Notes from WWDC 2017 Deployment Lab Part Two

These questions are community-driven. I am also not the original questioner; I'm just posting them with permission. Thank you to the anonymous folks who helped gather this information.



Software Update Server related:



- This product is officially deprecated (which we all knew). It has no future, guaranteed.

- They were surprised, however, that the ability to set a custom CatalogURL as an argument to /usr/sbin/softwareupdate (client) disappeared at some point.

1. See github dot com / munki / munki / issues / 511 as an example of this issue.

2. They rely on that internally, obviously.

- This functionality should exist at all times; file a bug report at any point we don't see this happening (and maybe this is something Munki can go back to using?)

- They weren't aware of Reposado, but I showed it to them and they like the idea. I asked if they had any plans to obstruct or otherwise change how it works in a way that would break this functionality, and they didn't seem to be cagey about it. Sounds like Software Update has no intended architectural changes in the future, so we likely don't have to worry about Reposado not working anytime soon, even if they officially deprecate SUS as a feature of Server.app.

- It still exists in a contextual menu in Server.app; it's just hidden in the UI.



File Sharing / Sharing server features related:



- Only one person knew that “/usr/bin/sharing” existed. That kinda explains why it's awful.

- FILE AN ENHANCEMENT REQUEST: Again, sharing has terrible output. File a request for a -plist output option (as well as a separate request for a -plist input option).

- “sharing” is now the only way to manage file sharing programmatically, and it is bad at it

- The inability to delete file shares in the System Preferences in 10.13b1 is a bug and fixed in seed 2



Profile related:



- They are actively working on making Profile Manager not require turning on OpenDirectory. Like, very soon.

- Combining profiles / profile compositing results in officially 'undefined' behavior; that is not expected to change any time soon.

- I told them about how com.apple.ScreenSaver profiles result in a broken / lying UI in the System Preferences and they were surprised; they hadn't heard that bug.

- FILE A BUG REPORT, obviously, but they took notes

- FILE AN ENHANCEMENT REQUEST: Gatekeeper for profiles, basically. The ability to restrict unsigned profiles from being installed; the ability to control which CAs are allowed to sign profiles and install them; etc.

- FILE AN ENHANCEMENT REQUEST: 802.1x profiles resulting in untrusted certificate chains.





Security (the CLI command) related:


- The new (lack of) trust behavior with the security command requiring user password input was a surprise to them;

- FILE AN ENHANCEMENT REQUEST: a command line argument to pass in user credentials as stdin, so it won't be stored in the process list.


See complete list of session and lab notes here:

https://forums.developer.apple.com/message/234797

Replies

Thanks again Rich! This information is invaluable!

"I told them about how com.apple.ScreenSaver profiles result in a broken / lying UI in the System Preferences and they were surprised; they hadn't heard that bug."


Heh - I have an open bug for this since August 2015.

Not sure I understand this. Are you saying that when you try to manage screensaver, it does not work? The only screensaver preference pane item I seem to be able to manage is the screensaver start time. And my requirement of 15 minutes shows up as 20 but works as expected? If we believe that we should be able to manage the screensaver settings, I will go file a bug too because that has become a recent requirement for me.

Thanks Rich! Did they talk at all about why they stripped the key features from Server.app? Time Machine Server has no feedback data at all and not being able to see who is connected, how, and for how long in File Sharing is a huge step backward. The upcoming death of AFP is really bad for us because we can't use SMB with Adobe and Microsoft file formats. ACL inheritance has never worked for us over SMB. The Server 5.3.51 "Server 5.4" beta really hurt my trust for Apple in the Enterprise.