VPNs: A Good Practice

TW: This Post Has Political Content

A Summary of the Privacy Problem

Congress has decided, for whatever reason they have chosen to represent as to why they’re acting, and frankly, none of them are too well-explained, that your Internet Service Provider can continue building a file on every site that every device on your home and work internet connection visits.

Ostensibly this is for marketing purposes – i.e., to sell those results to third parties who want to buy them in bulk – and it means that the connection that you pay for each month isn’t entirely your own.

This is, as one might imagination, a frustrating betrayal of trust, more so when you consider that we are not blessed with robust competition in most residential marketplaces, and there are few rare ISPs that can afford to stand on moral grounds against this tactic.

It used to be that you could opt out of the “super cookieUnique Identification Headers (UIDH) that companies like Verizon are already appending to your HTTP Requests.

Yeah, that’s sleazy. They are trying to make you, their customer, more visible to advertising partners based on your existing actions.

One of the late actions of the Obama Administration was to pass through the Federal Communications Commission new rules that would protect your online privacy from prying eyes of third party marketing organizations. They were set to take effect late in 2017.

Thanks to aggressive lobbying of the Congress, and an abdication of any desire for an individual right to privacy on the part of Legislative and Executive branches, these communications giants are going to take a second turn at squeezing more revenue out of their networks, and they’re going to do it to their customers without so much as a discount for being their unwilling partners in marketing.

Okay, That Sucks, Now What?

So, what’s a person to do if they want to keep their surfing habits – which in many cases contain personally identifying and possibly embarrassing information – away from their ISP’s prying eyes?

There’s an easy way to help prevent their access, and that’s to use a Virtual Private Network, or a VPN. That’s a way of sending all your outbound internet traffic securely to a third party before it passes through to the internet as a whole.

What’s that look like? Think of it this way: imagine that you want to send a secret letter to a friend. You don’t want anyone in your local post office to know that you’re sending a note to John Smith in Des Moines, Iowa, so you pack up your sealed letter to John in a letter to another friend, Betty Johnson of Dubuque, Iowa, with a note to please mail this letter for you from her local post office. The post office sees that you sent a letter to Betty, but because there are rules against opening your mail, they can’t read it. Then, Betty receives your message, posts your letter to John, and no one’s the wiser.

That’s what a VPN does. It’s a secure way to send all your traffic to a third party to act on your behalf. You can securely wrap your traffic to the Internet to a third party before it gets out to the rest of the internet.

It’s not perfect, but it at least prevents some of the skeeviest trends in local ISPs. Drawbacks to using VPNs include weird results for Location searches, a performance hit to your internet speed, and perhaps the inability to view location-specific programming.

Personally, for a recommendation, I like Cloak. It uses multiple data centers around the world to route your traffic, and while they do keep user logs of data, it’s short-lived, and their privacy policy is quite strong. It costs $99/year for unlimited data, and they have both macOS and iOS applications that make this process very easy to adapt to and that’s a good thing.

I don’t make anything from a referral to them, but I do use their product and endorse it. It’s an easy VPN to setup. Give it a try if you spend a lot of time on unencrypted Wi-Fi, or if you don’t want your ISP to have access to your surfing history.

Techno Bots vol. 97: Your Imaging Workflow Is Probably On Fire

At least two MDM vendors are going to be supporting the `InstallApplication` verb in the MDM Specification for the Mac. Why does this matter? As Apple encourages the adoption of MDM and DEP together for configuring user machines, the Munki community (and for that matter, the Puppet and Chef community) saw a path forward that didn’t include our favorite open source software installation agent. No longer.

Techno Bits vol. 97: Your Imaging Workflow Is Probably On Fire

Also included: Rackmount refrigerators, why decrypting TLS traffic may make your users less secure, and the arrival of spring.

Munki Mistakes Made Right, a Mac AD UK Conference Presentation

Munki Mistakes Made Right, Tom Bridge, Technolutionary LLC
Munki Mistakes Made Right

Thanks very much to the folks at Amsys for having me out to London to present my talk this year at MacADUK, called Munki Mistakes Made Right. Over the last few years, I’ve done probably 25 munki installations, in groups as small as a few clients, or as many as a hundred. There are always challenges in implementing Munki well, especially as the product matures and grows and the ecosystem around it changes to add tools like autopkg, Jamf Pro, and other solutions that can be co-implemented with Munki.

