Macs & macOS | 11 Sep 2017

Important High Sierra Changes for IT Admins

by Adam C. Engst

For most individual users, upgrading to macOS 10.13 High Sierra won’t require much more than going through the steps in Joe Kissell’s “Take Control of Upgrading to High Sierra.” But for those of you who manage Macs for an organization (or are just interested in how things work behind the scenes), there are some important changes that you should know.

First, I want to reiterate that our recommendation for High Sierra is that most everyday Mac users don’t upgrade immediately, but instead wait for 10.13.1 or even 10.13.2. Although we’re not hearing of major software compatibility issues, the move to APFS is a very big deal, and it’s entirely possible that some problematic scenarios won’t have been anticipated by Apple or revealed by the public beta test. There’s no penalty for caution, and once Apple’s initial bug fixes are out, be absolutely certain that Macs are backed up before upgrading them.

Firmware Updates via the Cloud -- With High Sierra, Apple is re-emphasizing how Macs get firmware updates over the Internet. The company claims you must be connected to the Internet when upgrading macOS, and the macOS Installer uses the model number of your Mac to identify and download a firmware update specific to that Mac to enable it to recognize APFS. This requirement has various implications:

  • Only the macOS Installer can download and install firmware updates. This isn’t new, but is more important because of APFS.

  • You cannot install High Sierra on a Mac that’s connected via Target Disk Mode.

  • Firmware updates can’t be done on external devices connected via Thunderbolt, USB, or FireWire.

You can install High Sierra via the macOS Installer, by creating a bootable installer, from within macOS Recovery, and via a NetInstall image created by System Image Utility (available with macOS Server).

More generally, this new approach to firmware updates means that you can’t use monolithic system imaging to upgrade a Mac to a new version of macOS.

Monolithic System Imaging Changes -- Many organizations have long relied on imaging as a way of setting up new Macs. Imaging, or more specifically monolithic system imaging, involves creating a disk image of a canonical Mac, complete with site-specific settings and apps, and then restoring that image onto the boot drive of a new Mac. Periodically, that monolithic image would be updated for new versions of macOS and apps, and then used going forward for new Macs and clean reinstalls.

Apple is now explicitly warning against using monolithic system imaging when upgrading or updating macOS High Sierra. Without the macOS Installer being able to download necessary firmware updates during installation, any given Mac could end up in an unsupported and potentially unstable state.

That said, you may still use monolithic system imaging to reinstall the same version of macOS on a particular Mac model. For instance, if you have a lab of identical 27-inch iMacs, there’s no problem with using a monolithic system image to restore them to a clean state after a workshop.

Of course, High Sierra also brings with it the new APFS file system, and Apple recommends using only Disk Utility, System Image Utility, or the diskutil command to create images of APFS containers. Also, if you’re using macOS Server to restore client computers with flash storage via a NetRestore image, Apple recommends creating the image source from a Mac running High Sierra connected via Target Disk Mode, rather than from the macOS Installer.

The recommended way to deploy new Macs and handle updates is via a Mobile Device Management (MDM) solution, such as Jamf Pro or Jamf Now. With a managed Mac, admins can issue MDM commands to download and install updates.

Speaking of Jamf Pro, Jamf tells me that the just-released version 9.101 has full compatibility with High Sierra, iOS 11, and tvOS 11 (as does Jamf Now), and it includes new features for Apple’s latest MDM capabilities on the Mac, including:

  • Zero-touch provisioning of Macs with APFS
  • Support for Cisco Fast Lane QoS for apps
  • The capability to defer software updates for up to 90 days

APFS-related Changes -- Apple’s new APFS file system is a significant change for Macs, although the fact that it has been successfully installed on hundreds of millions of iOS devices (running iOS 10.3), Apple Watches, and Apple TVs suggests that Apple has the conversion process under control. Nevertheless, the Mac world is far more variable, and there are a few implications that IT admins should know:

  • The macOS Installer automatically converts the drives of SSD-based Macs to APFS during installation of High Sierra. You cannot opt out of APFS in this situation.

  • Macs with hard disk drives and Fusion Drives are not automatically converted to APFS during the High Sierra upgrade. I anticipate that will change at a later date. You can convert them manually using Edit > Convert to APFS in Disk Utility, although there’s no inherent reason to do so immediately.

  • Drives formatted as Mac OS Extended (HFS+) can be read from and written to by Macs whose drives are formatted as APFS.

  • Drives formatted as APFS can be read from and written to by Macs whose boot drives are formatted as APFS, and by HFS+-based Macs as long as they are running High Sierra. However, APFS-formatted drives, such as external hard disks and USB flash drives, cannot be read by Macs running older versions of macOS, even 10.12 Sierra.

  • FileVault volumes are converted from HFS+ to APFS just like unencrypted volumes.

  • Although Apple’s Boot Camp Windows environment is compatible with High Sierra, it cannot read from or write to APFS-formatted volumes.

  • If you’re sharing a volume formatted as APFS over the network, you must use SMB or NFS, not the increasingly deprecated AFP. (SMB has been the preferred file sharing protocol for several versions of macOS now.) That applies to Time Machine share points as well.

Jamf offers a useful white paper that covers many of the APFS-related changes for admins.

Kernel Extension Changes -- To improve security, kernel extensions installed with or after the installation of High Sierra require user consent to load, a system Apple calls User Approved Kernel Extension Loading. (Kernel extensions that were on the Mac before upgrading to High Sierra, or those that replace previously approved kernel extensions, will not require user consent.)

Any user can approve a kernel extension — administrator privileges are not necessary — but the prompt could confuse a non-technical user.

If you want to disable User Approved Kernel Extension Loading, you can do so by booting into macOS Recovery, launching Terminal, and using the spctl command (run it by itself for instructions). That setting is stored in NVRAM, so resetting NVRAM will cause it to revert to the default prompting.

Also, enrolling a Mac in an MDM solution like Jamf Pro automatically disables User Approved Kernel Extension Loading. Apple says that a future update to High Sierra will expose MDM control of the setting and allow management of the list of kernel extensions that are allowed to load without user consent.
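As an added example (not from the article, Apple, or Jamf), here is a small POSIX shell audit that classifies the status line from spctl kext-consent status, so a fleet report can flag Macs where the consent prompt has been switched off. It assumes the status line reads "Kernel Extension User Consent: ENABLED" or "...: DISABLED", only queries the live system when spctl is present, and never changes the setting.

```shell
#!/bin/sh
# Added example, not from the article: audit whether User Approved Kernel
# Extension Loading is still enforced. The article notes the setting lives
# in NVRAM and that MDM enrollment switches it off, so drift is worth checking.

# Classify a captured status line. The exact wording is an assumption based
# on 10.13's "spctl kext-consent status" output; unrecognised text is
# reported as unknown rather than guessed at.
kext_consent_state() {
  case "$1" in
    *"User Consent: ENABLED"*)  echo enforced ;;
    *"User Consent: DISABLED"*) echo disabled ;;
    *)                          echo unknown ;;
  esac
}

# Build a one-line report for one Mac. Query spctl when it is available and
# no line was supplied; otherwise classify the status line passed in (e.g.
# collected by an MDM script), which keeps the function usable on a non-Mac
# reporting host. Changing the setting must be done from macOS Recovery, as
# the article describes; this script only reads it.
kext_consent_report() {
  host=$1
  line=$2
  if [ -z "$line" ] && command -v spctl >/dev/null 2>&1; then
    line=$(spctl kext-consent status 2>&1)
  fi
  state=$(kext_consent_state "$line")
  case $state in
    enforced) echo "$host: kext consent enforced" ;;
    disabled) echo "$host: kext consent DISABLED (Recovery or MDM enrollment)" ;;
    *)        echo "$host: kext consent UNKNOWN: $line" ;;
  esac
}

# Constructed sample: status lines as they might be collected from two Macs.
kext_consent_report lab-imac-01 "Kernel Extension User Consent: ENABLED"
kext_consent_report lab-imac-02 "Kernel Extension User Consent: DISABLED"
```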

Content Caching Changes -- Previously, you needed macOS Server for caching services — the capability to serve software updates and other Apple-served content from a local server rather than every device going out to Apple’s server over the Internet. In High Sierra, Apple has moved content caching into the Sharing pane of System Preferences, so you can designate any Mac as a caching server and have other devices look to it for updates. The new Content Caching approach also works with iOS devices connected via a USB hub for use with classroom devices hosted on a cart.

Additional changes of interest to the IT community will no doubt be discovered after High Sierra ships, but even this collection should give you plenty to ponder as you develop your organization’s High Sierra upgrade policies.


Comments about Important High Sierra Changes for IT Admins

Jaffa 2017-09-11 13:31
Apparently, if you right-click on a folder share in the File Sharing part of System Preferences > Sharing, there’s an advanced options screen accessible that allows you to denote it as a network Time Machine volume. Between this and the built-in caching facility, this may well cover a lot of use cases traditionally served by macOS Server.
Adam Engst (TidBITS Staffer) 2017-09-11 15:43
That's not surprising — macOS Server has been a solution to problems most people didn't have apart from caching and Time Machine. We'll have to look into the Time Machine stuff further.
Brian 2017-09-11 13:54
So those of us who have Fusion Drives installed in iMacs will not be forced into having the OS update the file system, and can just upgrade to High Sierra and, once the coast is clear and most if not all the bugs have been squashed with APFS, then have an update rewrite HFS+ to APFS.

What about Time Machine backups that have been created with HFS+? Will APFS be able to read and write them, and will it convert them over to the APFS file system?
Adam Engst (TidBITS Staffer) 2017-09-11 15:44
My understanding is that APFS-based Macs will have no trouble reading HFS+ drives of any sort, including Time Machine. I haven't heard anything about Time Machine drives being converted automatically and that would surprise me.
Greg 2017-09-11 14:19
Thank you. I was wondering about what could read what. I'll be keeping external drives HFS+ for a while.

Will HFS+ external drives be slower reading and writing than APFS? And if so, how much?
Adam Engst (TidBITS Staffer) 2017-09-11 15:45
We'll have to do some formal benchmarking to see the difference. APFS will be a lot faster in certain tasks, like duplicating large files and getting info on a folder with many thousands of files in it. But for basic usage, I don't believe it will necessarily be all that different.
David Redfearn (TidBITS Supporter) 2017-09-11 14:30
My question would be: if you have an HD iMac updated to High Sierra, is there any reason _not_ to update the boot drive to APFS? I read one blog that said that beta testing has revealed that APFS is not ready for HD or Fusion drives, though I have not seen any confirmation of that.

David
Adam Engst (TidBITS Staffer) 2017-09-11 15:47
The fact that Apple is doing the conversion automatically for SSD and not doing it for hard disks or Fusion Drives says to me that you should only convert a hard disk or Fusion Drive to APFS if you have really good backups and are willing to live on the cutting edge. It should work — Apple shouldn't ship something that destroys data, but I worry they aren't certain about every imaginable scenario.