Episode 292: New Apple Documentation

Apple continues to get better and better at documenting not only APIs but also the Apple Platform Deployment portal that contains plenty of information on how Apple intends for administrators to centrally manage their devices. In this episode we’ll look at a couple of new ways to peruse the docs as well as some insights about device management that can be had by looking at their change control system. 

Hosts:

  • Tom Bridge, Principal Product Manager, JumpCloud – @tbridge777
  • Marcus Ransom, Senior Sales Engineer, Jamf – @marcusransom
  • Charles Edge, CTO, Bootstrappers.mn – @cedge318

Transcription of this episode brought to you by Meter.com


Meter is the easiest way for businesses to get internet, networking, and WiFi. Our full-stack approach combines hardware, software, and operations so that any company can seamlessly run on a reliable and modern network.

  • Streamlined installation: We take on the complexities to make designing and deployments easy, fast, and stress-free. We manage the entire installation process, and provide ongoing maintenance and support.
  • Network hardware, security & management: We design and build our own controllers, switches, and wireless access points. After the network is deployed, review your speed, usage, and security in one unified dashboard. No need to hire vendors in every location or have IT teams fiddle with manual configurations — everything is automated with our software.
  • Simple pricing: Pay one monthly rate with no up-front costs for installation, configuration, or hardware.

James Smith:
This week’s episode of the Mac Admins Podcast is brought to you by Kandji. Automation in IT is a hot topic and for good reason. Automating repetitive tasks frees you to focus your skills on more strategic projects that move the needle for your organization. Kandji, the Apple device management and security platform, features over 150 pre-built automations to multiply your effectiveness and impact daily. To see how to take the repetition out of your to-do list, visit kandji.io, that’s K-A-N-D-J-I.io.

Tom Bridge:
Hello and welcome to the Mac Admins Podcast. I’m your host Tom Bridge. And, Charles, you’ve lost the battle against the leaves in previous weeks. You’ve now lost the battle against the ice and snow. How goes your Thanksgiving prep?

Charles Edge:
Oh, Thanksgiving prep goes great. Getting ready to bake all the things. How about you, Tom?

Tom Bridge:
We are getting ready to bake all of the things. We traditionally host for Thanksgiving and so we put out the call, see whoever we get. We did our test turkey on Saturday.

Marcus Ransom:
I did see that.

Tom Bridge:
And it was a top five turkey. Oh yeah. So we had a big Friendsgiving this weekend. And so I was voluntold that I had to do the turkey by the organizer and so I went out and found a 24 pound turkey and brined that bad boy for a solid 14 hours and then baked it off and it was a champion turkey. It was amazing. So I’m ready. But I think we’re going to have a dozen for Thanksgiving day, so it should be a pretty good time.

Charles Edge:
That is dedication. I’ve never…

Tom Bridge:
Yes.

Charles Edge:
Yeah, I’m way too lazy for that.

Tom Bridge:
Honestly. The thing I love about turkey is it takes a long time, but it’s not active time. It’s a lot like waiting for your code to compile. That is 100% what happens when you put your-

Charles Edge:
You’ve got to [inaudible 00:02:11] regularly.

Tom Bridge:
Well, I was going to say you don’t with a brined turkey, it’s just in there and it’s just doing its thing and so you go and check on the temperature once in a while. But three and a half hours after I put it in, I went and just poked it with a stick and said, how you doing? And I had about an hour to go from there. So it-

Marcus Ransom:
It had stopped gobbling by that time had it, Tom?

Tom Bridge:
It had stopped gobbling at that point and had stopped moving, so that was good because it’s bad if they start to run away, so that’s turkey on another scale. But how are things by you Marcus? How’s the springtime?

Marcus Ransom:
It’s very much feeling like winter at the moment. It’s currently 12 degrees. You may start hearing whistling in the background, which is a window that’s not quite sealing properly because the wind is extreme, I would say, at the moment. So looking forward to summer where maybe I might be able to go outside without a coat on or something like that.

Tom Bridge:
Spectacular.

Charles Edge:
What’s your turkey understanding or situation or how do you do turkey?

Tom Bridge:
That’s a good point.

Marcus Ransom:
Well, we do turkey for Christmas, which is-

Tom Bridge:
Okay.

Marcus Ransom:
… odd having the full baked dinner for Christmas when Christmas here in Australia is usually pretty hot.

Tom Bridge:
Midsummer?

Marcus Ransom:
Yeah. So a lot of families will also then substitute seafood, so you’ll have king prawns and lobster and things like that. But, no, turkey in the oven, basted, really nice stuffing, lots of roast vegetables, is really my experience. I think I’ve done a turkey for Christmas twice. I do recall my sister’s first attempt at a turkey back when we were both in university and decided to have my grandfather down from the country to have a pre-Christmas dinner with us both. And she’d cooked a roast chicken and her theory was a turkey is just a big chicken really. And had not taken it out of the freezer, so it got two hours frozen in the oven.

Tom Bridge:
Oh no.

Marcus Ransom:
She did a really stellar effort of trying to carve it because it was still pretty much frozen. The meat was a luxurious bright pink and we all agreed not to eat it, that that would be the safest thing.

Charles Edge:
Safety first.

Marcus Ransom:
Exactly.

Charles Edge:
Yeah, safety first.

Marcus Ransom:
Her culinary skills have come along somewhat since then, but that was a good learning experience for us all in the days pre-internet that maybe reading or practicing beforehand as you clearly do, Tom.

Charles Edge:
Well, speaking of reading, today’s episode, Tom, do you want to take us through the…?

Tom Bridge:
Yeah, well, Apple continues to get better and better at documenting not only APIs as a whole part of their documentation, but also the Apple platform deployment portal that contains plenty of information on how Apple intends for admins to centrally manage their devices. So in this episode we’re going to take you through a couple of new ways to peruse the Apple platform deployment guide as well as some of the insights around device management that can be had by looking at their change control system. Obviously, Apple has been through a lot of different mechanisms over the years for telling admins all about how their platform is supposed to run, how MDM is supposed to work, and all of those things. I particularly remember some very dark days where there was one PDF behind a paywall for the MDM specification. And I’m grateful that those times are long since gone.

Charles Edge:
Not only paywall, but invite wall, invitation wall.

Tom Bridge:
Oh yeah, I was going to say, it wasn’t that anybody could get their hands on the documentation at that point. I think Apple learned their lesson on that one and I’m glad they did.

Marcus Ransom:
I have to say, I remember the dark days before Apple had their enterprise networking document and working with network architects with customers and having to try with a straight face of pointing them to a phenomenal piece of community documentation by Richard Purves called It Hurts When IP Address.

Charles Edge:
I remember that.

Marcus Ransom:
And having Richard’s heard me tell this story many times of no, no, honestly this is not a joke. No, this is really not a joke. We need you to follow this document please.