I’ve learned a lot from my implementations, and I want to share that with everyone, that, as the saying goes, that my mistakes may be avoided for future generations of admins. I’ve prepared a few sections of this presentation on various mistakes I’ve made (security mistakes, configuration mistakes, catastrophic mistakes) and how we addressed them in practice. This talk shouldn’t be seen as totally conclusive of all the mistakes that one can make – folks are always coming up with new and creative ways to break things, as well they should – but it’s a good place for me to talk about the ways we’ve been changing our existing environments to make them better, stronger, and faster.

There are some things that I’ve released recently, code-wise, that get callouts in this presentation, and I want to make sure they’re called out clearly here for ease of use:

Munki in a Box 1.5.1

I released Munki in a Box 1.5.1 last week, and it was largely a maintenance release. The following changes should have been expected: by default, Munki in a Box will now setup HTTP Basic Auth set on a password of your choosing. In addition, it’s designed to be used with an HTTPS-native server, which you should be using anyway. The old security branch, which 1.5.0 was based on was something that walked that line, but it was time to fold that branch back in. So I did. 

In addition, MIAB 1.5.1 now creates local overrides for all the autopkg recipes that are specified in the initial command variable, to better handle the trust package portion of autopkg.

Change Munki, Tell Slack

As part of the talk, I’m going to explain why a configuration manager or Mac-capable MDM is your best friend, but facing a lack of those for budgetary or administrative reasons, I’m going to give you a tool to deploy changes to your fleet in reportable ways.

If you just need to change one setting, there’s Change Munki, Tell Slack.

If you need to change an array of settings, there’s Change Munki, Tell Slack Many Things.

Both will handle a scripted change of your Munki preferences file and pass that information along to a Slack channel of your choosing via a webhook.

Slides & Notes

I’m making my slides and presenters notes available as a PDF for Download, in case you might enjoy it. If you have comments on the scripts above, please let me know, or suggestions for converting them to python, both are welcome.

A group of laptops, set aflame by bad profile,  cost money and time
Why Configuration Management Matters

Munki Mistakes Made Right (PDF)

The 2017 Daily Carry

When a consultant friend (Hi M!) asked what I carried with me every day, it was the first time that I’d stopped to think of everything I’ve collected over the years to carry with me on a day-to-day basis. Based on their challenge, I’ve catalogued what’s in my daily carry bag, and I present it here for you. 

First up, the bag itself. I have a 2013 Timbuk2 custom messenger bag. Timbuk2 bags have two specific problems: One, they’re gorgeously designed and Two, they last forever. I’ve had a total of four since 1996, and I’ve never needed to buy a new one, I just always wanted to change up my style before the bag gave out. Better still, they have lifetime warranties, so if a part gives out, you can ship back your bag and they’ll shine it up good as new. They’re not inexpensive, but the features of the bag are substantial, and the design is wonderful. My messenger has a flap organizer in the front fascia, as well as multiple zip pockets for business cards, baseball cards, your passport, and other flat goods. The flap organizer is my catchall for small tools and keychains that I tote with me all the time.

From a hardware perspective, I carry the following:

  • Late 2016 MacBook Pro 15” with TouchBar, 1TB, 16GB
  • iPad Pro 12.9” with Apple Pencil
  • iPhone 7 Plus (Matte Black)
  • AirPods

The MacBook Pro and iPad ride back to back in the padded laptop sleeve in the center of the bag, and the iPad behind in the protected position. 

Inside my bag itself I have a couple of organizers that serve as containers for primary work tasks, and they keep the contents protected and clearly identified and organized in case I need them. The bigger of the organizers is a Skooba Cable Stable DLX, with multiple mesh pockets to allow easy visibility into the contents, and elastic tension loops to hold the contents in place.

