HT204899: About System Integrity Protection on your Mac

Q: System Integrity Protection introduces more issues than it solves in large scale deployment

I administer 600+ Macs and need to use "bless" command to boot to alternate partition when updating the OS on the main partition. (NetBoot is out of question in our environment). For years I was able to do this through ARD without getting up from my desk. Thanks to SIP I will now have to touch every Mac, every time we update Mac OS.

Being that the root account is not enabled by default on Mac OS the introduction of SIP seems like a pointless jab at systems administrators. What is Apple's solution to this issue?

Posted by nomad_nyc on Jul 19, 2016 12:34 PM

  • etresoft, Level 7 (29,071 points), Jul 19, 2016 9:27 PM in response to nomad_nyc

    nomad_nyc wrote:

     

    What is Apple's solution to this issue?

    NetBoot. See NetBoot, NetInstall, and NetRestore requirements in OS X El Capitan - Apple Support

  • stevejobsfan0123, Level 8 (43,557 points), Jul 19, 2016 9:34 PM in response to nomad_nyc

    I hear ya. I'm not a sysadmin but SIP can certainly get in the way of a number of things. The best you can do right now is what etresoft suggested. You might also consider leaving Apple feedback at http://apple.com/feedback/macosx.html.

  • John Lockwood, Level 6 (9,250 points), Jul 20, 2016 2:34 AM in response to nomad_nyc

    If you're using a NetBoot-based deployment system such as Apple's own, DeployStudio or JAMF's, then I do not see there being a problem; these all work with El Capitan. (I do note you say it is not an option for you.)

     

    However, you may still be taking the wrong approach. I would suggest you consider something like the following.

     

    It is possible to take the downloaded El Capitan installer from the Mac App Store and convert it to an Apple Installer Package. You can then push this installer package out to client Macs via a variety of mechanisms, e.g. Munki, ARD, JAMF, etc., and this will install and upgrade the client Mac and auto-reboot as needed during the process; the Mac will not need separate 'blessing', the installer does this itself.

     

    The only case where this is not completely feasible is if the client Mac is encrypted using FileVault 2 or similar.

     

    For the tool to convert the El Capitan installer in to an installer package see - https://www.munki.org/createOSXinstallPkg/

     

    This does not need booting to an alternate partition; it is just like sitting at the Mac, downloading the El Capitan installer, running it, and allowing it to upgrade the boot partition.

     

    Note: This would upgrade the client Mac's current boot drive. If you are trying to upgrade an alternative drive then this will not work and would require manual intervention.

  • nomad_nyc, Level 1 (4 points), Jul 20, 2016 7:26 AM in response to nomad_nyc

    Thank you all for the input on this. None of the suggestions so far will work in our environment, however.

    1. NetBoot: the reason this is out of the question is because it is painfully slow and we would have to deploy a NetBoot server on each one of our 30+ subnets. We tried Mac OS X Server as well as Dell KACE with the Remote Site Appliance (the latter at least attempting to resolve the multiple-subnet issue); both are too slow to be of any use, especially considering....

    2. We deploy an 85GB monolithic image to each Mac. Everything from the user environment to individual app preferences (such as color profiles in the Adobe CC suite, for example) has a set of agreed-upon preferences; if you used it 3 years ago, you'll have the same experience today. Installing each piece of software on each one of the 600 stations is out of the question.

     

    My point is that OS X 10.5/10.6 was a perfect environment for this sort of customization (all the way to modifying NIB files to simplify some Finder menus). Ever since then, Mac OS X has become increasingly difficult to customize, while administrative tools have slowly been deprecated or given minimal attention (Server, ARD, etc.).

    What I am looking for is for Apple to provide tools and documentation to IT professionals to control these sorts of features in educational and corporate environments. System Integrity Protection is an extremely useless feature on an OS where the 'root' account is disabled by default and in an environment, like mine, where none of the users have administrative privileges.

  • John Lockwood, Level 6 (9,250 points), Jul 20, 2016 7:59 AM in response to nomad_nyc

    Monolithic images are very old school; hardly anyone uses that approach any more. People either use thin images created using AutoDMG, or use the Apple installer converted into an installer package.

     

    Then after the OS has been installed you run further steps to enrol to an MDM platform, bind to directory services, push settings, push apps, etc.

     

    Adobe Creative Suite can be packaged in a way that is compatible with this although further work would be needed to push settings out as well.

     

    While root is, and has always been, disabled by default as an explicit login account, root privileges have still been available via the sudo command. SIP is designed to add an extra layer of protection against this. Remember you need to protect not only against dumb *** users, but also more intelligent malware.

     

    DeployStudio does have built-in support for having a master image server and replica image servers which would be in individual subnets with automatic syncing between them. So does JAMF Casper Suite.

     

    In theory, if you use DEP - Device Enrolment Protocol, a fresh out-of-the-box Mac can be auto-enrolled to an MDM, which then auto-binds to directory services and pushes profiles, i.e. settings, from the MDM to the client. The latest MDM tools, including Profile Manager, can also push apps and custom settings.

     

    Thin imaging, an installer package for OS X, and DEP all require additional work to set things up, but once done this is then pretty much automatic and repeatable for as many Macs as needed.

     

    We have all had to accept that things move on and we all need to move on ourselves. Monolithic imaging is the way of the past. I used to use this approach myself.

     

    The two most common choices these days for pushing apps and settings are either Munki or JAMF. You can either use DeployStudio or JAMF with AutoDMG and/or createOSXInstallPkg to do the initial OS X install.

     

    As an example, I have used DeployStudio with a thin image created by AutoDMG which is 'only' 8GB; DeployStudio then runs additional steps to enrol to Profile Manager, bind to Open Directory, push initial settings, push initial apps, and install and connect to Munki. Munki then installs its own initial set of apps including anti-virus with settings, and when we used it I even had a fully automatic push of Acrobat Pro 9 with all updates. Acrobat Pro 9 is a far, far bigger task than you might think: each of 27 updates has to be individually run in the right order, as there is no combo update. Newer versions of Adobe software are much easier to mass deploy.

     

    See the following

    http://www.deploystudio.com/

    https://www.munki.org/munki/

    https://github.com/munki/munki/wiki/Munki-And-Adobe-CC

    https://helpx.adobe.com/creative-cloud/packager.html

    https://www.munki.org/createOSXinstallPkg/

    https://github.com/autopkg/autopkg

    https://github.com/MagerValp/AutoDMG

    https://github.com/MagerValp/CreateUserPkg

    https://github.com/rtrouton/First-Boot-Package-Install

    https://derflounder.wordpress.com/2014/04/17/first-boot-package-install-revisited/

     

    Note: Munki was written by Greg Neagle of Walt Disney Animation Studios and is used (obviously) by WDAS for thousands of Macs. Munki has also been used as the basis for Google's own Simian for tens of thousands of Macs.

     

    And not forgetting - https://www.jamfsoftware.com/

  • nomad_nyc, Level 1 (4 points), Sep 8, 2016 11:18 AM in response to John Lockwood

    sudo systemsetup -setstartupdisk /Volumes/alternateOSpartition/System/Library/CoreServices

     

    That's all I needed - not a lecture about how we do things the "wrong way" in an environment you obviously don't understand. Thanks Apple! Stay courageous!
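
Added example (not code from the thread, from Apple or from any of the tools mentioned): a small POSIX sh wrapper around the systemsetup command nomad_nyc ended up using, written so it can be pushed to many Macs over ARD running as root. Rather than passing a hand-typed path straight to systemsetup, it picks the alternate volume out of the output of systemsetup -liststartupdisks, so a mistyped or unmounted volume fails before anything is changed, then sets the startup disk and reads it back with systemsetup -getstartupdisk. The volume name alternateOSpartition is taken from the post; the sample list output is constructed, and the exact output formats of -liststartupdisks and -getstartupdisk are assumptions to confirm on your own OS build before rolling this out to 600 machines.

```shell
#!/bin/sh
# Added example, not from the thread: set an alternate volume as the startup
# disk on a SIP-enabled Mac with systemsetup (the route nomad_nyc found works
# where bless did not) so it can be run over ARD as root.
# Assumptions (verify on your build): `systemsetup -liststartupdisks` prints
# one .../System/Library/CoreServices path per line, `-getstartupdisk` prints
# the selected path, and the alternate volume is named alternateOSpartition.

# Constructed sample of -liststartupdisks output for offline use; it was not
# captured from a real machine.
SAMPLE_DISKS='/Volumes/Macintosh HD/System/Library/CoreServices
/Volumes/alternateOSpartition/System/Library/CoreServices'

# Print the exact CoreServices path for volume $2 if it appears in the
# startup-disk list $1; exit 1 otherwise, so a typo or an unmounted volume
# fails loudly instead of being handed to systemsetup. -F -x: literal match
# of the whole line, so volume names with spaces or dots are safe.
pick_startup_disk() {
    want="/Volumes/$2/System/Library/CoreServices"
    printf '%s\n' "$1" | grep -Fx -- "$want"
}

# Set the startup disk to the named volume and confirm the change took.
# Does not reboot: follow with `shutdown -r now` from ARD once it succeeds.
apply_startup_disk() {
    volume="$1"
    target=$(pick_startup_disk "$(systemsetup -liststartupdisks)" "$volume") || {
        echo "no bootable system found on /Volumes/$volume" >&2
        return 1
    }
    systemsetup -setstartupdisk "$target" >/dev/null || return 1
    current=$(systemsetup -getstartupdisk)
    case "$current" in
        *"$target"*) echo "startup disk is now $target" ;;
        *) echo "startup disk is still reported as: $current" >&2; return 1 ;;
    esac
}

# Only act when invoked as:  sh set-startup-disk.sh --apply alternateOSpartition
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    apply_startup_disk "$2"
fi
```

Push the script with ARD's "Send UNIX Command" running as root; it needs no ARD-side editing per machine because the volume name is the only argument, and the read-back check means a Mac that silently kept its old startup disk shows up as a failed command rather than as a surprise on the next reboot.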