Resizing a macOS VM’s APFS boot drive to use all available disk space

October 18, 2017

A while back, I wrote a post on how to resize the boot drive of an existing virtual machine. However, that guidance only applies to a boot drive that uses HFS+ for its filesystem.

Now that Apple File System (APFS) is available and the default file system on macOS High Sierra, a different procedure must be used in order to resize the APFS-formatted boot drive of an existing virtual machine. For more details, see below the jump.


Unlocking or decrypting using an institutional recovery key does not work with encrypted APFS boot drives on macOS High Sierra 10.13.0

October 10, 2017 6 comments

As part of Apple’s FileVault 2 encryption, Apple has provided for the use of recovery keys. These keys are a backup method to unlock FileVault 2’s encryption in the event that the usual method of logging in using a user’s account password is not available.

There are two main types of recovery keys available:

1. Personal recovery keys (PRK) – These are recovery keys that are automatically generated at the time of encryption. These keys are generated as an alphanumeric string and are unique to the machine being encrypted. In the event that an encrypted Mac is decrypted and then re-encrypted, the existing personal recovery key would be invalidated and a new personal recovery key would be created as part of the encryption process.


2. Institutional recovery keys (IRK) – These are pre-made recovery keys that can be installed on a system prior to encryption and are most often used by a company, school or institution to have one common recovery key that can unlock their managed encrypted systems.


This recovery key model has continued to be used on Apple File System (APFS), starting with macOS High Sierra 10.13.0, with one important difference:

  • You can encrypt an APFS boot drive using an IRK. 
  • You cannot unlock or decrypt an encrypted APFS boot drive using an IRK.

For more details, see below the jump.


Using the macOS High Sierra OS installer’s startosinstall tool to install additional packages as post-upgrade tasks

September 26, 2017 1 comment

Starting with macOS 10.12.4, Apple locked down the macOS installer to make it impossible to add non-Apple installer packages directly to the macOS Install .app without using NetInstall. However, there is a way to configure the macOS High Sierra OS installer to install additional packages as a post-upgrade task. For more details, please see below the jump.


Categories: Mac administration, macOS

Using the macOS High Sierra OS installer’s startosinstall tool to avoid APFS conversion

September 26, 2017 4 comments

As part of the upgrade process to macOS High Sierra, Apple has stated that certain drives will be converted from using the HFS+ filesystem to Apple’s new default filesystem, APFS. The conversion criteria are shown below:

[Screenshot: APFS conversion criteria]

For those Mac admins who don’t necessarily want to convert yet, there is a way to configure the macOS High Sierra OS installer to skip the APFS conversion. For more details, please see below the jump.


Changing local account passwords may cause new login keychain to be silently generated on macOS High Sierra

September 25, 2017 7 comments

As part of my testing of macOS High Sierra, I’ve noticed that login behavior has changed for local accounts, in cases where the password of the login keychain is different from the password of the account logging in.

On macOS Sierra, the following behavior occurs when the password of the login keychain is different from the password of the local account logging in:

1. The login process pauses
2. You’re prompted to continue login, create a new keychain, or update the existing keychain password.


3. If you choose to update the existing keychain password, you enter the keychain’s current password (which is usually the account’s former password).


4. The login process proceeds and the desktop comes up.

On macOS High Sierra, the following behavior occurs when the password of the login keychain is different from the password of the local account logging in:

1. The login keychain with the different password is renamed to login_renamed_number_goes_here.keychain-db and stored in ~/Library/Keychains.


2. A new login keychain is created in ~/Library/Keychains. The new login keychain is named login.keychain-db and uses the password of the local account logging in.


Note: This is behavior I’ve observed for local accounts only. I have not been able to test with network accounts, like Active Directory mobile accounts.

Update 9-26-2017: This behavior was addressed in the betas for Active Directory mobile accounts:

The reason why this behavior is problematic is that anything stored in the former login keychain is not transferred to the new login keychain. Saved passwords, certificates, and any other secrets stored in the now-former login keychain will not be present in the new login keychain. They will need to be manually copied, or re-saved into the new login keychain.

For more details, see below the jump.


Categories: Mac administration, macOS

APFS preparation and macOS High Sierra

September 9, 2017 5 comments

As part of the pre-release announcements about macOS High Sierra, Apple released the following KBase article:

Apple makes a number of statements about APFS and its effects in this KBase article, but what do they all mean? I’m going to try to clarify while staying on the right side of Apple’s NDA. For more details, see below the jump.


Building a Jamf Pro smart group containing High Sierra-incompatible Mac models

August 29, 2017 4 comments

As part of preparing for macOS Sierra in 2016, I prepared a smart group that listed Macs incompatible with macOS Sierra. Apple stated at WWDC 2017 that any Mac that can run macOS Sierra can also run macOS High Sierra, so that means that the list of incompatible Macs has not changed. For more details, see below the jump:

