I'm a relatively new Mac admin, but since I've joined this community in 2018, it seems as if Apple is doing everything to prevent enterprise management. From PPPC, Notifications, Screen Sharing, and now M1 software updates...the list goes on. With every major macOS release, everyone on here goes into panic mode because Apple has either taken away vital MDM functionality or has a new user-focused security feature. I honestly feel bad for the devs at Jamf.
Anyway, I know that this is just how things are, but completely changing workflows every year just gets frustrating. Can't wait to see what "surprise mechanics" we get with macOS Monterey. Keep fighting the good fight ladies and gents.
Apple does not hate us. They just don't think we should exist. They are striving to make their products so simple to manage that no technical expertise of any kind is required. Boffins can throw a lot of wrenches into that mix though so they are working hard to take away all our wrenches. We'll keep tilting at Apple's $2 Trillion windmill, but my experience for a decade now has been that every time they offer up a feature we want, they take away other control that is necessary to truly leverage the power of that feature, and usually in the name of "protecting the end user."
Honestly I just wish Apple would spin off an enterprise hardware company for managed devices that actually listens to the needs and requirements of organizational administrators.
A more appropriate question here might be why does Jamf hate us - the new Community is a substantial regression in usability... too many big buttons and the content text is too small, amongst a million other complaints.
I think you have to step back a bit and try to view the whole IT management space from a further distance. Sometimes, we call this the 10,000-foot view. If you do this, you may see that Apple has been doing some of the hard work to better secure and harden their hardware and software -- and this has caused some, if not much, of the pain you've been experiencing. In my opinion, this is going to put Apple in a much better place as the bad actors are getting more skilled and manipulative every day. Look at how many times Microsoft's lunch has been absolutely devoured just in the last 12 months. Yes, Windows 10 is more secure than previous Windows OSes, but that doesn't mean it's secure. Remember all the tearing of fabric and gnashing of teeth when the Windows 11 preview came out and it was learned that the vast majority of PCs would be rendered incompatible (because of TPM2 and other factors)? The Windows admin space is about to undergo some serious pain not all that unlike what we've been dealing with for the last few years (whether it be PPPC, TCC, SecureTokens, bootstrap tokens, T2 restores, secure enclaves, changes to FileVault 2, activation locks, and the rest). It cannot be denied that Apple's platform is more secure than it was. It has to be.
Look, I don't like it either. It's ridiculously difficult to keep up, with the OS changing so radically every year. But Apple has been telegraphing for us where they're going. Watch the WWDC videos. As many times as you need. Take a look at some of the changes that are coming. It's going to get better. Declarative Management is coming along with a whole new revamped MDM spec and it's going to be excellent. Not a panacea. And MacAdmins will have to adjust and learn, but in the end, it'll be a better, more secure, more trustworthy, and easier-to-manage platform. If you haven't installed the Monterey beta yet, do it. Right over the top of one of your test Big Sur machines. Note what breaks. You can always wipe it and take it back to Big Sur.
Breathe. You got this.
This made my Monday morning. I will say, as a Windows-user-centric big org, it's a struggle to do things that in the outside world wouldn't matter (like network standards), but it is very hard to gain traction to make things work for Mac, or in some cases we just can't, as our Mac numbers are dwarfed by our Windows/*nix estates.
I feel your pain. I really do. And then I was asked to team with my Windows-based counterpart as they "modernized" management starting 2ish years ago. And everything Windows was trying to catch up on were things that Macs had been doing for a few years.
That being said, yes, Apple seems to hate us. I could excuse a number of things except that there are places where user interaction is still required. If I've met your criteria of a) ABM purchased/enrolled hardware and b) corporate MDM solution, why are some things still left to the user to control? Still makes no sense to me.
If I've met your criteria of a) ABM purchased/enrolled hardware and b) corporate MDM solution, why are some things still left to the user to control?
Because "privacy". Because they don't trust us. We aren't partners, we are enablers in an abusive relationship.