Contents, Left Side:

  • Mini DisplayPort to DVI Adapter
  • Wired EarPods
  • USB-C to Lightning cable – 2-meter
  • USB-C to USB-C charging cable – 2-meter
  • 27W USB-C Charger
  • Diskwarrior USB Drive
  • OWC Envoy Pro Mini USB Drive
  • LED Flashlight

Contents, Right Side:

  • Lightning to 3.5mm adapter
  • Paracord USB-A to Lightning Cable
  • Thunderbolt 2 to Gigabit Ethernet Adapters (2)
  • USB-A to USB Micro Cable – 6-inch
  • Netool Smart Network Terminal
  • USB-C to Lightning Cable – 2-meter
  • Belkin USB-C to Gigabit Ethernet Adapter (2)
  • Thunderbolt 3 to Thunderbolt 2 Adapter

Contents, Center Spine Loops:

  • USB-C to USB-A Adapters (2)

I don’t have a lot of notes on this set, except to say that extras are always welcome, especially when you think about all the times your clients need something, and you just supply it out of clean blue air, and replace it later. 

In addition to my primary organizer, I also keep a smaller Cable Stable Mini outfitted with my SpecAn gear. This includes a full Metageek set, including a WiSpy DBx for peeking at the 2.4 and 5 Ghz spectrum in their entirety, as well as a Linksys AE2500 USB WiFi stick for use with Channelyzer in my Windows VM (Windows VMs on the Mac can’t talk too the AirPort interfaces, we just get a raw network socket, so this is our workaround) as well as the USB-A to USB Mini interface. In the pocket I keep the antenna and hook. Sometimes I throw the Oscium Lightning-based SpecAn in this as well, but most times it’s loose in the pocket.

And then there’s everything else! This list starts at the upper left corner and works clockwise:

  • Thunderbolt 2 cable, 2-meter
  • Carmex
  • Field Notes notebook
  • Velcro Straps
  • USB 3 SANdisk Extreme
  • Code 42 branded microfiber cloth
  • Cleaning wipes
  • POE Injector
  • OLALA 13000mAh battery
  • PSUMA-branded 4000mAh backup battery
  • sticky-backed velcro strips
  • RJ-11 and RJ-45 jack ends
  • Zipties
  • Sugru moldable plastic
  • Pentalobe and Tri-wing screwdrivers
  • Gotenna bluetooth radio for texting when there’s no cell service
  • USB-A Voltimeter/Ammeter

That’s a look inside my daily carry. It’s pretty amazing how much stuff I tote around on a daily basis. 

UniFi CloudKey Basic Setup

After the last post, my friend Thomas Fuchs asked me if I might do a little service journalism:

So I toddled off to Amazon, and picked up a UniFi CloudKey ($79 or so), and a UniFi PRO AC access point ($130 or so) for delivery. I already have a router here at the house (Kerio Control Box, and a small POE Switch (Netgear GS110TP, $110 today). I won’t be covering the Ubiquiti Security Appliance ($110) or Ubiquiti 8-port UniFi Switch ($200) setup in this piece, though I’ll be ordering ones to play with for a future piece.

Ubiquiti CloudKey and UAC Pro
Ubiquiti CloudKey and UAC Pro

Why a CloudKey At All?

Ubiquiti Networks are designed to work with a controller of some kind. This can be a downloaded application that runs on a computer you already have, or be configured to run on an Amazon Web Services t2.micro instance (free for a year, $150/yr after that), but the easiest way to have a small dedicated appliance that’s ready to go at the first moment is the CloudKey, a small appliance, slightly longer, but slightly narrower, than a Raspberry Pi.

The CloudKey is your dedicated controller for your network, be it just an AP, or an AP and a switch, or a couple APs, a switch or two, and a security gateway.

What’s Included

Since Amazon is the world’s most efficient shipping operation, everything showed up in one medium-sized box. The Cloud Key and the PRO AC each come with (almost) everything you need to make this all go.


  • CloudKey Appliance
  • Ethernet Cable
  • Memory Card


  • UAC Pro AP
  • Mounting Kit
  • POE Injector
  • Cover

This is almost everything you need to make a go of it. What’s missing? Well, if you lack a POE switch, you need a 5V/1A Micro USB power source for the CloudKey. And, for the UAC Pro, you’re going to need one Ethernet cable if you have a POE switch, and two if you just have a standard switch. So, plan ahead, and if you’re not using a POE switch, stock your supply kit accordingly.

Setup is a two-part process: CloudKey first, then Network.