Charles Edge:
And in Apple’s defense, I think that when it was behind that, not paywall, but invite wall or whatever, when only the cool kids could play, I feel it had more to do with the reaction to the security issues that had come out of profiles before that. Remember when there were websites, and I’m sure they’re still there because nothing ever disappears from the web, but remember when there were websites where it said, click here to download this thing and then all of a sudden all your traffic was going through a proxy because it installed that profile payload. I get why. And then I think it was awesome timing to open it up. And I feel we’ve seen a lot of innovation, to maybe hopefully not use a buzzword, in this space since it was opened up, the level of understanding, the new entrants into the market, et cetera. So all’s well that ends well. But what we’re going to be talking-

Tom Bridge:
Indeed.

Charles Edge:
… about is the new updates to the Apple platform deployment portal, right?

Tom Bridge:
Yes. And it’s really exciting to see the changes that have happened this year because one of the big changes that we got this year is a new revision history page. And it lets us see what got added, when it got added, or more importantly also what’s changed over time. These revision history moments are a great way to see, hey, what got changed? You can see that on October 24th this year we got a brand new update and I was psyched to see, if nothing else, but for Marcus’s sake, that the new name for the release of the platform deployment guide is not fall 2022, but October 2022 because it’s not fall everywhere.

Marcus Ransom:
And also as we keep saying here in Australia, the only fall we do is when we fall over as well. So we don’t even actually call it fall, but allow us to give a document a date in time, not introduce more ambiguity. So very much appreciate a simple language change there that makes it a lot easier to know whether you’ve got the right document or not.

Charles Edge:
And one of the things that I really like, there were some projects to look at differences between APIs and differences between documentation before, but getting it straight from the horse’s mouth is so much less work and…

Tom Bridge:
Oh God, yes.

Charles Edge:
And it saves so much time because you just look at what’s changed and you jump into those articles and look around for what the latest OS version number is. Because normally it’s like some text that maybe preexisted and then all of a sudden this OS version and when you find that OS version you’re like, oh I see. So this is what they added that they’re talking about for X.X. So I think that one feature is the most newsworthy piece even though we’ll go through, I guess, a whole bunch of stuff, right?

Marcus Ransom:
Yeah. Certainly being able to very quickly understand what you need to focus on, but also the breadth of it. Like, okay, am I going to have to put aside three weeks to actually get to the bottom of this or is this going to be a couple of nights of reading rather than reading the whole guide, but also to be able to quickly understand are there any topics in here that are calling out to things I’m about to implement that maybe I need to jump right on straight away rather than discovering after the fact that there were some important changes buried in a document? So what were some of the changes that we saw in there?

Charles Edge:
To me, one of the first things that jumps out is how to use MDM to manage background tasks because that was such a big… I guess, before we get into any specific ones, we can actually just say there’s calendar contacts, declarative management changes, eSIM, and a lot of language cleanup. But to me, one of the biggest changes is going from system preferences to system settings and then some of those new panels in there. I don’t actually know what the right word is. So hopefully no one at Apple’s going to message me and say, “You got it wrong.” But the ability to see and disable or enable those background tasks and then Apple making it explicit and laying out the nomenclature for the attributes and system library private frameworks, background task management framework, versions A, resources was a bit of an eye opener, if that makes sense.

Tom Bridge:
Well, yeah. And as we went through the beta cycle this year and we started to see these alerts come out for the very first time and start to see them get persistent, for example. When items were updated when they were not managed, you would frequently get another round of notification updates, not just during the beta cycle now, but with 13.0 and 13.0.1 starting to see and understanding how to control the notifications that are specified to your end users as well as the behavior of those items is so important. And so to be able to not just get instructions from Apple on how to properly identify those background task management items, but to fill in the MDM profile that you need to deliver whether or not your MDM supports it as a standalone profile type.

Charles Edge:
Yeah, I think the one interesting thing is “helper apps”. The things that are in there, once upon a time you had kexts and you had startup items. And now, so in security and privacy, sorry it took me a second to remember what that looks like.

Tom Bridge:
It’s the other way around now. It’s privacy and security in Mac OS 13.

Charles Edge:
Well, in there we can enable and disable all of the different types of extensions that can load from different apps. And when I say all, I don’t really mean all, I mean some. But then those helper apps and using MDM to manage that, it’s just a whole new paradigm. I wish it looked a little bit more like OS 9’s extension manager and worked a little bit like that. I wrote an article last week digging into how these things dynamically load from the various places that they get dropped. And it’s a teeny bit of the wild west but not at all. But it is per extension type, different for different extensions. So it’s interesting to see it laid out for MDM. But also on the developer side, having written a couple of these extensions, it’s totally not using the same nomenclaturing. It’s totally not the same.

Marcus Ransom:
But I think given the amount of work we saw during the beta cycle with this functionality, seeing how much has gone into the documentation around it, I don’t know, not having any insight into what Apple’s doing and where things are going, but to me this seems to me like this is going to be an area we’re all going to need to pay a lot of attention to ongoing. This may not have taken its finished form yet and there’s a lot to happen here based on what we’ve seen happen with manually installing configuration profiles, all sorts of other privacy and security functionality. Preventing bad people from doing bad things to devices or preventing users from seeing what’s going on in their devices is clearly going to be something we’re going to be looking to.

Tom Bridge:
I did like seeing a little bit more information about things like rapid security response. As of the release of this episode, there’s been some interesting developments in the Apple SEED portal around the release of the first rounds of test updates for rapid security response so that you can try it out, see what’s in the feeds for iOS devices. Obviously not yet available for Mac OS devices, but it’s sounding like we’re going to get some RSR updates in the future here. We do get some control over that [inaudible 00:16:32] and there’s a pair of keys in the restrictions payload that seem to me, if one then not the other. But then if the other one then maybe this one also, which is to say you can control whether or not an RSR update is automatically applied to systems. You could say, “Hey, you know what? I really don’t want any RSR updates as an admin.” I don’t know why you might say that except in certain circumstances where your key three tools that are maybe not certified for rapid support response or rapid security response updates.
So those are the things where you think about movie studios and other major network things. You might want to just say, “Hey look, I’ll just wait for the next minor.” Alternatively, you also get the control to, as an admin, say, “Hey, you know what? I really do want that rapid security response update to be installed and I don’t want my users to be able to remove them.”

Charles Edge:
“And I want this control without Rapsodo.”

Tom Bridge:
Yeah. Right?

Marcus Ransom:
But look, this is getting organizations to the position they want where they’re saying we might want to test this where we know that our organization potentially has some precarious dependencies. We may be going into a really busy weekend where there’s a huge major event that the organization is supporting. And the decision is made over potential security risk versus catastrophic downtime that this is not happening until Thursday. And organizations now at least have the ability to do that. Or they may just want to say, “You know what? We’re putting it on these five devices first and once we’re comfortable.” So it may only be deferring it for a day or half a day, but at least organizations have that ability to be able to do that. And then maybe after six months, 12 months, however many OS cycles of these rapid security updates, they actually just go, “You know what? These are pretty good now, we can be done with it.”

