It's official, Apple is killing OSX Server

AVmcclint
Honored Contributor

https://support.apple.com/en-us/HT208312

I nearly cried when I read this. They're even killing NetBoot!


bentoms
Release Candidate Programs Tester

@AVmcclint well you can't NetBoot an iMac Pro, so the writing has been on the wall.

howie_isaacks
Valued Contributor II

I think we all saw this coming when the Xserve was killed off in late 2010. I had just deployed two new ones right before that announcement came. It really pissed off my client who tried to claim I knew about it. The moment Apple killed off the Xserve, and then released their server product as an app in 2011, I knew the end would come. The last actual server OS that Apple released was Snow Leopard Server. Snow Leopard Server was awesome. Fortunately, I have spent the last several years getting to know Windows server, and Linux. My new employer recently introduced me to Hyper-V. I was working with VMware before this. I still like VMware a lot, but Hyper-V is really nice. For my smaller clients, I will suggest using Egnyte. For the larger ones who still need an onsite file server, I will push Windows servers, or Linux. Microsoft's desktop and consumer products are crap (in my opinion), but their enterprise products are really great.

PeterClarke
Contributor II

We have moved almost all our server based services to either Linux, or Windows-Server, or NAS.

Netboot is perhaps the most useful remaining service for us…
But looks now like I need to implement one of the listed alternatives.

At least these 3rd parties are interested in maintaining their products…

CasperSally
Valued Contributor II

@PeterClarke Unfortunately, the third party netinstall services don't really help you for iMac Pros and possibly (likely?) other new Mac hardware that doesn't network boot.

blackholemac
Valued Contributor III

Not at all surprised, they may as well rename it Profile Manager.

I thought about this more on the drive in and like most, my single Mac server isn't doing quite the level of work that it used to back in the day. I find myself wondering why we bought it 3 or so years ago. I'm probably not going to replace it at age-out time, but wouldn't it be cool if Apple would pull the macOS Server offering from the store altogether, rename it to Profile Manager for those who need that, but also publish Enterprise Connect on the App Store and provide general enterprise support on it. Like many of us on here, we have AppleCare Enterprise contracts. While I don't need an Apple server product, I do need enterprise-grade methods to connect to existing server infrastructures.

food for thought

ammonsc
Contributor II

@PeterClarke We moved most of ours to RedHat some time ago as well. I for one will be glad to see CalDAV die a miserable death, but the VPN service, while not allowing very granular access controls, was extremely easy to use and set up.

StoneMagnet
Contributor III

The approachable GUI for configuring OS X Server was its biggest advantage. For people lamenting that loss, take a look at Synology's DiskStation Manager (DSM) GUI for their NAS products. There's an online demo of the DSM 6.2 beta you can play with to actually see it in action: DSM 6.2 Beta Online Demo

(I'm not affiliated with Synology, just a happy user of their products)

PhillyPhoto
Valued Contributor

A number of services will be deprecated, and will be hidden on new installations of an update to macOS Server coming in spring 2018.

It's interesting that they hid Software Update in the latest Server app, but it's not listed to be deprecated in the Spring. I'm assuming it eventually will, however. Our firewall/proxy is pretty locked down and we haven't really been able to open up direct connections to Apple. Being able to allow access for a handful of servers and then have our Macs look to them was nice.

StoneMagnet
Contributor III

@PhillyPhoto Apple deprecated Software Update in Sierra. It's still used however, but rather than using macOS Server to host it you'd be better off deploying a NetSUS which bundles the Reposado SUS clone. Note that if you do try this the recommended 500GB of storage space is no longer appropriate as caching all of the current updates requires around 450GB.

mconners
Valued Contributor

Hello Everyone,

With the future removal of NetBoot, I cannot imagine having to sit in front of each of 700+ lab Macs to manually boot to recovery drive, wipe the Mac and then reinstall the OS.

Do any of you have another workflow that is working for you? I would love to hear how others are getting around NetBoot so we can wipe, reinstall the OS and start fresh.

Thank you, Mick

easyedc
Valued Contributor II

At least Apple's giving some warning. The last year+ of having a lot of things change with little warning and leaving people to discover solutions/workarounds on their own has been a pain.

demaioj
New Contributor III

Caching isn't mentioned so I'm assuming it will continue to cache updates. I currently have a macOS Sierra Installer running off NetBoot so it looks like NetSUS would give me that function according to the support article.

