Posted on 12-14-2017 01:07 PM
I have a script that sets two time servers on our Macs so they can reach one while they are in the office and one while they are out of the office, as we do not allow access to the Apple time server while in the office. It worked fine on Sierra but stopped working on High Sierra. I think it is not letting the ntp.conf file be written to in High Sierra.
Anyone know of another way to do it in High Sierra?
Here is the script.
#!/bin/bash
# Primary server (internal) is set through systemsetup; the second one is
# appended to ntp.conf as a fallback for machines outside the office.
TimeServer1=time.mycompany.com
TimeServer2=time.apple.com
/usr/sbin/systemsetup -setnetworktimeserver "$TimeServer1"
echo "server $TimeServer2" >> /etc/ntp.conf
/usr/sbin/systemsetup -setusingnetworktime On
Posted on 12-14-2017 01:54 PM
That process is still working for me.
Can you edit /etc/ntp.conf manually? vi or nano?
Posted on 12-14-2017 04:25 PM
This will still work in High Sierra
#!/bin/bash
# Default internal time server; Jamf passes script parameter 4, which
# overrides it when set.
NTPSERVER="ntp.internaldomain.com"
if [ "$4" != "" ]; then
    NTPSERVER="$4"
fi
/usr/sbin/systemsetup -setusingnetworktime off
# Set specific time server (becomes the primary / only one systemsetup reports)
/usr/sbin/systemsetup -setnetworktimeserver "$NTPSERVER"
sleep 5
# Additional servers appended to ntp.conf as fallbacks
echo "server time.asia.apple.com" >> /etc/ntp.conf
echo "server time.euro.apple.com" >> /etc/ntp.conf
echo "server pool.ntp.org" >> /etc/ntp.conf
sleep 5
/usr/sbin/systemsetup -setusingnetworktime on
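The two scripts above append to /etc/ntp.conf with `>>`, which duplicates the fallback lines every time the policy re-runs, and later posts note that `systemsetup -getnetworktimeserver` reports only one server while ntp.conf lists several. The helpers below are an added example, not code from either poster: an idempotent append, a check that the internal server stays first in the file, and a comparison of the file against the systemsetup output. File paths and the systemsetup text are passed in as parameters so the helpers can be exercised on a scratch file; only `configure_time` touches the real macOS commands.

```shell
#!/bin/sh
# Added example: idempotent ntp.conf helpers plus an audit against what
# "systemsetup -getnetworktimeserver" reports (it names exactly one server).

# add_ntp_server FILE HOST: append "server HOST" unless already present
add_ntp_server() {
  file=$1; host=$2
  if [ -f "$file" ] && awk -v h="$host" \
      '$1 == "server" && $2 == h { found = 1 } END { exit !found }' "$file"; then
    return 0
  fi
  printf 'server %s\n' "$host" >> "$file"
}

# list_ntp_servers FILE: print every "server" host in file order
list_ntp_servers() {
  awk '$1 == "server" { print $2 }' "$1" 2>/dev/null
}

# primary_is FILE HOST: succeed only if the first server line names HOST
# (the constraint in the thread that the internal server must stay primary)
primary_is() {
  [ "$(list_ntp_servers "$1" | head -n 1)" = "$2" ]
}

# reported_server TEXT: host from the "Network Time Server: host" line
reported_server() {
  printf '%s\n' "$1" | sed -n 's/^Network Time Server:[[:space:]]*//p'
}

# unreported_servers FILE TEXT: servers in FILE that TEXT does not mention;
# on High Sierra these are the entries timed never falls back to
unreported_servers() {
  rep=$(reported_server "$2")
  list_ntp_servers "$1" | grep -v -x -F "$rep" || true
}

# configure_time PRIMARY FALLBACK (macOS only): same steps as the posted
# scripts, but the fallback is added once rather than on every run
configure_time() {
  /usr/sbin/systemsetup -setusingnetworktime off
  /usr/sbin/systemsetup -setnetworktimeserver "$1"
  add_ntp_server /etc/ntp.conf "$2"
  /usr/sbin/systemsetup -setusingnetworktime on
}
```

To see which configured servers the system is not actually reporting, run `unreported_servers /etc/ntp.conf "$(/usr/sbin/systemsetup -getnetworktimeserver)"` on the Mac in question.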
Posted on 08-29-2018 07:13 AM
Can anyone post confirmation if this script still works as of 10.13.6? We have a local office NTP server set as the primary and the secondary server being time.apple.com. However even after running this script on remote computers if the battery drains on said computers they are not checking time.apple.com for the time.
I have a computer up and running that I'm testing this with and was able to reproduce this issue. If anyone has any ideas it would be much appreciated. What's odd is the argument -getnetworktimeserver only shows 1 server in the response, but ntp.conf does show the additional server entry for time.apple.com.
Thanks!
Posted on 08-29-2018 08:06 AM
I use a modified version of that script that sets the time zone and sets up location services; I just rolled it out to 10.13.6 machines. I am OOO today but can start a test tomorrow.
Posted on 08-29-2018 08:45 AM
Thanks Nix, really appreciate the help!
Posted on 08-29-2018 09:26 AM
I ended up running the script on a Sierra computer, capturing the file that gets changed, then creating a package of it and deploying that to new computers. This way I can make sure they get the correct info.
Posted on 08-29-2018 09:49 AM
I haven't tried on a Sierra computer for reference yet. But from what I gather with my research, there's no reason it won't work because it used ntpd as opposed to timed. I'll see if I can find one to test with for comparison. But I'm really looking for a solution geared for High Sierra.
Posted on 08-29-2018 11:41 AM
Confirmed. The script works in Sierra but not High Sierra.
Will continue to test but looking forward to the other responses. Thanks!
Posted on 08-29-2018 12:37 PM
EDIT: Something is definitely "odd" about /etc/ntp.conf now, but in theory it is still used so I've edited my original post. See Has anyone got the time? for more info on High Sierra time changes. It doesn't offer a solution however.
Posted on 08-29-2018 12:46 PM
OK, so I updated the Sierra computer that I just tested on to High Sierra. And the script no longer works.
So I just confirmed that timed fails to check for additional time servers if the primary server cannot be reached. I've submitted this bug to Apple on the dev site, hopefully they get it resolved with Mojave.
On that note, anyone have any ideas for a work around? I know I can either manually edit the hosts file or change the DNS record on the router, however that will then cause other security issues with the setup here (it's complicated to explain, but in short I'm not in complete control over here).
Posted on 08-29-2018 12:57 PM
I just confirmed what @cdegaeta reported, High Sierra only uses a primary server. In a previous organization, I had the internal DNS redirect time.apple.com to an internal time server so no modification to the server list was necessary. That might not fly with your network group, but it is an effective solution, and I would argue the simplest since it's a change on just your DNS rather than on every Mac.
Posted on 08-29-2018 12:59 PM
If you edit the /etc/ntp.conf on a Sierra Mac, then package and install it on a High Sierra Mac, it will let you use both. Some companies are really strict about editing DNS and this was the workaround I had to use.
Posted on 08-29-2018 01:05 PM
@rdagel Can you confirm your Macs are using the secondary time server if the primary isn't accessible? I did a manual edit and kicked the network time service but it did not try my internal server when time.apple.com didn't respond. I know the manual edit worked as making my internal time server the primary did result in time being synchronized.
Posted on 08-29-2018 04:49 PM
I second @sdagley's response. Can you provide more details @rdagel about how you packaged it up? Thanks!
Posted on 08-30-2018 06:45 AM
Hi Guys,
Okay, I too was able to confirm the findings with 10.13.6. So I read the link and did a bit of digging on the interwebs. I was able to get a hint here:
"With SIP enabled you can just copy the file: sudo cp /System/Library/LaunchDaemons/org.ntp.ntpd-legacy.plist /Library/LaunchDaemons/ and modify it to be 'Enabled' then run it: sudo launchctl load -w /Library/LaunchDaemons/org.ntp.ntpd-legacy.plist – Pierz Jun 21 at 21:25"
I ran ntpq -p and saw all time servers listed, with "usqas2-ntp-001(time.apple.us)". I waited a few minutes and ran ntpq -p again, but this time only "usqas2-ntp-001(time.apple.us)" was shown and my system had synced. Lastly, if I ran systemsetup -getnetworktimeserver it still returned my first internal time server, which the system is initially set for. Still grinding.
Posted on 08-30-2018 06:53 AM
The even simpler way to fix this is to create internal DNS records for time.apple.com etc. and point them to your internal NTP servers. That way no changes are required at all.
Posted on 08-30-2018 07:26 AM
Thanks for your help @Nix4Life! So I've actually decided to submit this as a bug to Apple. I'm sure they just brought over timed from iOS as is and since you cannot specify a time server in iOS they probably didn't think to add support for multiple servers. I'm hoping I'm right about this hunch but we'll see.
@marklamont While that quick fix may work for some, it won't work for my situation. Per organization security, the local time server has to be set as the primary server. I can adjust the DNS records for remote offices to redirect to time.apple.com, but this will not help me for telecommuters.
Posted on 08-30-2018 08:03 AM
I think you may have my idea the wrong way round: you redirect the Apple time server names to your local time servers. Then if internal you get time internally, and if external, from Apple.
Then create host records in the domain pointing to your time servers. That way the local server is the primary server, assuming your clients' DNS queries go to your local DNS servers.
You can even block NTP on the firewall then.
Posted on 08-30-2018 09:06 AM
Right, but that would require setting the computers to time.apple.com as the primary, which goes against the security rules (even though it is being redirected to the internal server). I know it sounds dumb, but these are the constraints I'm stuck working behind.
Posted on 01-17-2019 09:46 AM
FYI, Apple closed off the bug report with this response:
We don’t plan on supporting multiple NTP servers. If the network admin for your network wants to dns hijack time-*.apple.com on your network, you can (it’ll even cover phones on your network), but timed is single-DNS. If you’re using a DNS address that is also possible outside of your network, then you can expose it externally, and resolve a different list of IPs inside and outside.
Posted on 01-17-2020 03:07 PM
@cdegaeta mind sharing that bug report number? I've been fighting this for a crazy amount of time and I'm starting to suspect my skews are affecting other services (like authentication).