November 2022 Update from the Mac Admins Foundation

As the Northern Hemisphere’s Autumn arrives, my mind turns to my favorite holiday, Thanksgiving. A big table, as many people as we can fit around it, and everyone has brought something to share with their family and friends. As we prepare to set our own table this year, I want to reflect on the state of the Mac Admins Foundation, and share some news about our current moment and our future plans.

There are five things we want to share as a board with the broader community:


Mac Admins Foundation Update, November 2022

The Mac Admins Foundation is one of my very favorite parts of 2022. Though it’s been a hard year — lots of growing, lots of learning, both of which can be very tiring — there have been massive highlights. In just the last 9 months, we’ve gotten major commits from 8 organizations, representing a massive financial commitment to the Mac Admins Community, and supporting commitments from 7 more.

We have shored up the hub of the community by arranging for our Slack instance to be paid for through next summer. We have cultivated a relationship with Apple and Pearson for our credential scholarship program. We have built the frameworks for future success, and laid the groundwork for some incredible 2023 programs.

I can’t say enough great things about the board that I work with, and the community I serve. Our amazing volunteers are taking time away from their day jobs, from their families and friends, to build a better world for all Mac Admins practicing today, and preparing for the future. I couldn’t be more proud of this community, and more honored to serve it.

May all your tables be full this Thanksgiving.

Software Update, macOS Ventura, and the Mac Admin

I think it’s fair to say that every Mac Admin I know has a nemesis and it’s softwareupdate. The command line binary that has lived in every Mac since Mac OS X was released has grown much like my cat: reliable, but deeply crotchety, and occasionally, vindictive.

Major upgrades to macOS, that is to say, upgrades between major versions (11 to 12, 10.15 to 11), have traditionally been done with large installers contained in an app bundle. This is the traditional “Install macOS Monterey.app” that you can download from System Preferences, or the App Store. This installer is a specially-signed app bundle that allows for software updates to existing sealed system volumes through the inclusion of an Apple-only entitlement for updating the system.

These applications require admin rights to run, and the interactive process of downloading the large installer and running it puts the onus on the end-user of the device to complete the process. This is a roadblock for some organizations who want to keep their devices on the latest major version after a new version is released, but their users are not granted admin rights for security reasons.

What’s Different About Ventura?

During this year’s beta cycle, Apple released a new method of updating the operating system. You may have noticed it if you added your device to the beta of Ventura. On a Monterey device running macOS 12.3 and later, you were offered a 5-6GB install of Ventura directly in Software Update, instead of the full 11-12GB installer application.

Apple has adopted the newer mobile software update (MSU) process for macOS in macOS Ventura, from its origins on iOS. That allows for major and minor updates to be smaller, depending on the origin OS and the target OS.

As Admins inadvertently discovered — as Apple did not document this at WWDC or in the material that followed — during the beta period, macOS 12.3 – 12.6 see these “delta” updates as minor software updates, even if they would result in a major upgrade. That means the following things are true:

  • Delta updates do not require admin rights to install
  • Delta updates are substantially smaller
  • Delta updates install substantially faster

These are all great things for end users. No more 60 minute major upgrades that have to happen when the user can spare an hour! Standard users can upgrade on their own! Upgrades are much smaller!

But if you’re on macOS 12.3 – 12.6, all is not perfect.

Sturm und Drang

Late in the beta cycle, when it became clear that macOS 12.3 – 12.6 would see these updates as a minor update, and not a major upgrade, admins had to make some hard choices. These updates could be delayed with a minor update delay, which was something, but that meant that you had a vanishingly small period of time to get a fixed version of the operating system in the hands of admins to get it on their fleet.

This was fixed in the 12.6.1 release of macOS, and it now respects the major version upgrade delay, which is awesome. But 12.6.1 didn’t come out before macOS Ventura’s release. It’s only out today, on Ventura’s release day.

Fortunately, there was a change released at Apple that saved the day, and we’re all indebted to those who worked hard to make this happen.

Releases of macOS Ventura made between October 24th and November 23rd of 2022 will show differently to MDM-enrolled macOS devices. Any MDM-enrolled macOS device will see macOS Ventura as the full installer version of the operating system, same as in prior years. As with previous years, you can delay the appearance of these full installer versions by delaying major version upgrades. In addition, you can continue to block the process with a root agent, if you get the full installer version.

What this means, though, is you can’t permanently block macOS Ventura from being installed.

After 90 days – January 22, 2023 – all macOS systems that are eligible to run macOS Ventura will advertise it to the end user of the device. And, if they’re a disk owner on their computer, they will be able to upgrade to it with or without admin rights.

Enough. Tell Me How To Deal With This?

Okay fine. Here’s what you need to do:

  1. Get to macOS 12.6.1 within 30 days.
    If you want to block Ventura for as long as you can – 90 days – you need to get to 12.6.1 when it’s out. If you need a way to do this, I strongly recommend Nudge, written by Erik Gomez and released as Open Source.
  2. Use a Major Version Delay if you want to delay Ventura.
    Everyone’s got their own reasons for a delay. I’m not getting into that. If you want to delay Ventura, use a Major Version Delay policy that uses the enforcedSoftwareUpdateMajorOSDeferredInstallDelay key in the Restrictions payload, coupled with a forceDelayedMajorSoftwareUpdates key set to true.
  3. If you can’t get to 12.6.1 within 30 days…
    One, rethink your life choices. Once you’ve done that, add a Minor Version Delay policy to go with the Major Version Delay policy. Recognize that you are now no longer getting security updates for as long as you’re in this pickle. Maybe rethink those life choices again. You can still use MDM Software Update commands to update the OS to new versions of macOS Monterey in these circumstances, when they function.
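The steps above, worked through as an added example (not code from the original post or from Apple): it builds the Restrictions payload per OS version and flags which machines end up with security updates deferred. The minor-delay keys `forceDelayedSoftwareUpdates` and `enforcedSoftwareUpdateMinorOSDeferredInstallDelay` come from Apple's Restrictions payload rather than this post; the function names, `com.example` identifiers and fleet inventory are constructed for illustration.

```python
import plistlib
import uuid

MAX_DELAY_DAYS = 90  # longest deferral the post describes


def parse_version(text):
    """'12.6' -> (12, 6, 0); missing components count as 0."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def needs_minor_delay(os_version):
    """macOS 12.3 - 12.6 treat the Ventura delta as a minor update."""
    return (12, 3, 0) <= parse_version(os_version) < (12, 6, 1)


def restrictions_payload(os_version, days=MAX_DELAY_DAYS):
    """Restrictions payload (com.apple.applicationaccess) for one OS version."""
    if not 1 <= days <= MAX_DELAY_DAYS:
        raise ValueError(f"delay must be 1-{MAX_DELAY_DAYS} days, got {days}")
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": "com.example.ventura-delay.restrictions",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        # Step 2: the Major Version Delay pair named in the post.
        "forceDelayedMajorSoftwareUpdates": True,
        "enforcedSoftwareUpdateMajorOSDeferredInstallDelay": days,
    }
    if needs_minor_delay(os_version):
        # Step 3: 12.3 - 12.6 ignore the major delay for the delta update,
        # so a minor delay is added. This also defers Monterey security
        # updates until they are pushed by MDM command.
        payload["forceDelayedSoftwareUpdates"] = True
        payload["enforcedSoftwareUpdateMinorOSDeferredInstallDelay"] = days
    return payload


def build_profile(os_version, days=MAX_DELAY_DAYS):
    """Return .mobileconfig bytes (XML plist) wrapping the payload."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.ventura-delay",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Delay macOS Ventura",
        "PayloadScope": "System",
        "PayloadContent": [restrictions_payload(os_version, days)],
    }
    return plistlib.dumps(profile)


def hosts_losing_security_updates(inventory):
    """Hosts that need the minor delay and so stop seeing security updates."""
    return sorted(h for h, v in inventory.items() if needs_minor_delay(v))


# Constructed inventory: hostname -> reported macOS version.
FLEET = {"mac-01": "12.6.1", "mac-02": "12.5.1", "mac-03": "12.6", "mac-04": "12.2.1"}

if __name__ == "__main__":
    for host, version in sorted(FLEET.items()):
        keys = sorted(k for k in restrictions_payload(version) if "elay" in k)
        print(host, version, keys)
    print("prioritize for 12.6.1:", hosts_losing_security_updates(FLEET))
```

Hosts returned by `hosts_losing_security_updates` are the ones to move to 12.6.1 first, since they are the only ones where blocking Ventura costs security updates.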

If you have blockers for macOS Ventura, you need to get working to resolve them before 22 January 2023, because all of these solutions will stop working at that time. Non-admin users will be advertised upgrades at that time, and you’re not going to be able to rely on the process blockers to accomplish a block. If this is insufficient for your organization, I strongly recommend filing an AppleCare Enterprise ticket if that’s available to you, as well as a Feedback request to Apple.

My testing this summer has largely been positive, and now that Login Items have their own policies, I feel most of the things stopping orgs from adopting Ventura are largely about defeating the paperwork processes that admins are subject to.

I, for one, welcome our new Venturan overlords.

All At Once

My talk at this year’s MacSysAdmin was released this morning, and it concludes a three-talk series on viewing IT through the lens of popular culture. What began with Chidi, Ted and Jules at PSU in 2021, and continued with User Trust & IT Codes of Ethics, concludes today with All At Once.

Mac Admins have been through a lot the last few years: the removal of their favored scripting language from the operating system, the meat grinder of an annual cycle for testing new versions, and an increased cadence of zero-day vulnerabilities, all while “doing more with less” to meet budgetary requirements. Some level of frustration and irritation with the situation is absolutely warranted.

This talk is about the choices that we have around these moments of stress, and how to balance them against the needs of our colleagues and friends.

Normally, I’d post the slides, but for this talk they make less sense than usual, if only due to the absurdist nature of the metaphor. There is no question that things have become absurd out there, and embracing what you’re capable of as a Mac Admin, and using those skills for empathy and understanding, indeed, for community, is what makes what we do more palatable and more possible.

I hope to see many of you in person at next year’s MacSysAdmin in Gothenburg, or at Penn State, recently announced to be in July of 2023, or at any of the other incredible Mac Admin conferences. Truly, in seeing each other, in the communion of the fellowship of Mac Admins, do we recognize what we all do for each other.

Thank you, Patrik, for the opportunity to talk about this important, albeit non-technical, subject.

Quoted: iMessage and the Secret Service

The Secret Service has lately been in some hot water because they failed to back up the text message (and iMessage?) history of the devices issued to their staff during an MDM transition. I talked some with Jason Snell from Six Colors in a recent piece about what happened:

iMessage histories may be device specific and limited, and if they were not utilizing iCloud Backup (for Federal Government Cloud Reasons) it is possible that when the devices were wiped and set up anew with the MDM — so that the devices are supervised by the new MDM — the previous history was lost.

In short, I suspect they were prohibited from using any iCloud service because iCloud isn’t FedRAMP certified for security, and when they wiped the device to set them up with the new MDM service, they could not restore even a local on-disk backup, because those backups would’ve stored the supervision identity and the MDM enrollment from the previous MDM service.

iMessage and the Secret Service, Six Colors, Jason Snell

If this is what happened, I feel for the admins who planned this migration and made mistakes and poor choices.

If this isn’t what happened, and it was done with intent, I hope there are hearings and action.

On Independence Day

I love Independence Day. I have for a long time. That doesn’t mean I love who we are as a nation right now, or that we should stop trying to make it a better place, safer for all, more equitable, more loving.

I don’t have a ton of patriotism right now. Our democracy feels broken, wracked by backlash against progress, tearing at the seams of our institutions by appointees of a corrupt tyrant who couldn’t fathom his own illegitimacy.

Where I do have love for our nation is with all those who want to be here, who risk everything wanting to work here, wanting to live here, wanting to escape violence and tyranny. We spent the day y’day with a family of 3 who were bussed here from Arizona after arriving.

The two kids spoke little English, but soon fell in playing with our gaggle of neighborhood kids. Our Spanish-fluent neighbors helped their mom call home to tell their family they’d arrived, and helped them navigate some local resources. Another family is giving them shelter.

The values of our neighbors, caring for the newly-arrived, are our American values on display: charitable, loving, caring, welcoming. That’s what I love about our nation when we can display it. Selflessness and service, sharing and communitarian, that is America at its finest.

Those are the values I celebrate today, not the fascist worship of the modern GOP. Their part-time affinity for life — that is, when it cannot hold them accountable for their failings — is a failed vision of paternalistic authoritarianism, of homogeneity, of forced unity.

The only messages they have now are ones that they bring to bear at the point of a weapon, or of the deployment of force. They claim to be the true America, but instead, they’re the Britain that we revolted from in 1776. Their insistence of right by might is undemocratic.

There are things I love about the old GOP. There’s no question I’m a capitalist, and that I think having the freedom to start your own business is a critical freedom in America. I spent 15 years running one, and struggling sometimes to deal with the regulatory frameworks.

Lord knows there are tons of regs that have served their purposes that ought be retired, as well as others with unintended consequences. Of course, the old GOP also believed in taxes at much higher rates than we’re currently paying.

Eisenhower spoke about the dangers of the Military Industrial complex and how it might distort our servicemen and -women, and boy howdy has it. Sure, we’re the arsenal of democracy — Ukraine has appreciated that, to our credit — but at what cost for our Homefront?

My love for America is complicated. All relationships with love are complicated. We love in spite of failings, and because of foibles. We love for the idealism of loving something great. We love sometimes when we want to change it. I love America. Just not this one, right now.

So, for all my fellow Americans not feeling it today, I stand with you. Our nation’s once brilliant light is dim and tarnished, and the people responsible for its care are failing us on every level.

But I love it, still, for I know what it can be, and will be again, with work.

What’s new in the MDM Docs for macOS Ventura & iOS 16

Last week, Apple released beta versions of the macOS Ventura operating system for desktops and the iOS 16 mobile operating system for mobile devices. What does the iOS update mean for MDM?

That’s exactly what a friend in the Mac Admin community asked me recently. I thanked them for their candor and request as many of us have yet to dive into Apple’s MDM documentation.

So, I rolled up my sleeves and got to it. Keep reading for an overview of what types of changes you can expect and how to optimize your mobile device management strategy.

JumpCloud Blog: Apple MDM: What’s New with macOS Ventura and iOS 16 Updates?

Handling Rough Economic Waters in IT

The most important consideration here is not just how to cut costs out of your team, which is usually a euphemism for getting rid of staff. Instead, the main goal should be how to understand business needs and priorities for the future. Should you keep the same model in place to deliver on those needs, or should you redesign your process to get the same result in a different way? What can make your budget go further and display more of a return on investment, either through more productivity or cutting costs elsewhere?

Heading for Stressful Times? Here’s How To Get Ahead of Them.

IDG picked up a piece by me on dealing with the current moment without cutting your staff to the bone. Now’s the time to figure out how to get more from all your tools, cut what you don’t need, and build platforms that work best for your environment, instead of depending on point solutions.

The Future

I’ve talked about Charlie here before. He’s a large part of my talks these days, as children are often the dominant part of their parents’ lives. Charlie’s 8, he’s in third grade at Capitol Hill Montessori, in a class of just shy of 30 first, second, and third graders. He loves to play with Lego, he loves to make puppets out of paper and play with them, he loves to draw and read books about Minecraft.

Charlie’s a big part of the future I’m working for constantly. He’s why I get up in the morning, so I can get him fed, dressed, and ready for school each day. His safety, and his needs, are a big part of what my wife and I do every day, like so many parents out there. Our children are our everything. Their smiles and hugs shine the bright lights on us. They can pick up a bad day, they can turn it all around. Their tears and their fears can just as easily remind us of our own fears and how we’ve overcome them.

Every day when I get up and take him to school I make sure that I tell him that I love him, that I hope he makes good choices and does good work. I always make sure he knows that he’s loved unconditionally.

I make sure he hears that because I’m terrified that something like what happened in Sandy Hook, or what happened today in Uvalde, will happen here, too. That someone will bring loaded guns into his school and start shooting. And that just like that, the future I will have worked to build and craft, like so many parents who’ve lost everything, will be wiped out in an instant.

That is my single greatest fear.

I think of all the families tonight who are grieving the loss of their future. I think of all the excuses that we’ve made as a society to keep guns in the hands of a whole bunch of people who have no business having a lethal weapon. We have to do better. For the future.

And all the futures we lost today.

Apple’s New Training & Exams (and, Announcing the Mac Admins Foundation)

Today, Apple announced a new pair of certification exams for Mac Admins. This is a new version of the standard Apple Certified Support Professional exam, that comes with a self-paced training course, as well as the completely new Apple Certified IT Professional exam, which also comes with a self-paced training course.

I can also say that I’ve taken and passed both exams. They’re serious efforts, and they show a broad range of knowledge that’s required by our professions as Mac Admins. Knowing how deployment works — not just how rote practices work but the theory behind it — is the hallmark of a solid Mac Admin, and there’s more required of Mac Admins every year. I’m excited to see Apple putting effort into this program.

In addition to the new exams, Apple’s announced a program working with the Mac Admins Foundation to make sure that those who can’t afford to take this exam, or whose employers won’t pay, can still get certified. The Mac Admins Foundation is a brand new 501(c)(3) non-profit whose mission is to support the people who manage Apple products, starting with the Mac Admins Slack, and moving onward to making conferences more approachable for people just starting out in this industry.

We’ll have more to say in the next few weeks, but it is the honor of a lifetime to be Co-Chair of this incredible organization.

In Appreciation of Friday Night Baseball

Last night, Friday Night Baseball debuted on AppleTV+. The Nationals and Mets faced off, and there was high drama between Max Scherzer starting against his former club, and some shenanigans about batters hit by pitches. When Apple announced that they were going to be showing Friday Night games during the season, I was a little skeptical. Last night cured that skepticism entirely. Let’s talk about why.

Picture Quality Matters

I was absolutely astonished at how great the game looked on my Apple TV. I’m an mlb.tv subscriber, and I’m used to a highly compressed image, with a fair amount of color mutes. You’re watching because this is the only way you can watch, not because it’s a joy to watch. They must have been shipping 4K video last night with a proper color gamut, because the game just looked crisp and beautiful.

In addition, they were working what felt like twice as many camera angles as I’m used to seeing on a MASN broadcast here in DC. It was a playoff-quality broadcast in terms of direction and angle work, and that’s a hard thing to pull off. The shallow shots from near the dugouts gave it a very human feel to go with the long glass shots from the outfield. I was definitely smitten with how great it looked, which takes us to…

Apple Does Chyrons Right

I didn’t realize that the word “chyron” wasn’t a commonly known word, but it comes from the Chyron company that produces many of the video overlays that we see on our TVs. I have seen a lot of truly terrible chyron work on various RSNs over the last decade, most of which were gimmicky and ugly, trading for gaudiness what they should have invested in information architecture.

Apple did a banger of a job:

Player information cards used the familiar rounded rect that is a lingua franca for Apple aficionados, simple but good use of color, clear information stated clearly. This is great IA.
The score block in the upper left is super simple. Team logos in color, score in large digits, standard runner/outs imagery plus the count and a pitch count. The batter card at the bottom gives you solid clarity on who this is, and what their stats are like for last season (since it’s the first week of the season!)

Imagery here was captured by Brandon Costa and included from a tweet. I tried to take some screenshots, but Apple frowns on that in their TV app! Just captures a black frame instead, sadly.

The most controversial for me was the information stat in the lower right corner. Sometimes, it’s helpful info (probabilities for reaching base, scoring runs, etc), and sometimes it’s a load of useless shit (like gambling odds). I loved that they identified the batters’ walk-up tunes with Apple Music icons, that was a lot of fun. They also advertised that they have some Apple Music Playlists like this one for the Nats.

The graphics overall were inviting and unobtrusive, and not once did I get crypto advertised in a dancing ad inside the chyron. Wins galore here.

A Younger Announcing Team

Look, I’ll be the first to say that I cannot stand Bob Carpenter and his Grandpa Simpson act. There’s no question that the average age of a baseball broadcasting team is probably something closer to 60 than my 43. Actually getting some younger broadcasters on the scene is fantastic, and I loved the more youthful feel of the broadcasting crew for the Mets/Nats game.

There’s been some pushback from the largely white, largely old, definitely largely dudebro audience on the Twitter machine, and given how hostile fans can be to anything new involved in this sport, it’s no surprise some people were upset. I, however, was really appreciative of Melanie Newman’s play-by-play, and Chris Young and Hannah Keyser did a fine job on color commentary. They were erring a little bit to the “saying more” part of the job, and I think they overindexed on talking. But, what they did say was fun, and this was a crew that was clearly having a good time, even if Keyser’s own mom wasn’t onboard:

You did good, Hannah, your mom should be proud.

I want to see what this crew sounds like when they’ve been working together for months, because I suspect that’s going to be a really fine broadcast. Keep it up.

It Wasn’t All Roses

I had a few times where the stream locked up, and I couldn’t get it started again. These are volume issues, and I’m sympathetic. They’ll get it figured out. They need to.

Sometimes the announcers kept going on something unrelated — well, tangentially related — and it turned into a gag that I just didn’t find funny. Sure, Juan Soto asked for AppleTVs for his teammates, and sure Apple came through for them, but that didn’t need to be a multi-inning gag.

Overall? Pretty Solid

I’m here for what happens next. Count me on the regular watchers’ list. I loved how great the game looked, I loved how well-presented the information was, I loved that it was just the right balance of stats and situational data, all without too much pretension. I loved the younger announcing team, and I can’t wait to see what they can do!

Tune in, Friday nights, on Apple TV+ on your Mac, iPhone, or Apple TV app. It’s worth it.