Headphone jack!?
You had me there... right up until the last paragraph? Remind me again, what exactly are the benefits of removing the iPhone headphone jack (for the consumer)?
A bad analogy.
A looming set of changes to the macOS has some administrators worried that the way they manage and configure Apple systems will need switching up. Those changes, which have only been partly revealed by Apple, will see a new file system implemented in the OS and, in the process, a lockdown of key components of the operating …
Seconded. I understand *some* people are happy to *only* use BT Headsets (I do when at the gym). But the vast majority of people I see have their headphones plugged in and I never heard anyone ever say "I really like my phone but I wish it didn't have this normal headphone jack."
In fact, I remember the times when people demanded that phone makers moved away from their proprietary headphone jacks to the 'proper' one.
I love my Moto G4 because I can plug in Sennheiser PX 100-II foldaways while I am out and about and then swap them for bulkier Grados Labs SR60i headphones when I'm at home. I hate earbuds, wired or bluetoothed, they hurt my ears, distract me due to the discomfort and sound rubbish when I compare them to a decent set of wired on-ear cans. If I want to listen to music wirelessly at home I can stream music to my ancient NAD 3020 and Rogers LS2a speakers via the wifi on my Arcam rDAC.
Equipment that is attached to me has to be comfortable to use and easy to replace. Take away my freedom of choice and I will not choose your product. Simple.
comments about the walled garden getting higher walls.
Sometimes this might actually be a good thing. The hackers are getting smarter and smarter and IMHO it is beholden to the likes of Apple, Google and Microsoft to try to keep one step ahead of them.
Let's hope that Apple listens to the sysadmins' comments (unlikely though)
As for the Headphone jack, Apple did (for the time being at least) include a Lightning to Phone Jack adapter with the new iDevice. How long this is shipped for remains to be seen.
The side effect may well be to spur the development of Lightning Phones and speakers.
Apple might not be innovating but they are sure making other companies not sit back on their laurels.
The jury is out as to whether this is a good or bad thing.
Managing iOS devices is an absolute breeze with MDM. There are some hoops to jump through, but whilst they sometimes have a negative effect on the UX, they are there for good reason.
The Mac's implementation of MDM, however, isn't as good. This would be a fantastic move forward.
System Admins would freak, however, as they love a good bit of custom code. Yes, this would tighten what you can / can't do, but if you have issues with this, you need to take a step back and ask yourself if it's truly necessary.
To quote Ian Malcolm: "were so preoccupied with whether or not they could that they didn't stop to think if they should."
System Admins would freak, however, as they love a good bit of custom code. Yes, this would tighten what you can / can't do, but if you have issues with this, you need to take a step back and ask yourself if it's truly necessary.
That's a pithy little toothsome morsel, which indicates that you are not an admin. Yes, it may be true that some admins like to do touchy-feely things that are unnecessary and are primarily for the purpose of member-measuring. But one thing that you can be assured of (and that overarching tech firms need to be constantly reminded of) is that the user knows what s/he needs to do better than you do, and that said user is also smarter than you. Stated another way, as I constantly yell at my machine, "Stop helping! You're not smart enough to help!"
"Sometimes this might actually be a good thing. The hackers are getting smarter and smarter and IMHO it is beholden to the likes of Apple, Google and Microsoft to try to keep one step ahead of them."
Doing so at the expense of sacrificing control over one's own computer is not how to keep a step ahead of "them hackers", quite the contrary.
The hackers are not that smart, you're confusing the fact that there are a lot of clever people part of the hive-mind (interwebs) with all hackers being that smart.
Usually the vast majority of hacks are either bad defaults, laziness, sheer incompetence or user error.
Good luck fixing those with double root and a complicated permission-policy model, these have been proven time and time again to prevent hacking.
Complexity... complexity is not going away, it is increasing...
The problems with walled gardens and locked down systems designed to be controllable only by the manufacturer are that
a) you have no way of hardening them yourself (eg. custom mitigations)
and
b) it might be harder to compromise them, but once it happens you are screwed - no way to detect it, and possibly not even any way to fix it. At least not without hacking it yourself, in which case you end up with an open non-walled-garden device.
So if your threat model actually includes sophisticated attacks (state sponsored attackers or whatever today's definition of sophisticated attackers is) then it's a useless concept.
