How Apple Has Reshaped Mac Management
By: Tim Malm
After more than 20 years, the basics of Mac management have fundamentally changed. Advanced security features of macOS running on Macs with Apple’s M1, M2 and T2 chips have made obsolete key management methods that Mac IT administrators have relied on for years.
Today, the operating system boots and runs from a sealed, read-only copy of macOS on its own system volume (the Signed System Volume), which can only be modified by Apple’s software update process. This means that every instance of any given version of macOS is installed and running precisely as written by Apple; a system volume whose seal no longer verifies will not boot.
Two separate mechanisms safeguard the computer. Gatekeeper, together with Apple’s notarization service, prevents execution of unauthorized software: apps downloaded from the App Store are automatically authorized to install and run, and apps that a developer notarizes and distributes directly to users are also authorized. Unauthorized apps can still be launched, but only with deliberate intervention from the user. System Integrity Protection (SIP), discussed below, is the complementary control that keeps protected system files and processes from being modified, even by the root user.
Then: Mac admins used to make a bootable ‘clone’ copy of an active system on a schedule, at least once a day. Clone copies were useful for troubleshooting, and as one part of a backup plan.
Now: Admins still make clone copies containing all files and settings, but not the operating system. macOS resides on a write-protected system volume that is separate from the data volume where everything else resides, including settings and extensions; the two are paired in one APFS container and presented to the user as a single volume group. A clone of the data volume is not bootable on its own.
Which means: Restoring a system to a bootable state from a clone has become a two-step process. First the operating system is installed on the new volume, then the data is migrated from the clone to the new volume using Apple Migration Assistant.
Important Fact: The internal storage of an Apple M1 or M2 Mac is uniquely linked to the hardware in which it is installed, because the keys protecting the volume encryption live in that machine’s Secure Enclave. Storage from one computer cannot be removed and used with any other computer.
Backup and restore are essential.
SIP restricts specific critical file-system locations to read-only to help prevent malicious code from modifying them. On an Intel-based Mac, disabling SIP removes that protection for all partitions on the physical storage device and for every process running on the system, regardless of whether the code is sandboxed or running with administrative privileges.
Single User Mode is a good example of a feature Apple silicon Macs no longer support because it conflicts with this protected, sealed system. A Mac booted into Single User Mode exposed the system kernel and file system to modification from the terminal console as the superuser.
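The state of these protections can be read from the Mac itself: `csrutil status` reports SIP, `csrutil authenticated-root status` reports whether the system volume seal is enforced at boot, and `diskutil apfs list` shows each volume’s role (System or Data) and whether it is sealed. The following Python audit script is an added example, not code from this article or from any Apple tool; it parses those three outputs and flags anything that breaks the read-only OS model described above. The csrutil and diskutil outputs embedded in it are constructed, abbreviated samples for illustration (device names and UUIDs are placeholders); when run on a Mac it calls the real commands instead.

```python
"""Audit a Mac's boot-security posture: SIP, authenticated root (the Signed
System Volume seal) and the System/Data volume split.

Added example, not part of the original article. It parses the text output
of `csrutil` and `diskutil`; the samples below are constructed, not captured."""
import re
import shutil
import subprocess

# Constructed sample of `csrutil status` on a default-configured Mac.
SAMPLE_CSRUTIL_STATUS = "System Integrity Protection status: enabled.\n"

# Constructed sample of `csrutil authenticated-root status`.
SAMPLE_AUTH_ROOT_STATUS = "Authenticated Root status: enabled\n"

# Constructed, abbreviated sample of `diskutil apfs list`: the sealed System
# volume and its paired Data volume in one container (UUIDs are placeholders).
SAMPLE_APFS_LIST = """\
APFS Container (1 found)
|
+-- Container disk3 00000000-0000-0000-0000-000000000000
    ====================================================
    APFS Container Reference:     disk3
    Size (Capacity Ceiling):      494384795648 B (494.4 GB)
    |
    +-> Volume disk3s1 11111111-0000-0000-0000-000000000000
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk3s1 (System)
    |   Name:                      Macintosh HD (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   Sealed:                    Yes
    |   FileVault:                 Yes (Unlocked)
    |
    +-> Volume disk3s5 22222222-0000-0000-0000-000000000000
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk3s5 (Data)
    |   Name:                      Data (Case-insensitive)
    |   Mount Point:               /System/Volumes/Data
    |   Sealed:                    No
    |   FileVault:                 Yes (Unlocked)
"""

# The same listing after the system volume has been modified: diskutil then
# reports the seal as Broken instead of Yes.
SAMPLE_APFS_LIST_BROKEN = re.sub(r"Sealed:(\s+)Yes", r"Sealed:\1Broken",
                                 SAMPLE_APFS_LIST)


def feature_enabled(csrutil_text):
    """True only when csrutil reports 'enabled'. A custom (partially disabled)
    SIP prints 'unknown (Custom Configuration)' and is treated as not enabled,
    which is the conservative reading for an audit."""
    return re.search(r"status:\s*enabled\b", csrutil_text) is not None


def parse_apfs_volumes(apfs_text):
    """Extract device, role, name and seal state of each APFS volume."""
    volumes = []
    current = None
    for line in apfs_text.splitlines():
        body = line.lstrip("| ")   # drop diskutil's tree-drawing prefix
        m = re.match(r"APFS Volume Disk \(Role\):\s+(\S+)\s+\((.*)\)", body)
        if m:
            current = {"device": m.group(1), "role": m.group(2),
                       "name": None, "sealed": None}
            volumes.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"Name:\s+(.*?)\s+\(Case-", body)
        if m:
            current["name"] = m.group(1)
        m = re.match(r"Sealed:\s+(\S+)", body)
        if m:
            current["sealed"] = m.group(1)
    return volumes


def audit(csrutil_text, auth_root_text, apfs_text):
    """Return the parsed state plus findings; an empty findings list means the
    machine matches the read-only-OS model the article describes."""
    sip = feature_enabled(csrutil_text)
    auth_root = feature_enabled(auth_root_text)
    volumes = parse_apfs_volumes(apfs_text)
    system = [v for v in volumes if v["role"] == "System"]
    findings = []
    if not sip:
        findings.append("SIP is not enabled: protected system paths are writable")
    if not auth_root:
        findings.append("authenticated root is not enabled: the system volume "
                        "seal is not enforced at boot")
    if not system:
        findings.append("no System-role volume found")
    for v in system:
        if v["sealed"] != "Yes":
            findings.append(f"{v['device']} ({v['name']}) seal is "
                            f"{v['sealed']}: the OS volume has been modified")
    return {"sip": sip, "authenticated_root": auth_root,
            "volumes": volumes, "findings": findings}


def current_outputs():
    """Run the real tools on a Mac; elsewhere, fall back to the samples."""
    if shutil.which("csrutil") and shutil.which("diskutil"):
        def run(*cmd):
            return subprocess.run(cmd, capture_output=True, text=True).stdout
        return (run("csrutil", "status"),
                run("csrutil", "authenticated-root", "status"),
                run("diskutil", "apfs", "list"))
    return SAMPLE_CSRUTIL_STATUS, SAMPLE_AUTH_ROOT_STATUS, SAMPLE_APFS_LIST


if __name__ == "__main__":
    report = audit(*current_outputs())
    for v in report["volumes"]:
        print(f"{v['device']:10} {v['role']:8} sealed={v['sealed']}  {v['name']}")
    print("findings:", report["findings"] or "none")
```

On a Mac, run it as `python3 audit.py` from a normal (non-Recovery) boot; both csrutil queries are read-only there. A finding for a Broken seal is the condition the article describes as unbootable on Apple silicon, so on a fleet it is worth treating as an incident rather than a repair task: the fix is to reinstall macOS and migrate the data volume, not to patch the system volume.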
Then: Using Apple Disk Utility, Mac admins would make an image copy of a volume containing the operating system and data. A disk image might be used to restore a computer to a bootable state after replacing or erasing a hard drive, or for reference when troubleshooting. A prudent administrator would typically make offline clone and image copies of a disk prior to making significant changes to a system.
Now: The Apple Disk Utility User Guide states that “You can’t create images of individual APFS [Apple File System] volumes. You can’t create images of APFS containers on M1 Mac computers with Apple silicon or an Apple T2 Security Chip”.
Which Means: The disk image feature still exists for making disk images of groups of files and folders, but not of APFS volumes or containers. Important Fact: If the storage in your M1 or M2 Mac has failed, the computer won’t boot; if the computer has failed, its storage becomes inaccessible.
Backup and restore are essential.
The Apple security framework built into every Apple device lets organizations of any size design and apply configuration templates via Mobile Device Management (MDM) to manage both personal and business applications and data securely on a single device. In the Apple framework, securing personal apps and data and securing company apps and data are given equal weight. To simplify regulatory compliance, some MDM platforms include security management controls mapped directly to NIST, HIPAA, PCI and other recognized frameworks.
Using Apple Business Manager together with an MDM platform, Macs and application software are deployed, managed and secured using policy templates that configure features and settings.
Apple Business Manager supports federated authentication with both Google Workspace and Microsoft Azure Active Directory, which automatically creates Managed Apple IDs in Apple Business Manager when users sign in with their Google Workspace or Azure AD credentials.
Apple recently began offering its own MDM, Apple Business Essentials, a subscription service intended to be paired with AppleCare+ support that provides device management, 24/7 software support, and cloud storage for the small office.
Then: Target Disk Mode, entered by holding a key at boot-up, let a computer function as an external hard drive that could be connected to another Mac for troubleshooting and repair, imaging and cloning, or even to boot another computer.
Now: Apple M1 and M2 Macs can instead be put into Share Disk mode from macOS Recovery, which in some ways is functionally equivalent to Target Disk Mode. A computer in either mode can be connected to another computer so that files can be copied directly between them, which is very useful for quickly copying a large volume of data. The difference is that Share Disk presents the data volume as a network file share (SMB) over the cable rather than as a raw block device, and FileVault must be unlocked on the shared Mac before anything is readable.
Which Means: Admins can no longer troubleshoot hardware and software issues by testing whether a system in Target Disk Mode can boot another similar Mac.
macOS Monterey added a feature that makes it easy to quickly erase everything on your Mac except the operating system. Good news? Bad news? Got a backup? The feature further aligns macOS with the iPadOS and iOS feature set. Erase All Content and Settings is useful for immediately and securely removing all user data from a managed device; it requires a Mac with Apple silicon or the T2 chip, and it is fast because the data volume and its encryption keys are discarded rather than every block being overwritten, leaving the sealed system volume in place. Users of macOS Monterey will find the new feature in System Preferences. Use this feature wisely, since there is no way to undo Erase All Content and Settings.
Backup and restore are essential.
Many basics of Mac administration and management are fundamentally changed or have even been eliminated. Don’t expect to boot a new Apple silicon Mac from a flash drive containing current versions of your favorite repair utilities. Also gone are the days of wondering whether the operating system or system volume is corrupt. System software is installed from an immutable volume, which can only be modified by Apple Software Update. Your new M1 or M2 Mac can’t boot or run from an unverified or corrupted copy of macOS.
Many essential management strategies and tactics still prevail, such as multi-destination data backup, verification and test restores of backup files, securing the network environment and endpoints, and internet connection hardening and redundancy. It seems that the more things change, the more things remain the same. ◼︎