
Page 1: HIGH SIERRA IS COMING - WordPress.com · Apple Supported deployment mechanisms. Apple will only support the following deployment methods: -Using the macOS installer (e.g. the 'Install

A Brief Overview Of The Changes Coming In High Sierra For Mac Admins

HIGH SIERRA IS COMING...

High Sierra is coming! This talk is an overview of the changes that matter to Mac admins, with links for further reading.

Page 2:

HIGH SIERRA IS COMING...

• Apple have released 6 new Knowledge Base (KB) Articles at the end of August.

• These outline compatibility and changes in the upcoming OSes

• These cover the Pro Apps, macOS, iOS, APFS, Kernel Extensions, Caching content and Imaging (!)

In the last two weeks of August, Apple released six new KB articles. These cover the Pro Apps (Final Cut Pro, Logic Pro etc.), preparing institutions for macOS/iOS, APFS, kernel extensions, content caching for iOS, and imaging (yup, imaging!). The links shown will be on a slide at the end. This deck will also be available afterwards.

Page 3:

About Apple Pro Apps and macOS High Sierra

• Released on 18th August 2017

• Link: https://support.apple.com/en-us/HT207888

• Covers: Final Cut Pro X, Motion, Compressor, Logic Pro X, and MainStage.

• App Store version should update at no cost

• Final Cut Pro Studio and Logic Studio are not compatible

First one: About Apple Pro Apps and macOS High Sierra. Covers: Final Cut Pro X, Motion, Compressor, Logic Pro X, and MainStage. Minimum versions: Final Cut Pro X (10.3.4), Motion (5.3.2), Compressor (4.3.2), Logic Pro X (10.3.1), and MainStage (3.3). Basically, if you're deploying these through the App Store or MDM, you should be fine (well, no additional licence cost, but you may need to run those updates!). Anything * Studio is not compatible. Next one...

Page 4:

Prepare your institution for iOS 11, macOS High Sierra, or macOS Server 5.4

• Released on 23rd August 2017

• Link: https://support.apple.com/en-gb/HT207828

• Covers: iOS / tvOS 11, macOS High Sierra and Server 5.4 (sort of)

• Changes to TLS certificates across the board

• APFS for macOS

• Kernel Extension on macOS

• And more!

Second: Prepare your institution for iOS 11, macOS High Sierra, or macOS Server 5.4. It covers iOS / tvOS 11, macOS High Sierra and Server 5.4 (sort of): changes to TLS certificates across the board, APFS for macOS, kernel extensions on macOS, plus more!

Page 5:

Prepare your institution for iOS 11, macOS High Sierra, or macOS Server 5.4 - TLS Certificates

• SHA-1-signed certificates are not supported for TLS

• RSA keys less-than 2048 bits are not supported

• EAP-TLS negotiations will default to TLS v1.2*

* - Can be overridden with a configuration profile. Older clients might still only support v1.0

TLS certificates. Any TLS connection using a certificate signed with SHA-1 won't work. Any TLS connection using an RSA key shorter than 2048 bits won't work. So check those internal certs! EAP-TLS negotiations will default to TLS v1.2, which matters for those using 802.1X / RADIUS amongst other options. This can be overridden with a configuration profile, and older clients may only support v1.0, but it should be treated as a sign that Apple is likely to drop support for the older versions in future, so identify affected systems and get them sorted.
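To find those internal certs before the upgrade lands, here is an added example (it is not part of the deck or of Apple's KB article) that audits a certificate the way High Sierra and iOS 11 will judge it: it reads the text dump from `openssl x509 -noout -text` and flags a SHA-1 signature or an RSA key shorter than 2048 bits. The sample dumps in the script are constructed, not real certificates, and `audit_cert_file` assumes `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example, not from the deck or Apple's KB articles.
# Flags certificates that macOS High Sierra / iOS 11 will refuse for TLS:
# SHA-1 signatures and RSA keys shorter than 2048 bits.

# audit_cert_text TEXT
#   TEXT is the output of `openssl x509 -noout -text`. Prints one FAIL line
#   per problem and returns 1, or prints OK and returns 0.
audit_cert_text() {
    text=$1
    rc=0
    # The first "Signature Algorithm:" line is the one inside the TBS certificate.
    sig=$(printf '%s\n' "$text" | awk -F': *' '/Signature Algorithm:/ { print $2; exit }')
    alg=$(printf '%s\n' "$text" | awk -F': *' '/Public Key Algorithm:/ { print $2; exit }')
    # "Public-Key: (2048 bit)" (OpenSSL 3) or "RSA Public-Key: (2048 bit)" (1.1.x)
    bits=$(printf '%s\n' "$text" | awk '/Public-Key: *\(/ { sub(/.*\(/, ""); sub(/ .*/, ""); print; exit }')

    case "$sig" in
        *[sS][hH][aA]1*) echo "FAIL: signed with SHA-1 ($sig)"; rc=1 ;;
    esac
    # The key-size rule is about RSA; EC keys are judged only on the signature.
    if [ "$alg" = "rsaEncryption" ] && [ "${bits:-0}" -lt 2048 ]; then
        echo "FAIL: RSA key is ${bits:-unknown} bits, below 2048"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $sig, $alg, ${bits:-?} bit key"
    fi
    return "$rc"
}

# audit_cert_file FILE [PEM|DER]
#   Wrapper for real certificate files; assumes openssl is on the PATH.
audit_cert_file() {
    audit_cert_text "$(openssl x509 -in "$1" -inform "${2:-PEM}" -noout -text)"
}

# Constructed, abridged samples of `openssl x509 -noout -text` output.
# They are not real certificates; only the fields the audit reads are present.
SAMPLE_WEAK='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4097 (0x1001)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Example Internal CA
        Subject: CN=radius.example.internal
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)'

SAMPLE_GOOD='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4098 (0x1002)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Example Internal CA
        Subject: CN=mdm.example.internal
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)'

SAMPLE_EC_SHA1='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4099 (0x1003)
    Signature Algorithm: ecdsa-with-SHA1
        Issuer: CN=Example Internal CA
        Subject: CN=proxy.example.internal
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)'

# With file arguments: audit each file. With none: run over the constructed samples.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do echo "== $f"; audit_cert_file "$f"; done
else
    for s in "$SAMPLE_WEAK" "$SAMPLE_GOOD" "$SAMPLE_EC_SHA1"; do
        audit_cert_text "$s"; echo "exit status: $?"
    done
fi
```

Point it at the certificates your RADIUS servers, internal web services and MDM present (for example `sh audit.sh /path/to/*.pem`); a `FAIL` on the RADIUS certificate is the one that will take Wi-Fi down on upgrade day. The check only looks at the leaf certificate you hand it, so run it over the issuing chain as well.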

Page 6:

Prepare your institution for iOS 11, macOS High Sierra, or macOS Server 5.4 - APFS

• All flash storage is upgraded automatically

• Cannot create AFP share points on APFS volumes

• You can connect to AFP shares from an APFS Mac

• May need changes to the home directory mount path in your directory system / user records

• More on this....later

APFS. All flash storage is upgraded, with no option to opt out. You cannot create a file share / share point from an APFS volume shared over AFP; SMB and NFS are fine. If you're sharing home directories, make sure to update the home directory paths in the user record / directory system! More on this later.

Page 7:

Prepare your institution for iOS 11, macOS High Sierra, or macOS Server 5.4 - KEXTs

• From OS X Yosemite, KEXTs need to be signed

• As of macOS High Sierra, all new KEXTs require end-user approval before they will load

• More on this....later

Kernel Extensions, or KEXTs. From OS X Yosemite (10.10.x), all kernel extensions needed to be signed to be loaded. As of High Sierra, the end user will additionally need to approve each new kernel extension before it can load. More on this later.

Page 8:

Prepare your institution for iOS 11, macOS High Sierra, or macOS Server 5.4 - And more!

• Active Directory: minimum functional level of 2008

• NIS is no longer supported

• Imaging has changed, more on this...later

• Content Caching is explicitly disallowed on Virtual Machines

• /var/db/ConfigurationProfiles is now protected by SIP

profiles -s -F /startupprofile.mobileconfig -f

And more!

Directory Services: Active Directory support now needs a minimum functional level of 2008. No more 2003! NIS is no longer supported. The Network Information Service, or NIS (originally called Yellow Pages or YP), is a client–server directory service protocol for distributing system configuration data such as user and host names between computers on a computer network. Sun Microsystems developed NIS; the technology is licensed to virtually all other Unix vendors. ⁃ from Wikipedia

Software Deployment: Imaging has changed, more on this later.

Content caching: Never supported on VMs, and now explicitly disallowed. Will this affect those using Mac ESXi VMs? Probably!

Configuration Profiles: /var/db/ConfigurationProfiles is now protected by SIP, possibly to stop local admins removing enforced MDM enrolments (via DEP).

Page 9:

Upgrade macOS on a Mac at your institution

• Released on 21st August 2017

• Link: https://support.apple.com/en-gb/HT208020

• Firmware updates

• Supported deployment mechanisms

• Comments on 'Monolithic' imaging

• Options

Third: Upgrade macOS on a Mac at your institution. This KB article goes over the importance of firmware updates, Apple-supported deployment methods, and 'monolithic' imaging.

Page 10:

Upgrade macOS on a Mac at your institution - Firmware

• Firmware updates are no longer shipped as a separate update / patch

• They are installed by OS X / macOS updates and upgrades

• Deploying pre-built images doesn't deploy these updates

• Installing onto another Mac over Target Disk Mode also doesn't deploy these updates

Firmware. For a while now (anyone know when?) these have not been deployed as separate installable updates. Instead, they've been bundled into OS updates and upgrades (combo and delta updates, Security Updates, and the 'Install macOS XXX' applications). Deploying a pre-built image will not install these updates on the deployed kit; this includes monolithic and modular images as well as AutoDMG-built images. The same applies if you run the installers and updates against a second device via Target Disk Mode.
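So how do you find the Macs that have already missed firmware because they were imaged or updated over Target Disk Mode? Here is an added example (not from the deck or the KB article) that compares the Boot ROM version a Mac reports through `system_profiler SPHardwareDataType` against a reference value recorded per model from one Mac of that model that was upgraded via a supported installer path. The model-to-firmware table and the sample `system_profiler` output are placeholders constructed for the example; the version strings in them are not Apple's real values.

```shell
#!/bin/sh
# Added example, not from the deck or Apple's KB articles.
# Finds Macs whose firmware lagged behind because the OS was laid down from an
# image (or over Target Disk Mode) rather than by the installer. It compares the
# Boot ROM version reported by system_profiler with a reference value recorded
# from one Mac of the same model that was upgraded via a supported path.

# expected_boot_rom MODEL_IDENTIFIER
#   Reference table (placeholder values, an assumption of this example):
#   replace each line with the Boot ROM string read from a freshly upgraded
#   reference Mac of that model. Prints nothing for an unknown model.
expected_boot_rom() {
    awk -v model="$1" '$1 == model { print $2; exit }' <<'EOF'
MacBookPro13,3 MBP133.0226.B25
iMac18,3       IM183.0151.B00
EOF
}

# firmware_status TEXT
#   TEXT is the output of `system_profiler SPHardwareDataType`. Prints one line:
#   CURRENT (returns 0), STALE (returns 1) or UNKNOWN model (returns 2).
#   Versions are compared as exact strings: Boot ROM strings are not reliably
#   orderable, so the reference value must come from a known-good Mac.
firmware_status() {
    text=$1
    model=$(printf '%s\n' "$text" | awk -F': *' '/Model Identifier:/ { print $2; exit }')
    # 10.12/10.13 call it "Boot ROM Version"; later releases "System Firmware Version".
    rom=$(printf '%s\n' "$text" | awk -F': *' '/Boot ROM Version:|System Firmware Version:/ { print $2; exit }')
    want=$(expected_boot_rom "$model")
    if [ -z "$want" ]; then
        echo "UNKNOWN $model reports $rom (no reference value recorded for this model)"
        return 2
    elif [ "$rom" = "$want" ]; then
        echo "CURRENT $model $rom"
        return 0
    else
        echo "STALE $model reports $rom, reference is $want"
        return 1
    fi
}

# Constructed, abridged system_profiler output. Version strings are placeholders.
SAMPLE_STALE='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: MacBookPro13,3
      Boot ROM Version: MBP133.0223.B00
      SMC Version (system): 2.38f7'

SAMPLE_CURRENT='Hardware:

    Hardware Overview:

      Model Name: iMac
      Model Identifier: iMac18,3
      Boot ROM Version: IM183.0151.B00
      SMC Version (system): 2.41f1'

SAMPLE_UNKNOWN='Hardware:

    Hardware Overview:

      Model Identifier: Macmini7,1
      Boot ROM Version: MM71.0220.B07'

# --live queries the Mac it runs on (macOS only); otherwise run the constructed samples.
if [ "${1:-}" = "--live" ]; then
    firmware_status "$(system_profiler SPHardwareDataType)"
else
    for s in "$SAMPLE_STALE" "$SAMPLE_CURRENT" "$SAMPLE_UNKNOWN"; do
        firmware_status "$s"
    done
fi
```

Run it as a management-tool script or extension attribute with `--live` and collect the first word of the output: every `STALE` is a Mac that needs the real installer (or the combo update) rather than another image, and every `UNKNOWN` is a model you have not yet recorded a reference value for.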

Page 11:

Upgrade macOS on a Mac at your institution - Supported deployment mechanisms

Apple only supports the following deployment methods:

• Using the macOS installer

• Using a bootable installer - https://support.apple.com/en-gb/HT201372

• Using the Recovery Partition

• Using a System Image Utility-created NetInstall image

Apple-supported deployment mechanisms. Apple will only support the following deployment methods:
- Using the macOS installer (e.g. the 'Install macOS XXX' application)
- Using a bootable installer (e.g. created with the `createinstallmedia` command, link above and at the end)
- Using the Recovery partition
- Using a System Image Utility-created NetInstall image (basically runs the 2nd option from a NetInstall environment under Apple's control)

Page 12:

Upgrade macOS on a Mac at your institution - Comments on 'Monolithic' imaging

•Deploying an OS from a disk image will not install the firmware updates

•This will cause the Mac to be unstable and unsupportable

However!

•You can deploy an OS from a disk image if the Mac was already running an identical version of macOS

"Apple doesn't recommend or support monolithic system imaging when upgrading or updating macOS."

Comments on 'monolithic' imaging. Apple made some interesting comments here. Deploying the OS from a disk image will not install the firmware updates. As the OS will rely on these more in High Sierra, this will cause the Mac to be unstable and unsupportable. If the OS already on the Mac is identical to the one you are deploying, this is still supported. One final note from Apple: "Apple doesn't recommend or support monolithic system imaging when upgrading or updating macOS."

Page 13:

Upgrade macOS on a Mac at your institution - Options

•Munki and Jamf Pro have some built-in support to use the 'Install macOS' application to upgrade devices

•System Image Utility's NetInstall Image

•Stop deploying Monolithic / modular images

•Possible: Deploy OS image as now, plus latest Combo-update

•Any others?

Options, in light of this:
- Both Jamf Pro and Munki (and likely others!) have some built-in support to upgrade devices in place
- As detailed earlier, Apple's SIU NetInstall image
- Stop using monolithic / modular image deployment with OS replacements; use DEP or image-less workflows to enrol your device into your required management solution
- Possibly: deploy your OS image as you do currently, then lay down the latest combo update to ensure any firmware updates are applied. This would need to be a first-boot / on-reboot package!
- Any others?

Page 14:

Prepare for APFS in macOS High Sierra

• Released on 21st August 2017

• Link: https://support.apple.com/en-gb/HT208018

• APFS will be the default file system for all High Sierra devices with flash storage

• Devices with flash storage will be converted automatically

• Devices with Fusion Drives, or (spinning) Hard Drives will not

Number four: Prepare for APFS in macOS High Sierra. APFS! If you're running flash storage, you will be converted to APFS, no opt-out. If you're running a Fusion Drive or a spinning-rust hard drive, there is no automatic conversion.

Page 15:

Prepare for APFS in macOS High Sierra - Compatibility

• APFS Macs can read/write HFS+. HFS+ Macs need 10.12.6 or later to read/write APFS

• FileVault volumes will be converted in the same way as non-FileVault volumes

• Boot Camp is supported, except for volumes over 3TB on Fusion Drives

• APFS volumes cannot share over AFP, but APFS devices can connect to AFP shares

• Time Machine will continue to work, just not over AFP

Compatibility. APFS Macs can read and write HFS+ storage. APFS Macs can read and write APFS storage (durr). HFS+ Macs can read and write APFS storage if running 10.12.6 or newer. FileVault volumes will be converted the same as non-FV volumes. Boot Camp partitions over 3TB on a Fusion Drive are not supported; otherwise, all good. APFS volumes cannot be shared over AFP, but SMB and NFS are fine. APFS Macs can connect to AFP shares (contrary to a typo in a Jamf Nation KB article ;) ). Time Machine should work fine, but will need to be switched to SMB if backing up to a network volume.

Page 16:

Prepare for changes to kernel extensions in macOS High Sierra

• Released on 23rd August 2017

• Link: https://support.apple.com/en-gb/HT208019

• Been covered a lot

• Biggest change since the original announcement is the ability to disable the new Secure Kernel Extension Loading (SKEL)!

Number five, nearly there: Prepare for changes to kernel extensions in macOS High Sierra. This has been covered a lot by many people, blog links at the end! The biggest change since the original announcement is that we can now return the behaviour to the current Sierra behaviour!

Page 17:

Prepare for changes to kernel extensions in macOS High Sierra - Basic points

• New KEXTs will prompt the user

• User has 30 minutes to accept / allow the KEXT

• May cause the app to display errors or even crash

• Most likely to affect AntiMalware and Data Loss Prevention (DLP) solutions

• Some concerns over the UI to end users ('dialog fatigue')

• Can 'manage' a whitelist from the Recovery partition, but it is wiped out by an NVRAM reset

A quick refresher

⁃ Any new kernel extension installed on High Sierra will prompt the user before it is enabled/loaded
⁃ They'll have 30 minutes to accept/allow
⁃ Depending on how the developer has prepared for this, it could cause crashing / issues with the app if it requires that extension
⁃ Most likely to affect AV / Data Loss Prevention solutions!
⁃ Users will be able to ignore the message and not be protected / compliant!
⁃ Also concerns over the UI training users to just click through (much like SSL cert warnings) - 'dialog fatigue'
⁃ Can use Recovery mode to specify an allowed list, much like the NetBoot whitelist
⁃ But it is wiped out by an NVRAM reset

Page 18:

Prepare for changes to kernel extensions in macOS High Sierra - The Good stuff

• Pre-existing KEXTs are trusted when a device is upgraded to High Sierra

• Updated trusted KEXTs remain trusted

• 'Currently' If a High Sierra Mac has "a" MDM profile installed, the SKEL behaviour is the same as Sierra

• In a 'Future update' we can manage this with a profile, including on/off and a whitelist

Now the good stuff

⁃ If the kext was already present before the High Sierra upgrade, it will be automatically trusted
⁃ If a kext is trusted, it can be replaced and remain trusted (e.g. allowing a kext to be updated)
⁃ In the 'current' version of High Sierra, if you have an MDM profile installed, this new behaviour is reverted back to what it is now!
⁃ In a 'future update', there will be an MDM payload (profile) to turn this behaviour on and off, and to manage a whitelist without asking the user
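Whichever way the whitelist ends up being managed (the Recovery-partition list from the previous slide or the promised MDM payload), it is keyed on the Developer ID Team Identifier that signed each kext, so the useful pre-upgrade task is to inventory the third-party kexts on your fleet and the Team IDs behind them. Here is an added example (not from the deck or the KB article) that does that from `codesign -dv --verbose=4` output. The sample `codesign` reports, vendor names, bundle IDs and Team IDs are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the deck or Apple's KB articles.
# Inventories the third-party kernel extensions on a Mac and the Developer ID
# Team Identifiers that signed them: the IDs the High Sierra approval dialog
# keys on, and the ones you will need for an allow list.

# kext_identity CODESIGN_OUTPUT KEXT_PATH
#   CODESIGN_OUTPUT is the report from `codesign -dv --verbose=4 KEXT` (codesign
#   writes it to stderr). Prints "TEAMID<TAB>bundle-id<TAB>path"; a kext with no
#   Team ID (unsigned or ad-hoc signed, so unloadable since Yosemite anyway)
#   gets the marker UNSIGNED.
kext_identity() {
    printf '%s\n' "$1" | awk -F= -v path="$2" '
        $1 == "Identifier"     { id = $2 }
        $1 == "TeamIdentifier" { team = $2 }
        END {
            if (team == "" || team == "not set") team = "UNSIGNED"
            print team "\t" id "\t" path
        }'
}

# inventory_kexts [DIR...]
#   One line per kext bundle found under /Library/Extensions (and any extra
#   directories given). macOS only: needs codesign.
inventory_kexts() {
    for dir in /Library/Extensions "$@"; do
        for kext in "$dir"/*.kext; do
            [ -d "$kext" ] || continue
            kext_identity "$(codesign -dv --verbose=4 "$kext" 2>&1)" "$kext"
        done
    done
}

# team_ids_from_inventory INVENTORY_TEXT
#   Reduces an inventory to the unique Team IDs worth allow-listing, dropping
#   UNSIGNED entries, one per line.
team_ids_from_inventory() {
    printf '%s\n' "$1" | awk -F'\t' '$1 != "UNSIGNED" && $1 != "" { print $1 }' | sort -u
}

# Constructed codesign reports, abridged; the vendor, bundle IDs and Team IDs
# are made up for this example.
SAMPLE_SIGNED='Executable=/Library/Extensions/ExampleAV.kext/Contents/MacOS/ExampleAV
Identifier=com.example.av.kext
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+3 location=embedded
Authority=Developer ID Application: Example Security Inc (AB12CD34EF)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=AB12CD34EF'

SAMPLE_UNSIGNED='Executable=/Library/Extensions/OldDriver.kext/Contents/MacOS/OldDriver
Identifier=com.example.olddriver
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=456 flags=0x2(adhoc) hashes=10+3 location=embedded
Signature=adhoc
TeamIdentifier=not set'

# --live inventories the Mac it runs on (macOS only); otherwise use the samples.
if [ "${1:-}" = "--live" ]; then
    inv=$(inventory_kexts)
else
    inv=$(kext_identity "$SAMPLE_SIGNED" /Library/Extensions/ExampleAV.kext
          kext_identity "$SAMPLE_UNSIGNED" /Library/Extensions/OldDriver.kext)
fi
printf '%s\n' "$inv"
echo "--- Team IDs to allow-list:"
team_ids_from_inventory "$inv"
```

Run it with `--live` across the fleet before the upgrade and you have the list of Team IDs your AV / DLP vendors ship under, which is what the Recovery-partition allow list takes (on 10.13 that list is managed with `spctl kext-consent`, a command the deck does not name) and what the future MDM payload is expected to take. Anything that comes back `UNSIGNED` was never going to load on Yosemite or later and is a removal candidate rather than an allow-list one.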

Page 19:

Prepare for changes to Content Caching in macOS High Sierra

• Released on 21st August 2017

• Link: https://support.apple.com/en-gb/HT208025

• Tethered Caching for iOS devices

• Tiered Caching with Parent / Child relationships

The last one, number six: Prepare for changes to Content Caching in macOS High Sierra. Tethered caching in the GUI for deploying to iOS, and tiered caching with configurations for child and parent relationships.

Page 20:

Prepare for changes to Content Caching in macOS High Sierra - Tethered Caching

• System Preferences -> Sharing pane -> Content Caching

• Allows a Mac to share its internet connection with USB-connected iOS devices

• Allows you to specify which Mac will be your parent caching Mac

• Parents can also be children of other parents

• iOS devices must be on iOS 10.3 or newer

• Host Mac must be on Ethernet and power*

* Tethered caching prevents system sleep so make sure to use chargers

Tethered caching
⁃ Allows a Mac to share its internet connection with any iOS devices connected over USB
⁃ Also caches some of the content installed on each device

'Parents'
⁃ Allows you to select a Mac that will serve all of its cached content to your Mac
⁃ 'Parents' can also be children of other 'parents', allowing tiered caching

Setup
⁃ iOS 10.3 or later
⁃ Host Mac must be on Ethernet
⁃ Tethered caching prevents system sleep, so get some power in there

Page 21:

Links - Apple

• About Apple Pro Apps and macOS High Sierra - https://support.apple.com/en-us/HT207888

• Prepare your institution for iOS 11, macOS High Sierra, or macOS Server 5.4 - https://support.apple.com/en-gb/HT207828

• Upgrade macOS on a Mac at your institution - https://support.apple.com/en-gb/HT208020

• Prepare for APFS in macOS High Sierra - https://support.apple.com/en-gb/HT208018

• Prepare for changes to kernel extensions in macOS High Sierra - https://support.apple.com/en-gb/HT208019

• Prepare for changes to Content Caching in macOS High Sierra - https://support.apple.com/en-gb/HT208025

• Create a bootable installer for macOS - https://support.apple.com/en-gb/HT201372

Links - All the Apple Links discussed

Page 22:

Links - Further Reading

APFS:

• Rich Trouton! - https://derflounder.wordpress.com/category/apple-file-system/

Kernel Extensions (SKEL)

• https://derflounder.wordpress.com/2017/08/24/kernel-extensions-and-macos-high-sierra/

• https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/

• https://grahamgilbert.com/blog/2017/09/11/enabling-kernel-extensions-in-high-sierra/

General:

• https://soundmacguy.wordpress.com/2017/08/21/apple-when-it-rains-it-pours/

• http://scriptingosx.com/2017/08/new-support-articles-for-high-sierra/

• http://www.modtitan.com/2017/08/three-big-things.html

Links - some other 'further reading' links. Rich Trouton: I've used his APFS blog tag as he's been doing a few talks (with more to come) on APFS. SKEL: Rich again, and Pike's interesting take; that last one actually came in as I was writing this. General: Neil Martin! Scripting OS X, and Dr Emily K.

Page 23:

THANKS