RBaber
New Contributor

More and more I've noticed the native features of macOS server and OS X server losing features in the course of updates. I've kinda seen this coming, it's going to be a pain for most.

nadams
New Contributor III

@mconners I'm interested in this as well. As of right now, my Mac Mini does 2 things: It runs the caching service, and runs netboot for my imaging. Now it's only going to do 1 thing: caching. And if Netboot is still going to be needed to image, I'm going to have to spin up a separate Linux VM for NetSUS, just to host my 1 netboot image.

blackholemac
Valued Contributor III

@mconners

I almost have a workflow that has solved this but am not 100 percent there yet. Essentially what I am working toward is using DEP for enrollment and some custom scripts I wrote (tied to the relevant Jamf triggers) to get the provisioning of software the exact way I want it and have pretty much gotten through these scripts, the machine how I want it. My scripts even kick the machine into the right JSS groups and handle AD binding.

What I have not yet solved is what you are seeking to know...how do you get the hard drive wiped and the OS back on there (using the standard installer) in an automated manner. Pre-iMac Pro days, I would have said to use a NetInstall with automator configuration actions and I tested that and it worked. Given that we lose NetBoot, the only way I can see to clean the hard drive is to boot up to Internet Recovery. (I would love for someone to prove me wrong on this using tools other than NetBooting or thumb drives.)

I don't have an iMac Pro to play with so I can't really test whether thumb drives created with the installer on them using the createinstallmedia switch. If I can solve the seemingly simple, yet incredibly vexing problem of how to get the Vanilla OS on a DEP-assigned machine, I would feel great.

I believe Apple may be planning to throw us a bone on that though...especially given the move to APFS. If they had some tool to snapshot a clean virgin OS on a machine and give us some means of reverting the hard drive back to a snapshot that would help. I would also love some sort of way to have a clean snapshot of say a new OS and get it out to the fleet. That way it is as simple as it is to wipe an iPad. I've heard that they are working on something in this regard, but I'm not them or that close to them so their actions will speak louder than any words I know of.

Look
Valued Contributor III

To be honest, if Apple had an actual OS agnostic enterprise caching solution so that Internet Recovery could easily be made really fast for a large number of devices spread across a large network, there isn't much else we would miss. If they then allowed MDM providers to have a little bit of control over update release to clients while still using said caching server infrastructure, the circle would be complete and we would be happy.

gachowski
Valued Contributor II

China is an issue for Apple's DEP dependence plan.

C

mconners
Valued Contributor

Hello @blackholemac I had an interesting conversation with an Apple support engineer a week or two ago. We were attempting to get remote NetBoot/NetInstall to work. We went through everything including whitelisting the IP address of our netboot server. Bottom line was this.

He told me that Apple is actively working on solutions for all of this. I suspect you might be onto something with relation to the APFS and remotely wiping. He couldn't confirm it would ever come to light, but said he hoped we would hear more by summer.

This got me thinking, perhaps at WWDC this year, we will hear more about management tools that will assist us. If we could remotely wipe and reset our Macs using APFS, this would be very much like wiping an iPad and off it goes back to the original state and new stuff flowing to it.

Let's hope Apple is working on things and we will see things by summer. Sad thing is, we in education need to know about the tools now and not later. Our entire workflow is based on what we currently know. I can't imagine changing things up in July for an August deployment window.

ooshnoo
Valued Contributor

Ironic that they should release a new beta version on the Apple Seed channels yesterday...

gachowski
Valued Contributor II

@mconners....

The solution is to lock down macOS just like iOS... it's not rocket science... The big question is why has it taken 4 years to get a secure enclave on Mac hardware?

C

mgshepherd
Contributor

We use NetBoot for hosting AST to run diagnostics. I wonder what Apple plans to do with this service in the future.

nkuhl30
Contributor

I work for a K-12 private school and we use NetInstall all the time. Unless they're replacing all of this functionality with something better, then more and more schools, including mine, will be moving to Chromebooks. It's sad but most schools need more functionality than an iPad. And preparing these devices in an easy and efficient manner is paramount.

mconners
Valued Contributor

Keep in mind @nkuhl30, if we can simply wipe or reset a Mac to out of the box with a remote command, then that would be ideal. Once the computer checks back in, then the apps and settings all come streaming down again. Without seeing and knowing the tools that may come out, we are all kind of left in the dark. We will see how 2018 proceeds. Here's hoping for an optimistic change for us.

donmontalvo
Esteemed Contributor III

Apple should hang it up on the server/service side, RHEL is more than capable and widespread in enterprise (RHEL) and EDU (CentOS).

Nothing has been as bullet proof for us as RHEL has been over the years...macOS Server.app blows chunks (cold day in hell before I ever recommend it for anything important) when it comes to services...and while Windows might be convoluted and vulnerable, there are TONS of folks who manage/support the platform so from a business perspective it makes sense in a lot of scenarios (where RHEL isn't an option due to staffing limitations, etc.).