I've been advocating to Apple for a decade now for better enterprise administration and automation capabilities. Instead Apple continues to consciously subvert our capabilities as independent actors. The single best piece of evidence for this is that so much of what has challenged Mac admins in this timeframe is interfaced through the Security & Privacy preference pane.
So do you want better privacy and security in Apple's OS or not? I think you're missing the bigger picture here. Of course MacAdmins will be spending time in the Security & Privacy pane and learning how to implement the new security frameworks.
I also want better enterprise administration and automation capabilities and have also been lobbying Apple for more than 20 years for these tools. And when those tools didn't exist, people wrote them: Macintosh Manager, Radmind, Reposado, DeployStudio, NetBoot-Across-Subnets, Carbon Copy Cloner, SuperDuper, InstaDMG, even the original Jamf (Casper).
Better security in the hardware and OS has required Apple to make some radical changes. Our pain points are mostly related to these changes. And it sucks. I get it. And it's easy to complain and gripe at Apple. I'm not immune. For a long time, I was an outspoken advocate for trying to get Apple to let us have more than 90 days deferral for OS (and iOS) updates. Their new security model of forcing the latest (and more secure) OS on all users was in severe conflict with how I'd built my management structure at $OldJob. And while I still believe Apple should give us MacAdmins more than 90 days, I have a different view on it now. $NewJob (which is much more security-focused) has given me a new lens to view it through. Now I see that Apple has to make these changes. It is becoming a bigger and bigger target for the bad actors, the malware writers, the corporate and nation-state espionage actors, and more.
I disagree that we are "enablers in an abusive relationship." We are, instead, bystanders caught in the various information warfare conflicts.
It's telling, isn't it, that all those tools created by diligent Mac admins to fill the copious gaps that Apple left in their intermittently implemented enterprise support strategy have almost all been entirely deprecated, not because there was no longer a purpose in managing Macs that way, but because Apple simply took away the ability to do those things anymore and implemented something that gave Apple more control. Disk imaging is dead! Long live the expectation your device will connect to the cloud and pull down the latest available content always! Netbooting is dead! Long live super slow internet recoveries because Apple won't trust you to not compromise their OS installers. Being practically unable to brick a Mac is dead! Long live several discrete failure modes across multiple hardware iterations that enable either total device loss or at least an effectively wide open internet connection back to Apple and that aforementioned slow internet recovery. Granular OS software/security updates are dead! Long live downloading the entire monolithic OS installer every time a 500k component needs to change for a security update. Discrete preference panes that serve a single purpose are dead! Long live Security & Privacy - because it would be too easy and accommodating to our administrator base to break these up into two separate panes that actually allowed management the way admins might want to manage things.
And yes, while there are a bunch of new tools to fill in the gaps Apple's left behind their current implementation, it's getting harder to slip into the spaces between Apple's all-encompassing and deliberately obtuse Security/Privacy model.
Look, it's not that I fear change or don't want to change, it's that the control I transfer to Apple for the benefit of Apple's protection feels more and more like a racket every time there's an update.
I think we're all worried that with the release of a future macOS "Death Valley" that'll be the end of our ability to manage anything on a fleet of Macs anymore, that you'll need an up-to-date, fully paid organizational account authenticating with a biometrically imprinted Apple ID to managemydevices.apple.com to be able to set your preferred Declarative Management template for the 7 customizations that Apple continues to allow.
For me it ultimately boils down to the fact that if you or I walked into an Apple Store and purchased a computer, I could do whatever I wanted with it. But in the enterprise sphere, that doesn't play. My .org purchases the hardware and provides it to an end user. As the purchaser, and true owner, of the computer, I'm still at the mercy of what the user chooses to do in some situations, and (like the 90-day OS update issue) can't truly control certain things. I've been a victim of security agents which just-don't-work-with-current-releases in the past, and being forced to update was just not an option. Apple doesn't distinguish between owner and user in the enterprise space, all while preaching "we're pro-enterprise!"