Charles Edge:
And I love the fact that the software update section also includes information about GDMF.

Tom Bridge:
Yes.

Charles Edge:
I feel like I’m going to end up making some bad KMFDM or some acronym faux pas.

Marcus Ransom:
KLF [inaudible 00:19:13].

Charles Edge:
Exactly. But laying out, I think, the specific keys and the exact JSON that’s required in each place that it might be required in order to set the deferrals, configure public assets, all the things. But those deferral keys that you mentioned, like Apple has a table in the documentation that lays all that out. And I can say as a developer, you semi-hate documents like this because now you are beholden to what it is knowing that this document is going to have to get translated into how many languages, and every time there’s a change, it’s going to take months to roll out and potentially end up being a liability if you get sued because something wasn’t in the right place or in the right language. So more power to them for biting this bullet because it’s a lot of work and it’s very much appreciated.

Marcus Ransom:
Speaking of localization as well, when this document first came out, there was a lot of gnashing of teeth from those of us who didn’t live in the United States because we weren’t able to access this document because the localized versions were not yet available. And so, no matter where you were, it would revert back to-

Charles Edge:
So you’re saying you need me to put a VPN at my house for you?

Marcus Ransom:
Well, we tried VPNs and it wasn’t working. It turned out it was the locale of the machine that was setting it. Some browsers, some didn’t. But fortunately Canada came to the rescue and if you browse the Canadian version of the document, you got the right one. Having said that, whilst that was not great, I think it was less than three weeks later we got the localized versions. Now that’s something that’s unprecedented in getting localized versions that quickly. So tip of the hat to the team at Apple for getting those out the door so quickly because it’s important to be able to read the right documentation, be able to give customers the right documentation and to not have to-

Tom Bridge:
Not to mention the right documentation with the right number of Us in it.

Marcus Ransom:
Exactly. We don’t want any Zs, they’re all zeds, those sorts of things, but…

Tom Bridge:
That’s right, they should be Ss.

Marcus Ransom:
We can often-

Tom Bridge:
Too many Ls in enroll.

Marcus Ransom:
Exactly. It’s very easy to criticize when things are not available, but understanding the work that’s required to actually deliver this, when you see what’s involved in ensuring that this document is still correctly interpreted in the language that’s used, wherever that may be being read. So I very much enjoy being able to just browse to the latest documentation here and not being confronted with words that are spelt incorrectly.

Charles Edge:
So who wants to unpack the ACME acronym?

Tom Bridge:
Well, I was not aware there was going to be complicated math today. But no, no, no, dive right in, Marcus. You jump in here.

Marcus Ransom:
Well, this documentation, despite having read about ACME so many times since managed device attestation was announced at WWDC, this documentation is literally the first time I have noticed what ACME actually stands for. So automated certificate management environment, which makes sense. I’m just wondering why Wile E. Coyote needed so much of this over the years or I don’t recall seeing a single certificate in any of those episodes. But this is great to see the documentation because this is also something that I imagine I look forward to this being a priority for MDM and this being implemented in MDM to be able to use for, say, identifying the devices you’re managing, other devices they’re managing. But where I’m really excited is being able to use this for protecting access to infrastructure, which is going to require other vendors to get on board and understand it and having great documentation so that they can understand why they should trust this far better than whatever harebrained ideas they’re using at the moment.

Tom Bridge:
Well SCEP.

Charles Edge:
SCEP we had since iOS 4 or whatever it was.

Tom Bridge:
Yeah, well, and we’ve had SCEP as a concept going back into the ’90s.

Charles Edge:
Oh yeah.

Tom Bridge:
It is an ancient protocol that predates a lot of the security features and functions that we’ve had for all these times. And SCEP, I think the phrase I think that goes around is, “It’s secure enough.” That doesn’t mean it is secure, but it’s secure enough.

Marcus Ransom:
Well, it’s better than not using anything.

Tom Bridge:
Yeah, correct.

Charles Edge:
I can’t crack it. So it’s pretty secure.

Marcus Ransom:
It’s safe from Charles.

Charles Edge:
Not that that’s saying anything because I’m not very bright. But it is worth mentioning that the long term replacement for SCEP is ACME, correct?

Tom Bridge:
Yeah. Yes, that’s right.

Charles Edge:
It’s potentially a lot of technical debt for various MDM providers, although you get a lot for free in terms of API endpoints. So it’s not-

Tom Bridge:
Oh, for sure.

Charles Edge:
… as big a deal.

Tom Bridge:
And there’s tons of good libraries out there if you’re looking to do it on the back end. So it does not appear to be a huge and heavy lift. And no one’s going to say deprecate your SCEP endpoint in favor of an ACME endpoint. This would be adding an ACME endpoint to your environment to see, hey, what can I do with this? But ACME does some really, really cool things with the hardware bound key. Now, it’s not supported yet on Mac OS, this is iOS and iPad OS only.

Charles Edge:
And 16 and up.

Tom Bridge:
Yeah, iOS 16 and up. So recognize that you’re limiting your audience there a little bit. But, hey, if you’re going to be specifying an elliptic curve private key and public key, there’s also the possibility for you to be able to say, hey, store the private key for the cert in the secure enclave. And so essentially there you get a really hardened identity that can be essentially not extracted by attackers at that point to really give you the kind of certs that you can trust for device attestation and knowability.

Charles Edge:
TPM management or TPM integration to validate that a device is a genuine Apple device and the specific Apple device that you want to be communicating with, is, as far as modern cryptography goes, the best way to block true man-in-the-middle attacks.

Tom Bridge:
Exactly.

Charles Edge:
It would be hard to imagine, no matter how good a state sponsor is to break into that communication paradigm that is really feasible given just the strength of those keys and the validation that can occur on the device to say only do this when this happens.

Marcus Ransom:
So if I’m right in understanding how this works, it’s not just that the private key is stored in the secure enclave, it’s also generated there in the first place. So that’s-

Charles Edge:
Correct. Yeah.

Marcus Ransom:
… really beneficial.

Charles Edge:
The secure enclave can only ever store things it generates. So you get an API endpoint as a developer and you can generate certificates all day long or keys for certificates all day long that are stored in there and then you have something that can unlock that. So…

Marcus Ransom:
Things can go out of there but not in there.

Charles Edge:
Yeah, nothing ever goes in there.

Marcus Ransom:
Yeah.

Charles Edge:
It’s a PROM so to speak.

Marcus Ransom:
And I think that’s to simplify things.

Charles Edge:
And I’m ducking because that’s a gross oversimplification.