CloudKey Setup

Open the box, and you’ll see there’s three things in there, save the manual: The appliance itself, a stubby 6″ Ethernet cable, and a Micro SD card.

Slide the Micro SD card into the rear of the device, taking careful note of the pictogram on the device to line it up properly. Once you’ve got the card in place, plug in the ethernet cable to the device, then into your switch. If you’re flying without a POE switch, plug in the Micro USB cable.

This will boot the device, and you’ll see a white light on the center of the CloudKey as it starts up.

The next step requires access to your router, or the installation of their Device Discovery Tool. Once you’ve determined the IP address of your CloudKey, visit that address in a browser. They recommend Google Chrome, or Mozilla Firefox, but my experience says Safari for macOS and iOS both work just fine.

CloudKey Initial Login Screen
CloudKey Initial Login Screen

This is the initial screen for the CloudKey. We’re going to start on the bottom half, Configure Your UniFi CloudKey.

The CloudKey will walk you through initial setup. You login with the ubnt : root combination of username and password, and it will take you through the rest of the easy steps where you set your locality, an administrator password, and the rest. Once you’ve gotten to the main interface, you’ll want to check to make sure that your CloudKey is up to date. Mine shipped with 0.4.3, and 0.5.5 is current as of the authoring of this post.

UBNT CloudKey Interface
UBNT CloudKey Interface

I found that once I upgraded the firmware, I still got a “Hey, turn the device back on!” message, for the first two refreshes of the admin page. That did go away eventually.

Ubiquiti Network Setup

Once you’ve got a password for the CloudKey and it’s been setup and provisioned, it’s time to start working on the network itself. Plugin the UAC Pro if you haven’t already, and make sure the LED in the main ring activates.

Go back to the CloudKey address, and this time, instead of setting up the CloudKey, you’re going to want to setup the Network itself, the top option.

First up, Location & Timezone. This one’s easy.

Initial Ubiquiti Setup Screen
Initial Ubiquiti Setup Screen

You’ll now see the UAC Pro and you’ll want to continue. Check the box next to your AP, and click Next.

Ubiquiti Device Setup
Ubiquiti Device Setup

Here’s where you setup your initial network name (the Secure SSID) and password (the Security Key) for your Wi-Fi network.

Configure SSID
Configure SSID

Then setup your Controller username (different from the CloudKey admin!) and password.

Controller Access Setup
Controller Access Setup

Last up, you have to setup your Ubiquiti account. If you haven’t yet, you can setup a Ubiquiti account before starting, otherwise, it’ll guide you through that process as well. This is what you can tie your whole chain together with – Security Appliance, Switches, APs and CloudKey.

That’s the basics of the wireless network configuration. There’s more control available, though. By default, the UAC Pro uses 20MHz channels in 2.4GHz and 40MHz channels in 5GHz. The sidebar of the main controller view will let you alter the radio controls of the APs. Select the Device, and click the Configuration heading.

Device Configuration Detail
Device Configuration Detail

Here, you can select the channelization of each radio, as well as the channel width and broadcasting power. You can enforce Airtime Fairness, if you’re worried about device dominance, or use Band Steering to force your devices to use 5GHz as much as possible. You can also configure your device’s IP information here, give the AP a specific name.

You can also setup basic maps of your APs using the Maps section and blueprints of your space. This will, if you have multiple APs, let you triangulate the location of devices, as well as map coverage areas and guesstimate signal strengths based on readings from each location. While no substitute for a proper survey, it’s a pretty good guess for getting started.

Next time: Setting up the Security Appliance and integrating the two.

Whither Wi-Fi? Recommendations in an AirPort-less World

Today, Bloomberg Technology News released a story that heralded the death of one of my favorite products over the years, the AirPort. It is one of the few products currently available at Apple that predates my career as an Apple Admin(1). Over the years, we’ve seen a lot of features crammed into these little boxes, and I have a tremendous fondness for them overall.

