System Integrity Protection introduces more issues than it solves in large scale deployment

I administer 600+ Macs and need to use the "bless" command to boot to an alternate partition when updating the OS on the main partition. (NetBoot is out of the question in our environment.) For years I was able to do this through ARD without getting up from my desk. Thanks to SIP I will now have to touch every Mac, every time we update Mac OS.

Being that the root account is not enabled by default on Mac OS, the introduction of SIP seems like a pointless jab at systems administrators. What is Apple's solution to this issue?

Posted on Jul 19, 2016 12:34 PM


Jul 20, 2016 2:34 AM in response to nomad_nyc

If you're using a NetBoot based deployment system such as Apple's own, DeployStudio or JAMF's, then I do not see there being a problem; these all work with El Capitan. (I do note you say it is not an option for you.)


However, you may be still taking the wrong approach. I would suggest you consider something like the following.


It is possible to take the downloaded El Capitan installer from the Mac App Store and convert it to an Apple Installer Package. You can then push this installer package out to client Macs via a variety of mechanisms, e.g. Munki, ARD, JAMF, etc., and this will install and upgrade the client Mac and auto-reboot as needed during the process; the Mac will not need separate 'blessing', the installer does this itself.


The only case that this is not completely feasible is if the client Mac is encrypted using FileVault2 or similar.


For the tool to convert the El Capitan installer into an installer package see - https://www.munki.org/createOSXinstallPkg/


This does not need booting to an alternate partition; it is just like sitting at the Mac, downloading the El Capitan installer, running it, and allowing it to upgrade the boot partition.


Note: This would upgrade the client Mac's current boot drive. If you are trying to upgrade an alternative drive then this will not work and would require manual intervention.

Jul 20, 2016 7:26 AM in response to nomad_nyc

Thank you all for the input on this. None of the suggestions so far will work in our environment, however.

1. NetBoot: the reason this is out of the question is because it is painfully slow and we would have to deploy a NetBoot server on each one of our 30+ subnets. We tried Mac OS X Server as well as Dell Kace with the Remote Site Appliance (the latter at least attempting to resolve the multiple subnet issue) - both are too slow to be of any use, especially considering...

2. We deploy an 85GB monolithic image to each Mac - everything from user environment to individual app preferences (such as color profiles in the Adobe CC suite, for example) has a set of agreed upon preferences - if you used it 3 years ago, you'll have the same experience today. Installing each piece of software on each one of the 600 stations is out of the question.


My point is OS X 10.5 / 10.6 was a perfect environment for this sort of customization (all the way to modifying NIB files to simplify some Finder menus). Ever since then Mac OS X has become increasingly difficult to customize, while administrative tools have slowly been deprecated or given minimal attention (Server, ARD, etc.).

What I am looking for is for Apple to provide tools / documentation to IT professionals to control these sorts of features in educational / corporate environments. System Integrity Protection is an extremely useless feature on an OS where 'root' account is disabled by default and in an environment, like mine, where none of the users have administrative privileges.

Jul 20, 2016 7:59 AM in response to nomad_nyc

Monolithic images are very old school; hardly anyone uses that approach any more. Either people use thin images created using AutoDMG, or use the Apple installer converted into an installer package.


Then after the OS has been installed you run further steps to enrol to an MDM platform, bind to directory services, push settings, push apps, etc.


Adobe Creative Suite can be packaged in a way that is compatible with this although further work would be needed to push settings out as well.


While root is and has always been disabled by default as an explicit login account, root privileges have still been available via the sudo command. SIP is designed to add an extra layer of protection against this. Remember you need to protect not only against dumb *** users, but also more intelligent malware.


DeployStudio does have built-in support for having a master image server and replica image servers which would be in individual subnets with automatic syncing between them. So does JAMF Casper Suite.


In theory if you use DEP - Device Enrolment Protocol, a fresh out of the box Mac can be auto-enrolled to an MDM, which then auto binds to directory services and pushes profiles i.e. settings from the MDM to the client. The latest MDM tools including Profile Manager can also push apps and custom settings.


Using either thin imaging, an installer package for OS X, or DEP all requires additional extra work to set things up, but once done this is then pretty much automatic and repeatable for as many Macs as needed.


We have all had to accept things move on and we all need to move on ourselves. Monolithic imaging is the way of the past. I used to use this approach myself.


The two most common choices these days for pushing apps and settings are either Munki or JAMF. You can either use DeployStudio or JAMF with AutoDMG and/or createOSXInstallPkg to do the initial OS X install.


As an example I have used DeployStudio with a thin image created by AutoDMG which is 'only' 8GB. DeployStudio then runs additional steps to enrol to Profile Manager, bind to OpenDirectory, push initial settings, push initial apps, install and connect to Munki. Munki then installs its own initial set of apps including anti-virus with settings, and when we used it I even had a fully automatic push of Acrobat Pro 9 with all updates. Acrobat Pro 9 is a far, far bigger task than you might think; each of 27 updates has to be individually run in the right order - there is no combo update. Newer versions of Adobe software are much easier to mass deploy.


See the following:

http://www.deploystudio.com/

https://www.munki.org/munki/

https://github.com/munki/munki/wiki/Munki-And-Adobe-CC

https://helpx.adobe.com/creative-cloud/packager.html

https://www.munki.org/createOSXinstallPkg/

https://github.com/autopkg/autopkg

https://github.com/MagerValp/AutoDMG

https://github.com/MagerValp/CreateUserPkg

https://github.com/rtrouton/First-Boot-Package-Install

https://derflounder.wordpress.com/2014/04/17/first-boot-package-install-revisited/


Note: Munki was written by Greg Neagle of Walt Disney Animation Studios and is used (obviously) by WDAS for thousands of Macs. Munki has also been used as the basis for Google's own Simian for tens of thousands of Macs.


And not forgetting - https://www.jamfsoftware.com/
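The reply above frames SIP as a protection layer rather than an obstacle, and from a fleet-management standpoint the practical follow-up is to verify that it is actually in force on every machine, including the partially disabled "Custom Configuration" state (which is where the NVRAM protection the original poster ran into can be individually switched off). The script below is an added example, not code from this thread or from Apple, Munki or JAMF. It parses captured `csrutil status` output into an inventory line; the sample captures are constructed for the example, and the exact wording of the per-feature lines is assumed from how `csrutil status` reports a custom configuration on El Capitan and later.

```shell
#!/bin/sh
# SIP compliance check over `csrutil status` output (added example).
# Assumes csrutil reports either "System Integrity Protection status: enabled."
# / "disabled.", or "unknown (Custom Configuration)." followed by per-feature
# lines such as "    NVRAM Protections: disabled".

# Constructed sample captures (not real fleet data).
SAMPLE_ENABLED='System Integrity Protection status: enabled.'
SAMPLE_DISABLED='System Integrity Protection status: disabled.'
SAMPLE_CUSTOM='System Integrity Protection status: unknown (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: enabled
    Filesystem Protections: enabled
    Debugging Restrictions: enabled
    DTrace Restrictions: enabled
    NVRAM Protections: disabled
    BaseSystem Verification: enabled'

# sip_state OUTPUT -> prints one of: enabled, disabled, custom, unknown
sip_state() {
    case "$1" in
        *'status: enabled.'*)     echo enabled ;;
        *'status: disabled.'*)    echo disabled ;;
        *'Custom Configuration'*) echo custom ;;
        *)                        echo unknown ;;
    esac
}

# disabled_protections OUTPUT -> names of per-feature protections that are
# disabled, one per line. "Apple Internal" is skipped: it is expected to be
# disabled on any machine outside Apple and is not a weakening of SIP.
disabled_protections() {
    printf '%s\n' "$1" \
        | grep ': disabled$' \
        | grep -v 'Apple Internal' \
        | sed 's/^[[:space:]]*//; s/: disabled$//'
}

# sip_compliant OUTPUT -> exit 0 only when SIP is fully enabled.
# A custom configuration is treated as non-compliant even if most
# protections are on, so a partially weakened Mac still shows up.
sip_compliant() {
    [ "$(sip_state "$1")" = enabled ]
}

# report HOSTNAME OUTPUT -> one line suitable for collecting into a fleet
# inventory (e.g. as the output of a Munki or JAMF script).
report() {
    host=$1
    out=$2
    state=$(sip_state "$out")
    if [ "$state" = custom ]; then
        missing=$(disabled_protections "$out" | tr '\n' ',' | sed 's/,$//')
        echo "$host sip=custom disabled=[$missing]"
    else
        echo "$host sip=$state"
    fi
}

# On a live Mac the call would be:  report "$(hostname)" "$(csrutil status)"
report mac-001 "$SAMPLE_ENABLED"
report mac-002 "$SAMPLE_DISABLED"
report mac-003 "$SAMPLE_CUSTOM"
```

Run under a management agent, the three report lines become a simple inventory feed: anything other than `sip=enabled` is a machine where the integrity protection the reply describes has been weakened, and the `disabled=[...]` list says exactly which part.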