Marcus Ransom:
But the idea where security conscious organizations keep saying we want to store something in the secure enclave to protect it. And it’s really flipping that the other way around where it’s saying, rather than you create a secret and you store it in there, it’s like just let the secure enclave create the secret, it knows. That’s the only way we can know that this is only this device. We can mix that secret with other secrets to institutionalize it.

Charles Edge:
And that’s cross platform. Every TPM chip works this… Including the little USB drives that we all used to put our fingerprint on pretending that was secure back in the…

Marcus Ransom:
Yeah. So plenty of documentation here to nerd out over, to understand how Apple is letting us leverage this mechanism to be able to do things. So lots of fun bedtime reading here on ACME.

Charles Edge:
And there’s a really funny note and we’ll include links to all of these in the shownotes, but there’s a really funny note in the ACME page that says, “The secure enclave has very strong protections against key extraction, even in the case of a compromised application processor.” I can totally see the guy that wrote that giggling. Like, “He-he-he. I wrote an awesome sentence, I’m going to call that out as a note and put it in italic,” except there’s no italics because it’s Apple.

Tom Bridge:
We just talked about the ACME protocol, but that didn’t really touch on the managed device attestation side of the house, which is something that’s new and available for iPad OS and iOS devices, whereby essentially you can… I’m trying to figure out exactly the best way to describe this other than to send people right to the video from Worldwide Developers Conference. Because essentially it’s not just enough to say, “Hey, I have a new more secure way of generating security certificates and building and doing key exchange,” but it’s also the ability to essentially know that a device is a valid Apple device that has its system integrity attached. And that’s the kind of thing that you can submit directly to Apple, it’s an ACME certificate exchange. But it goes through this process of making sure that the device that is talking to Apple is actually a real iOS device and not some virtualized equivalent someplace.

Marcus Ransom:
This is going to be really fascinating with testing workflows in Mac OS using VMs. So when this eventually, as we all hope, comes to Mac OS, the idea of having Mac OS VM that’s supposedly using a model identifier of iMac 76,12 or something like that, so that it doesn’t collide with any of your other model groups or anything like that, this will not be able to get a managed device attestation because it will be validating what it gets from the secure enclave with Apple to say, prove it.

Charles Edge:
And not just anyone at Apple, it’s not your local SE, it is Apple’s attestation servers, which I can assume are pretty locked down bastion hosts.

Tom Bridge:
Oh yes. Well, and it’s also a place where your MDM, when you send a device information query from your MDM out to the iOS or iPad OS device, you can request a device properties attestation property at that point that basically says, hey… At that point the MDM can even send back a nonce, a number used once, with that key to which will force a fresh authentic error attestation. And at that point it’s going to report back and say, I’m good, or I’m not so sure about that. And then you, as the admin, can decide whether or not that means freak out and erase the device or freak out and remove the device from your environment or even summon the constabulary and figure out what to… Don’t actually summon the constabulary if you end up with a counterfeited device. I think that that is probably a gross misuse of resource.

Charles Edge:
And I can-

Marcus Ransom:
At least forward them this article so they know what to do and what some of the words you’re using are when you’ve explained to them.

Tom Bridge:
Your security department might have a lot of feelings about it.

Charles Edge:
And I can say that this is a huge upgrade over the token refresh in iOS 15/Mac OS and below, that whole process, it never felt problematic at all until I saw a better process. It felt like a tax to be paid. And as an example, if you built an MDM and you didn’t provide the correct token refresh endpoints, then at some point the devices would just fall out of management because their state would be all out of whack. But now it’s not really possible anymore. So again, it’s part of the Apple tax to be a current MDM provider to have to build this stuff, but it is tech debt for anybody who’s on the code side of that.

Marcus Ransom:
But it’d be interesting to… We talk about Apple’s security and secrecy around what they’ve done and what they’ve seen as well. Would love to know whether was this built in reaction to things that they’ve seen or was this built, as you were saying, in terms of looking at what there was currently and going, well, hey, someone’s got this great idea, we can do a much better job of this. So it hopefully never has to be something we need to worry about. Attackers will move on to a different way of trying to exploit the users or the devices because this is just not worth their investment in resources, money, time, whatever, to try and circumvent this process.

Charles Edge:
And we’ll put two links in the section on ACME. The first will be a link to this document and the second will be a link to the developer documentation. And it’s worth saying that this document is so much more approachable, even if you don’t know anything about cryptography, than the developer document or Swift or whatever. When you see the developer document it’s eye opening why something like this was needed, but then you wouldn’t really know that it was there in some cases unless someone mentioned it on Slack or someone told you about it if it wasn’t in the recent changes. So again, kudos on that recent changes. It makes it a lot easier to parse and find and all that fun stuff.

Marcus Ransom:
So eSIMs-

Tom Bridge:
We also.

Marcus Ransom:
So eSIMs is-

Tom Bridge:
Sorry Marcus.

Marcus Ransom:
Sorry James. Not sorry James.

Charles Edge:
You should totally leave [inaudible 00:35:02].

Marcus Ransom:
Do your job. He’s probably going to it now. If you can hear this, I’ve been shamed by James.

James Smith:
Deploying, managing and protecting Apple devices at work shouldn’t be difficult or require several solutions. Mosyle is the only Apple unified platform for business. By combining enhanced device management, endpoint security, internet privacy and security, single sign-on and enhanced apps management into a single Apple-only platform, businesses can now easily and automatically deploy, manage and protect their Apple devices with one solution and at an affordable price. With a solution for every business size and the best support in the market, request your free account today and see firsthand why Mosyle is more than an Apple MDM. Mosyle is everything you need to work with Apple. To learn more visit business.mosyle.com, that’s business.M-O-S-Y-L-E.com.

Marcus Ransom:
So there was a big change in the latest iPhones that Apple released, at least in the United States, them no longer containing physical SIM trays. So eSIMs is something that certainly, you are all over there in the states, having to deal with now, but I’m guessing very soon globally-

Tom Bridge:
I hope.

Marcus Ransom:
… it’s the direction we’re going to head in having to deal exclusively with eSIMs and devices. So we’ve got some documentation about how MDM can get involved in that.

Charles Edge:
Yeah, and I do think it’s important to mention, at first, a few years ago when, I feel like it was Blake, there was someone who was telling me about how great eSIM was and I was like, “Whatever.” And it took me a while to figure out that he was totally right. And he’s always been right about everything, I’ve heard him say. But in this case it’s more about, for me, the security of the transaction. You can’t just call the local insert carriers here, store, and swap a SIM with someone. It’s locked and it’s a much more secured transaction. So it mitigates that issue of being worried about… And granted I’m not sitting here saying, oh yeah, texting a code is perfectly secure, more secure than Microsoft authenticated.
That’s obviously the standard for the future, but there are a lot of sites that still text you a six digit code, you type the six digit code in. And it’s always been a concern that if someone SIM jacks you then that’s not as secure a transaction anymore. But the eSIM, there were two things about it that really stuck out as I got to know it more that and then the ability to have two SIMs, one for business and one for home. So the MDM payload, do you want to go into what that’s about?