My thanks to Apple for building a good, solid little box that did so much. I’ve got some recommendations that I’ve been thinking about for some time, along a couple different lines of thought:

Budget Performance

I have yet to find a device that I like more than the current AirPort Express, just in terms of what it does: Home Router, Home Wi-Fi, AirPlay speaker, remotely managed. There isn’t anything I’ve found that is as easily-managed as the AirPort line is. But there are some good options:

  • Archer C7 (<$99) – 802.11ac, 3×3:3, USB Port for basic NAS

* The UI doesn’t totally blow
* Good performance for throughput
* Good coverage for 5GHz for single-floor, drywall construction dwellings

* Not great at density
* Not very useful just as an access point
* NAS performance very limited.

* Synology UI that you like from your NAS
* Beamforming Support to alter coverage areas
* Good performance for throughput

* No USB for direct storage, meant to be used with an existing Synology NAS

Mesh Networking

In the early days of Wi-Fi, Wireless Distribution System (WDS) was an extension of 802.11g that would allow you to use Wi-Fi access points as wireless relays to expand coverage. I wrote a piece for an early edition of Make Magazine on how it works, and it’s been something we’ve used various places over the years, but mostly only when we’ve had to. Each wireless link in the chain can halve your bandwidth, and clog the airwaves. It’s a last ditch effort.

Or, it was, until some new players like eero and Luma started to dip their toe in the proprietary Wi-Fi world, and brought legacy companies like Netgear to the fight. Neither eero nor Luma carry Wi-Fi Alliance certification, but I don’t think that should be the end-all, be-all of the world. I’ve recommended both eero and Luma to clients, and some have adopted it. There are some interesting choices that they’ve made, and there are some consequences to that. Overall, these technologies share the same Pros & Cons:

* No wires required!
* iOS App Setup
* Interesting features not found in other platforms
* Works as a Router solution

* less configurable radios
* proprietary is harder to troubleshoot
* wireless backhaul is still problematic for throughput

eero 3-pack – $499
Luma 3-pack – $296
Netgear Orbi 2-pack – $397

Prosumer Wi-Fi

There are a couple of good options from the big providers of Wi-Fi for home use, too. They’re a step up in cost, but they come with a good step up in performance, too. These are all pure access points, though, they’re not routers, and they don’t have router-like options. This is all about the best Wi-Fi you can build, not AirPlay, not Routing, not remote management.

UniFi and Xclaim are the two that I see most often, and both represent good values. Xclaim is the budget line from Ruckus, and is meant to be cloud-controlled. It is equivalent to the R300 and R500, but without the 6dB of interference mitigation or any of the beamforming that make their APs my go-to on the Pro side. The UniFi APs from Ubiquiti are solid performers, but don’t carry the interference mitigation a large urban environment may require.

  • Xclaim Xi-3 ($249) – 802.11ac, 2×2:2, Made by Ruckus
  • Xclaim Xi-2 ($220) – 802.11n, 2×2:2, Made by Ruckus

* Free cloud dashboard
* Includes POE Injector
* Supports multiple SSIDs and controls
* iOS/Web configuration tools

* No beamforming or interference mitigation
* Only 2×2:2

* Good value APs
* Works with a local Cloud Key controller or AWS t1 micro instance
* Supports multiple SSIDs and controls

* Interference mitigation is a problem in dense environments
* 802.11n AP susceptible to hardware failure after 2 years
* UAP-PRO is only 2×2:2
* UAP-AC is almost $300.
* Needs either a Cloud Key or an AWS instance for best management.

Final Thoughts

The end of the AirPort is a sad day for me, I’ve probably managed close to 100 of them for clients in the last ten years, and I know we are currently supporting 25 of them in daily use. I don’t think there’s a good AirPlay option out there to replace them, sadly, so if that’s your current favorite streaming audio technology, now would be a good time to stock up on extras.

AirPort was a groundbreaking technology when it was released, and the first AirPort-capable Macs were magical in a way that we take for granted now. When people ask me what my favorite miracle of modern technology is, I reply without hesitation: Wi-Fi. Apple lead the way for a long time, focusing on building consumer-friendly products that did a lot. None of the solutions above carry with it the user-friendly function-focus of the AirPort, and that makes me sad. But, new companies like eero and Luma are making wireless do things that Apple has decided not to do, and so the future lives with them, or with the professional access point manufacturers who work down market like UniFi and Xclaim (Ruckus). I think we’re in good hands, even if they’re not Apple’s.


