
M(DM)acOS - bangonkeyboard
http://michaellynn.github.io/2016/10/04/mDMacOS/
======
dantiberian
This article makes an acrobatic leap from

1. iOS devices are locked down.

2. Current iOS devices have security features in HFS+ that aren't present in
macOS HFS+ (such as?).

3. APFS has more security (encryption?) features that bring macOS in line
with iOS.

4. macOS is going to become locked down.

This may be true, but I don't see it from the evidence provided. I may be
wrong, but I don't think that the file system on iOS is the reason that it is
locked down and the file system on macOS is why it is open? Disk encryption
has very little to do with cryptographically signing and protecting the OS.

Apple has been taking the good bits from iOS and moving them to macOS.
Deprecating software update in favour of the App Store and changing how the OS
is downloaded seems to be one of these cases.

Apple has repeatedly said that they aren't going to merge iOS and macOS.
They're two different systems with different contexts. Walling macOS off makes
little more sense than opening up iOS completely.

~~~
iainmerrick
_Apple has been taking the good bits from iOS and moving them to macOS.
Deprecating software update in favour of the App Store and changing how the OS
is downloaded seems to be one of these cases._

I personally see that as a _bad_ change for macOS -- the app store is really
not very good, and it's very slow and clunky at downloading and installing
system updates. The old built-in Software Update was much more reliable.

By "slow and clunky" I mean it'll tell you it has an update, but opening the
app first shows you a page of ads for the latest apps that you don't need
right now. Then when you click on the "updates" tab, you get the old spinning
beach ball for an inordinate amount of time before it finally tells you what
updates are available. Often it'll just be a massive iTunes update that
requires you to quit Safari(!?!) before installing.

iOS doesn't use the app store for system updates (did it ever?) -- it's in
Settings, which I think makes sense. It would be a good course correction if
macOS were to do the same.

 _(edit: typos)_

~~~
rsync
"I personally see that as a bad change for macOS -- the app store is really
not very good"

On multiple systems, using multiple versions of OSX[1], I have actually never
gotten the app store _to even launch properly_.

Luckily, system updates for SL came via the apple menu so it wasn't an issue.
In Mavericks, however, it took multiple (sometimes 8 or 10) tries just to fire
up the app store without an infinite beach ball in order to do simple OS
updates.

[1] Snow Leopard and Mavericks

~~~
LeoPanthera
The command-line software update tool is still available and seems to work OK.
"sudo softwareupdate --help"

------
i336_
> _Apple had an entire session on APFS (which you can watch without a
> Developer ID)._

[https://developer.apple.com/videos/play/wwdc2016/701/](https://developer.apple.com/videos/play/wwdc2016/701/)

That page: _Streaming is available in Safari, and through the WWDC app._

Me: "Right."

FFmpeg handles .m3u8 files just fine now, as does VLC and mplayer.

Here's the playlist hiding in the HTML of the above page:
[http://devstreaming.apple.com/videos/wwdc/2016/701q0pnn0ietc...](http://devstreaming.apple.com/videos/wwdc/2016/701q0pnn0ietcautcrv/701/hls_vod_mvp.m3u8)

That master playlist further references sub-playlist URLs for each resolution,
so you can pick the resolution you want manually if you like.

- 1080p:
[http://devstreaming.apple.com/videos/wwdc/2016/701q0pnn0ietc...](http://devstreaming.apple.com/videos/wwdc/2016/701q0pnn0ietcautcrv/701/1920/1920.m3u8)

- 960x540 (the one I grabbed; 718MB):
[http://devstreaming.apple.com/videos/wwdc/2016/701q0pnn0ietc...](http://devstreaming.apple.com/videos/wwdc/2016/701q0pnn0ietcautcrv/701/0960/0960.m3u8)

I downloaded it with

    ffmpeg -i <URL> -c copy apfs.ts

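The post above describes how an HLS master playlist points at one sub-playlist per resolution so you can pick a variant by hand. The following is an added example, not part of i336_'s post: a small parser for the master playlist format (`#EXT-X-STREAM-INF` attribute line followed by the variant's URI) that resolves relative URIs against the master URL and selects a variant by height. The playlist text and host name are constructed to mirror the shape of the Apple playlist linked above; they are not the real attribute values.

```python
"""Parse an HLS master playlist and pick a variant by resolution.

Added example, not code from the original post. The playlist below is
constructed; its URLs, bandwidths and codec strings are illustrative.
"""
from urllib.parse import urljoin

# Constructed master playlist (not fetched from devstreaming.apple.com).
MASTER_URL = "http://devstreaming.example/videos/wwdc/2016/701/hls_vod_mvp.m3u8"
MASTER_PLAYLIST = """#EXTM3U
#EXT-X-STREAM-INF:BANDWIDTH=5000000,RESOLUTION=1920x1080,CODECS="avc1.640028,mp4a.40.2"
1920/1920.m3u8
#EXT-X-STREAM-INF:BANDWIDTH=1500000,RESOLUTION=960x540,CODECS="avc1.4d401f,mp4a.40.2"
0960/0960.m3u8
#EXT-X-STREAM-INF:BANDWIDTH=600000,RESOLUTION=640x360
0640/0640.m3u8
"""


def parse_attributes(attr_text):
    """Parse an HLS attribute list: KEY=VALUE pairs separated by commas.
    Quoted values (e.g. CODECS) may themselves contain commas, so a naive
    split(",") is wrong; track quote state instead."""
    attrs = {}
    key, value, in_key, in_quotes = "", "", True, False
    for ch in attr_text:
        if in_key:
            if ch == "=":
                in_key = False
            else:
                key += ch
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            attrs[key.strip()] = value
            key, value, in_key = "", "", True
        else:
            value += ch
    if key:
        attrs[key.strip()] = value
    return attrs


def parse_master(text, base_url):
    """Return the variant streams listed in a master playlist.

    Each #EXT-X-STREAM-INF tag applies to the next non-tag, non-blank line,
    which is the (possibly relative) URI of that variant's media playlist.
    """
    variants = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#EXT-X-STREAM-INF:"):
            pending = parse_attributes(line[len("#EXT-X-STREAM-INF:"):])
        elif line.startswith("#"):
            continue  # other tags and comments
        elif pending is not None:
            width, height = (int(x) for x in pending.get("RESOLUTION", "0x0").split("x"))
            variants.append({
                "uri": urljoin(base_url, line),
                "bandwidth": int(pending.get("BANDWIDTH", "0")),
                "width": width,
                "height": height,
                "codecs": pending.get("CODECS", ""),
            })
            pending = None
    return variants


def pick_variant(variants, height):
    """Pick the variant with the requested vertical resolution, or None."""
    for v in variants:
        if v["height"] == height:
            return v
    return None


def pick_highest(variants):
    """Pick the highest-bandwidth variant."""
    return max(variants, key=lambda v: v["bandwidth"]) if variants else None


if __name__ == "__main__":
    streams = parse_master(MASTER_PLAYLIST, MASTER_URL)
    for s in streams:
        print(f'{s["width"]}x{s["height"]:<5} {s["bandwidth"]:>8}  {s["uri"]}')
    chosen = pick_variant(streams, 540)
    print("ffmpeg -i", chosen["uri"], "-c copy apfs.ts")
```

Feeding the chosen sub-playlist URI to `ffmpeg -i <URL> -c copy out.ts` downloads only that rendition, which is what the post did by hand for the 960x540 stream.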
~~~
draw_down
Congratulations!

------
Sophistifunk
This would be a lot more sensible if there was an explanation of what MDM
stands for.

~~~
lloeki
For the record: Mobile Device Management

------
matt4077
This is a restatement of a conspiracy theory that was bullshit when it first
appeared three or four years ago, and it hasn't improved.

The convoluted way he uses to get there should one day make him President.
Basically it's "they're unifying file systems across iOS and macOS" -> "they
must be unifying something else" -> "They must be getting rid of root".

Never mind that they could effectively do that today, without a filesystem
switch, with System Integrity Protection. Yes, you can boot into the rescue
system and deactivate it but nobody does, and those that do don't make a
difference. Because (assuming Apple's goal is revenue), SIP in /Applications
would be enough to destroy the market for independently distributed
applications.

"For some, this will feel like a bleak story.

Or even a scary one.

In the name of security."

Or maybe... In the name of love.

Or strangely important(ish) sounding short paragraphs.

Encryption in this context is about native support for full-disk encryption.
It's completely removed from the iOS mechanisms that stop you from accessing
the file system, which is based on signatures.

------
brazzledazzle
If Apple does this they'll throw away so much good will from the developer
community. Kind of makes me wonder if laying off the macOS automation guy is
related.

------
zalmoxes
A few of us are working on an open source alternative to Mobile Device
Management vendors.

[https://github.com/micromdm](https://github.com/micromdm)
[https://micromdm.io/community/](https://micromdm.io/community/)

Also, Apple has finally released the protocol, which previously was behind the
Enterprise Developer portal.

[https://developer.apple.com/library/content/documentation/Mi...](https://developer.apple.com/library/content/documentation/Miscellaneous/Reference/MobileDeviceManagementProtocolRef/3-MDM_Protocol/MDM_Protocol.html)

~~~
walterbell
Great news about the release of MDM docs.

Will this also support iOS, e.g. per-app VPN profiles, VPN certs?

~~~
zalmoxes
Not all, but most MDM Commands in the spec are already supported. You can see
all the supported commands you can issue to devices here
[https://github.com/micromdm/mdm/blob/master/command.go#L233](https://github.com/micromdm/mdm/blob/master/command.go#L233)

There's a lot of work that needs to be done for micromdm to be a usable
replacement in the enterprise though. Right now it's still an experiment -- the
focus (at least for me) is to try to create a tool which is extensible (API
driven) and one that will be acceptable in environments where people today use
configuration management everyday.

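The comments above point at the list of MDM commands micromdm can issue and at the now-public MDM Protocol Reference. As an added example (not micromdm's code, and not from the original thread), here is the shape of one command/response exchange in that protocol, using Python's `plistlib`: the server queues a command plist carrying a `CommandUUID` and a `Command` dictionary with a `RequestType`, and the device later posts back a plist with its `UDID`, the same `CommandUUID` and a `Status`. The check on the server side is the security-relevant part: a response is only trusted if its UDID matches the enrolled device and its CommandUUID correlates with an outstanding command, and only the documented Status values are accepted. The UDID, device name and OS version are constructed sample values; the transport (APNS wake-up, HTTPS check-in) is outside this snippet.

```python
"""Build an MDM command and validate a device's response using plistlib.

Added example, not micromdm's code. Key names follow the MDM Protocol
Reference (CommandUUID, Command, RequestType, UDID, Status, QueryResponses,
ErrorChain); the device values below are constructed.
"""
import plistlib
import uuid

# Status values a device may return, per the MDM Protocol Reference.
TERMINAL_STATUSES = {"Acknowledged", "Error", "CommandFormatError"}
RETRY_STATUSES = {"NotNow"}

# Constructed device UDID (not a real device).
SAMPLE_UDID = "00008030-000A1B2C3D4E5F60"


def build_command(request_type, **params):
    """Return (command_uuid, plist bytes) for a command to queue for a device."""
    command_uuid = str(uuid.uuid4()).upper()
    command = {"RequestType": request_type}
    command.update(params)
    return command_uuid, plistlib.dumps({"CommandUUID": command_uuid,
                                         "Command": command})


def encode_response(udid, command_uuid, status, **fields):
    """Constructed device side: the plist a device would POST back."""
    body = {"UDID": udid, "Status": status}
    if command_uuid is not None:
        body["CommandUUID"] = command_uuid
    body.update(fields)
    return plistlib.dumps(body)


def check_response(expected_uuid, expected_udid, response_bytes):
    """Validate a device response against the command we are waiting on.

    Returns {"status", "done", "result"}; raises ValueError when the
    response cannot be tied to the device and command it claims to answer.
    """
    response = plistlib.loads(response_bytes)
    if response.get("UDID") != expected_udid:
        raise ValueError("response UDID does not match the enrolled device")
    status = response.get("Status")
    if status == "Idle":
        # Idle carries no CommandUUID: the device has nothing to report.
        return {"status": "Idle", "done": True, "result": None}
    if response.get("CommandUUID") != expected_uuid:
        raise ValueError("response does not correlate with an outstanding command")
    if status in RETRY_STATUSES:
        return {"status": status, "done": False, "result": None}
    if status not in TERMINAL_STATUSES:
        raise ValueError(f"unexpected Status {status!r}")
    if status == "Acknowledged":
        result = response.get("QueryResponses", {})
    else:
        result = response.get("ErrorChain", [])
    return {"status": status, "done": True, "result": result}


def sample_exchange():
    """Server issues DeviceInformation; a constructed device acknowledges it.
    Returns (decoded command plist, outcome of the response check)."""
    cmd_uuid, cmd_plist = build_command(
        "DeviceInformation", Queries=["UDID", "DeviceName", "OSVersion"])
    device_response = encode_response(
        SAMPLE_UDID, cmd_uuid, "Acknowledged",
        QueryResponses={"UDID": SAMPLE_UDID,
                        "DeviceName": "Example MacBook",
                        "OSVersion": "10.12"})
    return plistlib.loads(cmd_plist), check_response(cmd_uuid, SAMPLE_UDID,
                                                     device_response)


if __name__ == "__main__":
    command, outcome = sample_exchange()
    print(command["Command"]["RequestType"], command["CommandUUID"])
    print(outcome)
```

A `NotNow` status means the device cannot run the command yet (for instance, it is locked) and the server should re-queue it rather than treat it as finished; a response whose CommandUUID or UDID does not match is dropped rather than acted on.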
~~~
walterbell
Since that list can deliver profiles, could Apple Configurator be used to
create the profile, then deliver them with the MDM tool? I recall that
registration was needed for Apple's servers to push profiles to managed
devices. How would that work with an OSS MDM? Does the MDM need a certificate
from Apple?

~~~
zalmoxes
You need to be an Enterprise Developer and get a special APNS cert from Apple. (It
only costs $300/year, which any company should be able to afford). MDM certs are still a
pain, and it's hard to get involved with the project if you don't have one.
Luckily, if you install Server.app from the App Store and enable Device
Management, Apple issues you a push cert you can use. You just have to export
it from Keychain Access as a .p12 file.

~~~
zalmoxes
Someone is also working on an alternative to Apple Configurator (which is
already nicer than the original)
[https://github.com/erikberglund/ProfileCreator](https://github.com/erikberglund/ProfileCreator)

~~~
walterbell
Thanks for the pointers, this was not discoverable from web searching.

------
iainmerrick
What would the impact of this be on the average power user? i.e. not someone
managing a fleet of devices, but someone who needs to install and use a bunch
of low-level tools to get stuff done.

If there comes a time when I can't just "brew install" the stuff I need, the
Mac becomes useless (to me) as a development platform. If I were simply forced
to install stuff in my home directory, I guess that would be okay.

I wonder what the story would be for things that (currently) need root or
kernel access, though, like FUSE or VMware.

I agree with other comments that this particular article seems a bit
speculative and overblown, but the Mac has been increasingly locked down for
several years now so it's worth thinking about.

------
pier25
Apple has denied merging macOS and iOS, but IMO a universal OS that works on
all your devices is inevitable.

Mobile devices are now powerful enough that they could connect to a screen and
display a desktop environment to perform everyday tasks. I'm almost certain
Apple isn't doing this because it would cannibalise its products.

If the rumoured Andromeda OS by Google is what I'm describing, macOS and
Windows will become the trucks of desktop OSs.

------
TazeTSchnitzel
MDM doesn't interest me, but storing the OS and user data separately? That is
interesting.

OS X and now macOS already have System Integrity Protection, where a large
portion of the filesystem cannot be touched even by root.

Maybe they'll eventually move that to its own partition?

------
marssaxman
What is "MDM"? I'm not familiar with such an acronym, and the author of this
piece never defines it.

------
_pmf_
I don't think Apple still cares enough about MacBooks to go to such lengths.