On the other hand, if your threat model is run of the mill malware (adware, ransomware, etc) then it doesn't actually need to modify the underlying operating system in any way to do its business (and if it currently does, then the business model can easily be adjusted to not need it anymore), and thus is a useless concept.
So that leaves ... what, exactly?
Am I to understand we're supposed to get excited about a management solution for shiny non-maintainable non-upgradable devices?
I'm not talking about iDevices but what Macs have become. They made a conscious decision to glue up and limit the hardware in 2012. Four years later they're unsuitable for corporates.
Quote
Four years later they're unsuitable for corporates.
This seems to be opposite to what the likes of IBM are finding.
Perhaps a device that can't be meddled with is just what 'corporate' IT Departments want?
Your guess is as good as mine.
However, the jury is very much hung when it comes to the new MacBooks.
As someone who manages Macs and hundreds of iPads and has Mac servers...
Any kind of useful administration tool is welcome.
MDM is a start, but it's bog-useless for anything compared to its rivals (Chromebook management is a breeze, iPad management is a pain in the arse and some things you JUST CANNOT MANAGE).
But Macs have next to nothing. Hodge-podge, this-and-that, scripted-together junk if you want to do anything vaguely interesting and authenticating against LDAP properly has only been available for a few years. Before that, it needed all kinds of Mac servers playing go-between.
I'd quite like Macs to just log you in (from any authenticated source), create a default profile, give the user mapped drives and printers, and configure settings to turn stuff on and off without having to jump through ENORMOUS hoops and then again for each time you deploy it. To do so takes approximately 10 times as long to set up from scratch as a Windows server to do the same for Windows clients.
"I'd quite like Macs to just log you in (from any authenticated source), create a default profile, give the user mapped drives and printers, and configure settings to turn stuff on and off without having to jump through ENORMOUS hoops and then again for each time you deploy it. To do so takes approximately 10 times as long to set up from scratch as a Windows server to do the same for Windows clients."
Basically Windows equivalent of GPO but better and less chaotic? Although, I remember a Mac-managed network not being as difficult as you describe back in 2008/2009. Yes, the Mac OS X Server being a requirement to bridge a Win-AD domain back then to work to some degree for user integration etc. I've seen native LDAP/AD getting better, but the beauty of a Mac is that the "lack of management" to some degree worked quite well in SMB because they just "worked" rather than needing lots of startup scripts in the Windows AD world plus GPO.
I don't get why big corporates haven't moved on to something such as Chef/Puppet to do centralised config management of desktops/laptops. Especially for Mac/Unix.
Agree with your comments here.
I would also add that Apple has been moving more and more away from decent software over the last few years. OS X Server is a pile of utter crap (I tried to use it for two years and gave up), it's too expensive at £15 or whatever it is now. We could manage around 400 Linux servers with less hassle than one Mac OS X Server.
Every decent piece of Apple software has had little effort to upgrade it,
Aperture gone.
OS X Server - Steaming pile of junk
FCP X - Small interface changes in latest build. Still can't use three fucking monitors on a professional video editing system.
Pages - My seven year old daughter thinks it's limited for her
Numbers - My ten year old daughter thinks it's limited for her
Apple Remote Desktop - Nothing new for two to three years
Quick Time Pro - Abandoned
Apple iTunes - Possibly the most bug ridden cess pool of software from Apple. Each new 'upgrade' brings more and more problems. The latest is the complete loss of Album covers. Utterly, utterly fucking useless.
Apple Xcode - More and more complicated as they try and shovel more stuff into it. Sometimes the automatic key signing doesn't work and you have to keep doing the software equivalent of ctrl-alt-del. The iPhone simulators are nice for testing your screen design but can't handle payments, simulate moving (rather than static) GPS, handle any notifications at all.
Photos - The replacement of iPhotos and Aperture. Well they took all the nice advanced features of Aperture and looked at iPhoto and thought, 'nah, fuck the users, we'll add in a couple of trivial features to iPhotos, dump all the nice things Aperture could do and tell them it's great and just what they've always needed'. As a bonus, we'll randomly choose one in a hundred people and throw all their photos away.
