
It's official, Apple is killing OSX Server

  • January 25, 2018
  • 31 replies
  • 124 views


  • Honored Contributor
  • January 26, 2018

@mconners Basically what I wrote there was a combination of buzz heard from various people at Apple when groaning about the idiosyncrasies of NetInstall. I have zero idea if it will come to fruition, but if it does it would just "fit" into the workflow I'm designing for us. Bottom line is that we need something if NetInstall is going away.

That being said, I am going to promote Greg Neagle's challenge (though I don't have an iMac Pro to try on)....instead of us bellyaching about the demise of NetInstall, let's try things until we find something that works. https://managingosx.wordpress.com/2018/01/25/early-notes-on-deploying-images-to-imac-pro/#more-1522


bradtchapman
  • Valued Contributor
  • January 26, 2018

@StoneMagnet : I agree, Synology has one of the nicest GUIs (I own a DS412+ for home use) and you get all the major services any small business would need. If you add a community package library, you also get a CrashPlan Pro client that can be run headless! How cool is that??

@blackholemac : We're getting an iMac Pro next week. It will be interesting to see how it works in our environment: we have no default route to the Internet, no DNS forwarding, and an explicit proxy. Thankfully we're not dependent on NetBoot, NetSUS, or Casper Imaging. We just enroll and go. We're about to get a Wi-Fi network up that will allow us to do DEP as well.

@milesleacy : I wonder what that means for Apple Service Toolkit at the Genius Bar. Do all Macs have sufficient on-board diagnostics now? Will Geniuses and AASPs have to plug the newer computers into another computer to perform full diagnostics?


ega
  • Valued Contributor
  • January 26, 2018

What Apple managers are facing with the no netboot/secure boot, 64-bit-only apps, DEP/VPP, Internet restore, etc. is Apple's enforcement of their vision for security. As pointed out on #jamfnation Slack, because this security vision does not align with ours does not mean it is bad. There is always change and change always means work. Honestly I can go into my JSS now and pick several machines and send a push command to them to wipe the boot volume (I can even lock them and require a pass code to get back in for recovery). If these machines are DEP they can boot to Recovery, run internet recovery and then re-DEP/VPP from combo of MDM profiles/policies and Apple Store apps. Could it work better, be faster, and be more consistent? Yes. The conversation I have with my manager is about where we should spend resources ($&people). Seems clear that better, faster networks (wireless esp.) is a good place to start. Also time solving the issues around getting these mechanisms (InetRestore, DEP, VPP) to work with restricted networks and political InfoSec Policies will be very well spent. For a lot of us, working on those issues has not been in our job descriptions and we will need to partner, train, and learn. I have deployments now where the stakeholders can't release the devices (learning spaces, design studios) long enough for traditional imaging to finish a run. So I am searching for workflows that use continuous improvement with incremental updates. I would sure welcome Apple to present solid, reliable and repeatable methods and tools to help.


bradtchapman
  • Valued Contributor
  • January 26, 2018

@ega : I'm in such a position at our company, having added volumes of technical expertise and projects to my CV just from trying to find a solution for deploying Macs that would also appease our security and network teams. They know that changes have to be made—very quickly, in fact—and we've been trying to nudge them in that direction for a couple of years.

I predict that Apple will separate /System, /Library/, /Applications, and /Users into their own partitions and add the "Erase" functions that have been part of iOS since Day 1. Since the APFS partitions are dynamically resizable, it doesn't matter how much they contain. Imagine a future where you press one button and restore a Mac to a previous state, even an arbitrary state. You can try this right now with the "Restore Snapshot" feature, which can be accessed from Recovery OS on High Sierra. This function can be triggered from the running OS.

Apple already uses /usr/libexec/mdmclient to trigger the lock & wipe actions from a push notification. The daemon writes information into the Recovery partition, not NVRAM (otherwise you could bypass a passcode lock by simply resetting PRAM). It isn't a stretch to imagine that they can update the MDM protocol and the mdmclient daemon to respond to commands like "Erase All Settings" or "Erase All Content and Settings," or perhaps "Restore to Previous Snapshot."

Take note: Faronics had better figure out a way to make Deep Freeze work with APFS, or their product is dead.


  • Valued Contributor
  • January 29, 2018

@bradtchapman To be frankly blunt, I don't care about hardware service. That's not an in-house discipline for me.

I expect that when I send a broken Mac off to be fixed, that Apple will figure it out.

When I can reconfigure a new Mac for the affected user in ~10 minutes and their data is available in a cloud backup tool, I don't have to care.


  • Contributor
  • January 31, 2018

@demaioj: Caching as of High Sierra is now built into the OS anyway, so caching isn't a feature, so to speak, anymore in Server.app.