Posted on 10-25-2018 08:55 AM
After rolling out High Sierra to our Faculty this summer, we were using tmutil to take a local snapshot as a way to roll back the machine to a known good state in the event this was ever needed. We intentionally don't use Time Machine for backing up our Macs. However, for VIPs we were planning on using regular local snapshots to keep an I.C.E backup.
However, it appears that, despite manually taking local snapshots on machines via tmutil localsnapshot, these snapshots don't persist.
Does anyone know why this is, and if there's a way to achieve our desired result so that we can more easily roll back machines to their "just after deployment" state?
Posted on 10-25-2018 09:35 AM
As far as I am aware, local snapshots are removed after the following:
Local time machine backup via USB
OS X update - so every time Apple updates 10.13.4 > 10.13.5 you would need to take a snapshot again
Posted on 10-25-2018 09:51 AM
@rickgmac that's not been my experience after recently testing. I took a snapshot on a MacBook Air yesterday and confirmed it existed after taking it. Today I ran tmutil listlocalsnapshots / and no snapshots are present.
Posted on 10-25-2018 10:14 AM
In my initial testing earlier this year with HI-C, the snapshots only lasted for 24hrs. I was toying with an idea to touch the file every hour to see if it would persist, but never followed through.
Posted on 10-25-2018 12:11 PM
I've heard Apple has a way to make them persist. Like gigantically large orders of thousands of machines, you can request a snapshot to easily roll back.
They just don't share that information. Which sucks for us.
Posted on 10-27-2018 12:26 PM
I reached out to Apple Enterprise Support in the hopes of getting more info.
Posted on 10-27-2018 03:43 PM
There is a support article from Apple that talks about this.
About Time Machine local snapshots
Posted on 10-28-2018 02:17 PM
I believe that a local snapshot taken by the 'tmutil' command manually lasts 24 hours only.
Posted on 10-29-2018 05:21 AM
If you are running macOS 10.14 Mojave the tmutil command is not functional until you make changes in System Preferences/Security&Privacy - Privacy tab / Accessibility - add Terminal to applications allowed to control the computer.
Posted on 04-03-2019 08:44 AM
We'd like to do something similar, keep one local snapshot as a way to revert short term loaner computers back to their initial state. So far as I can tell, there doesn't seem to be a way to keep a local snapshot longer than 24 hours. Was anyone successful in finding a way to preserve the local snapshot?
Posted on 04-03-2019 09:59 AM
@sturnbull et al., I haven't found a way to do this. Calls to Apple Enterprise Support got me nowhere. They "understand" the need and why we want it, but this currently isn't implemented and from what I can tell, they have no plans of changing this.
Posted on 11-20-2019 01:17 PM
It's a pity to see everyone's response and that Apple hasn't found a solution for a simple rollback. I'm very much in the same boat as @sturnbull (short term loaner machines being rolled back to a clean state).
I have partitioned the APFS hard drive and time machined the drive from one partition to another. This allows us to easily clean off the loaner machines with a few clicks each time, but it's so slow. The recovery of a snapshot within 24 hours is so super fast. Has anyone toyed with the terminal commands to force the system to retain the snapshot?
Are these the first steps of Apple not wanting to be a part of enterprise? Forced MFA on the App Store is also an indicator of this for us.
Posted on 12-04-2019 01:09 PM
Just note that Secure Tokens are not assigned to any users by design if you restore a local snapshot.
Posted on 12-04-2019 01:37 PM
@takayuki Thanks for that tidbit. That probably explains why when trying to edit the Startup Security settings on my T2 test Mac (which is often restored from a tmutil snapshot) I ran into the error that I didn't have an account with the required access. Luckily going through a cycle of disabling and re-enabling FileVault seems to have resolved the problem as after I did that my account was allowed to edit the Startup Security settings.
Posted on 12-05-2019 10:21 AM
Thanks for that. Is there any documentation for taking an APFS snapshot on one machine and transferring it to another? I'm imagining a scenario where a user is migrating laptops and we can't simply open the machine up and swap SSDs.
Posted on 12-05-2019 10:42 AM
Posted on 12-06-2019 09:15 AM
great ... can't wait to talk to "enterprise" support again about this ...