(1) The portables have all changed names, the mini, iPod, iPhone and iPad didn’t exist, the PowerMacs became the Mac Pro, only the AirPort and the iMac carry their original monikers. Crazy, right?

Tech Tips for a Hostile World

I’m not all the way through Kubler Ross just yet, but I’m starting to think about how to respond in a way that’s productive, engaged, and focused on reality.

I’m a tech person, so I’m gonna talk about tech things. There are people that are going to be able to talk to you about effective protest tips, effective lobbying, good organizations to send money to, and all those things. This isn’t about that.

One of the most important things in a hostile world is the ability to protect yourself, and your communications. I’m going to tackle this in a couple different pieces:

Encrypt Your Mac

In a world where the central authorities are scary, and where you might want to protect your data, it’s really important to have some level of data protection. I strongly recommend the Filevault 2 technology that’s built into macOS and Mac OS X 10.9 and later. If you have a laptop with fast storage (an SSD), you won’t notice a difference. If you have an older machine with a spinning drive, this will cause a 20% performance hit.

Your computer may have helped you turn this on already. Open System Preferences, go to Security & Privacy, and click on the FileVault tab.

You will see a message that is unequivocal about the status of your computer’s drive. If FileVault is off, turn it on.

When you turn on FileVault, as part of the encryption process, it will generate a key that can unlock your computer that is separate from your computer password. This is a failsafe key designed to get you back in if everything else has gone to hell. Your computer will offer to escrow the key with your iCloud account with security questions protecting it. You can provide security questions there, but know that any answers you give are case sensitive and will need to be provided to Apple exactly as they are written in order to recover that key.

I wouldn’t recommend this if you’re really concerned with security, though. I would strongly recommend you print a copy of that key and give it to someone you trust, or someone that is bound by contract to store it without turning it over, like your lawyer if you have one. You could probably talk to a trusted IT professional who would keep that key safe.

Use iOS’ Built-in Security

While the Black Jeopardy skit makes fun of using your fingerprint on your phone, saying “that’s how they get you,” the TouchID sensor on iOS devices – and coming soon to a laptop near you – is a remarkably secure technology. The TouchID sensor has a direct connection to the Secure Enclave co-processor on the device, which uses encryption techniques that even the FBI and NSA will have trouble working against. Your fingerprint is tied to your passcode, and without your passcode, on boot your phone will not accept your fingerprint as proof of identity.

That means if you’re in trouble, shut your phone off.

All of this advice applies only to personally owned phones. If you’re using a phone that work gave you, do not expect privacy on that device, and don’t sign into your secured services on a work-owned device. Work-related devices will often be enrolled in a Mobile Device Manager that your employer can use to clear your passcode and provide access to third parties. This is the end-around for the San Bernardino situation that saw Apple in court with the FBI. If the device isn’t 100% yours, it’s not something you should trust your privacy on.

Use Only End-to-End Encrypted Messaging

If you’re part of the overall iOS/macOS ecosystem now, iMessage is a technology that is encrypted from device to device, which means no one in the middle can decrypt those communications. When your device connects to the iMessage servers for the first time, it creates a set of encryption keys that are used in all future communications, and those keys are what keeps your communications secure. Every message is individually encrypted using those keys, and the public keys of the person you are talking with. No third party can read them. This is called end-to-end encrypted messaging.

Facebook’s WhatsApp also uses end-to-end encryption. Please be aware that Google’s Allo and Google Talk products do not use end-to-end encryption, nor does AOL’s Instant Messenger, nor is standard SMS encrypted. These are all technologies that can be warranted and searched, and shouldn’t be considered private communications.

Use a VPN

There are a lot of great options you have to protect your traffic from prying eyes at your internet service provider, or the ISPs of your favorite coffee shop or any other public place. I recommend Cloak which is $120/yr for unlimited data, and shunts your data traffic securely out to an Amazon instance. Their privacy policy isn’t perfect, but take solace in the fact that, at least for now, the FBI won’t be knocking on their door until well after the 16 day window for records expires.

There are other options for this, and I would encourage looking around. I’ll update this post with other suggestions.

