Secure Boot restricts what the iMac Pro can boot from

The iMac Pro has a new feature called Secure Boot, which I’m presuming will be added to future Mac models as they are released.

Secure Boot makes sure that the startup disk is “a legitimate, trusted Mac operating system or Microsoft Windows operating system”.  Secure Boot can also prevent the Mac from booting from an external drive.

The setting for Secure Boot can only be changed while booted into Recovery mode, by clicking on Utilities, and selecting Startup Security Utility.

By default Secure Boot is set to “Full Security”, which restricts the Mac to booting only from its primary startup volume and Apple recovery volumes.  The “Disallow booting from external media” choice is also set by default.  Options include:

The Secure Boot feature is something that all Mac support professionals need to know about, because it changes the game when it comes to booting from external service drives or cloned volumes.

Even if an iMac Pro has Secure Boot set to “No Security”, it can’t boot from a NetBoot, NetInstall, or NetRestore image.  Apple confirms that in this support article.  Rumor has it that the forthcoming macOS 10.13.4 update will remove this restriction, allowing Mac Pros to boot from network images.  It should be noted, however, that Apple is now saying that network imaging can only be used to re-install the OS, and that upgrading the OS via a network image isn’t recommended or supported.

Mac Server app won’t be serving much soon

Last October I reported that Apple Server app 5.4 removes the option to set up network file shares (yes, you read right, a server app that can’t provide basic file sharing).  They also removed FTP sharing, Caching server, Time Machine backup server, and Xcode Server from the Server app.

Apple recently announced that even more services will be retired from the forthcoming Server app update, due in Spring 2018.  They have posted a support article titled “Prepare for changes to macOS Server”, listing the following services that will be deprecated:

  • Calendar
  • Contacts
  • DHCP
  • DNS
  • Mail
  • Messages
  • NetInstall
  • VPN
  • Websites
  • Wiki

Unlike file sharing, Apple claims that if you have an existing Server app setup with these services already enabled, the services will continue to work after the Spring 2018 update.  For new installs the services will be hidden, and Apple warns that these deprecated services will be completely removed in a future release.

So you may ask yourself, what good is a Server app that can’t provide any server features?  Apple’s answer is “macOS Server is changing to focus more on management of computers, devices, and storage on your network”.  My answer is they are fully committed to removing themselves from this segment of the Enterprise market.  Instead of retiring the Server app and improving their Configurator app, they’ve decided to rip out all the “server” bits but confusingly leave the name the same.

Mac office apps now multi-user aware

Microsoft has released an update for Office 2016 for Mac (v16.9) that adds real-time multi-user editing to Word, Excel, and PowerPoint.  When more than one person is editing a document simultaneously, a thumbnail will show in the upper right corner of the app indicating someone else is working on the doc.

Microsoft describes this feature as “Edit with others in real time: Thumbnails in the upper-right corner of the window show who else is working with you in a shared document. Flag icons show where others are working and you can view changes as they type.”


Recipe for getting Sierra from the Mac App store

The Mac App Store allows you to view past purchases (Store->Purchased) linked to your Apple ID, and if you’ve upgraded the version of Mac OS in the past on any Mac, the free downloads for the OS installers are supposed to show here.  For example, when logging into the Mac App store using my Apple ID, in the purchased list I see downloads for things like OS X Mavericks, OS X Yosemite, and OS X El Capitan.

Curiously Apple decided to exclude the Sierra installer in the purchased list shortly after High Sierra came out.  I guess enough people wanting to revert from High Sierra to Sierra complained about this, because Apple has published this support article detailing how to download Sierra by clicking on a special link that opens in the Mac App Store.  This works even if the Apple ID you are logged in with has never downloaded Sierra.

On a related note, Apple also published a similar support article detailing how to download El Capitan by clicking on a special link that opens in the Mac App Store.  This also works if the Apple ID you are logged in with has never downloaded El Capitan.

High Sierra security flaw – Root password? Where we’re going we don’t need root password!

Versions 10.13 and 10.13.1 of Apple’s High Sierra Mac operating system have a major flaw that makes it possible to completely bypass all security features.  This can be exploited from the login window or any authentication prompt, if “root” is entered for the username and the password is left blank.  After this has been done, the Mac can be accessed as root without a password either locally or remotely via the command line.

While this is an unprecedented Apple security bug, this risk is minimal for most Mac users.  Here’s my need-to-know assessment:

  • Physical access to the Mac is required to “activate” this vulnerability*
  • News of this bug went viral on 11/28/17
  • In less than 24 hours Apple released a patch to fix it: Security Update 2017-001

*The ability to access the Mac as root without a password is one that requires “activation”, and by activation I mean someone with physical access to the Mac would first need to actually enter “root” for the username at the login window or authentication prompt, click into the blank password field, and attempt to continue multiple times (the first few will fail).  If this hasn’t previously been done, the Mac is safe from this bug.

Now that this flaw is public knowledge, Macs running High Sierra 10.13 or 10.13.1 should have the Security Update 2017-001 update applied ASAP.  While the threat is limited in scope, it makes publicly accessible unpatched Macs a prime target.  Once macOS 10.13.2 is released this will all be water under the bridge, because Apple rolls previous security patches into macOS updates.

A few additional items of note:

  • This can only potentially affect Macs that have never had the root user enabled.
  • The Security Update 2017-001 will disable the root user if it has been enabled in the past.  Apple’s instructions for enabling/re-enabling the root user are posted here.
  • There are reports of the Security Update 2017-001 breaking file sharing.  This is limited to Macs running High Sierra 10.13.1, sharing out files via SMB to other Macs. 12/1/17 UPDATE: Apple has posted a fix for this problem.
  • This flaw is not limited to root; it also extends to other faceless user accounts like guest, _applepay, and _uucp.  See this Objective-See blog post for more details on the underlying cause, including what Apple did wrong.
  • Apple has released a followup statement that includes: “We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”
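
A small triage helper for the points above, added here as an example (it is not from Apple or from the original post).  It assumes that a root account which was never enabled has no AuthenticationAuthority attribute in `dscl`, and that one holding a password lists ShadowHash; the function names, verdict strings and inventory records are made up for illustration.

```shell
#!/bin/sh
# Added example: triage Macs for the blank-root-password flaw (10.13 / 10.13.1).

# True only for the two releases the post names as affected.
affected_version() {
    case "$1" in
        10.13|10.13.0|10.13.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify the output of: dscl . -read /Users/root AuthenticationAuthority
# Assumption: a root account that was never enabled has no such attribute,
# and one that holds a password (set on purpose or via the bug) lists ShadowHash.
root_state() {
    case "$1" in
        *"No such key"*) echo never-enabled ;;
        *ShadowHash*)    echo has-password ;;
        *)               echo unknown ;;
    esac
}

# Verdict for one Mac. The version string alone cannot show whether
# Security Update 2017-001 is installed, so affected releases are never "ok".
triage() {
    if ! affected_version "$1"; then
        echo not-affected
        return 0
    fi
    case "$(root_state "$2")" in
        has-password) echo investigate-root ;;  # root may already be "activated"
        *)            echo confirm-update ;;    # verify Security Update 2017-001
    esac
}

# Read "host|version|dscl output" records and print "host verdict".
triage_fleet() {
    while IFS='|' read -r host version attr; do
        [ -n "$host" ] && echo "$host $(triage "$version" "$attr")"
    done
    return 0
}

# Constructed inventory records (hostnames and values are made up).
SAMPLE='lab-01|10.13.1|No such key: AuthenticationAuthority
kiosk-02|10.13|AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
dev-03|10.12.6|No such key: AuthenticationAuthority'

printf '%s\n' "$SAMPLE" | triage_fleet
```

On a single Mac the same check is `triage "$(sw_vers -productVersion)" "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)"`.  A Mac where root was enabled on purpose also reports investigate-root, so that verdict means "look closer", not "compromised".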

OWC Aura High Sierra firmware install workaround

If a Mac has been upgraded with an OWC Aura SSD, it may fail to install High Sierra, erroring out with: “macOS could not be installed on your computer.  An error occurred while verifying firmware.”

OWC claims this is limited to certain model MacBook Airs and Mac Pros, but owners of MacBook Pros have also reported the problem.  See this OWC blog post for more information.  They are working with Apple towards a fix.

If you have an OWC Aura SSD and are dead set on installing High Sierra, there is a confirmed workaround.  Temporarily replace the Aura SSD with the original Apple storage, boot from the Apple storage, then install High Sierra.  The High Sierra install will automatically apply the needed firmware update.  Afterwards, replace the original Apple storage with the Aura SSD, boot from the Aura SSD, then install High Sierra.

Supporting High Sierra – the APFS Entanglement

Things have suddenly become more complex when supporting Macs, thanks to High Sierra’s semi-adoption of the new Apple File System, otherwise known as APFS.

For over 30 years all Macs have used Apple’s HFS file system, which last underwent changes in 1998 when HFS+ was introduced (a.k.a. Mac OS Extended).  A file system is the behind-the-scenes mechanism controlling how a volume is formatted, and how the operating system stores or retrieves data.  HFS+ was also the base file system for iOS, tvOS, and watchOS.

APFS is Apple’s replacement for the aging HFS+ file system.  APFS offers many long-awaited improvements including: Support for snapshots, native full disk encryption, delta based file copy (copies of files don’t occupy additional storage space), advanced crash protection, and shared space across multiple volumes.

HFS+ volumes can be converted to APFS, but they can’t be converted back.  Any iPhone or iPad running iOS 10.3 or later has already had its storage converted to APFS.  The same is true with any recently updated Apple TV or Apple Watch.

I believe APFS will ultimately improve all things Apple, but mark my words… From a Mac troubleshooting and support perspective, APFS is the biggest change Apple has made since switching from PowerPC to Intel processors.  It adds a layer of complexity to supporting Macs unlike any other.

Mac savvy engineers should know the following about APFS:

  1. High Sierra only converts SSD boot volumes to APFS; HDD and Fusion Drives are not converted
  2. Because High Sierra can run on either APFS or HFS+, determining the file system has become an important troubleshooting step
  3. APFS volumes cannot be used for Time Machine backups
  4. AFP file shares cannot be created on an APFS volume
  5. External drives formatted as APFS cannot be mounted on Macs running Mac OS 10.11 or older

Warning: Apple Server 5.4 removes file sharing

Server 5.4 was recently released, which requires Mac OS 10.13 or later.  Older versions of the Server app won’t run on High Sierra, so if you upgrade a Mac “server” to 10.13, you must additionally upgrade the Server app to 5.4.

As crazy as it may sound, Apple has removed many core features in Server 5.4, including: File sharing, Caching server, Time Machine backup server, FTP sharing, and Xcode Server.

Yes, you heard me right, Server 5.4 no longer provides the option to set up network file shares!

Furthermore, if you had previously set up the Server app to serve out these features that were removed, then upgrade to High Sierra and Server 5.4… too bad, you lose!

Apple is downplaying this change, dismissing most of it as a sidenote saying “Caching Server, Time Machine Server, and File Sharing advanced options are now built directly into macOS”.  This translates to the Sharing system preference pane in High Sierra having a few new features.  It now includes an option for enabling a Content Caching service, plus a non-intuitive process* has been added for configuring a network Time Machine destination or advanced file sharing.

So that’s it for me, Macs are officially out of the game when it comes to file servers.  Apple has further pushed themselves away from this segment of the Enterprise market. The Server app has become a tool targeted at Profile Management (pushing configuration profiles to iOS devices).

*I’m not recommending a Mac running High Sierra be utilized as a file server or network Time Machine destination, but the process for accessing these configuration options is worth sharing.  From within the Sharing system preference pane, enable file sharing and add a shared folder.  Now control-click on that shared folder, and select Advanced Options from the contextual menu.

History lesson
Apple’s last server operating system was Mac OS X Server 10.6.  Back in the late 2000s this was a robust server offering, and it came with a price tag of $999 for an unlimited license (then you had to spend 2-4k for an Xserve to run it on!).

In 2012 Apple introduced their $19.99 Server app, which can be installed on any Apple hardware including Mac minis.  The capabilities of the Server app were diminished, and it was clear that Apple had removed themselves from the Enterprise server market.

Apple’s $19.99 Server app has been upgraded over the years, and some features were dropped along the way (like Workgroup Manager support in Server 4).  Even so, if properly configured the Server app could do one thing well… share files out over the AFP protocol to a small group of Macs.

The Server app could also perform a lot of other “server” functions too, like mail or DHCP services, but personally I rarely recommended these capabilities because I felt they were afterthoughts and not well supported by Apple.  My mentality was “you get what you pay for”, so getting a solid Mac file server for less than $20 was pushing things anyway.

R.I.P. Office for Mac 2011 – No High Sierra Support from Microsoft

Microsoft Office for Mac 2011 has officially reached end of life, and Microsoft is no longer supporting or updating it.

Furthermore, Microsoft has stated that Office 2011 apps have not been tested with Mac OS 10.13, and that users should upgrade to Office 2016 for High Sierra compatibility.  While Office 2011 apps may appear functional to one degree or another after upgrading to Mac OS 10.13, it is not a supported configuration, and should be considered use-at-your-own-risk.

High Sierra APFS conversion formula

Upon installing High Sierra, if the boot volume is an SSD it will be automatically converted to the APFS format.  If the boot volume is an HDD or Apple Fusion Drive, it will not be converted and will remain formatted as HFS+ (Mac OS Extended).

SSD is any solid-state drive (a.k.a. flash based storage), HDD is a traditional spinning hard drive, and Apple Fusion Drives are a combination of the two.

This means that depending on the Mac’s hardware configuration, High Sierra may be running on either APFS or HFS+.

There is no way to opt-out of 10.13’s APFS conversion of SSD boot volumes, and both Apple OEM and internal after-market SSDs are treated the same.  If everything goes smoothly, no data is lost during this conversion.

If the Mac has additional internal or external volumes, they will not be converted to APFS during the High Sierra install, even if they are SSD.

Apple has also committed to making APFS work with Fusion Drives in the near future.  When this happens a High Sierra update will likely also convert them.

HDDs can manually be converted to APFS, but beta testers have reported poor speed and boot volume stability.  It is unknown if Apple will be able to address this in the future.


© 2018 ATS Blog