So to Apple Server.app...#byeFelicia

--
https://donmontalvo.com

ammonsc
Contributor II

blackholemac
Valued Contributor III

@mconners Basically what I wrote there was a combination of buzz heard from various people at Apple when groaning about the idiosyncrasies of NetInstall. I have zero idea if it will come to fruition, but if it does it would just "fit" into the workflow I'm designing for us. Bottom line is that we need something if NetInstall is going away.

That being said, I am going to promote Greg Neagle's challenge (though I don't have an iMac Pro to try on)....instead of us bellyaching about the demise of NetInstall, let's try things until we find something that works. https://managingosx.wordpress.com/2018/01/25/early-notes-on-deploying-images-to-imac-pro/#more-1522

bradtchapman
Valued Contributor II

@StoneMagnet : I agree, Synology has one of the nicest GUIs (I own a DS412+ for home use) and you get all the major services any small business would need. If you add a community package library, you also get a CrashPlan Pro client that can be run headless! How cool is that??

@blackholemac : We're getting an iMac Pro next week. It will be interesting to see how it works in our environment: we have no default route to the Internet, no DNS forwarding, and an explicit proxy. Thankfully we're not dependent on NetBoot, NetSUS, or Casper Imaging. We just enroll and go. We're about to get a Wi-Fi network up that will allow us to do DEP as well.

@milesleacy : I wonder what that means for Apple Service Toolkit at the Genius Bar. Do all Macs have sufficient on-board diagnostics now? Will Geniuses and AASPs have to plug the newer computers into another computer to perform full diagnostics?

ega
Contributor III

What Apple managers are facing with the no netboot/secure boot, 64-bit only apps, DEP/VPP, Internet restore, etc. is Apple's enforcement of their vision for security. As pointed out on #jamfnation Slack, because this security vision does not align with ours does not mean it is bad. There is always change and change always means work. Honestly I can go into my JSS now and pick several machines and send a push command to them to wipe the boot volume (I can even lock them and require a pass code to get back in for recovery). If these machines are DEP they can boot to Recovery, run internet recovery and then re-DEP/VPP from combo of MDM profiles/policies and Apple Store apps. Could it work better, be faster, and be more consistent? Yes. The conversation I have with my manager is about where we should spend resources ($&people). Seems clear that better, faster networks (wireless esp) is a good place to start. Also time solving the issues around getting these mechanisms (InetRestore, DEP, VPP) to work with restricted networks and political InfoSec Policies will be very well spent. For a lot of us, working on those issues has not been in our job descriptions and we will need to partner, train, and learn. I have deployments now where the stakeholders can't release the devices (learning spaces, design studios) long enough for traditional imaging to finish a run. So I am searching for workflows that use continuous improvement with incremental updates. I would sure welcome Apple to present solid reliable and repeatable methods and tools to help.

bradtchapman
Valued Contributor II

@ega : I'm in such a position at our company, having added volumes of technical expertise and projects to my CV just from trying to find a solution for deploying Macs that would also appease our security and network teams. They know that changes have to be made—very quickly, in fact—and we've been trying to nudge them in that direction for a couple of years.

I predict that Apple will separate /System, /Library/, /Applications, and /Users into their own partitions and add the "Erase" functions that have been part of iOS since Day 1. Since the APFS partitions are dynamically resizable, it doesn't matter how much they contain. Imagine a future where you press one button and restore a Mac to a previous state, even an arbitrary state. You can try this right now with the "Restore Snapshot" feature, which can be accessed from Recovery OS on High Sierra. This function can be triggered from the running OS.

Apple already uses /usr/libexec/mdmclient to trigger the lock & wipe actions from a push notification. The daemon writes information into the Recovery partition, not NVRAM (otherwise you could bypass a passcode lock by simply resetting PRAM). It isn't a stretch to imagine that they can update the MDM protocol and the mdmclient daemon to respond to commands like "Erase All Settings" or "Erase All Content and Settings," or perhaps "Restore to Previous Snapshot."

Take note: Faronics had better figure out a way to make Deep Freeze work with APFS, or their product is dead.

milesleacy
Valued Contributor

@bradtchapman To be frankly blunt, I don't care about hardware service. That's not an in-house discipline for me.

I expect that when I send a broken Mac off to be fixed, that Apple will figure it out.

When I can reconfigure a new Mac for the affected user in ~10 minutes and their data is available in a cloud backup tool, I don't have to care.

rquigley
Contributor

@demaioj: Caching as of High Sierra is now built into the OS anyway, so caching isn't a feature, so to speak, anymore in Server.app.