The point I'm making is that Apple no longer makes decent software, they have zero understanding of the corporate management area as they can't even make a decent fucking word processor anymore. I will note that OS X is pretty good, but christ the default Apple File System is creaking at the seams and has been for the last 15 years. I honestly don't think Apple has the internal smarts anymore to write enterprise software, this stuff is hard. It may well be that Apple is cozying up to IBM to get their hands on IBM's management software, but I have no idea what that might be, Tivoli something or other, christ, I'd rather poke my eyes out with a sharp stick, smother the bloody holes in honey and push my head in an anthill of Mexican fire ants than use that rubbish again.
I'll believe Apple writes decent management software when I see it and can try it, until then it's just vapourware.
>I honestly don't think Apple has the internal smarts anymore to write enterprise software
Sadly, I agree. This move has epic disaster written all over it. Apple not only can't write good software, it can't imagine good software. Its trajectory is entirely in the wrong direction.
OS X Server used to be okay - not great, but solid enough for its target market. Then they gutted it, replaced its features with some colouring-book control panels, and failed to make its internals actually work consistently and reliably.
The end result is that if you want a web server on your Mac, you have to install and configure a stack manually from the command line - which is far beyond the skills of a typical Server user - or patch together a collection of third-party apps like MAMP.
Server shouldn't be a difficult product to get right. In fact Apple from 2006 more or less managed it.
But the Apple of 2016 can't. So the odds of getting an enterprise upgrade right are literally zero.
That's exactly how they already work when bound to Microsoft AD and enrolled in Apple Profile Manager with suitable settings applied for AD users, AD groups, PM computer groups etc...
"I'd quite like Macs to just log you in (from any authenticated source), create a default profile, give the user mapped drives and printers,"
Since I haven't seen an enterprise that upgrades ANYTHING in a computer other than software once it is provided to a user in over a decade, I don't think it matters at all if RAM is soldered in and stuff like that. No one is upgrading RAM or hard drives in the field. To the extent that matters, it's taken care of via their 3-5 year replacement cycle.
No RAM/SSD swap or upgrade ever in five years? You must work in one of those places where they have money to burn.
LOL, you wouldn't think so if you talked to our accountant, but you do indeed touch an important point: money. It is exactly because we calculated the costs of hardware and the realities that surround it that led us to using MacBooks. Because of what we do, we have very strict requirements for data protection and confidentiality, as well as a need to be fully auditable (no, it's not as big a conflict as you'd think :) ) and those needs are far easier to satisfy within a sensible budget with MacBooks than with any other platform.
If you look at the TCO of a MacBook over time, it's a big (huge, massive, etc) spike at the beginning, followed by a crawl along the very bottom of the curve afterwards. We rotate out MacBooks every 4 years (which also allows us to benefit from the payback from Apple for old machines, thus freeing us from any disposal costs and environmental issues), and in our experience they perform well in that time. We tend to spec the machines quite well too, so we do not NEED to upgrade anything - which means we don't have to keep loose spares either - we just have a few backup machines.
Software for Macs is cheap if you avoid Microsoft and Adobe, and as those tend to be unsafe too we found other alternatives. Decent crypto is part of the OS so you don't have to spend lots of money on adding that either, and keeping it patched is again not much work. We thus have decent, safe machines we can use worldwide (within limits - we have machines in the US so nothing needs to be carried across that lawless place called US Customs, and that applies to a few other countries as well), and that are supported wherever there are Apple shops without having to take out the sort of worldwide contracts we had to use when using Thinkpads.
From our specific IT use, burning money would be using Windows. We couldn't afford the waste of time and resources to keep that anywhere near as safe and usable than we have almost by default with MacBooks.
Note, however, that I say MacBOOKs. We only have a few desktop machines - most of our use is MacBook plus PC screen (not Mac). I personally have an Ultrawide screen on my desk which has only set us back for £300 or so (it's a 2560 x 1080 29" LG thing) - I prefer that over the Apple screens and it's *FAR* cheaper. We use Apple where it makes sense, but for desktop use we use PC screens and Logitech Anywhere MX mice because they work better for us (I'm happy with that, I never got on with the Apple mouse).
As I said before, it's about intelligent use of your funds. The shiny is nice, but less relevant :).
You say that you are freed from disposal costs of the old equipment, but then you say you have "very strict requirements for data protection and confidentiality" and "a need to be fully auditable" . I presume you remove and destroy the storage devices before returning to the OEM? Or do you trust the OEM to do the right thing, and generate an audit report that says "A OK!" Yes, the data on those devices is encrypted, but once you have the key at any time in the future, you can view the data.
