Egg Freckles
Notes from my Newton

Tue Sep/12 Prepare for High Sierra

Prepare for High Sierra

September is a busy time of year. Summer vacations are ending, back-to-school season has begun, Apple is putting the finishing touches on Mac OS High Sierra, and system administrators are getting their first glimpse of the new documentation.

Mac OS High Sierra brings several exciting features to the Macintosh platform, but for System Administrators who image and maintain hundreds of Macs there are a few important changes you need to know about.

Security

Mac OS High Sierra includes the following changes to TLS connections:

  • Removes support for TLS connections using SHA-1 certificates. Administrators of TLS services should update their services to use SHA-2 certificates.
  • Removes trust from certificates that use RSA key sizes smaller than 2048 bits across all TLS connections.
  • Uses TLS 1.2 as the default for EAP-TLS negotiation. You can change this default setting with a configuration profile. Older clients might still need 1.0.

These security restrictions should not be a problem for System Administrators who keep their fleet's system software up to date.
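The two certificate checks above are easy to script before the upgrade lands. The following is an added example, not code from this post or from Apple: it reads a certificate in DER or PEM form and flags a SHA-1 signature or an RSA key shorter than 2048 bits using only the Python standard library. The small DER walker reads just the ASN.1 fields the check needs; the OID table is my own selection of SHA-1 signature algorithms, and `make_test_cert` builds a constructed, unsigned certificate so the audit can run offline.

```python
"""Pre-upgrade audit for the two High Sierra TLS trust changes: SHA-1 certificate
signatures and RSA keys shorter than 2048 bits.  Standard library only; the
small DER walker reads just the fields the check needs."""
import base64

# Signature algorithms High Sierra stops trusting (the SHA-1 family).
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.10040.4.3": "dsaWithSHA1", "1.2.840.10045.4.1": "ecdsaWithSHA1"}
RSA_KEY_OID = "1.2.840.113549.1.1.1"   # rsaEncryption
MIN_RSA_BITS = 2048

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(contents):
    """Split SEQUENCE/SET contents into a list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = read_tlv(contents, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents to dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def audit_der(der_bytes):
    """Return the list of High Sierra trust problems found (empty list = passes)."""
    _, cert, _ = read_tlv(der_bytes, 0)              # outer Certificate SEQUENCE
    tbs, sig_alg = children(cert)[:2]                # tbsCertificate, signatureAlgorithm
    findings = []
    sig_oid = decode_oid(children(sig_alg[1])[0][1])
    if sig_oid in SHA1_SIG_OIDS:
        findings.append(f"SHA-1 signature ({SHA1_SIG_OIDS[sig_oid]})")
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:                         # skip the optional [0] version
        fields = fields[1:]
    spki = fields[5]   # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    alg, key = children(spki[1])
    if decode_oid(children(alg[1])[0][1]) == RSA_KEY_OID:
        # BIT STRING: byte 0 is the unused-bit count, then RSAPublicKey { modulus, exponent }
        modulus = children(read_tlv(key[1], 1)[1])[0][1]
        bits = int.from_bytes(modulus, "big").bit_length()
        if bits < MIN_RSA_BITS:
            findings.append(f"RSA key is {bits} bits (< {MIN_RSA_BITS})")
    return findings

def audit_pem(pem_text):
    """Audit a PEM certificate, e.g. one exported from a server or a keychain."""
    body = "".join(line for line in pem_text.splitlines() if not line.startswith("-----"))
    return audit_der(base64.b64decode(body))

# --- constructed test certificate (fake signature) so the audit can run offline ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += chunk
    return der(0x06, bytes(body))

def der_int(value):
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def alg_id(oid):
    return der(0x30, der_oid(oid) + der(0x05, b""))    # AlgorithmIdentifier with NULL params

def make_test_cert(sig_oid, modulus_bits):
    """Syntactically valid Certificate DER with a fake signature (constructed test data)."""
    modulus = (1 << (modulus_bits - 1)) | 1             # odd, exactly modulus_bits bits
    rsa_key = der(0x30, der_int(modulus) + der_int(65537))
    spki = der(0x30, alg_id(RSA_KEY_OID) + der(0x03, b"\x00" + rsa_key))
    name = der(0x30, der(0x31, der(0x30, der_oid("2.5.4.3") + der(0x0C, b"test"))))
    validity = der(0x30, der(0x17, b"170912000000Z") * 2)
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + alg_id(sig_oid)
              + name + validity + name + spki)
    return der(0x30, tbs + alg_id(sig_oid) + der(0x03, b"\x00" * 17))
```

For a live service, `ssl.SSLSocket.getpeercert(binary_form=True)` from the standard library hands back the leaf certificate as DER that `audit_der` accepts directly. Run the check on the intermediates as well as the leaf, since the SHA-1 rule applies to every signature a client actually verifies; a root's own self-signature is never evaluated, so roots are the one place a SHA-1 signature does not matter.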

Filesystem

  • When you upgrade to macOS High Sierra, systems with all flash storage configurations are converted automatically.
  • Systems with hard disk drives (HDD) and Fusion drives won't be converted to APFS.
  • You can't opt-out of the transition to APFS.

Apple is making the migration to APFS mandatory for modern Macs with solid state storage. You can't opt-out of the transition, so make sure your clients have a good backup. Systems with hard disk drives and Fusion drives won't be migrated automatically, but could be converted to APFS later this year with a future update. Systems with custom partitions or secondary solid state storage are undocumented. We will just have to wait and see how High Sierra deals with these edge cases.

Boot Camp is supported when upgrading to macOS High Sierra, unless the Boot Camp volume is greater than 3 TB and resides on a Fusion Drive. Boot Camp doesn't support Read/Write to APFS-formatted Mac volumes.

Apple is not providing a Boot Camp Windows driver for APFS like they did for HFS+. Boot Camp users will have to come up with their own solution for sharing files between their Mac and Windows desktops. Virtualization solutions like Parallels and VMware, which rely on local networking to share files, will not be affected.

  • AFP can’t share files on Apple File System (APFS). If you need to share files, switch to SMB. If you have network home directories shared via AFP on an APFS volume, update the mount records and user records to use SMB.

AFP was deprecated years ago. If you need to share files on an APFS volume, switch to SMB. No one should be using networked home directories in 2017.

Kernel Extensions

  • macOS High Sierra introduces a feature that requires user approval before loading new third-party kernel extensions. This feature requires changes to some apps and installers in order to preserve the desired user experience.

Your documentation may need to be updated to include an extra step when installing software that requires a kernel extension.

Directory Services

  • macOS High Sierra supports binding to Active Directory domains running with a domain functional level of 2008 or later. Windows Server 2003 isn’t supported.
  • macOS High Sierra removes support for NIS.

Make sure your Windows Active Directory is running a domain functional level of 2008 or later. You would be surprised how many older domains are running on newer servers and operating systems. Who still uses NIS?

Software Deployment

You must be connected to the Internet when you upgrade your macOS. After your Mac confirms your connection, the Installer uses the model number of your Mac to locate and download a firmware update specific to only that Mac.

Only the macOS Installer can download and install the firmware update. Firmware updates can't be done on external devices, like those connected via Target Disk Mode, Thunderbolt, USB, or Firewire.

Monolithic system imaging can only be used to re-install macOS, not to upgrade to a new macOS version.

If you try to use a monolithic system image, required firmware updates will be missing from the installation. This causes the Mac to operate in an unsupported and unstable state. You can use system images to re-install the existing operating system on a Mac.

Monolithic imaging died years ago. If you are doing it now, you are doing it wrong. Installing the operating system on a Mac connected in Target Disk Mode used to be a neat trick, but it was never supported by Apple and can now only be used for reinstalling High Sierra.

Content Caching

  • You won't be able to run Content Caching on a virtual machine. This action has never been supported in previous versions of macOS, but is explicitly disallowed in macOS High Sierra.

Client-side content caching seems like a neat trick to save bandwidth, but the returns mostly benefit Apple servers. I have a hard time imagining any Macintosh System Admin deploying client-side Content Caching. Use a centralized Mac OS server.

Configuration Profiles

  • In macOS High Sierra, /var/db/ConfigurationProfiles is now protected by SIP. Admins should now use the profiles(1) command to install startup configuration profiles. See the profiles(1) manual page for more information.

Just one more way Apple is protecting its users and the hard work of every Macintosh System Admin out there.
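The Security section noted that the EAP-TLS default can be changed with a configuration profile, and this section says startup profiles now go in through profiles(1). As an added example of what such a profile looks like (mine, not from this post or from Apple), the script below builds a Wi-Fi payload that pins EAP-TLS to TLS 1.2 explicitly and reads the setting back out of an existing .mobileconfig. The `TLSMinimumVersion` and `TLSMaximumVersion` keys under `EAPClientConfiguration` follow Apple's Configuration Profile Reference as I know it; the organisation, identifier prefix and SSID are constructed placeholders, and a deployable profile would also carry the identity certificate and trust-anchor payloads that are omitted here.

```python
"""Build a Wi-Fi configuration profile that pins EAP-TLS negotiation to TLS 1.2,
and read the setting back out of an existing .mobileconfig.  Standard library only."""
import plistlib
import uuid

ORG = "Example Org"                # constructed placeholder
ID_PREFIX = "org.example.profile"  # constructed placeholder identifier prefix


def wifi_eap_tls_payload(ssid, tls_min="1.2", tls_max="1.2"):
    """One com.apple.wifi.managed payload: WPA2-Enterprise with EAP-TLS (EAP type 13).
    TLSMinimumVersion / TLSMaximumVersion take "1.0", "1.1" or "1.2"."""
    return {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ID_PREFIX}.wifi.{ssid}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi: {ssid}",
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [13],
            "TLSMinimumVersion": tls_min,
            "TLSMaximumVersion": tls_max,
        },
    }


def build_profile(display_name, payloads):
    """Wrap payloads in the top-level Configuration profile envelope."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ID_PREFIX}.{display_name.lower().replace(' ', '-')}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": ORG,
        "PayloadContent": payloads,
    }


def eap_tls_profile(ssid, tls_min="1.2", tls_max="1.2"):
    """Return the .mobileconfig as XML plist bytes, ready to write to disk."""
    profile = build_profile("EAP-TLS pin", [wifi_eap_tls_payload(ssid, tls_min, tls_max)])
    return plistlib.dumps(profile)


def eap_tls_versions(mobileconfig):
    """Audit helper: (min, max) TLS bounds for every Wi-Fi payload in a profile.
    None means the key is absent and the payload inherits the OS default."""
    profile = plistlib.loads(mobileconfig)
    result = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.wifi.managed":
            eap = payload.get("EAPClientConfiguration", {})
            result[payload["SSID_STR"]] = (eap.get("TLSMinimumVersion"),
                                           eap.get("TLSMaximumVersion"))
    return result


if __name__ == "__main__":
    with open("eap-tls-pin.mobileconfig", "wb") as fh:
        fh.write(eap_tls_profile("CorpWiFi-TEST"))   # constructed SSID
```

Pinning both bounds to 1.2 means a RADIUS server that only offers 1.0 fails loudly rather than quietly negotiating down, which is the behaviour you want before rolling the upgrade out. Install the resulting file with the profiles(1) command the note above points to; the man page has the exact verb and path option for your build.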

Mac OS High Sierra looks like an exciting release. I look forward to seeing it on September 25th.