For most individual users, upgrading to macOS 10.13 High Sierra won’t require much more than going through the steps in Joe Kissell’s “Take Control of Upgrading to High Sierra.” But for those of you who manage Macs for an organization (or are just interested in how things work behind the scenes), there are some important changes that you should know.
First, I want to reiterate that our recommendation for High Sierra is that most everyday Mac users don’t upgrade immediately, but instead wait for 10.13.1 or even 10.13.2. Although we’re not hearing of major software compatibility issues, the move to APFS is a very big deal, and it’s entirely possible that some problematic scenarios won’t have been anticipated by Apple or revealed by the public beta test. There’s no penalty for caution, and be absolutely certain that Macs are backed up before upgrading them once Apple’s initial bug fixes are out.
Firmware Updates via the Cloud -- With High Sierra, Apple is re-emphasizing how Macs get firmware updates over the Internet. The company claims you must be connected to the Internet when upgrading macOS, and the macOS Installer uses the model number of your Mac to identify and download a firmware update specific to that Mac to enable it to recognize APFS. This requirement has various implications:
- Only the macOS Installer can download and install firmware updates. This isn’t new, but is more important because of APFS.
- You cannot install High Sierra on a Mac that’s connected via Target Disk Mode.
- Firmware updates can’t be done on external devices connected via Thunderbolt, USB, or FireWire.
- You can install High Sierra via the macOS Installer, by creating a bootable installer, from within macOS Recovery, and via a NetInstall image created by System Image Utility (available with macOS Server).
More generally, this new approach to firmware updates means that you can’t use monolithic system imaging to upgrade a Mac to a new version of macOS.
Monolithic System Imaging Changes -- Historically, many organizations have long relied on imaging as a way of setting up new Macs. Imaging, or more specifically, monolithic system imaging, involves creating a disk image of the canonical Mac, complete with site-specific settings and apps, and then restoring that image onto the boot drive of a new Mac. Periodically, that monolithic image would be updated for new versions of macOS and apps, and then used going forward for new Macs and clean reinstalls.
Apple is now explicitly warning against using monolithic system imaging when upgrading or updating macOS High Sierra. Without the macOS Installer being able to download necessary firmware updates during installation, any given Mac could end up in an unsupported and potentially unstable state.
That said, you may still use monolithic system imaging to reinstall the same version of macOS on a particular Mac model. For instance, if you have a lab of identical 27-inch iMacs, there’s no problem with using a monolithic system image to restore them to a clean state after a workshop.
Of course, High Sierra also brings with it the new APFS file system, and Apple recommends using only Disk Utility, System Image Utility, or the diskutil command to create images of APFS containers. Also, if you’re using macOS Server to restore client computers with flash storage via a NetRestore image, Apple recommends creating the image source from a Mac running High Sierra connected via Target Disk Mode, rather than from the macOS Installer.
The recommended way to deploy new Macs and handle updates is via a Mobile Device Management (MDM) solution, such as Jamf Pro or Jamf Now. With a managed Mac, admins can issue MDM commands to download and install updates.
Speaking of Jamf Pro, Jamf tells me that the just-released version 9.101 has full compatibility with High Sierra, iOS 11, and tvOS 11 (as does Jamf Now), and it includes new features for Apple’s latest MDM capabilities on the Mac, including:
- Zero-touch provisioning of Macs with APFS
- Support for Cisco Fast Lane QoS support for apps
- The capability to defer software updates for up to 90 days
APFS-related Changes -- Apple’s new APFS file system is a significant change for Macs, although the fact that it has been successfully installed on hundreds of millions of iOS devices (running iOS 10.3), Apple Watches, and Apple TVs suggests that Apple has the conversion process under control. Nevertheless, the Mac world is far more variable, and there are a few implications that IT admins should know:
- The macOS Installer automatically converts the drives of SSD-based Macs to APFS during installation of High Sierra. You cannot opt out of APFS in this situation.
- Macs with hard disk drives and Fusion Drives are not automatically converted to APFS during the High Sierra upgrade. I anticipate that will change at a later date. You can convert them manually using Edit > Convert to APFS in Disk Utility, although there’s no inherent reason to do so immediately.
- Drives formatted as Mac OS Extended (HFS+) can be read from and written to by Macs whose drives are formatted as APFS.
- Drives formatted as APFS can be read from and written to by Macs whose boot drives are formatted as APFS or, provided the Mac is running High Sierra, as HFS+. However, APFS-formatted drives, such as external hard disks and USB flash drives, cannot be read by Macs running older versions of macOS, even 10.12 Sierra.
- FileVault volumes are converted from HFS+ to APFS just like unencrypted volumes.
- Although Apple’s Boot Camp Windows environment is compatible with High Sierra, it cannot read from or write to APFS-formatted volumes.
- If you’re sharing a volume formatted as APFS over the network, you must use SMB or NFS, not the increasingly deprecated AFP. (SMB has been the preferred file sharing protocol for several versions of macOS now.) That applies to Time Machine share points as well.
Jamf offers a useful white paper that covers many of the APFS-related changes for admins.
Kernel Extension Changes -- To improve security, kernel extensions installed with or after the installation of High Sierra require user consent to load, a system Apple calls User Approved Kernel Extension Loading. (Kernel extensions that were on the Mac before upgrading to High Sierra, as well as those that replace previously approved kernel extensions, will not require user consent.)
Any user can approve a kernel extension — administrator privileges are not necessary — but the prompt could confuse a non-technical user.
If you want to disable User Approved Kernel Extension Loading, you can do so by booting into macOS Recovery, launching Terminal, and using the spctl command (run it by itself for instructions). That setting is stored in NVRAM, so resetting NVRAM will cause it to revert to the default prompting.
Also, enrolling a Mac in an MDM solution like Jamf Pro automatically disables User Approved Kernel Extension Loading. Apple says that a future update to High Sierra will expose MDM control of the setting and allow management of the list of kernel extensions that are allowed to load without user consent.
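Because any user can click through the consent prompt, admins will want a way to review which kernel extensions have actually been approved on a Mac and flag any whose developer Team ID is not on the organization’s list. The script below is an added example written for this article, not code from Apple or Jamf. It assumes (this is not stated on the page) that High Sierra records consent decisions in the SQLite file /var/db/SystemPolicyConfiguration/KextPolicy, in a table named kext_policy with the columns team_id, bundle_id, allowed, developer_name and flags, and that the file is readable only by root, so the audit must be run with sudo. Because that file does not exist off a Mac, the script also builds a constructed sample database with the same layout so it can be exercised offline; the Team IDs and bundle IDs in it are made up.

```python
"""Audit User Approved Kernel Extension Loading decisions on macOS 10.13.

Added example for this article (not Apple's or Jamf's code). Assumed, not
taken from the page: the consent database path and the kext_policy schema
below. Run against a real Mac as:  sudo python3 kext_audit.py
"""
import os
import sqlite3
import tempfile

# Assumed location of the consent database on High Sierra.
KEXT_POLICY_DB = "/var/db/SystemPolicyConfiguration/KextPolicy"

# Assumed schema of the consent table (column names as believed to exist in 10.13).
KEXT_POLICY_SCHEMA = (
    "CREATE TABLE kext_policy ("
    " team_id TEXT, bundle_id TEXT, allowed BOOLEAN,"
    " developer_name TEXT, flags INTEGER,"
    " PRIMARY KEY (team_id, bundle_id))"
)


def load_kext_policy(db_path):
    """Return every consent row as a dict; 'allowed' is normalised to bool."""
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute(
            "SELECT team_id, bundle_id, allowed, developer_name, flags "
            "FROM kext_policy"
        ).fetchall()
    finally:
        conn.close()
    return [
        {"team_id": r[0], "bundle_id": r[1], "allowed": bool(r[2]),
         "developer_name": r[3], "flags": r[4]}
        for r in rows
    ]


def find_unexpected(entries, allowed_team_ids):
    """(team_id, bundle_id) pairs a user approved whose Team ID is not on our list.

    Denied rows are ignored: only approved kexts can load, so only they matter.
    """
    return sorted(
        (e["team_id"], e["bundle_id"])
        for e in entries
        if e["allowed"] and e["team_id"] not in allowed_team_ids
    )


def audit(db_path, allowed_team_ids):
    """Load the database and report approvals outside the organisation's allowlist."""
    return find_unexpected(load_kext_policy(db_path), allowed_team_ids)


def build_sample_db(path):
    """Create a CONSTRUCTED KextPolicy-style database for offline testing.

    Team IDs and bundle IDs here are placeholders, not real developers.
    """
    conn = sqlite3.connect(path)
    conn.execute(KEXT_POLICY_SCHEMA)
    conn.executemany(
        "INSERT INTO kext_policy VALUES (?, ?, ?, ?, ?)",
        [
            ("EXAMPLE001", "com.example.vpn.kext", 1, "Example VPN Inc", 1),
            ("EXAMPLE002", "com.example.av.kext", 1, "Example AV Ltd", 1),
            ("EXAMPLE003", "com.unknown.driver", 1, "Unknown Developer", 1),
            ("EXAMPLE004", "com.example.denied", 0, "Example Denied Co", 1),
        ],
    )
    conn.commit()
    conn.close()
    return path


def sample_db_path():
    """Build the constructed database in a fresh temp directory and return its path."""
    return build_sample_db(os.path.join(tempfile.mkdtemp(), "KextPolicy"))


if __name__ == "__main__":
    # Use the real database when it is readable, otherwise the constructed sample.
    db = KEXT_POLICY_DB if os.access(KEXT_POLICY_DB, os.R_OK) else sample_db_path()
    org_allowlist = {"EXAMPLE001", "EXAMPLE002"}  # replace with your vendors' Team IDs
    for team_id, bundle_id in audit(db, org_allowlist):
        print("unexpected approved kext: %s (%s)" % (bundle_id, team_id))
```

On a managed fleet the allowlist would come from the MDM rather than a literal in the script, and the report would be fed to whatever inventory or alerting the organization already runs; the point is simply that consent decisions are auditable after the fact, not only visible in the prompt the user saw.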
Content Caching Changes -- Previously, you needed macOS Server for caching services — the capability to serve software updates and other Apple-served content from a local server rather than every device going out to Apple’s server over the Internet. In High Sierra, Apple has moved content caching into the Sharing pane of System Preferences, so you can designate any Mac as a caching server and have other devices look to it for updates. The new Content Caching approach also works with iOS devices connected via a USB hub for use with classroom devices hosted on a cart.
Additional changes of interest to the IT community will no doubt be discovered after High Sierra ships, but even this collection should give you plenty to ponder as you develop your organization’s High Sierra upgrade policies.