I enjoy working for an organisation that does physically destroy storage devices on site. I like destroying stuff. It sounds nice.
I'm not talking about iDevices but what Macs have become. They made a conscious decision to glue up and limit the hardware in 2012. Four years later they're unsuitable for corporates.
Quite the opposite. In our setup, anyone who handles anything remotely confidential now has these machines mandated. If you set a boot password, enable FileVault and set a decent user password it becomes impossible to bypass the device security. The result is that theft becomes pointless from both a value and a data leak perspective as it's impossible to access the device, or to reformat it - that works its way back in insurance (we still Smartwater them, though, the insurance makes us) and lower data loss risks - and a chance to get them back when lost (ours all have "reward when returned whole" messages on them).
The lack of user changeable parts also means you don't need to keep/manage stock and by normalising connections to 4x the same port it also finally gets rid of the connector game. You know what one end has to look like, the other end is determined by what you need (although I've already seen boxes with multiple I/O like screen, LAN and audio). If one port breaks or wears out, you have 3 more.
Last but not least is the fact that an honest ROI is not just determined by the machine, but also by the effort and resources to keep the machine safe, the cost of software and the stability of its user interface as change slows down users. Well, that's the real pain point for Microsoft users: Mac software is generally much better priced, so even if we leave aside that the usability also makes people more productive you tend to come out on the plus side for Macs.
Some private banks we work with worked this out years ago, and believe me that they count every penny when it comes to IT. The cost of a Mac is its initial outlay, not its life. Its attraction for corporates doesn't come from being shiny or some cult status, it comes from simple cost metrics.
I cannot say for your experience or others... but in the enterprise levels (and below as well) that I have been directly involved with... we have service contracts with the OEM and simply just ship off the bad and provide a replacement to the user. This speeds up the process for us as well as limiting the number of employees we need to manage the support process.
With this in mind... then who really cares if you can repair yourself... who really wants that overhead and expense?
I never buy Applecare or take my machines in for service. I fix them myself, so far have been fortunate not to have to redo any SMD issues. I do have a board to reflow someday when my nerves are of steel. If I take my MBP back to Apple because of a not-quite-dead hard drive, they essentially have my data. Yes, Filevault *may* not have a back door and so it would be perfectly safe to return a drive so encrypted.
So now there is no choice other than purchasing a new machine. If your company feels fine with returning the machine complete with data to Apple that's fine, but I won't do it with my mere personal data. Apple is building lots of data silos just like all the other farmers.
Best thing to do with a new mac is remove all the Apple crapware first thing. I have a feeling that scheisse like iTunes will now be considered integral system software if MDM is fully implemented. Mr. Cook is starting to resemble a certain character in a notorious commercial aired in the 1980's by a fledgling computer company that was going to change the rules for the good.
There is no one at Apple who has the vision required to make the changes they are making, it is mere blind striking out and technical frustration that lead to the monoport idea.
I'll miss being able to test the MacOS built-in VPN client, I guess we'll have to stop supporting Macs.
We've been using Viscosity for *years*. There are 2 things that could be better with Mac connectivity, and VPN support is one of them - once we started using Viscosity at least VPNs are no longer an issue.
The other thing is webdav, that's very slow on a Mac. Installed MacFuse, licensed Mountain Duck and presto, we moved from a problem to a pushbutton-simple solution.
MacOS is quite a *good* environment, but I'd be lying if I'd say it was *perfect* :).
"Those who aren't making enough money to afford a real Mac aren't developing apps that anyone will miss."
I hope you didn't intend that to read as offhandedly as it does. Truth is, there are many popular free apps, and the "Store" model makes it very hard to secure an income from what is by now a static user-base.
Lots of apps actually lose money for their developer if you do a proper financial analysis; no big deal if it's a hobby, but if it's a hobby it can be abandoned if the dev gets sick of buying so much hardware just to do proper testing (Apple are most guilty of this). Also, some apparently successful products are actually burning through past revenues to mask declining sales. The lack of a credible "upgrade pricing" mechanism in Google and Apple's app stores is the cause here - a customer who pays the couple of dollars once gets the app, and support, forever.