Tom Bridge:
Well, sure, there are two links in here that are really, really fantastic because they describe a lot about how this program works in its entirety. The first thing that you really need to understand is that you don’t need the MDM to install the eSIM during initial device setup. That part is not required, your carrier’s going to do their job. And so as a result you’re going to be able to do what you need to do in that circumstance to get those things done. There’s also a way to deploy out eSIMs using your MDM, but you don’t have to do it that way. There’s now a command that is specific to an individual device so that you can send the MDM command down to the device and it provides the address of the carrier’s eSIM server, so that you can say, “Hey look, I know we always use this one service,” and so then the device at that point downloads and installs and activates the eSIM. It can take up to three minutes for installation and activation to occur, but you’ve got a pretty good idea of what that’s actually supposed to look like.
And at that point you can use another MDM command at that point to get the latest information back from the iOS 16 device. So there are a lot of really good things there. Your MDM solution can also help you do a bunch of things here like restrict modifying eSIM settings on the device, or restrict modifying cellular app data on the device, or restrict modifying the cellular plan settings for non-U.S. carriers. So you get some opportunities to execute here with some different settings that are associated with the process. The eSIM modification restriction is also quite interesting. And so essentially you could just say, hey look, this plan is locked in, this is the company plan, it belongs in your phone. To prevent users from adding or removing eSIMs you can, with your MDM, essentially say, no, I will not allow you to modify the eSIM lines on this individual device, which is good because it puts you up some guardrails.

Marcus Ransom:
Yeah, so this is really fascinating, two different areas. One, having a secure device where it’s only allowed to work on the network that your organization has deployed it to work on, that they can’t just simply pull out another SIM, swap that in, and potentially circumvent any network protections. I know there are certain, at least here in Australia, Police Force, Defense Force, some of those areas, that actually have their own particular cellular network that they operate on and the ability to ensure that somebody isn’t able to either inadvertently or maliciously be able to modify that. But then the other side of it that’s really exciting is the idea of separating personal and work on the one device, the organizations that are really starting to embrace Apple’s user initiated personal device enrollment where people can install corporate information onto their personal device and not have to have two phones.
I remember 2013 starting a new job and being given a work phone alongside my personal phone and it was just a nightmare, especially traveling internationally and just having to tether my personal phone off the work phone that had the travel SIM and am I going to get messages? Am I not going to get messages? What’s going to work? But the ability to let somebody have their own personal device with their personal cell carrier on it and then deploy the corporate information with the corporate SIM deployed automatically and be able to revoke that the same time, I think this is really interesting to see where this is going to go. It’s really just the early days of it. But the missing parts of deployment in mobile devices are really starting to come into place here as well. Also, fascinated to see if we ever see a Mac with eSIM capabilities in it as well.

Tom Bridge:
Yes, please.

Marcus Ransom:
Yeah.

Tom Bridge:
Sign me up. Would like. I think that there are a lot of reasons that that’s been a challenge, and I think a lot of it comes down to obscure licensing arrangements with Qualcomm and some other folks like that. But if Apple gets into the business of building their own radios for these things, and it’s clear that they have been and are. I feel they would be doing us all a massive disservice to leave that only as an iOS or iPad OS device. That takes us back to two other quick points that I wanted to make, which is iPad OS now supports private 5G and LTE networks. So I know that their IBM runs their own for their big campuses. I know that there are a ton of places who are off the grid who maybe don’t have other cell providers nearby.
And of course the CBRS standards that are out there for Wi-Fi access points allow you to add cellular radios to your Wi-Fi access points and maintain some action there. It’s exciting that we get these opportunities to do more with these Apple devices when we’re smart enough to use an MDM associated with them so that you can do those things. And of course, the other point that I wanted to make is that there’s been some really interesting things going on with eSIM networks. Like Cloudflare has their own eSIM network now. And so you could sign up from their program and essentially route all of your company data out over a Cloudflare eSIM that is tunneled back through your corporate VPN without your knowledge, which is amazing.

Charles Edge:
Yeah, that is their take on ZTNA, which I thought was an interesting take and, I don’t want to say super early to market because it’s not new technology. But the ability to do that stuff to quote you, “without your knowledge” is, I think, a little bit the opposite of what Apple’s trained to do with putting the word privacy in front of the word security in the system setting panel.

Tom Bridge:
Yep, 100%.

Charles Edge:
And speaking of Wi-Fi and eSIM using Wi-Fi to bootstrap eSIM or whatever, but there are updated Wi-Fi specs, right, Tom?

Tom Bridge:
There are updated Wi-Fi specs. I was thrilled to see a page just for iPad Wi-Fi.

Charles Edge:
You would be.

Tom Bridge:
I would be. I’m that kind of nerd. That’s my jam.

Charles Edge:
Love it.

Tom Bridge:
We do get things like full support for 802.11k, 802.11r, which is for roaming, and 802.11v, it’s part of the Holy Trinity of Wi-Fi roaming standards that are out there. All iPad Pro models, iPad Air third gen or later, iPad fifth gen or later, iPad Mini second gen or later, all have support for also the adaptive 802.11r standard that, say, Meraki is using as part of Cisco Fast Lane. And then you also get the ability to cache your Pairwise master key identifier. So this is another way of handling some of the roaming details that are associated with moving devices from point to point.
The Pairwise master key is all about how you keep an authentication when you’re on an 802.1X network, that Pairwise master key is what allows you to do a lot of those things without moving around. It also has the full set of Wi-Fi specifications for the various and sundry versions of iPad OS, including which one of these devices support like Wi-Fi 6 and which is also known as 802.11ax, which one of these supports Wi-Fi 6E, which is 802.11ax in the six gigahertz spectrum. Still, these are the very first devices, the iPad Air fourth gen, and it’s really exciting to see those opportunities to get out there so that you can support a lot of these frequencies in new and different ways because 6E gives us the ability to, if there are only 22 odd channels in all of the five gigahertz range, this more than triples the number of available channels and gives you all sorts of free air to be working with so that you can always have wider channels.
You can go all the way out to 160 megahertz, which will allow you to push that maximum PHY all the way out to around 2.4 gigabits per second. Not that you’re ever going to get all of that because Wi-Fi is still, to this day, a half duplex medium. So you’re probably only going to ever get about little less than half of that. But you still get a lot of that information that’s out there and gives you things in good and necessary ways. So it’s exciting to see all of these things written down for the first time, not just iPad OS but also for things like the MacBook Pro so that you can see that anything with an Apple silicon chip now fully supports 802.11r, k, and v, that you could also do that Pairwise master key identifier caching there between the environment. So lots of good stuff.

