to the App Store. These are not visible to the general public, but an organizational customer can access and purchase these apps in the “Apps & Books” section of Apple Business/School Manager. This can be a useful approach for some business models, such as custom branded or entirely custom built apps. But it might also create a huge logistical overhead for the developer and the customer. If Apple were to add subscriptions and in-app purchases to the “Apps & Books” section of Apple Business/School Manager, it would simplify a lot.

Sidenote: Apple renamed the Volume Purchase Program (VPP) to the “Apps & Books” section in Apple Business/School Manager. Referring to just “Apps & Books” is always very awkward and confusing, and specifying that you mean the “Apps & Books section in Apple Business/School Manager” is quite cumbersome. Can we please have VPP back?

One change that the App Stores did see this year is increasing ads in the store. Apple, who has been creating record profits over the past years, keeps insisting that they deserve a significant share of everything sold through their App Stores and also believes developers could pay them even more to be featured in ads in the App Store. When they don’t, a user searching for your app might just get a competitor’s ad in front of the search results. The new ad strategy was further soured by the fact that gambling and similar dubious ads were quite prevalent during the initial roll-out of the new ad system.

I understand that Apple didn’t get to the aforementioned record profits by being generous and leaving money on the table. However, intrusive ads for suspect apps and services do not improve the user experience. On top of that, the App Stores are filled with scammy, quickly and shoddily created apps that are optimized for search, implement dark (and sometimes evil) UI patterns, and are often outright rip-offs of legit apps or otherwise fraudulent. On the other hand, we still regularly hear from legit developers who are having bizarre interactions getting their apps through the approval process.

All of these pieces together give the impression that Apple is trying to milk the App Stores for every possible cent of service revenue, rather than improving the experience for users, developers, and admins. This is probably not a fair accusation, but I really believe Apple has to put more effort into conveying what their challenges are and what they are doing to address the concerns of users, developers, and admins.

The EU Commission, after regulating charging ports for phones and other electronic devices, seems to have gotten a taste for regulating tech giants, and this might be motivating Apple to allow non-App Store means of installing software on iOS. Note that Apple already allows non-App Store installation on macOS, but still enforces some security measures (signed and notarized apps and installers). This could be transferred to iOS.

Maybe Device Management

Apple has continuously added management features for devices enrolled into an MDM. While there used to be confusing differences between manually enrolled devices and devices using automated enrollment (formerly known as DEP), now every enrolled device is considered “supervised.” There are more commands you can send to your devices, such as to enable Remote Management for Macs and tell the device to download and (eventually, maybe) install a particular software update.

You, dear reader, may be rolling your eyes right now, as the use of these commands is infamously buggy and unreliable. The one-sided nature of the communication between the MDM server and the device is the problem. To put it simply, the MDM protocol blasts out a command to the client and that is where, as far as the traditional MDM protocol is concerned, the interaction ends. The MDM client doesn’t report executing the command and its success back to the server. Many management systems attempt to close this loop with reporting through a local agent on macOS, with varying success.

In 2021, Apple introduced a new version of the MDM protocol, which indicates a plan to close this loop. Declarative Device Management (DDM) was very limited in scope in its first version that shipped with iOS 15 and iPadOS 15 for user-driven enrollment. With iOS 16, iPadOS 16 and macOS Ventura 13, declarative device management is now available for all types of enrollment. While the scope of data reported back by the MDM client is still quite limited, this does seem very intriguing for future workflows.

I don’t blame Apple at all for introducing a major refactoring of a protocol used to manage millions of devices slowly and carefully. Moving cautiously and not breaking stuff (or more than is absolutely necessary) is the correct approach here, even though MacAdmins have been suffering the unreliability of the old protocol and are impatient for fixes.

But here’s an update… so install me, maybe…

One area where we can see the effects of moving with less caution is managed software updates on macOS. In macOS Catalina, Apple split the system and data volumes of macOS, further increasing security in Big Sur by cryptographically sealing the system volume. The security benefits are enormous, but this made the update process much more cumbersome. Along the way, the softwareupdate command line tool lost its ability to ‘ignore’ certain updates, and the replacement feature, a configuration profile with deferral durations, is limited to 90 days.

