Special report A looming set of changes to the macOS has some administrators worried that the way they manage and configure Apple systems will need switching up.
Those changes, which have only been partly revealed by Apple, will see a new file system implemented in the OS and, in the process, a lockdown of key components of the operating system – away from attackers and admins alike.
Central to the idea is the Apple File System (APFS), a technology Cupertino already uses for iOS that is currently being offered for tests in preview versions of macOS Sierra, with plans for a bootable release next year.
When the shift does happen, some admins believe Apple will also institute a number of the security policies and protections being used for iOS devices – such as isolating and protecting core system files – that were described loosely by Apple in its 2016 Black Hat security talk (see video).
That move would likely include a shift in the way Apple devices are managed in the enterprise. Administrators would no longer be able to change basic system files – instead, permissions and policy would be instituted via the same Mobile Device Management (MDM) system used for managing iOS devices such as iPads and iPhones.
For most users, this change will have little to no effect on day-to-day use of their Mac desktops and notebooks, and the change-over will be little more than another annual macOS update. For administrators, however, it could present a number of challenges.
The idea of a shift to MDM was outlined by admin Michael Lynn earlier this fall in a blog post, and immediately gained a following. While Lynn stresses that his piece was merely speculation and not a prediction of Apple's plans, a number of other admins who manage Mac networks and spoke with The Register believe he is onto something, and that Apple is in fact looking to move toward an MDM model for managing macOS machines.
"It's reasonable to expect that at some point in the future, MDM becomes the standard means for managing macOS," said Kaitlin Shinkle, director of communications and content marketing for JAMF software. "There are a lot of good reasons to move in this direction, namely security and user convenience."
That shift would also bring about a number of challenges. In particular, admins worry that some tasks – such as setting up and managing printers or encryption key settings – could be more difficult or impossible with the tools they currently use.
"If Apple is going to lock [macOS] down like iOS, there are simply things that Mac admins need to do that they won't be able to, unless Apple extends the MDM functionality," said Robert Hammen, a Mac admin with the National Center for Biotechnology Information at the National Institutes of Health.
Hammen told El Reg that while switching to an MDM management system will hardly be a deal-breaker for companies running macOS, some will need to find new ways to manage their machines and enforce policies.
"Depending on how difficult Apple makes it to configure and install things, there may be some pushback on total cost of ownership and supportability," he said.
To that end, the companies that develop administration tools for developers could be key to the move.