Marcus Ransom:
And much like the documentation around network endpoints, having this written down here in this much detail is fantastic for those scenarios where you’re either trying to design a network and make sure that what you’re designing is supported or to be able to troubleshoot why devices are maybe not working in line with assumptions and expectations that were made when the network was being designed and to be able to see, oh, I see that’s going to work on these particular devices, but these ones are not going to support that. So we need to mitigate that. We need to build in functionality to allow these to work. So there’s been a number of occasions where I’ve had to go head to head with a network engineer wanting something to work in a certain way and being sent Mac Rumors forum articles and the like, which are written with the best intent, but they’re not right from the source.
So getting this level of documentation on those really complex areas where maybe a Wi-Fi hardware vendor has sold you this fantastic new system that’s going to do all of these amazing things that unfortunately is not yet supported by any of the devices you have or any of the operating systems you run. So this will get you to understand whether that’s a wise investment. It’s probably a wise investment for the future, but whether you’re going to make the most of it now or not.

Tom Bridge:
We also get a bunch of new information about Migration Assistant, which is tremendous. There’s an article here just on configuring your network for MDM. But it’s got a section here on how to use Migration Assistant in a smart way to… This is great, this is one of those things that they called out at WWDC this summer, but is now a document. And in fact, to allow a Mac to be migrated properly and re-enrolled in an MDM solution, MDM computers using Mac OS 13 and enrolled in an MDM solution no longer allow the transfer of the following settings, system, network, and printer. So for these settings to be skipped during migration, both Mac computers must be enrolled in the MDM solution. So essentially you’ve got to be able to be enrolled in the same MDM as well, so essentially you need to have the same common element there. And so as long as the certs line up, you should be able to handle that migration without gnashing of teeth.

Charles Edge:
Remember when you had to go RM the by-host-

Tom Bridge:
Oh God.

Charles Edge:
… by preference files?

Tom Bridge:
You’re triggering me here, Charles.

Charles Edge:
Sorry.

Tom Bridge:
I don’t have any whiskey with me right now.

Marcus Ransom:
My response for so many of those things was this is nature’s way of telling us not to do what we’re about to do.

Tom Bridge:
Not to use Migration Assistant, right?

Charles Edge:
Yeah. It’s so much better now. I can’t think of the last time that I personally saw a problem. I’ve read about some on forums and whatever, but I know for my daily driver, I’ve been bouncing around for four or five years now, which is a record. I do a lot of horrible things to computers, but…

Marcus Ransom:
Look, really where I’ve seen problems, it’s not so much a Mac admin who understands that they just need to move across settings. We’re not going to be taking any of the system details. But it’s when it’s the CFO who, rightly or wrongly, assumes that the system is just going to look after that and is not going to allow you to make a poor choice. And I know that’s what a lot of feedback I’ve lodged around this is, help us prevent users from making the wrong choice here when they click the Migration Assistant button because certainly, as you were describing, it really reminded me of building golden images of whatever ancient operating system where we had to go back in and remove any of that system specific information. And no one should ever have to do that again. We left those days well behind.

Charles Edge:
I feel the idea was good. It was like, okay, let’s have this piece be idempotent, so it’s not going to change. Then we can have this by-host stuff over here that changes. But then you get bootstrap tokens. Then you get escrowed keys of different types that you can’t obfuscate that stuff away properly. Or at least you maybe could’ve, but as they re-architected around these new things, they were like, you don’t want to. So it all feels much more stable. And there was definitely a period of a couple years there where I was like, man, this stuff doesn’t feel that stable anymore. And these days, with the exception of my car connecting to Bluetooth, I feel like it’s all really stable. And that might be my car.

Marcus Ransom:
That two or three minutes at the start of every call where one or both of the occupants are like, hang on, sorry, sorry, sorry.

Charles Edge:
So it’s not just me? Okay.

Marcus Ransom:
No, it’s especially great when it’s people from Apple and they just go, look, I’m sorry. And it’s like, you don’t need to be sorry, we totally get it.

Charles Edge:
I’ve never felt so heard.

Marcus Ransom:
Speaking about feeling heard, when we get very complex documents about very highly technical pieces of information and subjects that help us really understand the directions things are going in, but then we also get some documents that are just like, wow, this is going to save me time or making mistakes. So there’s a document that illustrates the bundle identifiers for native Apple apps.

Tom Bridge:
Oh yes.

Charles Edge:
Yeah.

Marcus Ransom:
So what would this one be good for, Tom?

Tom Bridge:
Well, if you wanted to, for example, set up an iPad and just have it locked in a GarageBand. The bundle ID could be really useful for setting an autonomous single app mode or a single app mode payload at that point. Also, if maybe you never wanted to hear GarageBand, it would also be a great way to unsupervised iOS devices or iPad OS devices, prevent that app from ever showing.

Charles Edge:
And what’s great about having it in a list with the icons and the way that it’s laid out in this document, is it’s not exact… com.apple.news, com.apple.pages, these seem really consistent. com.apple.mobileslideshow for Photos, that doesn’t seem quite as consistent. Or com.apple.mobilesafari, not just Safari, but mobile Safari. I feel it takes the guessing game if you’ve got someone… For you, not just… Because com.apple.store.jolly for the Apple Store app. .jolly, where did that come from?

Marcus Ransom:
We’ve all been in that position where you’re trying to build up a kiosk iPad or set a restrictions profile and there’s an icon sitting there on the home screen staring at you and you’re like, I want you gone. And then you can just look down, look at the icon you’re looking at and go, oh, I see Code Scanner is com.apple.BarcodeScanner. But for me it’s two words, selectable text.

Tom Bridge:
Selectable text comes down to… And let’s talk about that because there’s another one of these pages that I think is absolutely clutch, which is the review MDM Payloads for Apple devices table. This table should be a bookmark on every Mac admin’s browser. If you’re like me, you remember most of it, but you may not remember all of it. Every time, I always have to remind myself, which one of these payloads is available for user versus device enrollment versus automated device enrollment? Which one of these objects supports multiple payloads as opposed to a single payload? Accessibility is one of those great things that, or AirPlay security, supports one payload as opposed to all of these other payloads which can be composed together.

Marcus Ransom:
And then that correlates to the developer documentation, which also says, which version of the OS did this payload become available as well? Where you can be building out a deployment and having a look at it and going, why is this not working on that iOS 13 device that is still hanging around and just won’t go away? And oh, that’s right. And can be a really good argument for why we do not want devices using older versions of the OS than X is because our workflow doesn’t work back that far, and here’s the documentation that says so.

