Revised TN2459 > Question regarding App Distribution

While reading the revision for TN2459, the part regarding Enterprise App Distribution left me troubled.


I'm definitely not an expert on enterprise deployments using Recovery OS or NetBoot/NetInstall/NetRestore disk images, but I have some notions about how things work when you deploy applications using Apple Remote Desktop (ARD) on a limited number of computers.

I'm not sure I understand how the proposed solution in TN2459 could work in a case where applications are deployed by remote installations using ARD or another equivalent solution.

It seems (to me) that this would still require the person in charge to go to each computer and spend some time either going through the "spctl kext-consent" procedure or going to the System Preferences > Security & Privacy pane to "Allow" the kernel extensions.

Question:

How are you supposed to efficiently allow the kernel extensions when you deploy your application through ARD?

Side note

Could it be that this new protection layer is wrong when it comes to its default state? It looks to be an interesting feature for managed computers but a UX issue for end users. So wouldn't it be better for it to be turned off by default, with system administrators able to enable it via spctl kext-consent? That is, it would be an opt-in feature and not an opt-out one (at least in High Sierra). Considering that, from the look of the seeds, this feature is still being developed as we speak, it might be a good idea to have a less ambitious goal for the first version of this feature.