Archive
Creating Privacy Preferences Policy Control profiles for macOS
As part of the pre-release announcements about macOS Mojave, Apple released the following KBase article:
Prepare your institution for iOS 12 or macOS Mojave:
https://support.apple.com/HT209028
As part of the KBase article, Apple included a Changes introduced in macOS Mojave section which featured this note:
You can allow apps to access certain files used for system administration, and to allow access to application data. For example, if an app requests access to your Calendar data, you can allow or deny the request. MDM administrators can manage these requests using the Privacy Preferences Policy Control payload, as documented in the Configuration Profile Reference.
What does all this mean? For more details, see below the jump.
Using directory membership to manage Apple Remote Desktop permissions
Apple Remote Desktop (ARD) is a screen sharing and remote administration tool that just about every Mac admin uses at some point. Configuring access permissions for it can be done in several ways:
- Using System Preferences’ Sharing preference pane to configure the Remote Management settings.
- Using the kickstart command line utility to grant permissions to all or specified users.
- Using the kickstart command line utility to grant permissions to members of specified directory groups.
The last item may be the least-known method of assigning permissions, but it can be the most powerful because it allows ARD’s management agent to be configured once and then use group membership to assign ARD permissions. For more details, please see below the jump.
The T2 Macs, the end of NetBoot and deploying from macOS Recovery
In late 2017, Apple released the iMac Pro. Along with the new Secure Enclave protection provided by Apple’s T2 chip, the iMac Pro brought another notable development: It did not support booting from a network volume, otherwise known as NetBoot.
The one exception was Apple’s Internet Recovery, where Apple is providing a NetBoot-like service to provide access to macOS Recovery. The iMac Pro is still able to boot to Internet Recovery, which provides a way to repair the Mac or reinstall the operating system in situations where the Mac’s own Recovery volume is missing or not working properly.
With NetBoot not being available for the iMac Pro but still available for other models, it wasn’t yet clear if NetBoot-based workflows for setting up new Macs or rebuilding existing ones were on the way out. However, Apple’s release of T2-equipped MacBook Pros in July 2018, which also could not use NetBoot, has made Apple’s direction clear. As Apple releases new Mac models equipped with T2 chips and Secure Enclave, it is unlikely that these future Mac releases will support NetBoot.
For Mac admins using NetBoot-based workflows to set up their Macs, what are the alternatives? Apple has been encouraging the use of Apple’s Device Enrollment Program (DEP), which leverages a company, school or institution’s mobile device management (MDM) service. In this case, you would need to arrange with Apple or an Apple reseller to purchase Macs that are enrolled in your organization’s DEP.
When a DEP-enrolled Mac is started for the first time (or started after an OS reinstall), it is automatically configured to use your organization’s MDM service and the device checks in with the MDM service. The MDM service then configures the Mac as desired with your organization’s software and configuration settings. A good example of what this process may look like can be seen here.
What if you don’t have DEP, or you don’t have MDM? In that case, you may still be able to leverage Recovery-based deployment methods, which would allow you to install the desired software and configuration settings onto the Mac’s existing OS, or to install a new OS along with software and configuration settings. For more details on these methods, please see below the jump.
Staying notified about Apple developer software releases
Keeping up on Apple developer betas and other developer software releases is a necessary part of many Mac admins’ regular routine. It’s especially important during the period between WWDC in June and the annual OS release in the fall. Fortunately, Apple provides a way to make tracking developer releases easier by publishing a notification to the following address:
https://developer.apple.com/news/releases/
This publicly-accessible notification doesn’t discuss what’s included in the newly-released software and you will still need an Apple Developer Connection account in order to get the details. For many Mac admins though, having an easy and quick way to track if the latest developer beta has been released is valuable information in itself.
To make it even more convenient, Apple also offers an RSS feed for the Developer Releases page:
https://developer.apple.com/news/releases/rss/releases.rss
You can add this feed to your RSS reader and it’ll keep you up to date. If you use Slack, another approach is to use Slack’s ability to post content from an RSS feed to a Slack channel. For more details, please see below the jump.