James Smith:
Here at the Mac Admins Podcast, we want to say a special thank you to all of our Patreon backers. The following people are to be recognized for their incredible generosity. Stew Baki, thank you. Adam Selby, thank you. Nate Walk, thank you. Michael Sigh, thank you. Rick Goody, thank you. Mike Boylan, you know it, thank you. Melvin Vives, thank you. Bill Stites, thank you. Anush Norville, thank you. Jeffrey Compton, M. Marsh, Stew McDonald, Hamlin Cruisin, Adam Berg, thank you. A.J. Petrepka, thank you. James Stracy, Tim Perfit of Two Canoes, thank you. Nate Sonal, Will O’Neill, Seb Nash, the folks at Command Control Power, Steven Weinstein, Chad Swarthoud, Daniel McClothlin, Justin Holt, Bill Smith and Weldon Dod, thank you all so much. And remember that you can back us if you just saw head down out to patreon.com/macadmpodcast. Thanks everybody.

Charles Edge:
One thing I saw, I just loved seeing the term MCX, it just makes me happy to see that acronym because, even if we don’t use Workgroup Manager to edit, it still underpins a lot of things. And they did lay out the FileVault payload settings and how those MCX are expanded, right?

Tom Bridge:
Yes. And you do see a lot of those things. I think that it’s very interesting to see the legacy term hanging out here still. But once it’s inscribed into an identifier, you’ve got to keep it that way until maybe a change to something like declarative device management.

Charles Edge:
Yeah, I don’t know if there’s something in the FileVault binary that looks for com.apple.MCX.FileVault2. But one of the things that I really liked is, for all the settings, they laid out what was required, what wasn’t, and the specific keys and in some cases the UUID to use for various operations. So to me that was a cool addition. Another addition that I really liked, again, looking at just the structure of being able to see what changed and historically what changed, because I don’t know that it’s obvious that there’s two major updates to those coming in to the industry.
There’s the fall and spring updates for all the MDM stuff. So being able to see the frequency of the updates is interesting because you see October 2022, June 2022, April 2022, December 2021, which I think was a bit more about the documentation than about the settings. But then October 2021, so you see this spring fall-

Tom Bridge:
Cadence?

Charles Edge:
Cadence. Thank you. Why did I struggle with the word cadence? Holy buckets, I was in Marching Band for two years. But seeing that it’s like I feel that cadence in long hours worked those years. You know what I mean? So…

Marcus Ransom:
Yeah. This is great for planning for organizations as well.

Charles Edge:
Yes.

Marcus Ransom:
Okay, well, we’re going to see, especially now in the days of really only being able to restrict operating system upgrades for 90 days, this can allow resource and time planning for organizations saying, we’re going to need a bunch of work to do at these times in the year or things are going to catch on fire. And being able to look back historically at how often the documentation changes and people saying we don’t get roadmaps and we don’t get forward announcements. Well, this is as close to it as we get where there’s a real indication historically that this is when the cheese gets moved. And this is where we find out what kind of cheese it is that they’ve moved there.

Charles Edge:
But some of these big cheese moving things like device attestation, we heard about it two years, a year and a half ago, and we’re just starting to see it with a couple of MDMs with iOS 16, but it will probably be another year or three before it’s super pertinent to every single admin. And I like having more time to ingest some of this stuff. I think, when other organizations are beholden on you to produce quality code, a little extra time is really nice to have.

Marcus Ransom:
And I think something that’s really illustrated this for me is a rapid security response where during the WWDC beta period, we’ll call that June, because even trying to work out in my head what season that is where? I can’t work it out. We’ve got these MDM keys for rapid security response, but we haven’t seen any workflows or how to change things. Some little whispers here, no. We were focusing on the things that we’re actually going to hit in the first release of those, and now we’re starting to see, in the beta channels, indications of rapid security response, we’re seeing test plans, we’re starting to get the coloring in of this functionality to see how this works. And I hope it continues to stay that way, that we get an indication of things at WW that aren’t necessarily going to be short term things to work on, but they will be already in production by the time we’re around to next year’s WW.
But it’d be great to get an indication of which things we’re focusing on now, which things we’re just it FYI but this will come soon. But I also understand that maybe that’s determined by what particular dumpster fires rear their head in the first rounds of betas, things that were maybe planned. It’s like, you know what? We’re going to park this and we’re going to leave this for next time because we need to fix this, this, this, and this, I’m looking at software update and get those sorts of things working, which is a good way of doing things.

Tom Bridge:
It’s a very nice segue there to our favorite dumpster fire, which is software update.

Charles Edge:
I didn’t even see that in the shownotes.

Marcus Ransom:
To those people contemplating applying for the open positions in software update, it’s not a dumpster fire, it’s a fantastic, rewarding place to work and we look forward to you signing on.

Charles Edge:
You sound like the head hunter for the iCloud team right after Steve Jobs fired them the first time.

Tom Bridge:
Yes. Yeah. Well, I was going to say, honestly, if you come in and make a difference for Mac Admins… There’s no question that the single best improvement in admin life has come out of that same team, which is erase all contents and settings. So we know the caliber of work they’re capable of and when they turn their collective attention on these things. So I’m really excited to see what they can produce. We did get an updated note in the page called Use MDM to Deploy Software Updates on Apple Devices, which we’ll have a link to in the shownotes. But I thought it was really, really interesting because they call out specifically two things. This is the only place I’ve seen these documented that say upgrades to Mac OS 13 or later benefit from the following enhancements. And you can do available install…
Install actions include install, force restart, install later, notify only, and download only, which is great because essentially, hey, we got more controls in Mac OS 12.3 than we’ve ever had before. Then we get the key item, upgrades are now incremental package patches, which result in smaller downloads, install faster, require a sealed system volume, and can be performed by any user. Mac OS 12.6.1 or later can defer this new upgrade path using MDM delay setting. So it’s thrilling to see this get called out, that these new updates are called over the air updates. They match very similarly the trend of smaller updates that we’ve seen with iOS for the last several years. And so there are a lot of good options here for Mac admins to understand the world that you’re in right there. It’s all going to allow you to differentiate those OTA updates, which are nice and small from the full installer UMA updates or Universal Mac assistant updates that we’ve had as part of the full binary for the last few years. So kudos to Apple to get this in the documentation where people can understand it, which is really exciting.

Charles Edge:
Yeah, absolutely.

Tom Bridge:
So if you haven’t had a chance, go take a look at the updated Apple documentation that’s out there as part of the platform deployment guide. The PDG is one of the best technically written, human understandable documents that Apple ever produces. And so, if this is not part of your regular reading rotation, it should be.

Charles Edge:
And I have to say it, sometimes when we don’t have something, it’s easy to poke around at why we don’t have it. But there are real humans writing these and the caliber of work is pretty top notch.

Tom Bridge:
Agreed.

Charles Edge:
And so huge thanks to those humans and the robots that they deploy to do some of their work as well. And outsourcers because they’re not robots.

Marcus Ransom:
Look, and especially the kind of language that’s in it, like the emphasis on human readable. We’ve all read documentation-

Tom Bridge:
Yes.

