Important High Sierra Changes for IT Admins
For most individual users, upgrading to macOS 10.13 High Sierra won’t require much more than going through the steps in Joe Kissell’s “Take Control of Upgrading to High Sierra.” But for those of you who manage Macs for an organization (or are just interested in how things work behind the scenes), there are some important changes that you should know.
First, I want to reiterate that our recommendation for High Sierra is that most everyday Mac users don’t upgrade immediately, but instead wait for 10.13.1 or even 10.13.2. Although we’re not hearing of major software compatibility issues, the move to APFS is a very big deal, and it’s entirely possible that some problematic scenarios won’t have been anticipated by Apple or revealed by the public beta test. There’s no penalty for caution, and even once Apple’s initial bug fixes are out, be absolutely certain that Macs are backed up before upgrading them.
Firmware Updates via the Cloud — With High Sierra, Apple is re-emphasizing how Macs get firmware updates over the Internet. The company claims you must be connected to the Internet when upgrading macOS, and the macOS Installer uses the model number of your Mac to identify and download a firmware update specific to that Mac to enable it to recognize APFS. This requirement has various implications:
- Only the macOS Installer can download and install firmware updates. This isn’t new, but is more important because of APFS.
- You cannot install High Sierra on a Mac that’s connected via Target Disk Mode.
- Firmware updates can’t be done on external devices connected via Thunderbolt, USB, or FireWire.
- You can install High Sierra via the macOS Installer, by creating a bootable installer, from within macOS Recovery, and via a NetInstall image created by System Image Utility (available with macOS Server).
More generally, this new approach to firmware updates means that you can’t use monolithic system imaging to upgrade a Mac to a new version of macOS.
Monolithic System Imaging Changes — Many organizations have long relied on imaging as a way of setting up new Macs. Imaging, or more specifically, monolithic system imaging, involves creating a disk image of a canonical Mac, complete with site-specific settings and apps, and then restoring that image onto the boot drive of a new Mac. Periodically, that monolithic image would be updated for new versions of macOS and apps, and then used going forward for new Macs and clean reinstalls.
Apple is now explicitly warning against using monolithic system imaging when upgrading or updating macOS High Sierra. Without the macOS Installer being able to download necessary firmware updates during installation, any given Mac could end up in an unsupported and potentially unstable state.
That said, you may still use monolithic system imaging to reinstall the same version of macOS on a particular Mac model. For instance, if you have a lab of identical 27-inch iMacs, there’s no problem with using a monolithic system image to restore them to a clean state after a workshop.
Of course, High Sierra also brings with it the new APFS file system, and Apple recommends using only Disk Utility, System Image Utility, or the diskutil command to create images of APFS containers. Also, if you’re using macOS Server to restore client computers with flash storage via a NetRestore image, Apple recommends creating the image source from a Mac running High Sierra connected via Target Disk Mode, rather than from the macOS Installer.
The recommended way to deploy new Macs and handle updates is via a Mobile Device Management (MDM) solution, such as Jamf Pro or Jamf Now. With a managed Mac, admins can issue MDM commands to download and install updates.
Speaking of Jamf Pro, Jamf tells me that the just-released version 9.101 has full compatibility with High Sierra, iOS 11, and tvOS 11 (as does Jamf Now), and it includes new features for Apple’s latest MDM capabilities on the Mac, including:
- Zero-touch provisioning of Macs with APFS
- Support for Cisco Fast Lane QoS for apps
- The capability to defer software updates for up to 90 days
APFS-related Changes — Apple’s new APFS file system is a significant change for Macs, although the fact that it has been successfully installed on hundreds of millions of iOS devices (running iOS 10.3), Apple Watches, and Apple TVs suggests that Apple has the conversion process under control. Nevertheless, the Mac world is far more variable, and there are a few implications that IT admins should know:
- The macOS Installer automatically converts the drives of SSD-based Macs to APFS during installation of High Sierra. You cannot opt out of APFS in this situation.
- Macs with hard disk drives and Fusion Drives are not automatically converted to APFS during the High Sierra upgrade. I anticipate that will change at a later date. You can convert them manually using Edit > Convert to APFS in Disk Utility, although there’s no inherent reason to do so immediately.
- Drives formatted as Mac OS Extended (HFS+) can be read from and written to by Macs whose drives are formatted as APFS.
- Drives formatted as APFS can be read from and written to by Macs whose drives are formatted as APFS, and by Macs whose drives are formatted as HFS+ as long as those Macs are running High Sierra. However, APFS-formatted drives, such as external hard disks and USB flash drives, cannot be read by Macs running older versions of macOS, even 10.12 Sierra.
- FileVault volumes are converted from HFS+ to APFS just like unencrypted volumes.
- Although Apple’s Boot Camp Windows environment is compatible with High Sierra, it cannot read from or write to APFS-formatted volumes.
- If you’re sharing a volume formatted as APFS over the network, you must use SMB or NFS, not the increasingly deprecated AFP. (SMB has been the preferred file sharing protocol for several versions of macOS now.) That applies to Time Machine share points as well.
Jamf offers a useful white paper that covers many of the APFS-related changes for admins.
Kernel Extension Changes — To improve security, kernel extensions installed with or after the installation of High Sierra require user consent to load, a system Apple calls User Approved Kernel Extension Loading. (Kernel extensions that were on the Mac before upgrading to High Sierra, as well as those that replace previously approved kernel extensions, will not require user consent.)
Any user can approve a kernel extension — administrator privileges are not necessary — but the prompt could confuse a non-technical user.
If you want to disable User Approved Kernel Extension Loading, you can do so by booting into macOS Recovery, launching Terminal, and using the spctl command (run it by itself for instructions). That setting is stored in NVRAM, so resetting NVRAM will cause it to revert to the default prompting.
Also, enrolling a Mac in an MDM solution like Jamf Pro automatically disables User Approved Kernel Extension Loading. Apple says that a future update to High Sierra will expose MDM control of the setting and allow management of the list of kernel extensions that are allowed to load without user consent.
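As an added example (not from the article, Apple, or Jamf), here is one way an admin could audit which kernel extensions users have approved on a High Sierra Mac. High Sierra records approvals in the SQLite database /var/db/SystemPolicyConfiguration/KextPolicy (table kext_policy, per Mac admin write-ups; confirm the schema on your own system), and the script compares the approved developer Team IDs against an allowlist. The Team IDs, bundle IDs, and rows are constructed sample data so the script runs offline.

```python
import sqlite3

# Real location of the approval database on a High Sierra Mac; reading it needs
# root. The example below runs against an in-memory copy with constructed rows.
KEXT_POLICY_DB = "/var/db/SystemPolicyConfiguration/KextPolicy"

# Developer Team IDs your organization has vetted (constructed sample values).
EXPECTED_TEAM_IDS = {"TEAMID000A"}


def open_policy_db(path=KEXT_POLICY_DB):
    """Open the policy database read-only so an audit can never modify it."""
    return sqlite3.connect("file:%s?mode=ro" % path, uri=True)


def load_policy(conn):
    """Return (team_id, bundle_id, allowed, developer_name) rows in insertion order."""
    cur = conn.execute(
        "SELECT team_id, bundle_id, allowed, developer_name "
        "FROM kext_policy ORDER BY rowid"
    )
    return cur.fetchall()


def audit_kext_policy(rows, expected_team_ids):
    """Bucket kexts as approved (vetted Team ID), unexpected (a user clicked
    Allow on a Team ID IT never vetted), or denied."""
    report = {"approved": [], "unexpected": [], "denied": []}
    for team_id, bundle_id, allowed, _developer in rows:
        if not allowed:
            report["denied"].append(bundle_id)
        elif team_id in expected_team_ids:
            report["approved"].append(bundle_id)
        else:
            report["unexpected"].append(bundle_id)
    return report


def build_sample_db():
    """Constructed stand-in for KextPolicy: same columns, fictitious rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE kext_policy (team_id TEXT, bundle_id TEXT, "
        "allowed INTEGER, developer_name TEXT, flags INTEGER)"
    )
    conn.executemany(
        "INSERT INTO kext_policy VALUES (?, ?, ?, ?, ?)",
        [
            ("TEAMID000A", "com.example.vpn.kext", 1, "Example VPN Inc.", 1),
            ("TEAMID000B", "com.example.mystery.driver", 1, "Unknown Dev", 1),
            ("TEAMID000C", "com.example.old.kext", 0, "Declined Dev", 0),
        ],
    )
    return conn


if __name__ == "__main__":
    # Swap build_sample_db() for open_policy_db() to audit a real Mac (as root).
    result = audit_kext_policy(load_policy(build_sample_db()), EXPECTED_TEAM_IDS)
    for bucket, kexts in result.items():
        print("%s: %s" % (bucket, ", ".join(kexts) or "-"))
```

An MDM-enrolled Mac skips the prompt entirely, so the "unexpected" bucket is most useful on unmanaged Macs where a user, not IT, decided what to allow.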
Content Caching Changes — Previously, you needed macOS Server for caching services — the capability to serve software updates and other Apple-served content from a local server rather than every device going out to Apple’s server over the Internet. In High Sierra, Apple has moved content caching into the Sharing pane of System Preferences, so you can designate any Mac as a caching server and have other devices look to it for updates. The new Content Caching approach also works with iOS devices connected via a USB hub for use with classroom devices hosted on a cart.
Additional changes of interest to the IT community will no doubt be discovered after High Sierra ships, but even this collection should give you plenty to ponder as you develop your organization’s High Sierra upgrade policies.
Apparently, if you right-click on a folder share in the File Sharing part of System Preferences > Sharing, there’s an advanced options screen accessible that allows you to denote it as a network Time Machine volume. Between this and the built-in caching facility, this may well cover a lot of use cases traditionally served by macOS Server.
That's not surprising — macOS Server has been a solution to problems most people didn't have apart from caching and Time Machine. We'll have to look into the Time Machine stuff further.
So those of us who have Fusion Drives installed on iMacs will not be forced into having the OS update the file system, and can just upgrade to High Sierra and then, once the coast is clear and most if not all the bugs have been squashed with APFS, have an update rewrite the HFS+ to APFS.
What about Time Machine backups that have been created with HFS+? Will APFS be able to read and write them, and will it convert them over to the APFS file system?
My understanding is that APFS-based Macs will have no trouble reading HFS+ drives of any sort, including Time Machine. I haven't heard anything about Time Machine drives being converted automatically and that would surprise me.
Time Machine backups need to be rebuilt; the previous one on HFS+ gets lost.
At least that's what happens with previous betas when APFS was introduced.
What does 'previous one on hfs+ get lost' mean?
I am assuming your old TM backups only 'get lost' if you manually change from HFS+ to APFS on the actual TM drive itself.
If your High Sierra Mac with internal SSD (using APFS) is backed up by TM to a HDD with HFS+, why should any old backups be affected? Can anybody confirm?
My previous backup was on a NAS, sorry, not on an HFS+ partition. But, even so, TM required me to create a new one on that same NAS partition. In fact I did not check it; maybe the previous backup was still usable in spite of the above request, or it might even have been overwritten by the new one (sorry it’s not clear here and no further explanation was given. Today I have no more access to past data; it starts from the ‘rebuild’).
In my case, with a Fusion Drive, I agreed to switching to APFS... for the internal drive (Fusion).
I see no direct reason for that, but I imagine TM has been updated too and probably the backup format changed somehow. We can hope/expect the update from Sierra to official High Sierra will be smoother for users; maybe beta versions only had this side effect.
Still related to the TM, it’s to be noted that one or two betas after the switch to APFS, when required to rebuild a new backup, TM was unable to create it. That got solved soon after anyway.
Lots of changes there...
Thank you. I was wondering about what could read what. I'll be keeping external drives HFS+ for a while.
Will HFS+ external drives be slower reading and writing than APFS? And if so, how much?
We'll have to do some formal benchmarking to see the difference. APFS will be a lot faster in certain tasks, like duplicating large files and getting info on a folder with many thousands of files in it. But for basic usage, I don't believe it will necessarily be all that different.
My question would be: if you have an HD iMac updated to High Sierra, is there any reason _not_ to update the boot drive to APFS? I read one blog that said that beta testing has revealed that APFS is not ready for HD or Fusion drives, though I have not seen any confirmation of that.
The fact that Apple is doing the conversion automatically for SSD and not doing it for hard disks or Fusion Drives says to me that you should only convert a hard disk or Fusion Drive to APFS if you have really good backups and are willing to live on the cutting edge. It should work — Apple shouldn't ship something that destroys data, but I worry they aren't certain about every imaginable scenario.
uhm, Jamf Pro 9.101 is still in beta... have you accidentally let slip an imminent update?
Hi Richard, Jamf Pro 9.101 is now generally available: http://docs.jamf.com/9.101.0/casper-suite/release-notes/What's_New_in_This_Release.html
And the answer to my comment was yes, he had.
So booting another Mac or cloning another Mac from a disk will no longer "just work"? It always seemed as if one of the aspects demonstrating how smart an environment the Mac was, was that you could boot a Mac from another Mac's volume (assuming the former wasn't too new or the latter too old).
Sounds like this will soon be gone and instead we should now use (buy) a third-party tool to do that. Can't help but notice this sounds like the solution for that problem under Windows or Linux.
It might work, or it might not, depending on firmware updates that will be, as far as I know, invisible to the user.
For instance, let's say you have a MacBook Pro whose drive dies, but you have a bootable duplicate on an external SSD that's formatted as APFS. That should work fine. But if your MacBook Pro itself dies, and you borrow an older MacBook Air temporarily, the MacBook Air might be able to boot from your bootable duplicate. If it had been running High Sierra before, and received the necessary APFS firmware update, it's more likely that it would work. But without that firmware update, no, it very well might not work.
I wish Apple would be more clear about the extent. Is this online-only firmware update a one time thing per mac? Is it going to happen with each major new OS version? Minor versions? Randomly until APFS is stable? Randomly for other things too? If it's a one-time thing, or even several times but normality will return, it's only annoying. But if it's a new Apple habit, it's going to be a real pain unless you have enough similarly configured Macs to justify an MDM.
Very good questions, and we'll just have to see if Apple will ever answer.
So looks like it really was a good idea for my organization to get rid of Mac desktops a couple years ago. We operate in a classified environment and it was already getting hard to manage the machines without a direct internet connection. This pretty much puts the last nail in the coffin. We already had issues with NFS and interoperability with the Linux computers running our simulations. Sadly, we now have Windows on our desks in order to have Office, which is mandatory for producing the reports for the program office.
Alright, this is very interesting. When I saved this link to Instapaper nine days ago, it said APFS external volumes would work with 10.12.6+. Now it says High Sierra only. Adam, any ideas why this changed?
Sierra was launched with a pre-release version of APFS that allowed using APFS only on non-boot drives. Therefore Sierra _was_ able to read APFS volumes.
I suspect that in the time since a change to APFS has been made to improve it which required a format change or simply to prevent Sierra from supporting it.
Since obviously the version included with Sierra was early and pre-release and likely contained issues subsequently discovered even the later issue of deliberately stopping Sierra from now supporting it has some justification to prevent Sierra causing problems to APFS drives.
Perhaps there will be a 10.12.7 that will bring back APFS support to Sierra.
Disk utilities are not going to work initially on macOS 10.13 High Sierra. They are all going to have to be updated. This is most specifically because Apple has not provided developers with a finished standard for Apple File System, APFS. I've provided some elaboration about the situation here:
Disk Utilities vs macOS 10.13 High Sierra: Updates Required (+ Addendum)
This is the chief reason why I won't be upgrading to High Sierra immediately. I cannot comprehend why Apple has not officially finished APFS and provided it to developers. More information is available at Apple here:
It looks like someone who wants to put High Sierra on an SSD but wants to keep the ability to read/write to that disk with earlier OS versions is going to have to be careful to keep the SSD in HFS+, presumably by installing High Sierra on a non-SSD drive and cloning from there. Is that a correct interpretation?
I presume you're talking about an SSD in an external case. I believe your interpretation is correct, but I'd recommend testing first.
Thanks Adam for this information. I'm not an IT admin but I do some Mac tech support. So I need to know about these issues with APFS. In particular I use external drives with various versions of OS X/macOS on them to support the variety of Macs I encounter in my work. It's not clear from what you say whether I will be able to install High Sierra on an external drive, even if I'm booted from it ("Firmware updates can’t be done on external devices connected via Thunderbolt, USB, or Firewire."). For practical purposes I won't use APFS on such a drive given the lack of backwards compatibility, which would make the updating of non-system applications, like web browsers, more difficult. Apparently, at this point, High Sierra on an HFS+ volume will still be accessible from an HFS+ boot volume.
What I usually do with an OS upgrade is install it on an external drive for testing purposes. It's not clear at the moment if this will even be possible. That said, I will have no immediate need to use High Sierra, aside from natural curiosity. Sooner or later, though, I'll have to take the plunge. At a minimum I'll wait for the disk utilities I use to be updated for High Sierra, updates that will apparently be delayed for some time. The utilities I use include DiskWarrior, TechTool Pro, iDefrag, Cocktail and Carbon Copy Cloner, among others. All of these are usually updated before a new version of the Mac OS is released. But you indicate that such third-party utility developers have not had access to a stable testing platform. If so this will delay their work significantly.
One way or another it seems I'll be waiting longer than usual to do this OS upgrade. And even when I do I'll avoid APFS, as I wouldn't be able to access my computer from a non-APFS system, as I might need to do for maintenance purposes. Without High Sierra on an external drive my iMac will effectively be invisible.
Unfortunately your article does not address my use situation. Which is just one more reason to wait till I can find more complete information before venturing into the High Sierras.
Re-reading the Apple article that's drawn from, https://support.apple.com/en-us/HT208020, "external devices" refers to other Macs that are running in Target Disk Mode, it does not refer to all external drives. If you run the High Sierra installer on Mac A and try to install it on Mac B's volume attached in Target Disk Mode, Mac B's firmware can't get updated.
Installing High Sierra on an external drive shouldn't be a problem; if it's a magnetic drive it won't be converted to APFS. Now if you tried to boot a different Mac from that volume and that Mac has never had the High Sierra installer run on it, then you could have a problem because its firmware will not have been updated (my hunch is it would be okay because it would still be HFS+ but this is what Apple is saying).
Disk utilities will definitely need major updates to support APFS, but may not need them to operate on High Sierra installed on an HFS+ volume.
Does anyone have any suggestions on how to get reporting insights into how Content Caching is being used, i.e. what clients/devices, what is used/downloaded, being cached, etc?
Well...10.13.2 flips the switch again...#facepalm