
How Apple Has Reshaped Mac Management

A rundown of how advanced security and other features in macOS have changed administration and management. By Tim Malm

AFTER MORE THAN 20 YEARS, the basics of Mac management have fundamentally changed. Advanced security features of macOS on Macs with Apple’s M1, M2, and T2 chips have made obsolete the key management methods that Mac IT administrators have relied on for years.

Today, the operating system boots and runs from a read-only image of macOS, installed from a read-only volume that can only be modified by the Apple software update process. This means that every instance of any given version of macOS is installed and running precisely as written by Apple.

macOS System Integrity Protection (SIP) safeguards the computer by preventing execution of unauthorized software.
Apps downloaded from the App Store are automatically authorized to install and run. Apps that a developer notarizes and distributes directly to users are also authorized. Unauthorized apps may be launched after manually configuring a security exception.

Let’s take a look at how things have changed.

Clone Copies

Then: On a scheduled basis, Mac admins would make a bootable “clone” copy of an active system at least once a day. Clone copies could be useful for troubleshooting, and as an aspect of a backup plan.

Now: Admins still make clone copies containing all files and settings, but not the operating system. The macOS resides on a write-protected volume that’s separate from the data volume where all other files reside, including settings and extensions.

Which means: Restoring a system to a bootable state from a clone copy has become a two-step process: First the operating system is installed on the new volume, then the data is migrated from the clone to the new volume using Apple Migration Assistant.

Important Fact: Internal storage of an Apple M1 or M2 Mac computer is linked uniquely to the computer hardware in which it is installed. Storage from one computer cannot be removed and used with any other computer.

Backup and restore are essential.

Rules of SIP

SIP restricts components of the file system to read-only in specific critical locations to help prevent malicious code from modifying them. With an Intel-based Mac, disabling SIP removes protection for all partitions on the physical storage device and all processes running on the system, regardless of whether the code is running sandboxed or with administrative privileges.

Single-User Mode is a good example of a feature no longer supported because it violates the rules of SIP. A Mac booted into Single-User Mode exposes the system kernel and file system to potential modification from the terminal console as super user.
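Because a Mac with SIP or the signed system volume switched off no longer has the protections described above, an inventory script should report that state. The following is an added example, not code from the article: it parses the text that `csrutil status` and `csrutil authenticated-root status` print on macOS 11 and later (the exact wording of those lines is an assumption of this example), and the sample outputs are constructed so the functions can be exercised on any machine.

```shell
#!/bin/sh
# Added example: decide whether a Mac still has SIP and the sealed
# (authenticated root) system volume enabled, from the text of
# `csrutil status` and `csrutil authenticated-root status`.

# Returns 0 when the csrutil output reports SIP enabled, 1 otherwise.
sip_enabled() {
  printf '%s\n' "$1" | grep -q 'System Integrity Protection status: enabled'
}

# Returns 0 when the authenticated-root output reports the sealed
# system volume enabled, 1 otherwise.
authenticated_root_enabled() {
  printf '%s\n' "$1" | grep -q 'Authenticated Root status: enabled'
}

# Collapse both checks into one word suitable for an MDM inventory field.
# Anything other than both protections enabled is reported noncompliant.
protection_state() {
  if sip_enabled "$1" && authenticated_root_enabled "$2"; then
    echo compliant
  else
    echo noncompliant
  fi
}

# Constructed sample outputs (not captured from a real Mac).
SAMPLE_SIP_ON='System Integrity Protection status: enabled.'
SAMPLE_SIP_OFF='System Integrity Protection status: disabled.'
SAMPLE_AR_ON='Authenticated Root status: enabled'
SAMPLE_AR_OFF='Authenticated Root status: disabled'

# On a real Mac, feed the live command output instead:
# protection_state "$(csrutil status)" "$(csrutil authenticated-root status)"
protection_state "$SAMPLE_SIP_ON" "$SAMPLE_AR_ON"
```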

Then: Using Disk Utility, Mac admins would make an image copy of a volume containing the operating system and data. A disk image might be used to restore a computer to a bootable state after replacing or erasing a hard drive, or for reference when troubleshooting. A prudent administrator would typically make offline clone and image copies of a disk, prior to making significant changes to a system.

Now: The Disk Utility User Guide for Mac states, “You can’t create images of individual APFS [Apple File System] volumes. You can’t create images of APFS containers on Mac computers with Apple silicon or an Apple T2 Security Chip.”

Which means: The disk image feature exists today for making disk images of groups of files and folders, but not APFS volumes or containers.

Important Fact: If the storage in your M1 Mac has failed, the computer won’t boot. If the computer has failed, the storage becomes inaccessible.

Backup and restore are essential.

ChannelPro SMB Magazine