Use a Password Manager

Lastpass, 1Password, the iCloud Keychain, these are all examples of password managers, designed to help you use unique and complex passwords to access your online accounts. It’s good practice to have a unique password for every service you use. Embrace this, and use a good password manager with a strong master password you can remember.

Use Two-Factor Authentication

Much as your ATM card is useless without the PIN you have memorized, if you’re using two-factor authentication (2FA), just having your password won’t be enough to get access. Your Google, Dropbox, Facebook, Twitter and other accounts can support 2FA, and if you want a step-by-side guide, there’s a good one at Turn on 2FA, and you can use that to help you. I’ve been using Authy on my iPhone, and it’s been pretty great so far.

Join Organizations That Will Fight For Your Privacy And Rights

We’re all just individuals, but when we band together, our powers for good can magnify. I strongly recommend picking some organizations to join and be part of to help fight the battle on your behalf. Here are some organizations I’ll be donating to:

You can pick your own, or join me with these three. Suggest more in the comments!

Never Surrender, Never Give Up

I’m pretty exhausted right now, and I’m not sleeping well, but I figured it might help to outline some things people can do to help improve their privacy in the face of a government that is increasingly hostile.

Because of, and in Spite of, Cupertino

After Saturday’s piece, I stopped to think more about the state of the Mac, the state of Mac IT, and the state of Apple, generally. I am left with even more confusion than I had hoped.

First, let me be upfront: I am, to borrow a title from my friend Marcus Ransom, a consulting Apple engineer. I don’t work for Apple, but I work around Apple, sometimes hand-in-hand with Apple (often their local Retail stores who have been excellent partners for us and for our mutual clients.) We’re the parties responsible for the continued operation of these machines after they leave the factory, and until they are put out to pasture. In short, I’m the guy that makes sense of how these machines are used every day, and I’ve been doing it for fifteen years.

Second, let me be clear: I have been an Mac user since I was 5. I have used a Fat Mac, Mac Plus, Mac SE/30, Mac II, PowerMac 6100/60, PowerMac 8500/120, Blue & White G3, Lombard PowerBook G3, Titanium PowerBook G4, iMac G5 and then a series of MacBook Pros, from 2010 to 2014, and Mac minis from 2009 through 2014. My bona fides here are a lifetime of machines from Apple, and probably close to $20,000 in personal dollars, and in the last four years, probably closer to 400 machines for clients, representing more than half a million dollars.

The last five years have brought incredible leaps forward in the management and development of Macs. A lot of that work came behind the scenes from Cupertino, as Apple built technologies like FileVault 2, System Integrity Protection, the MDM Specification, better Active Directory plugins, and better user tools like Photos, and expanding services (which some don’t yet trust, understandably) like iCloud. You can couple that with good, reliable, affordable hardware, that carries good extensibility, even if good expandability is no longer on the table.

But, a lot of that work came out of the community, as tools like munki, autopkg, AutoPKGR, AutoDMG, and Deploy Studio have created an ecosystem out of the gaps and hooks left by Cupertino. Other providers like Jamf, Filewave and Lanrev have built their own ecosystems out of that space, as well. Those are the pieces that are holding together the Mac in the field, those are the implementation details that Apple lacks in their complete entirety.(1) Those are the pieces that make a Mac up to $500 cheaper to support over its life.

In many ways, Apple is succeeding because the community and the marketplace are driving them to success, and the community is doing it in spite of the obstacles that Apple is placing in its path, be those increased security requirements, or be those new, less effective hardware and core software opportunities. In many ways, the community exists because they love what Apple has done in their past, the hardware, the innovation, the entire package. I don’t expect that there will be a wholesale migration to Windows, or to Desktop Linux (as funny as that might be), I can see a community that’s less enthusiastic create less imaginative tools. Less useful tools. Less functional tools.

We are where we are because of Cupertino, no question. The Macs of my youth, of your youths, represented the pirate spirit we all champion now.

We are where we are in spite of Cupertino, also. The tools we are making ourselves, or buying in the marketplace, are every bit the equal – perhaps more – of the Mac itself.

For all of my career, I have been a Mac person because of personal affinity. That affinity remains. But realizing that we are now the engine of how the Mac works instead of Cupertino, that’s the biggest shock I’ve had in ages.

The bigger shock is that it’s been true for longer than I thought. But what’s that mean?