On Apple silicon Macs, the update process requires user interaction to enter the password to unlock the volume. The MDM commands providing new functionality around software updates and upgrades are unreliable and impossible to enforce. Some of this comes from MDM’s one-way communication, but much of it is because the daemons and processes are buggy.

The improvements made to the software update system are useful. One of the new features is that Macs with macOS Monterey 12.3 and higher can install a ‘delta’ upgrade to upgrade to Ventura. This has been an option for minor updates for a while, and it speeds up the upgrade process and requires less free disk space. However, in 12.3 through 12.6 the system would apply the minor update deferral to this delta upgrade, instead of the major upgrade deferral. This was discovered late in the Ventura beta phase, after 12.6, the final non-security update for Monterey, was already published.

Apple reacted by fixing the bug in 12.6.1 and deferring the incremental upgrade for MDM-enrolled Macs until 13.1. They documented the problem and the solution in a support article.

The Good News

I have listed quite a number of challenges and problems, and there are probably more that I have not mentioned. But this is where I do want to change tone. Because, as frustrating and challenging as this bug is, it was discovered because Apple made the new functionality available to MacAdmins through AppleSeed for IT, and once it was reported and confirmed, Apple moved quickly to address it.

MacAdmins also communicated that a new feature in macOS Ventura which notifies users of background and login items would need to have management options for managed deployments. Apple added a configuration profile that could lock certain items away from user interaction. In macOS Monterey, Apple added ‘Erase all Contents and Settings’ to macOS, which is wonderfully useful to MacAdmins testing enrollment workflows. It also came with configuration profile settings to restrict the feature in managed settings.

AppleSeed for IT is a great program that allows MacAdmins to test early betas. Access to AppleSeed for IT requires a Managed Apple ID. That also means the feedback can be attached to the organisation and tracked and weighted accordingly within Apple. The past years have shown that concerns from MacAdmins can be addressed, sometimes during the beta phase (another reason to test betas early and provide feedback).

One improvement that stems from this feedback is that Apple now regularly provides full installers and IPSWs of beta releases and security updates, even for the previous two versions of macOS.

As my list of problems earlier in the post shows, not all is perfect yet. Some problems, like the App Store, are connected to larger strategic decisions, and others linger for a time, because they are very complex (the move to declarative device management) or, well, laden with other bugs (software update). Nevertheless, the impression that Apple is providing a dedicated channel for large-scale organizations, and is listening and addressing concerns, is, for MacAdmins who have been doing this for a while, quite surprisingly novel.

I welcome and applaud the efforts being made here. I can only imagine the internal friction some of these policies and ideas have to overcome. Many thanks to everyone inside Apple who is representing the MacAdmin community!

Over the past years, Apple has hired several members of the MacAdmin community to work on their Enterprise software and strategy. In 2020, Apple acquired the management software developer company Fleetsmith and all of their talent.

Apple has also provided a lot of new documentation for MacAdmins, most prominently the Apple Platform Deployment and Apple Platform Security guides, as well as a number of support articles that are regularly updated. These are excellent documents, which provide a lot of valuable information.

There are still some aspects that are woefully under-documented, such as creating installer packages, providing privacy exemptions to shell scripts, and how certain aspects of the configuration profile/preferences system work. In general, the MacAdmin community will step up to reverse engineer those and share their findings. It would be great to see even more engagement from Apple in these areas.

Apple also re-introduced deployment and support training programs and certifications.

Essentials

After years of slowly reducing its feature set, Apple completely retired macOS Server and Profile Manager. Some of the services such as file sharing and content caching can still be enabled on ‘standard’ macOS.

Apple introduced Apple Business Essentials, which is a cloud hosted management system, aimed at small organizations with relatively simple requirements.

Business Essentials is, for now, only available in the US. When you have set it up, it appears in the Apple Business Manager interface. Its feature set for management is still quite rudimentary, even when you consider the target market. However, it does include the option of adding increased iCloud storage and AppleCare to the license, which is very intriguing. Hopefully, these options will be available to large orgs that are using other management systems through some other channel.