Marcus Ransom:
… where I heard someone once describe it as being gaslit by documentation before, where you find the document, you read it, and then you start questioning whether you ever knew anything at all. And you feel like the things that you thought you understood at the start, you now no longer understand. And this is not like this. I either read something in here and go, all right, I need to understand more about this because this is critical, and go and find more information. Or it just very clearly stipulates how something works and what’s required. And you go, all right, well, okay, we are good now. There’s no ambiguity here. This is pretty clear of the direction Apple’s going in this and how we should be using this, why this is working, why this is not working, what it’s supposed to do. It’s not telling a story. It’s really hard writing this kind of documentation to make it clear for the person who’s reading it, not necessarily the person who wrote the documentation.

Charles Edge:
And thankless. So thanks.

Marcus Ransom:
Yeah. Yes. Thank you.

Tom Bridge:
To all of the wonderful tech writers who have, one… It’s funny, when we have a new tech writer start with my team or one of my teams, I frequently send them this documentation to be like, all right, this is the gold standard, let’s get to here. And it is wonderful to have such an incredible example of writing that is human approachable and technical and gets the concept across without having to spell it all out. Except where you need to spell it all out, where they do with tables and documentation. And it’s amazing that it all backs up against a GitHub repo.

Marcus Ransom:
Yeah. And selectable text. Selectable text, yes. No screenshots of important strings of text that you’re going to need to try and enter in without any typos.

Charles Edge:
Good luck with that.

Tom Bridge:
Yep. Well, thank you guys so much for spending the hour talking about all of these things. So obviously with the current state and time of the moment, I don’t want to devolve into talking about Twitter because I feel like we’ve all heard that talk to death. But if you were looking for me on Twitter, you won’t find me there. So find me instead, I’m now tbridge@theinternet.social. So if you’re looking for me on the social medias, that’s where I’ve moved.

Marcus Ransom:
And at the moment I’m too old to embrace another social network. So I’ll see what happens. If somebody wants to squat my name, good luck with that. You touch it, you own it. I’ll forward everything else to you as well. I may change my mind once I discover that I’m missing out on something, FOMO will set in and then I need to be MarcusRansom432, whatever it is.

Tom Bridge:
Well, the nice thing is with Mastodon, you just go stand up your own server. It doesn’t take all that much. Digital Ocean has a droplet for a Mastodon server, which is wild because it means you can set one up in like five minutes. All you need is a domain name. So…

Marcus Ransom:
That all sounds too hard. Too complicated.

Tom Bridge:
Fair. Fair.

Marcus Ransom:
I just want to see cat pictures on the internet.

Tom Bridge:
Right?

Marcus Ransom:
Exactly.

Tom Bridge:
Cat pictures are pretty amazing. So, cool. Well, thanks so much for our wonderful sponsors this week. That’s our friends at Kandji and our friends at Mosyle. And of course, thanks to all of our wonderful Patreon backers. I am incredibly thankful for you, just as we get into the Thanksgiving spirit of all. And thanks everybody. We’ll see you next time.

Charles Edge:
See you next time.

Marcus Ransom:
See you later.

Tom Bridge:
The Mac Admins Podcast is a production of Mac Admins Podcast LLC. Our producer is Tom Bridge. Our sound editor and mixing engineer is James Smith. Our theme music was produced by Adam Koodiga the first time he opened GarageBand. Sponsorship for the Mac Admins Podcast is provided by the macadmins.org/slack, where you can join thousands of Mac admins in a free Slack instance. Visit macadmins.org and also by Technolutionary LLC. Technically we can help. For more information about this podcast and other broadcasts like it, please visit podcast.macadmins.org. Since we’ve converted this podcast to APFS, the funny metadata joke is at the end.

Patreon Sponsors:

The Mac Admins Podcast has launched a Patreon Campaign! Our named patrons this month include:

Rick Goody, Mike Boylan, Melvin Vives, William (Bill) Stites, Anoush d’Orville, Jeffrey Compton, M.Marsh, Hamlin Krewson, Adam Burg, A.J. Potrebka, James Stracey, Timothy Perfitt, Nate Cinal, William O’Neal, Sebastian Nash, Command Control Power, Stephen Weinstein, Chad Swarthout, Daniel MacLaughlin, Justin Holt, William Smith, and Weldon Dodd

Mac Admins Podcast Community Calendar, Sponsored by Watchman Monitoring

Conferences

| Event Name | Location | Dates | Format | Cost |
|---|---|---|---|---|
| ACES Conference | Online | 5, 12, 19, 26 May 2022 | Synchronous • Thursdays 12:00-14:30 EDT (UTC-4) | USD$299 |
| MacAdmins Campfire Sessions | Online (State College, PA, USA) | Thursdays in June and July 2022 | Synchronous • Thursdays 13:00-15:00 EDT (UTC-4) | Free |
| Apple Worldwide Developers Conference | Online (one in-person event @ Cupertino, CA, USA) | 6–10 June 2022 | Asynchronous • New sessions available daily | Free |
| MacDevOps YVR | Online (Vancouver, BC, Canada) | 15-17 June 2022 | Synchronous • 2 consecutive days | CAD$50-2000 |
| Jamf Nation User Conference | San Diego, CA & Online | 27–29 September 2022 | In Person & Virtual | $899-$1299 Education. $1099-$1499 Commercial (pricing increases over time), $299 Virtual, Keynote streams free |
| MacSysAdmin | Online (Göteborg, Sweden) | 4–7 October 2022 | Asynchronous • New sessions available daily | Free (Optional T-shirt purchase) |
| Objective by the Sea | El Vendrell, Spain (Barcelona) | 3-5 October 2022 (Training), 6-7 October 2022 (Talks) | In Person | 0-499€ |

Upcoming Meetups

| Event Name | Location | Dates | Cost |
|---|---|---|---|
| Mac Admin Monthly | Virtual | 8 March 2022, 4:30pm ET | Free |
| JumpCloud IT Admin Network (DC) | Virtual | 8 March 2022, 4pm ET | Free |
| San Diego MacAdmins Meetup | Virtual | 9 March 2022, 6pm PT | Free |

Recurring Meetups

| Event Name | Location | Dates | Cost |
|---|---|---|---|
| London Apple Admins Pub | Online weekly (see #laa-pub in MacAdmins Slack for connection details), sometimes in-person | Most Thursdays at 17:00 BST (UTC+1), 19:00 BST when in-person | Free |
| #ANZMac Channel Happy Hour | Online (see #anzmac in MacAdmins Slack for connection details) | Thursdays 5 p.m. AEST | Free |

If you’re interested in sponsoring the Mac Admins Podcast, please email podcast@macadmins.org for more information.

Social Media:

Get the latest about the Mac Admins Podcast, follow us on Twitter! We’re @MacAdmPodcast!