But apparently, making money is optional these days: if you get right down to it, Twitter, Inc. "can't afford a real Mac" either, and I guess people would miss it if it disappeared.
Makes me wonder how much of this is targeted at the steadily growing (especially after the latest MacBook Pro announcement) Hackintosh community?
I don't think so. That community may be growing, but it would not be worth the effort both in numbers and impact. You could say that a Hackintosh is a lost sale, but I personally think that a Hackintosh is more likely a pre-sales state that eventually may lead to a sale, pretty much like a Youtube music clip tends to lead to sales after people first just use the rip. It's free marketing, not a threat.
However, Apple is undeniably on a path that leads it to cross the same organisations that also should use their kit to finally bring some security into their operations: agencies. Unlike other organisations who use their marketing teams to push out pretend security efforts, Apple actually *does* something in real life, and for very simple reasons: it makes money doing so.
The money making aspect is what matters (after all, it IS a US company), Apple has seen quite early on that protecting customers will benefit the company. How that will play out in Trumpland has yet to be seen, I suspect there will be a fair amount of conflict ahead.
I expect this won't affect them much as long as you are doing things in user space. What may well go away is any kind of root access to core system files.
Won't be a big problem for most people until Apple does something deeply unpopular and it's impossible to tweak your way round it (think of the planned obsolescence of older mac hardware via dropping support in macOS that can at present be bypassed fairly easily with a few modified system files)
Sierra already has /bin, /sbin, /usr locked by default, even for root. (This is the "System Integrity Protection" feature.) However you can disable that from Recovery mode.
It's uncommon to need to change something under these directories manually, but it does happen. Last time was when the Bash Shellshock bug was published and Apple took its bl**dy time for providing the fix. I ended up compiling the patched code myself and installing under /bin/bash .
Most of the UNIX tools like brew install their own binaries and modify the path to make them accessible, I suspect that won't change much. I can see challenges where software tries to install resident services or push crontab entries, I suspect there will be some form of permission model that only makes that possible with admin rights.
That said, in a corporate environment I'd be happy if I could make sure that nobody installed anything without permission, trojans are a problem irrespective of what platform you use. We've had a few situations in companies where we had to clean up after staff were given too many rights and ended up with copies of Open Source software from less trusty places which came with all sorts of "features".
One of the fun benefits of Mac platforms is that you can get a heck of a lot of functionality in play without spending much on software, which means that you can create a default build that most people are happy with, and license management is also simpler (and less costly). The result is that you have much simpler and thus usually faster processes to get authorisation for something extra.
Unfortunately, Mac management is (IMHO) a bit immature compared to corporate PC environments, but we're presently evaluating products from an outfit called Snow software after we came across them at a client which look promising in more ways than one as it also simplifies MDM for iPhones and the like. What makes it attractive for us is that it's a non-US company, but the problem is that the control servers are Windows based. Given that the platform would exercise control over all our hardware, there is no way we would ever put that on a Windows platform, not even in a VM...
As I understand the process, it is quite optional. One can (follow instructions) revert back to a more "open" system.
I just don't know if this is how shops will do this function, but it is an alternate path. I suspect that the reason is to dry up malicious software so it can do little harm. At least the company is trying to make things "secure". I can't speak for the company up north.
I'm more interested in the improvement to the Apple File System. My (limited) experience with Apple Servers and Clients at a print shop had the interesting experience where the clients would (apparently) constantly attempt to rebuild the resource fork on the server shares resulting in the browser taking 30+ seconds to generate a file list of the 1,000's of graphic files in the share.
Meanwhile the Windows ( mixture of XP and 7) clients connected to the same Mac Servers would show the list in Explorer in a second or two, making them faster in general to use. Which seemed pretty stupid to me that Windows worked better with Mac Server than Macs did.
Will this fix it? (Asking purely out of idle curiosity as I no longer have to look after printing company's TYJ).
When was the last time Apple cared about any Customer Concerns, much less Apple Network Admins? Seriously, how many companies are actually running Mac Networks? I'm not referring to Macs connecting to Windows Networks. Apple stopped selling Mac Server Blades and chassis how many years ago? Oh wait, "Mac Mini Servers" are supposed to be running networks? LOL!!!! Doesn't seem like Apple is really interested in gaining any foothold in the Enterprise for Macs. IOS is another discussion, entirely.