The most intriguing aspect of Apple Business Essentials is that now Apple is both the provider and a user of the MDM protocol. The limitations and restrictions of the protocol that challenge the Business Essentials team should (hopefully) be reflected in updates to the MDM protocol. This is obviously speculation, but I believe that declarative device management and Apple Business Essentials being introduced at more or less the same time is not a coincidence. I also believe that going forward, we will see Business Essentials and DDM gain features together.

Cloud Migration

With the decline of an Apple-native server, MacAdmins need to integrate with other platforms for enterprise services, such as identity management, file sharing and syncing, VPN and other security tools. If your organization’s reaction to this is to start integrating the Macs into the Active Directory environment, then you are missing out on another important change in the industry: the move to cloud services and zero-trust network access.

When set up and managed correctly, cloud services and a zero-trust strategy allow secure access to the organization’s resources from any managed and secured device, wherever it may be. While the move to the new cloud-based model has been present for at least a decade, the pandemic definitely forced many organizations to re-assess and accelerate its adoption.

Adopting new security and deployment workflows also opens the door to new options, such as using tablets and phones and employee platform choice models.

Apple’s market share rises

The pandemic did not just accelerate adoption of remote work technologies, but also gave Apple and especially the Mac platform a huge boost in sales. The reasons for all of this are complex, but might be explained by a combination of the introduction of the Apple silicon Macs, and Apple managing the world-wide supply chain issues better than the competition. With the cloud/zero trust migration and interest in the “employee choice programs” in organizations we get a wave of interest in Apple in the Enterprise, something which Apple and the various Apple management server developers are happy to encourage.

Sidenote: it is still astounding to me that we now have not just one or two management systems that focus on managing Apple platforms, but a long list with some healthy competition.

In the most recent quarterly earnings call, Apple has warned that the ongoing supply chain issues might finally be catching up with them, as well. We will see how that works out, but keep in mind that even if Apple does sell fewer devices than in previous years, they will still gain market share if the competitors are affected even worse.

Apple silicon

It had been rumored for a long time, but in 2020, in their first online WWDC keynote, Apple announced they would transition the Mac platform to CPUs based on the A-series used in iPhones and iPads. The first Macs to switch were the MacBook Air, MacBook Pro 13″, and the Mac mini. Even though Apple started at the low end of the Macs, they impressed with the performance, but most of all with the energy usage.

When I attended and presented at JamfNation User Conference in San Diego, earlier this year, I noticed that the venue lacked the formerly ubiquitous chains of power strips running through the audience areas. Attendees didn’t seem to care. No-one was crowded around power outlets in the hallways either. Nevertheless, when I was presenting I faced the usual sea of MacBooks, presumably people taking notes and still paying attention, right? With Apple silicon MacBooks, battery anxiety isn’t really a thing anymore.

The Apple Studio, the first new Mac model since the introduction of the MacBook Air, also showed that Apple silicon can scale to really high performance requirements, as well. The one Mac model that has not transitioned to Apple silicon is the Mac Pro. It’ll be interesting to see how Apple addresses the challenge of building an expandable Apple silicon Mac Pro. I would also like to see Mac minis and iMacs based on the ‘Pro’ chip series rather than the base M1 models that we have now.

The Apple silicon transition was very smooth from a software perspective. Apple used their experience and technologies from the PowerPC to Intel transition. Rosetta 2 was surprisingly efficient, even though the decision to make it an additional installation still seems odd.

The most frustrating part (at least for me) was that several developers didn’t (and still don’t) provide universal apps and/or installers. This seems to mostly affect Electron-based apps, which doesn’t improve my general disposition towards this developer platform.

Mac Admins Open Source Projects

Incidentally, I had started an open source project in early 2020 which happened to be a solution for this particular problem. Installomator is a script that can download, verify, and install a large number of software titles. When the first Apple silicon Macs shipped, Installomator was ready to download the proper installer for the platform it is running on, even for non-universal apps and installers.

Installomator has turned out to be my most successful open source project, yet. Many thanks to all the co-maintainers and contributors who have helped expand and build the project, far beyond what I could have done on my own.

But it is just one of a plethora of popular and useful open source projects in the MacAdmins community. Some, like Munki and AutoPkg, have been around for a long time (at least in computer years) and are still going strong, while others have emerged just recently.

