This article originally appeared in TidBITS on 2017-09-11 at 9:43 a.m.
The permanent URL for this article is: http://tidbits.com/article/17451

Important High Sierra Changes for IT Admins

by Adam C. Engst

For most individual users, upgrading to macOS 10.13 High Sierra won’t require much more than going through the steps in Joe Kissell’s “Take Control of Upgrading to High Sierra [1].” But for those of you who manage Macs for an organization (or are just interested in how things work behind the scenes), there are some important changes that you should know.

First, I want to reiterate that our recommendation for High Sierra is that most everyday Mac users don’t upgrade immediately, but instead wait for 10.13.1 or even 10.13.2. Although we’re not hearing of major software compatibility issues, the move to APFS is a very big deal, and it’s entirely possible that some problematic scenarios won’t have been anticipated by Apple or revealed by the public beta test. There’s no penalty for caution, and once Apple’s initial bug fixes are out, be absolutely certain that Macs are backed up before upgrading them.

Firmware Updates via the Cloud -- With High Sierra, Apple is re-emphasizing how Macs get firmware updates over the Internet [2]. The company claims you must be connected to the Internet when upgrading macOS, and the macOS Installer uses the model number of your Mac to identify and download a firmware update specific to that Mac to enable it to recognize APFS. This requirement has various implications:

You can install High Sierra via the macOS Installer, by creating a bootable installer [3], from within macOS Recovery [4], and via a NetInstall image created by System Image Utility (available with macOS Server).

More generally, this new approach to firmware updates means that you can’t use monolithic system imaging to upgrade a Mac to a new version of macOS.

Monolithic System Imaging Changes -- Many organizations have long relied on imaging as a way of setting up new Macs. Imaging, or more specifically, monolithic system imaging, involves creating a disk image of a canonical Mac, complete with site-specific settings and apps, and then restoring that image onto the boot drive of a new Mac. Periodically, that monolithic image would be updated for new versions of macOS and apps, and then used going forward for new Macs and clean reinstalls.

Apple is now explicitly warning against using monolithic system imaging [5] when upgrading to or updating macOS High Sierra. Without the macOS Installer being able to download the necessary firmware updates during installation, any given Mac could end up in an unsupported and potentially unstable state.

[image link] [6]

That said, you may still use monolithic system imaging to reinstall the same version of macOS on a particular Mac model. For instance, if you have a lab of identical 27-inch iMacs, there’s no problem with using a monolithic system image to restore them to a clean state after a workshop.

Of course, High Sierra also brings with it the new APFS file system, and Apple recommends using only Disk Utility, System Image Utility, or the diskutil command to create images of APFS containers. Also, if you’re using macOS Server to restore client computers with flash storage via a NetRestore image, Apple recommends creating the image source from a Mac running High Sierra connected via Target Disk Mode, rather than from the macOS Installer.

The recommended way to deploy new Macs and handle updates is via a Mobile Device Management (MDM) solution, such as Jamf Pro [7] or Jamf Now [8]. With a managed Mac, admins can issue MDM commands to download and install updates.

Speaking of Jamf Pro, Jamf tells me that the just-released version 9.101 has full compatibility with High Sierra, iOS 11, and tvOS 11 (as does Jamf Now), and it includes new features for Apple’s latest MDM capabilities on the Mac, including:

APFS-related Changes -- Apple’s new APFS file system is a significant change for Macs, although the fact that it has been successfully installed on hundreds of millions of iOS devices (running iOS 10.3), Apple Watches, and Apple TVs suggests that Apple has the conversion process under control. Nevertheless, the Mac world is far more variable, and there are a few implications that IT admins should know [9]:

Jamf offers a useful white paper [11] that covers many of the APFS-related changes for admins.

Kernel Extension Changes -- To improve security, kernel extensions installed with or after the installation of High Sierra require user consent to load, a system Apple calls User Approved Kernel Extension Loading [12]. (Kernel extensions that were on the Mac before upgrading to High Sierra, as well as those that replace previously approved kernel extensions, will not require user consent.)

Any user can approve a kernel extension — administrator privileges are not necessary — but the prompt could confuse a non-technical user.

If you want to disable User Approved Kernel Extension Loading, you can do so by booting into macOS Recovery, launching Terminal, and using the spctl command (run it by itself for instructions). That setting is stored in NVRAM, so resetting NVRAM will cause it to revert to the default prompting.

Also, enrolling a Mac in an MDM solution like Jamf Pro automatically disables User Approved Kernel Extension Loading. Apple says that a future update to High Sierra will expose MDM control of the setting and allow management of the list of kernel extensions that are allowed to load without user consent.
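Because any user can approve a kernel extension, an admin will want to audit which third-party kexts have actually been approved on a Mac. The following script is an added example, not code from the article or from Apple or Jamf; it assumes that High Sierra records approvals in the kext_policy table of the SQLite database at /var/db/SystemPolicyConfiguration/KextPolicy, and the rows, Team IDs and bundle IDs below are constructed sample data.

```python
import os
import sqlite3
from typing import FrozenSet, List, Tuple

# Assumption (not stated in the article): path of the approval database on 10.13.
KEXT_POLICY_DB = "/var/db/SystemPolicyConfiguration/KextPolicy"

# Constructed sample rows shaped like the assumed kext_policy table:
# (team_id, bundle_id, allowed, developer_name, flags)
SAMPLE_ROWS = [
    ("EXAMPLETEAM1", "com.example.vpn.kext", 1, "Example VPN Inc", 1),
    ("EXAMPLETEAM2", "com.example.audio.driver", 0, "Example Audio", 1),
    ("EXAMPLETEAM3", "com.example.storage.filter", 1, "Example Storage", 8),
]


def open_sample_db() -> sqlite3.Connection:
    """Build an in-memory copy of the (assumed) kext_policy table from sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE kext_policy (team_id TEXT, bundle_id TEXT, allowed BOOLEAN, "
        "developer_name TEXT, flags INTEGER, PRIMARY KEY (team_id, bundle_id))"
    )
    conn.executemany("INSERT INTO kext_policy VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def unexpected_approvals(conn: sqlite3.Connection,
                         allowlist: FrozenSet[str] = frozenset()) -> List[Tuple[str, str, str]]:
    """Return (team_id, bundle_id, developer_name) for every kext a user has
    approved (allowed = 1) whose Team ID is not on the admin's allowlist.
    Anything returned here was approved outside the organization's policy."""
    rows = conn.execute(
        "SELECT team_id, bundle_id, developer_name FROM kext_policy "
        "WHERE allowed = 1 ORDER BY team_id, bundle_id"
    ).fetchall()
    return [tuple(r) for r in rows if r[0] not in allowlist]


if __name__ == "__main__":
    # Read the live database when run as root on a High Sierra Mac; otherwise
    # fall back to the constructed sample so the script runs anywhere.
    conn = (sqlite3.connect("file:%s?mode=ro" % KEXT_POLICY_DB, uri=True)
            if os.access(KEXT_POLICY_DB, os.R_OK) else open_sample_db())
    for team_id, bundle_id, developer in unexpected_approvals(conn, frozenset({"EXAMPLETEAM1"})):
        print("user-approved kext outside allowlist: %s (%s, team %s)" % (bundle_id, developer, team_id))
```

Once Apple exposes MDM control of the approved list, the same allowlist of Team IDs is what you would push from Jamf Pro; until then this report tells you which approvals to review by hand.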

Content Caching Changes -- Previously, you needed macOS Server for caching services — the capability to serve software updates and other Apple-served content from a local server rather than every device going out to Apple’s server over the Internet. In High Sierra, Apple has moved content caching into the Sharing pane of System Preferences [13], so you can designate any Mac as a caching server and have other devices look to it for updates. The new Content Caching approach also works with iOS devices connected via a USB hub for use with classroom devices hosted on a cart.

[image link] [14]

Additional changes of interest to the IT community will no doubt be discovered after High Sierra ships, but even this collection should give you plenty to ponder as you develop your organization’s High Sierra upgrade policies.

[1]: https://www.takecontrolbooks.com/high-sierra-upgrading?pt=TIDBITS
[2]: https://support.apple.com/en-us/HT208020
[3]: https://support.apple.com/en-us/HT201372
[4]: https://support.apple.com/en-us/HT204904
[5]: https://support.apple.com/en-us/HT208020
[6]: http://tidbits.com/resources/2017-09/Apple-monolithic-imaging.png
[7]: https://www.jamf.com/products/jamf-pro/
[8]: https://www.jamf.com/products/jamf-now/
[9]: https://support.apple.com/en-us/HT208018
[10]: http://tidbits.com/resources/2017-09/Convert-to-APFS.png
[11]: https://www.jamf.com/resources/everything-you-need-to-know-about-apple-file-system-apfs/
[12]: https://support.apple.com/en-us/HT208019
[13]: https://support.apple.com/en-us/HT208025
[14]: http://tidbits.com/resources/2017-09/High-Sierra-Content-Caching.png