We All Come From Somewhere

This photo, from the Davis Enterprise, circa 1986-ish?, shows me with my third grade teacher, my elementary school principal, my Dad, and an engineer from the University in the town I grew up in.

I am absolutely a product of growing up in a University town, with involved parents, with schools that saw the future early and had the connections to figure it all out.

The next generation of people that do what we do now are out there, and they have to be more representative of our world than our current community is.

We all come from somewhere. There’s a spark in everyone’s life that makes a job a career. We can be the principal, the engineer, the parent, the teacher. Who are we preparing for what comes next? That’s what Carole Franti, Mary Ellen Dolcini, Adam Bridge and Charles Soderquist taught me, starting with that Apple ][. That’s why I give talks and teach workshops now.

Complex is not a Pejorative

From Volume 100 of Techno Bits:

The existing complexity of DEP, though, gives us choices. There’s no reason we couldn’t set up multiple MDMs for multiple departments within an organization, allowing central management of assets, and separate management of devices at the department levels, allowing for good competition between MDM vendors in the mid-level of the environment. Having multiple options is good, because it gives us choice, and it avoids obvious anti-trust complaints.

Read the whole thing. Complex shouldn’t be immediately pejorative. Good management can, and almost should, be considered a complex task.

VPNs: A Good Practice

TW: This Post Has Political Content

A Summary of the Privacy Problem

Congress has decided, for whatever reason they have chosen to represent as to why they’re acting, and frankly, none of them are too well-explained, that your Internet Service Provider can continue building a file on every site that every device on your home and work internet connection visits.

Ostensibly this is for marketing purposes – i.e., to sell those results to third parties who want to buy them in bulk – and it means that the connection that you pay for each month isn’t entirely your own.

This is, as one might imagine, a frustrating betrayal of trust, more so when you consider that we are not blessed with robust competition in most residential marketplaces, and there are only a rare few ISPs that can afford to stand on moral grounds against this tactic.

It used to be that you could opt out of the “super cookie” Unique Identification Headers (UIDH) that companies like Verizon are already appending to your HTTP requests.

Yeah, that’s sleazy. They are trying to make you, their customer, more visible to advertising partners based on your existing actions.

One of the late actions of the Obama Administration was to pass through the Federal Communications Commission new rules that would protect your online privacy from prying eyes of third party marketing organizations. They were set to take effect late in 2017.

Thanks to aggressive lobbying of the Congress, and an abdication of any desire for an individual right to privacy on the part of Legislative and Executive branches, these communications giants are going to take a second turn at squeezing more revenue out of their networks, and they’re going to do it to their customers without so much as a discount for being their unwilling partners in marketing.

Okay, That Sucks, Now What?

So, what’s a person to do if they want to keep their surfing habits – which in many cases contain personally identifying and possibly embarrassing information – away from their ISP’s prying eyes?

There’s an easy way to help prevent their access, and that’s to use a Virtual Private Network, or a VPN. That’s a way of sending all your outbound internet traffic securely to a third party before it passes through to the internet as a whole.

What’s that look like? Think of it this way: imagine that you want to send a secret letter to a friend. You don’t want anyone in your local post office to know that you’re sending a note to John Smith in Des Moines, Iowa, so you pack up your sealed letter to John in a letter to another friend, Betty Johnson of Dubuque, Iowa, with a note to please mail this letter for you from her local post office. The post office sees that you sent a letter to Betty, but because there are rules against opening your mail, they can’t read it. Then, Betty receives your message, posts your letter to John, and no one’s the wiser.

That’s what a VPN does. It’s a secure way to send all your traffic to a third party to act on your behalf. You securely wrap your traffic and hand it to that third party before it gets out to the rest of the internet.
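To make the letter-in-a-letter picture concrete, here is an added Python model (not code from the original post or from any VPN vendor) of what each party on the path can see. It goes slightly beyond the analogy: it shows the ISP’s view without the tunnel, the ISP’s view with it, the VPN provider’s view on the far end, and what leaks when one kind of traffic (DNS) is routed outside the tunnel. The hostnames, addresses, key and the HMAC-based stream cipher are constructed stand-ins, not real endpoints or a real VPN protocol.

```python
"""Added example: which on-path party can see your destinations, with and
without a VPN tunnel.  Not code from the original post; all hosts,
addresses and the key are constructed sample values."""
from dataclasses import dataclass
import hashlib
import hmac
import os

VPN_ENDPOINT = "203.0.113.10"   # constructed: the VPN provider's server (TEST-NET-3)
HOME_IP = "192.0.2.7"           # constructed: the customer's home connection (TEST-NET-1)
NONCE_LEN = 12


@dataclass(frozen=True)
class Flow:
    """One outbound connection as seen on the wire: who sent it, where it
    goes, and the first bytes of what it carries."""
    src: str
    dst: str
    payload: bytes


# Constructed sample traffic from one home connection.
SAMPLE_FLOWS = [
    Flow(HOME_IP, "dns.example.net", b"DNS query for www.example-health.org"),
    Flow(HOME_IP, "www.example-health.org", b"TLS ClientHello SNI=www.example-health.org"),
    Flow(HOME_IP, "news.example.com", b"GET / HTTP/1.1 Host: news.example.com"),
]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for the tunnel's
    real cipher.  Illustrative only; it is unauthenticated and not what any
    VPN product ships."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def _open(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


def wrap_in_tunnel(flows, key: bytes, route=lambda f: True):
    """The letter inside a letter: each routed flow is serialised, encrypted,
    and re-addressed to the VPN endpoint.  Flows for which route() is False
    bypass the tunnel (a split tunnel, or a DNS leak) and stay visible."""
    outer = []
    for f in flows:
        if not route(f):
            outer.append(f)
            continue
        inner = f"{f.src}|{f.dst}|".encode() + f.payload
        outer.append(Flow(f.src, VPN_ENDPOINT, _seal(key, inner)))
    return outer


def unwrap_tunnel(flows, key: bytes):
    """What the VPN provider does, and therefore sees, for each tunnelled flow."""
    inner = []
    for f in flows:
        if f.dst != VPN_ENDPOINT:
            inner.append(f)  # not tunnelled; passed through unchanged
            continue
        src, dst, payload = _open(key, f.payload).split(b"|", 2)
        inner.append(Flow(src.decode(), dst.decode(), payload))
    return inner


def observed_destinations(flows) -> set:
    """All a party on the path can build a 'file' from: the destinations it sees."""
    return {f.dst for f in flows}


if __name__ == "__main__":
    key = os.urandom(32)
    print("ISP, no VPN:      ", sorted(observed_destinations(SAMPLE_FLOWS)))
    tunnelled = wrap_in_tunnel(SAMPLE_FLOWS, key)
    print("ISP, with VPN:    ", sorted(observed_destinations(tunnelled)))
    print("VPN provider sees:", sorted(observed_destinations(unwrap_tunnel(tunnelled, key))))
    leaky = wrap_in_tunnel(SAMPLE_FLOWS, key, route=lambda f: not f.payload.startswith(b"DNS"))
    print("ISP, DNS outside: ", sorted(observed_destinations(leaky)))
```

The point the model makes is that the tunnel does not remove the observer; it moves the observer. The ISP is left with one destination, but the provider on the far end sees every site name the ISP would have seen, which is why a VPN provider’s logging and privacy policy is the thing to read before paying for one. The last case also shows why “not perfect” matters in practice: any traffic that is routed around the tunnel, DNS lookups being the classic example, still reaches the ISP in the clear.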

It’s not perfect, but it at least prevents some of the skeeviest trends in local ISPs. Drawbacks to using VPNs include weird results for Location searches, a performance hit to your internet speed, and perhaps the inability to view location-specific programming.

Personally, for a recommendation, I like Cloak. It uses multiple data centers around the world to route your traffic, and while they do keep user logs of data, it’s short-lived, and their privacy policy is quite strong. It costs $99/year for unlimited data, and they have both macOS and iOS applications that make this process very easy to adapt to and that’s a good thing.

I don’t make anything from a referral to them, but I do use their product and endorse it. It’s an easy VPN to set up. Give it a try if you spend a lot of time on unencrypted Wi-Fi, or if you don’t want your ISP to have access to your surfing history.

Because of, and in Spite of, Cupertino

After Saturday’s piece, I stopped to think more about the state of the Mac, the state of Mac IT, and the state of Apple, generally. I am left with even more confusion than I had hoped.

First, let me be upfront: I am, to borrow a title from my friend Marcus Ransom, a consulting Apple engineer. I don’t work for Apple, but I work around Apple, sometimes hand-in-hand with Apple (often their local Retail stores who have been excellent partners for us and for our mutual clients.) We’re the parties responsible for the continued operation of these machines after they leave the factory, and until they are put out to pasture. In short, I’m the guy that makes sense of how these machines are used every day, and I’ve been doing it for fifteen years.

Second, let me be clear: I have been a Mac user since I was 5. I have used a Fat Mac, Mac Plus, Mac SE/30, Mac II, PowerMac 6100/60, PowerMac 8500/120, Blue & White G3, Lombard PowerBook G3, Titanium PowerBook G4, iMac G5 and then a series of MacBook Pros, from 2010 to 2014, and Mac minis from 2009 through 2014. My bona fides here are a lifetime of machines from Apple, and probably close to $20,000 in personal dollars, and in the last four years, probably closer to 400 machines for clients, representing more than half a million dollars.

The last five years have brought incredible leaps forward in the management and development of Macs. A lot of that work came behind the scenes from Cupertino, as Apple built technologies like FileVault 2, System Integrity Protection, the MDM Specification, better Active Directory plugins, and better user tools like Photos, and expanding services (which some don’t yet trust, understandably) like iCloud. You can couple that with good, reliable, affordable hardware, that carries good extensibility, even if good expandability is no longer on the table.

But, a lot of that work came out of the community, as tools like munki, autopkg, AutoPKGR, AutoDMG, and Deploy Studio have created an ecosystem out of the gaps and hooks left by Cupertino. Other providers like Jamf, Filewave and Lanrev have built their own ecosystems out of that space, as well. Those are the pieces that are holding together the Mac in the field; those are the implementation details that Apple lacks in their entirety. (1) Those are the pieces that make a Mac up to $500 cheaper to support over its life.

In many ways, Apple is succeeding because the community and the marketplace are driving them to success, and the community is doing it in spite of the obstacles that Apple is placing in its path, be those increased security requirements, or be those new, less effective hardware and core software opportunities. In many ways, the community exists because they love what Apple has done in their past, the hardware, the innovation, the entire package. I don’t expect that there will be a wholesale migration to Windows, or to Desktop Linux (as funny as that might be), but I can see a community that’s less enthusiastic creating less imaginative tools. Less useful tools. Less functional tools.

We are where we are because of Cupertino, no question. The Macs of my youth, of your youths, represented the pirate spirit we all champion now.

We are where we are in spite of Cupertino, also. The tools we are making ourselves, or buying in the marketplace, are every bit the equal – perhaps more – of the Mac itself.

For all of my career, I have been a Mac person because of personal affinity. That affinity remains. But realizing that we are now the engine of how the Mac works instead of Cupertino, that’s the biggest shock I’ve had in ages.

The bigger shock is that it’s been true for longer than I thought. But what’s that mean?

Reading The Tea Leaves

There’s a change to the management of Macs that is coming soon, if my reading of the tea leaves is correct, that makes community-based Mac management tools and workflows much, much harder to use. If you haven’t yet, stop and read Mike Lynn’s m(DM)acOS, which lays out a lot of the ground work for the reading we’re all doing. The push toward an MDM-only future has three problems that I can see:

1) Currently, Community-based MDMs are an implementation nightmare

Right now if you want to spin your own MDM, you’re in for a world of hurt, and Apple isn’t making that process easy for you. In some part, this may represent a push toward commercial solutions like Jamf Now, Airwatch, Meraki Systems Manager, which have had the MDM Spec for a number of years. That would be fine, but for the fact that we’re now attached to two separate organizations who aren’t responsible to us.

2) Apple is then the only Gatekeeper for management

In a world where the only install commands come from mdmclient commands, you’re stuck using an MDM of some kind, and that’s going to eat into that $534 savings that Apple will be so keen to advertise at CIO/CTO forums for the next few years. Couple that with Apple’s aggressive stance toward deprecation, and the cautious admin, or the one who needs customization, is faced with a difficult or impossible future.

3) Device Management still isn’t a solved problem for the Mac

There are a lot of things you can’t set with config profiles as it stands, and there are a lot of things that admins need to deploy that can’t come in that pathway. We’re hopeful that Apple is listening to our conversation, and will respond to our Radars, but that’s far from a given.

These three problems represent the biggest challenge for the community in a generation. While IT Admin Generations are much shorter than People Generations, this is the biggest step for us since the end of fat images. It’s actually a bigger challenge, because it may involve us leaving our LaunchDaemon-based solutions behind, in favor of mdmclient commands that don’t yet exist. We’re left looking at the edge of the known world, not knowing whether there’s a map of any kind at the horizon.

That is both wonderfully freeing, and terribly scary. We’re about to all be explorers again.

So, What Should Happen Next?

I am just one member of the Apple Consultants Network supporting 400+ Macs. There are organizations far more likely to get responses from Apple than I, and they’re actually far more capable to determine the effective future of management, because they have whole members of their team who can be tasked to think about it.

But, if this post happens to find itself at Infinite Loop, and you wanted my advice, this is what I’d ask for:

1) Bring Back the Admin Track at WWDC. If this is the goal, take the time to frame the vision for those of us who will be tasked to implement it. Right now there aren’t a lot of compelling reasons to go MDM-only for the Mac. DEP is a good start, but it doesn’t represent the entire spectrum of management needs. Let’s do this together, discuss it together, and bring the engineers to meet the implementors. It will be critical to your success.

2) Build Your Path With Signposts. I am very grateful to those wise voices within the Apple ecosystem who have been leaving breadcrumbs along the path. Breadcrumbs aren’t enough. Build signs, and let us help show you the sections of the path where we’re walking in the grass because it’s more efficient.

3) Focus on Building Great Software and Hardware. I’m not going to retread Marco Arment’s “Functional High Ground” argument, because I didn’t totally agree then, or now, but I will say that the number of users who have pushed back against software changes for change’s sake has been substantial, and it’s leading to questions like “What is going on over there?!” from a lot of corners I never would have expected. I know so many Apple employees who just want to build amazing things, please help them find the way toward building things that we can all use and love, even if it means slowing your pace to get them right. I don’t think I’m the first person to say this, I won’t be the last, but this isn’t iterate or die season unless you’re iterating badly.

I’ve spent ten years building our practice to support the Mac, and the last four years to programmatically support the iPad and the iPhone. I am all-in on this, and I know so, so, so many other admins and consultants and technicians who are right there on the front lines with me. We just want to make this all work, and more importantly, work well, so that we’re not stumbling about in the dark.

I know this runs against the grain of Apple’s long-term goal of producing incredible products in secrecy, showing them only when the time is right. I understand that the stock market is a weird thing that makes disclosures subject to regulation. There must be a way to innovate around these restrictions and provide good guidance toward the future without speaking in vagaries and platitudes. Please help us see this. Thursday didn’t help.

(1) Please don’t bring up Profile Manager. I still have scars. It doesn’t count.

Port Confusion

This video showed up in my Twitter timeline today:

The video is short, and the juxtaposition with Apple this week is almost painful. Apple is not the underdog it once was – and it hasn’t been for some time – and the marketing machine that was so critical to its success is now, I believe, running the show in ways that are holding back the products that it’s creating.

I no longer believe the design team at Apple is innovating to make the best product experience; rather, they’re deep in “pure math” territory, exploring the boundaries of innovation itself. I feel like this can go one of two ways. One of these is a future where Apple is a pillar of the desktop and laptop community; the other is a future where the Mac is both expensive and underperforms.

I fear that we’re heading toward the second future.

The cost equation for the Mac got a shot in the arm last week at the Jamf Nation User Conference, where IBM revealed that the Mac is substantially cheaper to support. 48 hours ago, Apple essentially raised prices on everything in the field. While the MacBook Air remains on sale, Apple is instead pushing a machine $500 more expensive as a “replacement” to that model.

Couple that with a machine that can only handle 16GB of RAM for “battery and performance reasons”, and a total dearth of desktop updates, and I’m left with more questions than answers. The first one is: “Why is thinner and lighter always better?” and I can’t come up with an answer that leaves me satisfied.

In the meantime, I’ll likely line up and replace my MacBook Pro, maybe buying another cable case from Skooba to hold all the extra dongles I’ll need. Don’t count me as mourning the Mac just yet, but like any friend who’s started to veer off from the path you’re taking together, I’m starting to wonder what’s up over there, and I hope I’m shown to be foolishly wrong sooner rather than later.