What follows is a list of projects that I have been using myself in some form or another in the last year. It is not even attempting to be a complete list of worthy MacAdmin open source projects.

Erik Gomez’s Nudge and Kevin White’s super both address the challenges of managing software updates on macOS. They have slightly different approaches and configurability. If you are thinking that you need a workflow to, well, ‘nudge’ or force users to apply updates, look at these before you re-invent the wheel.

Graham R. Pugh’s inadequately named eraseinstall.sh can be used to automate the process of non-destructively upgrading and updating macOS. Erasing and re-installing is just one of the options. This is especially interesting as a workflow to upgrade Macs from older versions of macOS to a more current one.

Bart Reardon’s swiftDialog is an app that allows providing a user interface from shell scripts. It has found fast adoption among MacAdmins, mostly because Bart is very responsive to issues and feature requests. There are some scripts, like Dan Snelson’s excellent Setup Your Mac script, which use swiftDialog for user interaction and progress display. Installomator can interact with swiftDialog to display download and installation progress.

JamfUpload (also from Graham R. Pugh) is a set of processors for AutoPkg which allow uploading and managing installers in Jamf Pro. JamfUpload is a replacement for the older, now deprecated JSSImporter.

iMazing Profile Editor is not open source, but still worth mentioning here, as this free tool to create configuration profiles gets the descriptions for third-party software from the open source ProfileManifests repo. This repo was originally started for the now retired ProfileCreator app from Erik Berglund, and it lives on in iMazing Profile Editor. (Note: iMazing is a sponsor of the Scripting OS X Weekly News Summary for Admins, but I have been happily using and recommending iMazing Profile Editor since long before.)

There are many more open projects and scripts available. Many thanks to everyone in the MacAdmins community who is sharing their work, experience and time!

MacAdmins Foundation

The amazing nature of the MacAdmins community is worth preserving and nurturing. The MacAdmins Foundation was created for this purpose. One immediate goal is to ensure that platforms such as the MacAdmins Slack stay available for everyone. The Foundation was announced a bit prematurely when Apple announced the new training modules and a partnership with the MacAdmins Foundation to provide access to scholarships.

This is a most welcome formalization of the community of MacAdmins and I am looking forward to the other projects and plans coming to fruition! So far, the MAF is US-based and quite US-centric. While I understand the necessity to start somewhere, I am a bit impatient for more global representation.

Please join in supporting the MacAdmins Foundation going forward. If you haven’t yet, join the MacAdmins Slack to see what this all is about. If nothing else, the merchandise is amazing!

Happy New Year, 2023!

This covered a lot, but I still probably forgot to mention some things…

If you stuck with me through this long review of 2022 (and a few things that happened before), you will not be surprised to hear that I see the future of Apple in organizations and the MacAdmins community very positively. I am looking forward to seeing what 2023 brings for us and when it happens, you will read about it in the Weekly News Summary!

See you next year!

Weekly News Summary for Admins — 2022-12-09

Even though Apple did not release macOS 13.1 and iOS 16.2 this week, we did get release candidates for all the platforms. That means a release next week is very probable.


(Sponsor: iMazing)

Your favorite tool for configuring & provisioning fleets of Apple mobile devices

Automatically back up devices, restore, wipe, set up, supervise, and enroll with your MDM provider—locally and easily with iMazing Configurator.

And don’t miss iMazing Profile Editor, our free and well-loved utility for composing comprehensive configuration profiles for iPhones, iPads, and Macs.


Even so, Apple already published a press release describing new privacy and security features of the new updates. Users will be able to enable end-to-end encryption on more information that Apple devices store in iCloud, use physical security keys as an extra authentication factor for Apple IDs, and get warnings when a contact in iMessage might be compromised. Apple considered the details of ‘Advanced Data Protection for iCloud’ worth a new section in the updated Apple Platform Security guide.

With the release of 13.1, the special treatment of macOS 13 updates for managed Macs is likely to end, as well. You might see 13.1 as an update (rather than a full upgrade) on Macs running 12.3 through 12.6. We won’t know for sure until the update is released, but you still have a few days to get devices on 12.6.1.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

News and Opinion

macOS Ventura and iOS 16

Security and Privacy

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Watch

To Listen

Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!