Reading The Tea Leaves

There’s a change to the management of Macs that is coming soon, if my reading of the tea leaves is correct, that makes community-based Mac management tools and workflows much, much harder to use. If you haven’t yet, stop and read Mike Lynn’s m(DM)acOS, which lays out a lot of the ground work for the reading we’re all doing. The push toward an MDM-only future has three problems that I can see:

1) Currently, Community-based MDMs are an implementation nightmare

Right now if you want to spin your own MDM, you’re in for a world of hurt, and Apple isn’t making that process easy for you. In some part, this may represent a push toward commercial solutions like Jamf Now, Airwatch, Meraki Systems Manager, which have had the MDM Spec for a number of years. That would be fine, but for the fact that we’re now attached to two separate organizations who aren’t responsible to us.

2) Apple is then the only Gatekeeper for management

In a world where the only install commands come from mdmclient commands, you’re stuck using an MDM of some kind, and that’s going to eat into that $534 savings that Apple will be so keen to advertise at CIO/CTO forums for the next few years. Couple that with Apple’s aggressive stance toward deprecation, and the cautious admin, or the one who needs customization, is faced with a difficult or impossible future.

3) Device Management still isn’t a solved problem for the Mac

There are a lot of things you can’t set with config profiles as it stands, and there are a lot of things that admins need to deploy that can’t come in that pathway. We’re hopeful that Apple is listening to our coversation, and will respond to our Radars, but that’s far from a given.

These three problems represent the biggest challenge for the community in a generation. While IT Admin Generations are much shorter than People Generations, this is the biggest step for us since the end of fat images. It’s actually a bigger challenge, because it may involve us leaving our LaunchDaemon-based solutions behind, in favor of mdmclient commands that don’t yet exist. We’re faced looking at the edge of the known world not knowing there’s a map of any kind at the horizon.

That is both wonderfully freeing, and terribly scary. We’re about to all be explorers again.

So, What Should Happen Next?

I am just one member of the Apple Consultants Network supporting 400+ Macs. There are organizations far more likely to get responses from Apple than I, and they’re actually far more capable to determine the effective future of management, because they have whole members of their team who can be tasked to think about it.

But, if this post happens to find itself at Infinite Loop, and you wanted my advice, this is what I’d ask for:

1) Bring Back the Admin Track at WWDC. If this is the goal, take the time to enframe the vision for those of us who will be tasked to implement it. Right now there aren’t a lot of compelling reasons to go MDM-only for the Mac. DEP is a good start, but it doesn’t represent the entire spectrum of management needs. Let’s do this together, discuss it together, and bring the engineers to meet the implementors. It will be critical to your success.

2) Build Your Path With Signposts. I am very grateful to those wise voices within the Apple ecosystem who have been leaving breadcrumbs along the path. Breadcrumbs aren’t enough. Build signs, and let us help show you the sections of the path where we’re walking in the grass because it’s more efficient.

3) Focus on Building Great Software and Hardware. I’m not going to retread Marco Arment’s “Functional High Ground” argument, because I didn’t totally agree then, or now, but I will say that the number of users who have pushed back against software changes for change’s sake has been substantial, and it’s leading to questions like “What is going on over there?!” from a lot of corners I never would have expected. I know so many Apple employees who just want to build amazing things, please help them find the way toward building things that we can all use and love, even if it means slowing your pace to get them right. I don’t think I’m the first person to say this, I won’t be the last, but this isn’t iterate or die season unless you’re iterating badly.

I’ve spent ten years building our practice to support the Mac, and the last four years to programmatically support the iPad and the iPhone. I am all-in on this, and I know so, so, so many other admins and consultants and technicians who are right there on the front lines with me. We just want to make this all work, and more importantly, work well, so that we’re not stumbling about in the dark.

I know this runs against the grain of Apple’s longterm goal of producing incredible products in secrecy, showing them only when the time is right. I understand that the stock market is a weird thing that makes disclosures subject to regulation. There must be a way to innovate around these restrictions and provide good guidance toward the future without speaking in vagueries and platitudes. Please help us see this. Thursday didn’t help.

(1) Please don’t bring up Profile Manager. I still have scars. It doesn’t count.