With all due respect to our wonderful Apple Rep...thanks for nothing, Apple. #shakesFistAtApple

donmontalvo
Esteemed Contributor III

Apparently pushing a High Sierra combo updater is not possible, because someone at Apple decided the user needs to interact with the updater.

We went several rounds with Jamf and Apple, tickets here, tickets there, and when the dust settled, the determination is that High Sierra combo updaters require user interaction.

This, from Apple enterprise support, confirmed by Jamf.

@dan.kubley of Jamf fame to the rescue as usual, provided a workflow, which is to push the Install macOS High Sierra.app full installer.

Tested. Works. #ourHero

To Apple, since we know you use Jamf Pro...


I feel bad for our Apple Rep, he gets an earful from us when we run into these kinds of bizarre complications...he is the best of the best, but getting an earful from us and other companies.

--
https://donmontalvo.com

gachowski
Valued Contributor II

@donmontalvo

Do you think this is related to the UDID changing? It's a different update but.......

https://www.jamf.com/jamf-nation/discussions/26985/security-update-2018-001-changing-udid-of-computers

donmontalvo
Esteemed Contributor III

@gachowski interesting, not sure to be honest. I posted on that thread to see if anyone found any correlation. Pushing the Full Installer as recommended by our Jamf buddy did the trick, but seems like a hack. If Apple is heading down the "gotta touch the computer" road, I wonder what that means for management tools. The KEXT fiasco has already gone down that road, where someone has to press a shiny button. Maybe Apple lost sight of enterprise deployment and management of their platform?

--
https://donmontalvo.com

dpertschi
Valued Contributor

@donmontalvo What user interaction are you seeing pop up? I fought for a week trying to figure out how to publish the combo update in Self Service and gave up only because there is a reboot script in the package now which pulls the rug out from under Self Service and the policy log never updates complete.

RANT: I call total BS on running the 5GB full installer to accomplish what the (bloated) 2GB combo update provides. Is Apple sub-contracting with Adobe engineers now!

Chris_Hafner
Valued Contributor II

@donmontalvo ... Agreed. Management of the platform is getting a little weird over what should be some pretty simple stuff to sort out on Apple's part.

easyedc
Valued Contributor II

@donmontalvo I've been after my TAM/SE/AppleCare for weeks about the

Apple is heading down the "gotta touch the computer" road

for various reasons. I recognize the inherent security built into the required physical access, but isn't that the point of Apple's default answer of DEP/MDM? I see it as Apple pivoting away from enterprise with consumer based features enforced down on us. I should be able to circumvent a good bit of that if enrolled, isn't that the point, users can't be trusted? My fave is the one that requires connection/input of a physical KM instead of remote control to enable some of these "user acceptance" buttons to trust my JAMF Pro enrollment.

donmontalvo
Esteemed Contributor III

@gachowski, @dpertschi, @Chris_Hafner, @easyedc, just a wild guess, when Apple started offshoring their technical development in 2016, their quality took a serious nosedive, and if this isn't addressed soon, it's only going to get worse.

Before the usual "OMG he is xenophobic" SJWs start jumping on their soap boxes, this is ENTIRELY about a nosediving trend in quality from Apple.

Although it wouldn't hurt if Apple onshored this work, maybe paid their fair share of taxes for once, and stopped supporting slave labor. #oopsKicksSoapboxToTheSide

Publicly airing this dirty laundry might help Apple understand that there are issues that have to be addressed ASAP.

--
https://donmontalvo.com

easyedc
Valued Contributor II

How has this not made this thread yet? ^ :)

donmontalvo
Esteemed Contributor III

@easyedc LOL

--
https://donmontalvo.com

gachowski
Valued Contributor II

@donmontalvo

I sort of agree that there is a quality issue... I would say that the quality has stayed just about the same and the documentation too.... with Apple resources($$$$) that isn't acceptable.

I also think that Apple is piecemealing changes to "secure the macOS" instead of just committing to a date that the OS and hardware will be locked down like iOS. This piecemeal approach is not only a waste of time, it's leading to more and more unknown/undocumented issues/changes... who knows what is going on ...

I can hear it NOW: Apple Care is saying this is broken, we have thousands of "tickets/calls", and Engineering is saying nope, by design ... or even better, GUI Engineering is saying oh, that is a fix for a change that is going to happen... and Security Engineering is saying oh no, we pushed that back till the T3 chip is released ... and Hardware Engineering is saying no, we did that change in the T1 chip and you didn't build the change in the OS, so we removed it and used the space for Animojis in the touchbar.

It's 100% obvious that the lockdown is going to upset many many people and none of them really care about the security of the platform... when the change is done, part of me wants to count all the wasted tickets I have opened, but then I would count up the number of hours wasted and just cry....I've said this a few times ..four years to get a secure enclave on the Mac is just plain unacceptable and irresponsible.

C

I'll reuse/repost one of my "older" rants... : ) : )

While I am always up for a great rant!!! I don't think any place is a good place ...

Phil and Craig have both said publicly that Apple software is better than ever, and that they have the numbers to prove it. No way they are going to lie or mislead the public... So the issue is what is it going to take to convince Tim's staff that their numbers are not correct? Maybe their numbers are correct and we are just getting upset about a smaller number of issues.

I do know that opening tickets and public ranting isn't really going to influence Tim, anybody have any good ideas?

CasperSally
Valued Contributor II

@donmontalvo how are you attempting to install the combo update? Are you caching it locally or installing it via software update command? I'd like to try to reproduce and also report to Apple. If you're willing to share your Enterprise support case number, I'd like to piggy back on to it.

easyedc
Valued Contributor II

@gachowski Regarding Tim et al. stating that the macOS is "better than ever", it is probably just a generic statement. If you compare overall support requests reported, the consumer side will always dwarf the enterprise side, so as a whole, sure, it's probably "better", but for our purposes it's not necessarily true. Over the last 2+ years, I feel there's been an extreme shift in consumerization of the functionality of both the hardware and software platforms, but consumer options don't work in the enterprise.

donmontalvo
Esteemed Contributor III

@gachowski good points! @CasperSally cache the Install macOS High Sierra.app, then install the cached installer.

@easyedc I love the macOS/iOS/watchOS platforms, but something isn't right there at Apple these past couple years.

Apple would do well to hire @milesleacy to help right the ship, so they don't keep misstepping and derailing enterprise.

Until then, I might have to sell my 1 share of Apple stock if this keeps up. LOL

--
https://donmontalvo.com

CAJensen01
Contributor

I think we're looking at the same issue, but I've got an AppleCare Enterprise ticket (100432963470) open as well, related to this thread: 10.13.3 combo update

milesleacy
Valued Contributor

@donmontalvo Aww, shucks.
To be frank though, I don't think Apple are doing all that badly except in the case of communication and documentation.

Re:

Apple is heading down the "gotta touch the computer" road

From the administration/management/support perspective, I don't believe that's true. I think the reality is rather the opposite and the subtext in Apple's actions and product/feature releases are saying "admins/managers/support, keep your hands off the computer".

For decades, a significant amount of time, money, effort, and human resources have been spent by IT teams to handle "operations to modify and prepare a computer before the intended user touches it". Like imaging, which has historically been a big part of these operations, the operations and concepts themselves are dead or dying. But, having been "the way we've always done it" for half a century, give or take, the organizational, professional, and cognitive inertia is strong.

Today, however, by making proper and effective use of current Apple and 3rd-party tools, an IT team can drop-ship a Mac computer from the vendor directly to the end user, and be confident in the experience that user will have when they unwrap and power that Mac on.

The last few years of my life have been dedicated to making that happen in a world predisposed against such innovations, and I'm happy to say that progress has been great. If I was ever to move on (and I don't see that happening soon), barring giving up on computers altogether and becoming a professional obstacle course runner, it will be to help another environment "see the light", so to speak.

gachowski
Valued Contributor II

@easyandreas

Phil and Craig made the comments after WWDC in the daringfireball interviews answering specific questions about software quality. I feel that their comments and statements were honest, genuine and reflect Apple as a whole.

My main point is that "Apple" feels/knows their software is better than ever, so "us" opening tickets isn't going to change anything. I would guess that most of us have been "opening tickets" for years and "opening tickets" in multiple Apple programs (dev/seed/AC) and we really are not seeing any improvement .. It's time for a change; if we keep behaving in the same way with Apple we are going to get the same results.

Let's look at how this move to drop netboot/lockdown has happened... you haven't been able to modify netinstaller for over a year... but no communication about it being EOL until last week, and months after the surprise "take out the trash" hidden documentation in the iMacPro. This is the same comms and documentation that was used when the last CEO was in charge, however now Apple is an "Enterprise Company", so shouldn't Apple communicate and act like one?

C

gachowski
Valued Contributor II

@milesleacy

While I agree big time with your general premise .. I think you are painting a little better pix than what is happening in real life..

My org is not "confident" that DEP will work every time, every place, and Apple has refused to secure the macOS while having the technology and know-how.

C

milesleacy
Valued Contributor

@gachowski I don't know where your org falls on this, so I'm not speaking specifically about you/them, but in general terms...

I find most orgs that lack trust or confidence in Apple's technologies or processes have never tried them, according to all published requirements, specs, and best practices.
It's hard for one to fault Apple for a failed process if one does not follow Apple's directions when implementing said process.

That said, is Apple perfect? No. Will there be some percentage of failure? Absolutely, that's how life works and why we all have jobs.
I can say from experience though, when you follow Apple directions, you have fewer failures than when you second-guess or refuse to follow them.

donmontalvo
Esteemed Contributor III

@gachowski wrote:

While I agree big time with your general premise .. I think you are painting a little better pix than what is happening in real life..

I agree with the premise too. I look at a forum like I look at an everything bagel.

You look at the bagel, flick off what you don't want or like, and eat the rest.

Even if someone at the next table yells "What are you doing, that's the best part!"

In a public forum it's easy to get caught up on the "why" when most come here for the "how".

--
https://donmontalvo.com

PhillyPhoto
Valued Contributor

@milesleacy The biggest obstacle I face specifically where I am, is that there is a built-in system proxy at the network connection. Yet, that proxy is not universally used across the OS. In Windows, you set the proxy once and it "just works". Apple's answer to bypass the proxy for the entire 17 IP range to get Apple services working is just not feasible for regulated industries that can't just open things up willy-nilly.

milesleacy
Valued Contributor

@PhillyPhoto I see this all the time. The answer is to address the point of view of the evaluation of feasibility.

Opening up communication to *.apple.com, 17/8, etc., is not "opening things willy-nilly".

It is "configuring our systems and networks to operate within vendor-defined parameters that support our ability to manage, configure, and secure our Apple devices using Apple's industry-leading security features when the alternative is to lose the ability to consistently and reliably configure the security features of the device."

Presented this way, the truth of the matter becomes obvious: that it is a greater risk not to open the communication with Apple per spec.

donmontalvo
Esteemed Contributor III

@milesleacy wrote:

it is a greater risk not to open the communication with Apple per spec.

Very important point indeed.

Most Security teams just need to be brought up to speed on not only what the real ask is for, but they need context to vet risk.

Some banks push back because they need to understand the package being transmitted. What size? What is the content?

A few years ago we set up a call between our Mac team, the company's Security team, Jamf, and Apple, to table all concerns and questions. At the time the APNS packet was max 256 bytes, containing instructions but no confidential information...I think the packet size went up to 4096 bytes a while back...more info here:

APNs Overview

and

Creating the Remote Notification Payload

Get the stakeholders engaged, get them talking, that's usually what's needed.

But try not to throw the Apple Holy Book in their face - that can get annoying and they don't care, they may shut the door in your face.

Just give them the facts they need to do their job.

--
https://donmontalvo.com

CasperSally
Valued Contributor II

@donmontalvo would you share your enterprise support ticket? The ticket I have in so far isn't going anywhere.

donmontalvo
Esteemed Contributor III

@CasperSally sorry for the very late response. 100396685492

--
https://donmontalvo.com

CasperSally
Valued Contributor II

@donmontalvo

In JSS, I navigated to settings, computer management, packages, clicked on macOSUpdCombo10.13.3.pkg and checked box for "requires restart."

Then created 2 policies, 1 for self service to install all cached packages, and one that installs all cached packages via login trigger.

Both updated ok to 10.13.3. Let me know if I'm missing something? The install took 20 minutes, which means we'll have a hard time really deploying this to our few thousand MacBook Airs in laptop carts, but that's another story.

I did vote up the FR to add update inventory option on restart. Seems like if Jamf could offer a checkbox that also says to update inventory on install/restart that would make sense.
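
One way to script the cached-package install described in the post above, as an added example that is not from the thread, from Jamf, or from Apple: the policy script installs only when the Mac is below the target version, refuses an unsigned cached package, and runs a recon afterwards so inventory reflects the new version without waiting for the next check-in. The Waiting Room path, package name and target version are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): Jamf policy script for a cached combo updater.
# Assumptions: the package was cached by a Jamf policy into the Waiting Room,
# and the names/versions below are placeholders for your environment.
set -eu

PKG="/Library/Application Support/JAMF/Waiting Room/macOSUpdCombo10.13.3.pkg"
TARGET="10.13.3"

# Returns 0 when dotted version $1 is lower than $2, comparing each component
# numerically so that 10.13.10 is NOT treated as lower than 10.13.3.
version_lt() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        p1=${v1%%.*}; p2=${v2%%.*}
        [ "${p1:-0}" -lt "${p2:-0}" ] && return 0
        [ "${p1:-0}" -gt "${p2:-0}" ] && return 1
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    return 1
}

# Decide what to do for the running version; echoes "install" or "skip" so the
# decision can be checked without touching the system.
plan() {
    if version_lt "$1" "$TARGET"; then echo install; else echo skip; fi
}

main() {
    current=$(sw_vers -productVersion)
    if [ "$(plan "$current")" = skip ]; then
        echo "Already at $current, nothing to do"
        return 0
    fi
    # Only install a package whose signature pkgutil reports as valid.
    pkgutil --check-signature "$PKG" | grep -q 'Status: signed' || {
        echo "Refusing to install: $PKG is unsigned or tampered"; return 1; }
    installer -pkg "$PKG" -target /
    # Update inventory now; the policy's restart would otherwise leave the JSS
    # showing the old version until the next check-in.
    /usr/local/bin/jamf recon
}

# Only run the install path on a Mac; the helpers above can be sourced elsewhere.
if command -v sw_vers >/dev/null 2>&1; then main; fi
```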

Matt
Valued Contributor

After working for a bank the last 4 years, I can tell you it doesn't matter who tells them how safe opening up the port ranges is, they won't listen. The way most of these companies work is by sealing everyone in and only letting a trickle of data through. It took 3 years to implement APNS and it was only for 1 part of the bank; the other entities were basically told no. Managing the environment becomes impossible in situations where the red tape not only calls the shots but pays the bills. At some point Apple needs to understand that they may make the technology, but the trends dictate the rest. Apple needs to either go all in with enterprise or get out of the game altogether, because it's so fractured at this point. I am now at a start up and it's going to be easy as cake to manage the environment, but what happens when we triple in size? What happens when audit comes to play? At some point Apple needs to realize one size does not fit all in the enterprise market, and that's why Microsoft is so successful. They will let you play with their shovel in any sandbox.

donmontalvo
Esteemed Contributor III

@Matt give me a shout offline, happy to introduce you to bank environments that engaged the right teams/vendors to get the necessary traffic to flow.

--
https://donmontalvo.com

Matt
Valued Contributor

I'm done with banks, Don! :) I'm at a good place right now and am really happy. I'll hit you up though, we haven't caught up in a while.