Business Essentials (apple.com)
611 points by judge2020 on Nov 10, 2021 | 310 comments


So just to make sure I'm reading this correctly (this is not my area of speciality so bear with me):

This is Apple-hosted MDM, yes?

I took a brief spin through this world on a consulting project a few years ago and I found it SUPER weird that Apple didn't do this already. You had to do this weird dance between Apple Business Manager and the MDM solution (we ended up with SimpleMDM but looked at a bunch). I kept saying "Am I missing something? Why doesn't this service come directly from Apple?" and everyone was as puzzled about this as I was. So I guess they're finally closing the loop here.


Agree. I manage 500+ Apple devices and have been in disbelief that Apple recommends using JAMF to manage their own devices.

I use Profile Manager included with the Server App of macOS and it is functional but limited in scope. I have expressed for years frustration that Apple recommends using MDM/profiles to manage their devices … and then doesn’t even really offer an enterprise version of the software.

Google by contrast offers a great admin console to manage Chromebook and Google devices. Surprised Apple has dragged their feet here for so long.


We used JAMF at my last place of business, and it would occasionally kill apps with a 15 minute warning. Normally this was fine, but it really sucked to get JAMFed (as it came to be called) in the middle of a presentation.

At my current company, we use something that destroys CPU and battery (unused 2019 high end MBP hangs sporadically for tens of seconds on any file system syscall, computer gets uncomfortably hot, battery lasts ~1hour on a full charge—happens to everyone I’ve talked to). Not sure what it’s called, but this falcond process always seems to be the culprit. I know nothing about MDM, but I would love it if Apple Business Essentials would be a viable alternative (hard to imagine Apple shipping such miserable software, anyway).


Some piece of company malware on my MBP causes it to panic every two or three days. Before that it got mad fan disease and had to be wiped to get it back to 'normal'.

I have eight icons in the menu bar for installed malware/spyware/whatever on my company owned laptop. That's just the stuff that has an icon, I bet there's more (including JAMF, for sure). It's ridiculous.


> use something that destroys CPU and battery

Before you even mentioned falcond, I immediately knew that it was clownstrike


falcond is CrowdStrike’s endpoint antivirus thingy, not device management.

As usual, antivirus is an exercise in trading performance for increased attack surface (and compliance).


As history shows, antivirus is an exercise in trading performance and increased attack surface for checking a box.


The issues you experienced are squarely on the shoulders of your Jamf admins.

It doesn't have to suck, but it usually does because the people put in charge of it are incompetent, or at best, semi-competent. Most self-respecting engineers run fast from this sort of thing.


Having worked with JAMF's API... I don't like it, but yeah, this is not normal and is something to do with how your company is using JAMF.

The people in charge of this are usually more of the IT than 'self respecting engineers'


I moved from a company that gave us fresh off the store MacBooks to one that managed them using jamf and a host of other antiviruses and compliance software, and I tell this to all of my colleagues: the experience you're having with your MacBooks - the poor performance, stuttering and random beachballs aren't representative of what MacBooks are actually like.


To me this "offer" sounds like the Server app with the included Profile Manager now basically becomes obsolete and will no longer be supported.

That will become an expensive solution for small businesses like the one I manage with 15 employees.


This gives some services an opportunity to offer an even lower cost offering.

The thing I worry about though is that this first-party solution will have "special" features that are not possible via MDM using private APIs or some special entitlements.


For 500+ devices I would NEVER use a solution like JAMF and go with something like InTune or better MobileIron (MI). MI just works and is an absolute no brainer.

Apple gives every option possible for managing their devices via a third party software. They don't need to offer such a software themselves. And you really don't wanna deal with the Android clusterfuck in a BYOD environment. Android is such a pain in the ass when it comes to MDM. Even if the admin console is better, the amount of complaints and support tickets with Android is so high that we just do not support this anymore.


JAMF is the leader here, but I found it to be too expensive and unfriendly. I eventually settled on Mosyle. When I originally learned about MDM I was quite surprised they had this third-party architecture.


Yes. But this is nothing new for even Apple.

Just go and look at WWDCs for the last 10-15 years. There have been regular MDM sessions to talk about features added to iOS and macOS for this.

This is also related to agreements made years ago between Apple and IBM to provide exactly this primarily because Apple has never wanted to compromise their customer connection (which in business is IT and NOT the end user), and IBM has needed the opportunity (despite IBM transitioning from Fail they are still not to a level of revenue expected for their stock price and heritage - so they are "hungry").


Business use is a collateral win for Apple.

There’s a lot of effort that goes in to support and partner channels for enterprise offerings. Making servers seemed easy enough? Look where that ended up. It’s a completely different business.


Is it? Apple is the go-to solution for all media types (photography, film making, design, architecture). The alignment with Adobe products has existed longer than either was cool.


Yes, but that is a completely different setting than an enterprise one.

Having supported large enterprises and pieces of the movie production industry I can tell you there’s a vast difference in how end-user IT is treated.

The users you are referring to are power users that get to select their own tools, more akin to developers (at decent places at least).

Currently a dev manager, about half of my dev team want to use mac. They can, with zero support from central IT.

That’s not a choice our sales org have, for example.


They already have Fleetsmith. This is their response to Jumpcloud and what not who are offering lower per user plans, as fleetsmith was around $8/device/mo.


> This is their response to Jumpcloud and what not who are offering lower per user plans

They couldn't care less about a few dollars. This is about heading off business adoption of Chromebooks, and "winning" small-medium businesses as primarily Mac shops before they become big-enterprise.


I don't see how they really compete. Google has an array of business apps that far surpass anything Apple is offering here. They would need to partner with Microsoft in order to compete against Google.


Smart play to focus on businesses with fewer than 500 employees, as those are the most likely to grow in the next 3-7 years into larger accounts, and they don't have the 12-18mo sales cycle and shenanigans of an enterprise.

It's a strategic departure from being a consumer luxury product company, and the shift to enterprise suggests they're out of ideas, but at the rate they're losing consumer growth I'd say they've still got another 150 years. Leveraging the apple store as a service point is a huge deal, as it may compensate for the additional hardware premium their products cost.

I've worked in a large number of organizations as a consultant and the Microsoft ecosystem is basically unusable to me now. Between performance issues and thoughtless design, I switch back to my Apple devices to do simple things and get real feedback from actions while I'm waiting for the Microsoft platform to respond. As a result, I manage client work on MSFT, and do real work on my Mac. With Apple getting into this space, I can't see buying another Microsoft product unless I actually hated the people I was hiring to use it.

The essence of the Apple experience is that by their products being designed to be responsive no matter what, you are always engaged and working on them for the feedback, whereas some MSFT error message means I'm going to go do something else for 15-20m while I get past the gumption trap. Current one is having to reboot the machine to reset a VPN driver just to check client site email. MSFT's problem isn't from lack of a solution, it's that the problem exists at all and as a user I am even aware of it.

I have lots of issues with Apple's social decisions, and am switching out of their ecosystem because of it so I'm not an uncritical fan, however, this announcement means they aren't just getting into enterprise, they're getting upstream of it and in 10-20 years they will have replaced a lot of it. They're dropping in on a macro trend wave that is how work itself is going to be different.


Smart to focus on smaller businesses but foolish albeit expected to only include Apple products in the solution. I'd put money on the overwhelming majority of businesses that have any Apple devices also have non Apple devices. Very few will be purely Apple environments and those that are would hardly qualify as enterprise environments. The reason is simple, Apple has failed to provide the needed suite of enterprise solutions to allow a company to build themselves around their ecosystem. You can do it in the home but Apple doesn't sell servers anymore or allow anyone to develop server products for them.


> Smart to focus on smaller businesses but foolish albeit expected to only include Apple products in the solution.

Eh, it depends why you think they are doing it.

If you think they are offering this because they want to get into selling MDM software, then yeah, it's foolish.

If, on the other hand, you imagine that they are offering this because they want to encourage small businesses to go 'wall-to-wall' Apple, and for a benefit of this to be that if you go 'Apple' you effectively have some level of a technical support contract too with on-site hardware repairs (not really offered in a compelling way by any other hardware vendor), then it might not be so foolish from a commercial perspective.

I suspect it's the latter - make going 'all in' on Apple a super appealing proposition for small businesses.

The second thing is, Windows is very appealing for small businesses because, amongst other things, configuration and management of users, sign ins, security policies etc. through AAD / Office 365 is brilliant, so this seems to close the gap a bit.

> Apple doesn't sell servers anymore or allow anyone to develop server products for them.

This seems to be more like an MDM/device management and user management/onboarding solution, not something you would install or use to manage servers.


It also seems like a progression for this product would go from "All Apple" to "Mixed Use". No need to lose the "All Apple" money while you're working on the "Mixed Use" software if you're going to take that road.


> Smart to focus on smaller businesses but foolish albeit expected to only include Apple products in the solution.

Apple isn't here to be end-all-be-all for their customers. They are there to sell products and services that make sense for their customers.

If others undercut them or provide more comprehensive service, then that's a market Apple has decided not to compete in now. Good for their competitors.


> the shift to enterprise suggests they're out of ideas

Pretty sure it's just the way to profit off of all types of users, keep cash flow coming and grow the business.

When their app store faces anti-trust, and everyone already has an iPhone and the next igadget is 5 years away, how do you generate growth?


> When their app store faces anti-trust, and everyone already has an iPhone and the next igadget is 5 years away, how do you generate growth?

I'd suggest this is the definition of being out of ideas, as the way they grew last time was they invented the iPhone, and then the iPod, and then the Airbook, Apple Watch, and AirPods. Then there was the mini tracking device to help you believe every other product wasn't already a tracking device.

Imo, the negative inflection point was the AppleTV launch where it was just a bunch of celebrities, and for Cook to stay at the helm, he needs to deliver a Jobs level win. Enterprise may be his "second envelope," as I think it's a safety play.

Reframing your question as, what can they re-invent next? That's hard to answer without being that level of design thinker. Cook's team is designing products for a very different world than the one Jobs did. The aesthetics, aspirations, and even power means different things now, as they say, what got us here doesn't get us where we need to go next. The enterprise product is going to be huge revenue wise, but innovation wise, I think it's treading water.

Maybe the smartest thing to do is to turn Apple into a company that doesn't need to run on genius anymore, and fork a design driven ventures division with a mission to get exposure to early stage brilliance instead. What Jobs did was bring artists to tech, but that whole play was predicated on a bohemian/creative class that doesn't matter the same way anymore because their rarity and scarcity was an artifact of geography that is no longer a factor. This bringing something from one place to another aspect of Jobs' vision (and cultural arbitrage) breaks down when that physical distance is no longer meaningful.

The distance to bridge with products now is intellectual, educational, cultural, political, etc, and maybe we don't want it bridged now, maybe what we desire is that distance again. The next iPhone level innovation won't be a signifier of joining the middle class of that time, it will be either a barrier to it, or an escape from it.


I largely agree with your points.

I think the ousting (quitting?) of Ive is a sign that Apple as an aesthetic force is ending, and the return to "logical" Macs instead is a sign that they're reverting from going too far. It's an acknowledgement that they have to do more than make pretty devices.

I see a very similar path to luxury car brands for luxury electronics. A mix of status, comfort and performance. I wouldn't be surprised if the "pro"/"pro-sumer" line of devices diverges even more into the future so that we have $2k iPhones. Similar to how car companies have $200k+ cars, and $75k+ cars that effectively don't compete with each other and let them invest in more expensive efforts, that serve as flagships. Alternatively, go the racing-car route, and invest in high-end engineering efforts that way. This could be similar to your "forking" idea in that they get exposure without subjecting it to mass scale.


Smart. This raises an interesting question. Cars do one thing well, and we've turned them into extended rooms of our homes, so a $200k car can make sense. What is the thing personal computers/mobile devices do well for us as users that we can just dial it up and charge 10x for it?

I don't know. Mine cryptocurrency? A fancier and more flattering filter bubble? An AI named Cyrano that identifies people and gives us tips for manipulating and blackmailing them? Spitballing here.


> that we can just dial it up and charge 10x for it?

Maybe you don't get 10x but like cars we can use more expensive materials, more expensive parts (cameras, CPU cores, screen quality).

Materials:

Apple's base model Apple Watch is aluminum, while the higher tier is stainless steel. They also lock the neutral colors behind the higher price (which I think is annoying because color is not price dependent to make).

Performance: Think about Apple's $5k monitor - the "Pro Display XDR" from a few years ago. Today, Apple sells the $1k iPad Pro with a "XDR display" based on the same tech. They figured out how to build it, then later figured out how to scale down the price and scale up the process.


> they invented the iPhone, and then the iPod

Did you mean the iPad? Because the iPod came years before the iPhone.


Agreed. They have been leaving a mountain of money on the table by not offering this, or a competitor for Google Workspace.


It could actually be a play for far bigger, the mountain of money that is now largely dominated by Microsoft in ALL establishment corporations and governments. Think of being able to run your whole network and equipment with a mere fraction of the IT and network personnel that it now takes to run a Windows based environment.


Well, yes and no. Some innovation in this space will be much welcomed and may well lead to the "mere fraction".

But right now in almost every IT office, if you could get rid of the right 50% of people, the remaining 50% would keep things running without missing a beat.

The trick is doing that.

Also, right now in the corporate space, virtual machines are popular for server and workstation environments. Apple hasn't dipped a toe in that space yet.

Maybe as more business software goes towards web and BYODevice becomes a thing Apple could gain traction.


> a competitor for Google Workspace.

I think this is their obvious next move. They just launched iCloud email with custom domains for end users. That seems like an early battle-test for enterprise use cases.

They already have alternative software to Google Docs too, so it could be an easy business to set up.


Completely agree. I think they have been slowly making moves into this space over the last 4-5 years (probably longer, but slowly gaining momentum in that time).

I think my read on the new custom domain support is the same as yours. It's clearly a limited beta without the label.

They are moving at a snail's pace, but a lot of the pieces are there.

Numbers is just garbage, though. If they want to seriously play in the docs space, they need to fix it. They also need a simple database solution. They've got Claris, and could bring that to the table if they wanted.

Apple also has a serious reputation problem when it comes to reliability in this space. Personally, as excited as I am about all this, I'm hesitant based on their track record.


> they need to fix it. They also need a simple database solution

I actually disagree. (Improvements are always welcome though). There are so many different products in this space from MSFT to Google Docs, Quip, Confluence, Notion, etc. They're never going to actually make stuff for everyone.

Their move should just be to handle the licenses. My work buys all MSFT products, yet most people use Quip docs instead. But we also pay for Google Docs, and Confluence. Most places probs use more than one redundant tool, so you just need a "good enough" bundled-in tool.

If they can handle licenses and sales of the software, they can continue to collect their Apple tax even if their app store gets trust-busted in the future. This can be a way to preserve app store revenue. Especially since businesses are whales compared to regular consumers.


> When their app store faces anti-trust

They have already faced the courts over the App Store. They won.

> how do you generate growth?

Through new devices eg. Watch, AirPods, AR/VR Headset. And most importantly through Services eg. AppleTV+, News+, Music+

You should look at Apple's balance sheet. Far more diversified than most people realise.


> They won.

They won, in America... for now. They have (a) a global business with other nations less inclined to side with them and (b) a likely chance of legislature targeted at them. The odds of a future decline in margins of the app store seem high. New laws in Korea and Japan are going to slowly erode the edges, and allow businesses to test alternatives. The Epic trial may now allow link-out to payments with latest court docs. And EU is a big market that could easily turn against them with new laws.

> Through new devices

The best new devices can do now is replace existing ones people own, most people who want and can afford Apple devices own them. New product categories are a few years away.

> And most importantly through Services

Like the service they just launched, targeted at enterprise?

> You should look at Apple's balance sheet. Far more diversified than most people realise.

I do financial analysis, and attend their earnings calls. You're right, it is very diverse, but the non-services revenues don't seem poised to see strong growth in next few years unless they launch a new (and successful) product category.


Once Apple stops doing 22 percent year over year growth is when there is a problem. This is just Tim Cook’s personal plan to move Apple into more of a service oriented company and this product should have existed a long time ago.


Didn't they already try this and it was a huge failure?


Who remembers Xserve?


I cried a tear or two when they deprecated it. Apple can do enterprise hardware... just because Linux and x86 hardware became commoditized doesn't mean there isn't room for further innovation.

I think Apple should come out with an M1 Enterprise chip and a line of data center/server hardware to compete with Oxide. As for an OS, why not hire Hector Martin and adopt a particular flavor of Linux (maybe partner with Red Hat)?


An LDAP offering that competes with AD and integrates with OSX would be gigantic. I work in VFX where 95% of our hardware runs Linux, our laptops all Apple, and the only Windows machines being the accounting department, yet we still use AD for directory services because there's simply nobody else that offers a product even half as good, and OSX doesn't even like working with AD anyway.

A product that could even compete with half of what AD offers and could manage OSX devices would be pretty incredible.


Well, they won’t use Samba (which has a very well featured domain controller implementation), because of the GPL. The only other one going around is the one I wrote, but Novell bought that, not Apple. (Apple wasn’t so interested in the enterprise space circa 2006.)

But anyway, AD will become much less relevant in the future as everything moves to the cloud, a la Azure AD.


and XSAN <shudder/>


What was wrong with XSAN?


Apple has had success in certain sectors of industry: the creative space being a large focus where they had success often in spite of being Apple.


I’ve been backing up and restoring my personal phone, and managing family gadgets that way for a while.

This is a reskin of an existing Apple iCloud infrastructure project.


> the shift to enterprise suggests they're out of ideas

I would not say that. This is a long time coming for Apple to finally acknowledge with actions that Apple devices are used in an enterprise context for many, many companies and to start thinking about proper first class support for that use case. "Innovation" wise it's independent of their other efforts IMO.


> Current one is having to reboot the machine to reset a VPN driver just to check client site email.

These aren't Microsoft specific issues but vendor specific. My partner's last two employers have used Dell machines and they've each had serious problems with audio drivers. I've seen Dell BIOS updates completely mess up full disk encryption by losing keys and more recently switching SSDs from AHCI to ATA mode.

At the same time I've had comparatively few issues using my work issued Lenovo laptop. However I completely re-imaged my work issued MacBook because the Trend Micro software installed on it made it a $3000 brick.


I'm calling BS on this entire pile of nonsense.


I wish they had a better MDM for kids... All I want to do is ensure that NextDNS is installed/forced and that they can't remove it. Somehow, if you block store, block adding apps and block removing apps and hide the icons, kids still figure out how to remove the damn thing and the only thing you can do to block it is set a 1 minute time limit (why can't you set 0 minutes? wtf apple?) and hope they don't stay up until midnight to click through in 1 minute and slide the slider to off (or figure out how to get into settings/network/dns and disable - which why can't the limits limit that??)


I figured, when my kids were a certain age, that if I took that route, they'd ALWAYS get around whatever control I put in front of them. Either at home, or at school or at a friend's house.

Told them there was stuff on the internet that could harm them, that there was stuff they could NOT unsee.

They're 18 now, the results of the science experiment are still out, but they seem to have turned out okay.


As someone who grew up in an extremely religious (arguably "cult-ish") home, I can tell you that your approach to parenting leads to healthier children (at least mentally).

Hiding children from facts of life (sex, death, drugs, abuse, alcohol, etc) does not in fact help them, it helps you (the parent). It makes parents feel good, but leaves children scarred and unprepared for when they will inevitably face those facts later in life.

There are stages of life when children will (or should be) exposed to those things. The brain naturally regulates these things. If a child is exposed at the proper time, their brain regulates the amount of information they are capable of understanding. As they re-experience the same thing later in life, they will understand more and their progress towards understanding that concept is more gradual and healthy. By contrast, if you shelter a kid, they will still inevitably face reality later in life, but the experience will be more difficult because they have to face everything at once.

Parents should not be afraid to discuss or even introduce difficult concepts to children. The children will inevitably face these. It is better for them to face them in a controlled manner early in life so they can build healthier relationships with these hard ideas. It also gives parents better control over the introduction of these ideas. If you turn sex, alcohol, and drugs into a taboo in your house, you might think you are helping your children, but the reality is that you are actually setting them at higher risk to abuse these things later in life.

Back to the original comment. If your kids are going through all this effort to subvert your DNS and controls in order to see something on the internet, it would be better to allow the child to confront their curiosity in a controlled way. Their curiosity is clearly very strong if they are willing to go to this extreme to satisfy it. Letting the curiosity stay pent up will ultimately have the reverse effect from what you desire. It could lead to overindulgence of that curiosity, or potentially abuse of that curiosity later in life.


Oh believe me, NextDNS isn't because I'm trying to keep my kids safe from sex, death, drugs and alcohol, it's because the world is out to harm 13 year old girls and I want them to be protected. They watch horror movies and we've never been ashamed of nudity and sex is nothing to be ashamed of.

Ironically, it's not porn, warez, hacking or any of that crap that concerns me - it's the dudes who prey on girls - it's the people with fake disorders building communities to cause people to have tics and self diagnose with severe disorders. It's kids who don't sleep because they're addicted to TikTok and Instagram.

Take away their phone to help break that addiction and they end up with friends phones or connecting on other devices...

I can't police all that, I can't talk my kids out of that and I certainly won't hide them from the internet - but I can block the URLs of places I know that shouldn't exist and I can set sane restrictions as any good parent should.

Of course kids are gonna find porn and yeah, they're going to try and bypass controls. Clearly, they're figuring it out and clearly, they think we don't know so who's the clever one now?

Still think Apple should have MDM for families. When I was a kid we were stealing pornos from Circle K so it's not about that at all.


I think there are good cases to be made about pre-puberty vs post-puberty controls. Strong fences for the 4-8 age group are pretty different than 9-11, 12-14 or 15+.


Mate, your second paragraph is essentially reframing trauma. It's true that trauma can prepare one to face a bigger challenge later in life, but not always, and it can make facing other kinds of challenges more difficult and incentivize withdrawing from a number of wonderful parts of life.

There have been successful societies built around early trauma (Spartans, etc.) but we remember many of them as brutal by necessity of their surrounding environment.

Agree with the rest entirely.


> I figured, when my kids were a certain age, that if I took that route, they'd ALWAYS get around whatever control I put in front of them

My son is 14, and when my wife proposed blocks and access control, I made this very point. Even if we were able to perfectly lock down our home and his phone, we can't control every other place he can access the Internet. So, we also are in a talk about it, occasionally check on what he's been into, talk about anything "interesting" that comes up, but NEVER make a big deal of it. As long as we're able to discuss it (and no, he doesn't love talking about it), I'm OK. By keeping it low stress and low key, there's no incentive for him to hide.


You should still do some blocking to make sure he learns how to circumvent them. Those are valuable skills to have later in life, I still profit from the lessons I learned circumventing high school internet restrictions.


I'm confident he already has those skills. When he was in fourth grade, my wife and I were called into a meeting with the (private) school Principal because my son had "hacked all of the tablets used for class so kids could play games on them."

As it turns out, he merely figured out that flipping the Wi-Fi Off switch killed the network connection on the Chrome-based tablets, which makes it easy to get to the Chrome dino jumping game.

I was disappointed that he disrupted class, but equally impressed by his resourcefulness.


Through Norton's suite I had filtered out YouTube app from being installed. It took ~10 minutes for my 5 yo to figure out how to use it via Safari :-| Since then it's been education over enforcement as OPs have mentioned.


Does the Norton suite not have website/URL-based filtering? Weak sauce.


My kids learned all about that in schools...by the teachers...so they could bypass the blocks to see YouTube videos for class!


When I think back to when I was a kid, getting around school internet filters and helping my friends remove parental controls from their devices, I can't help but think the Streisand Effect was hard at work in my brain. The adults were determined that I wouldn't see a thing so I was determined to see it because what could they be hiding?

Now approaching the age where the thought of having a family and kids is on my mind more and more, I always wonder how I will approach this problem. I can't think I would do it any differently than you. For young children sure, throw up DNS filtering at the router level and the kiddos will be none the wiser. But if my future kid ever turns out like me, that will probably only work until 7 or 8 (when I figured out how routers worked), at that point I would think it has to be an honest conversation about all the crap on the internet. Even when I was a kid I knew when the adults were feeding me a load of crap.


What do you think schools should do? I teach at a school (K-12), and there's definitely circumvention of technical controls at the high school level. But I can't help but think we're a whole lot better off because of the filtering.


You're obligated to block, because you're responsible for giving it to them and you have to deal with the population as a whole. I based my decisions on my kid's temperament. You don't have that luxury.

It doesn't mean you'll be in any way effective.

By the same token, we block this kind of traffic at work...all it ended up doing was pushing the negative traffic to employees' cellphones. Which is fine, because it makes the office network safer.


DNS filtering (pi-hole is great here), scheduled vLAN time of use shutoffs (no after school shenanigans), obvious blacklists and ip request logging + pop-up warning are probably good enough for 95% of kids.


We use Meraki (huge wireless deployment, so it makes a lot of sense to just use their gateway and call it good) with their blacklists. Biggest problem is it considers too many things "gaming" and needs exceptions-- e.g. lichess and chess.com are OK. Authentication and logging are pretty good.

Rateshaping students to have enough bandwidth to do schoolwork but not to have wonderful connectivity (campus has a 2gbps symmetric connection, but we only give students 4-5 megabits/sec over wifi most places on campus) is also a part of the picture.


Whitelists. It's kind of a pain, but might help reign in the teachers that send kids everywhere on the internet without much thought about the surveillance dangers.


MS and HS students are expected to be able to independently browse the internet to do research-- this doesn't work with whitelisting. (And in elementary, there's good human supervision of technology use).


This, not to mention it seems somewhat unproductive to lock off 99% of the internet because of information collection instead of teaching how to defeat those collectors. The kid's going to grow up and leave eventually and will have to contend with the full internet, it doesn't feel like a good idea to leave them without any experience of the kind of things you can run in to.


Kids don't get any "experience" contending with surveillance. It is all done behind your back, on purpose. Results are never deleted.

Certainly schools are not even attempting to teach countermeasures. They tend to dabble in the "be aware of bullying and self-esteem" issues, but are completely outmatched in the security arena. Ignore at your peril.


We, at least, spend a fair bit of time on:

- Advertising and dark patterns

- What else can be inferred about you from seemingly innocuous information, and potential misuse

- Durability of your digital footprint

- Security, file types, etc.

Education doesn't fix these issues, though. Even well-educated developers would often give up and click 'Allow' on a modal privilege escalation box that pops up repeatedly in research. And if I need to get something done and it doesn't work I'm pretty quick to re-enable scripts and tracking.


Knowing these things exist is a great first step, and glad to hear you are helping out.

But, it doesn't become a concrete, visceral thing until you inspect a no-script menu while browsing a news site. Or run Little Snitch on a freshly unboxed Mac. Or going to a "white pages" site and see the last four addresses of your family members. Salary info, current whereabouts, criminal history, are a fee away.

It's a different world.


Yes, but the whole world won't be developers. And many in the know just don't care.

You're talking about a population of 12 to 18 year olds. Even among the most responsible and least-easily influenced of them, social pressures absolutely dwarf any abstract concerns about corporations knowing a bit more about broke-ass you to try and sell you things.

Most of this population will take a short term gain for an uncertain consequence a few minutes later. You're talking about short term gain versus consequences that they may view as inevitable and occurring decades away.


I can only affect my kingdom, what others do is mostly not my concern. Reminds me of the corporate garbage “food” products most people consume. I speak out but not going to steal their doritos.


You're the dude who spoke of the need to "reign" in teachers and advocated for restrictive whitelists.


I did and would do it again.

These are exactly the population that should be protected. If you wanted to give them agency, which I support, let them manage their own whitelists instead of throwing up hands in defeat.

The future is already here, trends are not reversing:

https://www.latimes.com/business/story/2021-11-09/column-tra...

We can teach them to protect themselves, pretend the problem doesn't exist, or say "aww shucks, all the cool people are being violated."


Then they will probably use their Data Plan if they have one to get around it.


This is the right way to go. Teach, don't block. You fuck up your relationship to your kids if you force them to keep secrets from you and constantly "fight" against you. Because trust me, that's how it'll end up.


It doesn't. I have a whitelisting transparent proxy for my primary school-age kids. It's not controversial and they don't attempt to get round it or rail against it. If they want something they ask. If I say no (and explain why) they accept it. They're interested in internet safety and we discuss it frequently. Teaching vs blocking is a false dichotomy.

As they get older I'll remove it in stages: blacklist, logging only, then direct access with no proxy. The opening up will be done when it seems appropriate and in full discussion with them. I don't have a schedule for it.

When they're old enough to have phones I can initially give them managed devices with always-on wireguard and the same transparent proxy. (I've tested this setup and it's not circumventible without wiping the device.)

The claims often made on hn about this stuff, that:

* Kids will resent any attempt to limit their access, and

* Kids are NSA-level hackers who will circumvent any attempt at limiting their access.

are empirically false, at least in my experience so far. I expect they become more true in the teenage years but that's when things can start to open up.

Even if the restrictions have to be entirely dropped or become irrelevant the second they enter senior school, they've already benefited a lot from this over the years.

The other argument, that other kids will have phones etc so there's no point, is just an abdication of responsibility. I feel like I should do my best here, whatever everyone else is doing.

The one thing that is true is that it's quite technically demanding. A managed phone with an always-on wireguard connection to a network with a transparent ssl-bump mitm proxy and a domain-based whitelist with an admin UI to browse logs and block/unblock domains is not an easy thing to set up.

It's possible, though, and it has value. It should be much easier.
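The staged policy described in the comment above (allowlist first, then blocklist, then logging only), sketched as an added example. It is not the commenter's setup; the log format, the domain names and every function name here are constructed for illustration.

```python
"""Staged domain policy: allowlist -> blocklist -> log-only (constructed example)."""
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum

# Constructed proxy log: timestamp, client address, method, host:port
SAMPLE_LOG = """\
2021-11-10T16:02:11 10.8.0.2 CONNECT lichess.org:443
2021-11-10T16:02:15 10.8.0.2 CONNECT en.wikipedia.org:443
2021-11-10T16:03:40 10.8.0.2 CONNECT notwikipedia.org:443
2021-11-10T16:03:41 10.8.0.2 CONNECT notwikipedia.org:443
2021-11-10T16:04:02 10.8.0.2 CONNECT WWW.Example.COM.:443
2021-11-10T16:05:19 10.8.0.3 CONNECT video.example.net:443
"""


class Mode(Enum):
    ALLOWLIST = "allowlist"  # only listed domains (and their subdomains) pass
    BLOCKLIST = "blocklist"  # everything passes except listed domains
    LOG_ONLY = "log-only"    # nothing is blocked; listed domains are only flagged


def normalize(host: str) -> str:
    """Canonicalize a host so 'WWW.Example.COM.:443' equals 'www.example.com'."""
    host = host.strip().lower()
    if host.startswith("[") and "]" in host:   # bracketed IPv6 literal
        return host[1:host.index("]")]
    if host.count(":") == 1:                   # name:port (bare IPv6 has more colons)
        host = host.split(":", 1)[0]
    host = host.rstrip(".")                    # drop the DNS root dot
    try:
        return host.encode("idna").decode("ascii")  # punycode for non-ASCII names
    except UnicodeError:
        return host                            # malformed name: kept as-is, will not match


@dataclass
class Policy:
    mode: Mode
    domains: set = field(default_factory=set)

    def __post_init__(self):
        self.domains = {normalize(d) for d in self.domains}

    def listed(self, host: str) -> bool:
        # Match on whole labels only, so 'notwikipedia.org' never matches
        # a rule for 'wikipedia.org' the way a plain endswith() would.
        labels = normalize(host).split(".")
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))

    def decide(self, host: str):
        """Return (allowed, reason) for one requested host."""
        hit = self.listed(host)
        if self.mode is Mode.ALLOWLIST:
            return hit, ("on allowlist" if hit else "not on allowlist")
        if self.mode is Mode.BLOCKLIST:
            return (not hit), ("on blocklist" if hit else "ok")
        return True, ("flagged" if hit else "ok")


def review(policy: Policy, log_text: str):
    """Return (decisions, queue): per-request verdicts, plus denied or
    flagged hosts by count, which is what an admin UI would list for review."""
    decisions, queue = [], Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                           # skip lines that do not fit the format
        host = normalize(fields[3])
        allowed, reason = policy.decide(host)
        decisions.append((host, allowed, reason))
        if not allowed or reason == "flagged":
            queue[host] += 1
    return decisions, queue.most_common()


if __name__ == "__main__":
    young = Policy(Mode.ALLOWLIST, {"lichess.org", "wikipedia.org", "example.com"})
    for host, allowed, reason in review(young, SAMPLE_LOG)[0]:
        print(f"{'ALLOW' if allowed else 'DENY ':5} {host:22} {reason}")
```

Moving a child from one stage to the next is then a change of `mode` and list contents, while the same log and review queue keep working.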


> * Kids will resent any attempt to limit their access, and

> * Kids are NSA-level hackers who will circumvent any attempt at limiting their access.

There's plenty of people in their mid-20s now on HN who have been the kids, either working around their parents' restrictions or their friends' parents' restrictions. I had an internet enabled phone as a 12 year old in 2004, so it's not a post-iPhone kid experience only.

And yes, parental control software has got smarter to not just be a matter of changing your DNS or using an alternative browser, but tunneling over SSH still defeats much of it, and yes the audience here is more tech savvy, but there's a hundred new web based proxies that open up every day that your chosen solution may not be up to date on blocking - whitelists avoid that but it's something a lot of people here are opposed to on moral grounds once kids reach a certain age. Certainly if you let them go out unsupervised that's not enforceable, and honestly you should be able to let a 12 year old go out unsupervised.


To what extent this applies to 12 year olds is to be determined in my case. My kids are younger than that.

I think a lot of the "try and restrict and you'll just harm your relationship" stuff comes from 20 somethings whose memories are primarily of their teenage years. There's 12 years before you get to twelve, and we're in a situation where clueless parents are allowing (knowingly or not) their preteen kids to have their own youtube channels and watch Squid Game. (And much worse besides no doubt, those are just a couple of things I know particular kids have been doing.)


We teach and re-enforce. Blocking is the result of failing to respect the established terms and losing the privilege until we have re-established them.

It's really that simple.

In the case of NextDNS it's less controlling what they see, we're not naive about that - but more about ensuring their safety and well being.


I don't understand why it's healthy to provide one click access to the hardest core pornography to a 12 year old. Putting some restrictions in place is better than nothing in my book.


Because when you are an adult, your choices have real consequences. Kids have to learn that lesson.

All told, a 12 year old kid seeing porn they sought out is small potatoes compared to the consequences of some other decisions.


Porn isn’t harmless.

Source: maladjusted, mid thirties virgin, who grew up with instant and infinite access to online porn


I still have a lot of resentment for the internet restrictions my parents put on my devices. They didn't usually work, but made whatever i was doing significantly more annoying.

I still remember discovering a bug in the iphone parental controls where i could go to the amazon app, leave a comment for google.com, click it and open that in a webview, then open that into safari with restrictions disabled. How i discovered that, i have no idea. But there's always a way.

Later i just wasted my money on a crappy android phone and forced their hand.

Edit: please, please, parents do not do this to your child. Learn trust, have conversations, and let them explore. If you trust your child (truly trust them) and they know it (believe you, not just hear you say it) then they will mostly try to make good decisions. Controls will just be bad for your child in the long run, even if it makes parents job easier in short run. Once a child isn't in eg. middle school, you have to start letting them access tech on their own.


You do realize, that often times controls are put in place when the communications and trust has been violated right? Most people want to not give a shit, it's the kid forcing the response.

Beyond that, the internet for a boy is much different than the internet for a girl - your experience isn't the same as everyone else's and neither are the filters.

We home school so some of the controls are just in place so they actually do some school and they're only in place because they choose NOT to do school.


The running joke in my country is that pastors’ children always round up to be delinquent in their teens. You won’t be able to completely control the environment of your child. There will be a moment, when he/she will realize you do not know everything and your word, while important will be just a voice in many. It is very hard to resist temptation when you see people your age doing them without restrictions. I would say teach them values, not enforce them.


It's never been about complete control - or even control at all. It's about safety, health and wellbeing. As i mentioned to others - this isn't about blocking HBO max, youtube, twitch or steam. It's about safety against people preying on 13 year old girls and general computer safety blocking threats that nextdns blocks that every one should block.

The thing is, when kids grow up - they're going to work at places that have blocks to ensure employee safety too and they're going to have to realize what they need to do to keep their kids safe

and the kids will hate it, as they have always hated it.


> controls are put in place when the communications and trust has been violated right?

Oh yes, i certainly broke trust of my parents, but mostly by bypassing controls they put. That deteriorated trust (and encouraged more trust-breaking) much faster than if the controls weren't there.


So you're mad your parents blocked rape websites? Child Porn? Incest? Or are we talking about you're mad that they blocked youtube and twitch?? Which we don't? And i'm not talking about kids being interested in those, but sites where people try and perpetuate them and bait young girls with.

All blocks are not created equal here.

There are 10s of thousands of girls going through therapy, rehab, mental hospitals and such because of some of what is going around right now and much of the blocking is learning from parents who didn't and lost their kids to suicide or sex trade.

It all starts with a supposed nice 14 year old kid on discord who buys you a gift and turns out to be a grown ass man preying on girls who are susceptible to social issues - they're the ones boosting the servers and writing free advice and coming off as being helpful to teen issues but it's all a big con... and that's just one channel of the absurdity. The other is social pressures on tiktok and insta and their addictive properties - especially for young women. Unchecked/unbound you're asking for trouble for you and your kids.

Be a parent and let your parents parent.


So I haven't completely thought this through as my kids are still too young, but I'm leaning towards doing both.

Some level of controls feels like a way to encourage exploration and learning and the "hacker" mindset. If they escape the controls, great! We also have the conversations about what's out there, how to handle it, etc.


A quick thanks here for making me feel hideously old by mentioning your experience of parental controls being on an iPhone, a device that didn’t even exist until well after I’d moved away from home and was paying for my own internet connection.


All you are doing is teaching your kids to hack into their own device (speaking from experience). Try a different strategy than attempting to lock down a device. When you are dealing with an individual who has a large payout if they succeed in getting around security and a long amount of time to circumvent it’s an extremely lost cause.

Instead you should limit the amount of time for device access or even just take the device away.


> All you are doing is teaching your kids to hack into their own device

Ha! Lock down everything and casually leave a printout on the kitchen table titled "How to bypass home network security" with a bunch of Python exercises that lead up to disabling the filters. Presto, now they know Python :-)


I would not leave books on the table so they can figure out how to google.


The ScreenTime feature for family members on iOS is an absolute car-crash. Not only is it almost impossible to find (it's not in Settings -> ScreenTime), but I'm endlessly impressed with the ways around it my daughter is able to find. I've recently noticed that she can use WhatsApp without limits just by launching it from the share sheet in Photos.


I wasn’t clear I mean physically take the device from them.


I've done this. This is when you find out that they can get online with their switch, their ipad, the long lost android tablet you didn't know you had or the one they bought from 7-11 because they sell 49 dollar kindle fires there. They also have friends' phones and buy sims and all sorts of crap.. it's hilarious the lengths kids go to get online...


I was posting in support of your comment, sorry that wasn't clear.


>All you are doing is teaching your kids to hack into their own device (speaking from experience)

That doesn't seem like a bad skill to foster.


Never said it was bad, just pointing out the original poster's false conclusion.


Training them for a career in tech/security ;) Parent is playing the career long game.


If your kids are intelligent enough to bypass locks... give it up. Seriously.

Better, prepare them for the worst of what they will experience on the Internet: violence, pornography, abuse of all kind, and guide them in their use of the Internet. Place yourself as the person your kids can come for help instead of the person they have to be afraid of. That is an incredibly easy and common thing for groomers to exploit.


nah, not giving up.

Both kids have fought it, my oldest is 17 and nextdns for her just blocks ads and keeps the spyware from calling home.

Every generation has "wtf is that" and what my 13 year old is going through is "WTF IS THAT!??"


The "at your own peril" strategy is effective for some.

Or go the panopticon route: "I have software on the router that can see everything you do, but I don't usually look at it."


This sounds like fueling anxiety in the kids that they are being watched. Doesn’t sound okay


> kids that they are being watched

Not sure that "kids" is well defined here. But it seems completely normal that "kids" would be watched by their parents.

I realize that the appropriate nature of "watching" is going to change with the age of the "kid", but oversight and watchfulness by a parent shouldn't be viewed as inherently problematic.


> kids that they are being watched

They already are though. Usually by tech companies without the kid's best interests at heart.

Tailor it to the kid. Certain amounts of anxiety in developing minors around surveillance seem healthy, especially given the risks associated with unfettered access to the dangerous fire-hose that is the internet which itself has tracking at every corner.


Still, lying to your kids is not ok. If you don’t have software on your router that tracks everything they do, don’t pretend that you have. Being surveilled is a feeling that sticks. Being tricked, too. Don’t assume your kids will forget eventually.


Unless you're running a MITM proxy for SSL traffic with root certificates installed on the home devices, this statement can not be true. And if you're running such a proxy, you would need to have a guest WiFi for people coming into the house who would like to use internet without installing the certificate. At that point, circumventing the tracking is the matter of connecting to the guest WiFi.


16 year old me bypassed this and all other monitoring by running a patch cable from the cable modem directly to my machine when up to shenanigans.


You can set up NextDNS at the router level.


It is, but the kids know they can just use 5g and no more home router :)


Did you try setting the device up with the MDM app from a Mac? It's called Apple Configurator or so, can't remember now. But as far as I remember it came with many options.


Can't you do that with Apple configurator by creating a profile and installing it on their phones? It is clunky though.


Also, first time i read about NextDNS. Looks rather interesting. Thank you!


Kids will be kids...


Can you DM me? I’m working on something along those lines.


The challenge for Apple is going to be their unwillingness to integrate with others. Business Manager only integrates with MS Azure Active Directory for IAM. The vast majority of small business do not have Azure Active Directory. They either have nothing, or they have Google Workspace.

Apple needs to not just launch a competitor for AD. They need to properly support integrated directory services with a broader range of systems.

Aside from that, they don't have an endpoint security solution, which is a necessary part of this package, ultimately, if they are going to replace JAMF, who is the real target/loser here.

If Apple can do those two things... well... I'd switch in a heartbeat. Why? Well, their support story is going to be way better than JAMF. Also, I hate having multiple vendors when I can have just one.

For those saying that Apple has no room left to grow... I expect this isn't the end of this for Apple going after business users. They need to roll Claris into the mix, stop acting like Numbers is a spreadsheet, and finally launch a cloud platform.

There's many billions for them to make here.


> vast majority of small business do not have Azure Active Directory

Where are you from? On the east coast of the US, I find it uncommon to find small businesses who aren't still all in on Office, which if you've bought it in the last five years, was probably via a subscription that gives you Azure AD (and Exchange, Teams, etc). GSuite is still very uncommon in my experience outside of schools.


Not GP, but in India (where I am from), Google Workspace is fairly common in SMBs.

Also: https://www.statista.com/statistics/961105/japan-market-shar...

That report seems to indicate that Google Workspace is actually the leader even in the US!


At the MSP I work at every single customer we have uses Azure AD. G Suite isn't a proper business e-mail solution for a business with any more than 3 users - Exchange and Azure AD are the gold standard for cloud based office for SMB.


You can't possibly know what you are talking about if you are going to say that G Suite "isn't a proper business e-mail solution".

Sorry, I know tons of highly effective organizations, large and small, that enjoy the benefits of using Workspace for email, calendaring, and the whole rest of the lot.

Back in 2007, I was supporting massive educational organizations, with hundreds of thousands of users, to move their entire email and calendaring operations to the then-called GSuite. That was 14 years ago.

Google created the cloud-based office solution. MS has been playing catch-up, trying to lovingly recreate the experience of managing an on-prem Windows/AD/Exchange stack for the metaverse equivalent of self flagellation.


There are dozens of companies on g suite (and others, like Zoho), I work with some that have 100,000+ seats. The idea that the only solution for businesses is MS products was never right before and isn't today.


Hard disagree. I work for a company of 5000+ users and we're full G-Suite now. We just went all in on Workspace.

Previous two companies (650 users, 250 users), were also full G-Suite.


This is such a wild take to read on here. I kind of get where you’re coming from, but I just can’t make it line up with my reality. For reference, I hate Outlook and all its descendants, and I won’t work anywhere that uses them - but it’s never been a problem because everyone uses Google.


Yet Google and thousands of other enterprise companies seem to run just fine with Workspace in 100k+ user environments https://workspace.google.com/customers/


I suspect integrating with Google is just a v2 feature.


Not to mention Okta, etc. Though for Apple's target market Azure was probably the best initial integration.


So they advertise AppleCare+ features (24/7 support, on-site repair) but they don't currently offer that nor do the prices reflect those services. Page seems deceiving (have to read the small print to really understand the offering).

With those two removed, you're paying for an MDM solution and cloud storage.


The small print, for posterity:

> Plans with AppleCare+ for Business Essentials will be available in spring 2022.


Ah! I thought it was way too cheap for the AppleCare part. I was about to sign up for just my devices at home just for that, because it seemed like a really cheap way to get iCloud and AppleCare!


On-site repairs sounds interesting, although their computers are all glued together and every component is soldered to the board so I have no idea how they'll manage that.


Watching the Apple employee come to the office to repair a glued together MacBook Pro can have an extremely high entertainment value.


> Onsite repairs apply only to some iPhone models and are subject to availability in specific cities.


I wonder if it will be an actual "repair", or will they just come and give you a refurbished iPhone and transfer all your data to it.


The newer MacBooks have easy repairable battery and connectors.


True but how often is the battery the issue in an enterprise environment? In my experience devices are seldom in circulation long enough that they require a battery swap.

Port damage and clumsy or messy employees are far more likely to cause issues.


> In my experience devices are seldom in circulation long enough that they require a battery swap.

MacBooks can easily last four to six years in a corporate environment - and heavy load on the battery drastically impacts it in two years.


In my experience the battery was the issue for most MacBook users.


>True but how often is the battery the issue in an enterprise environment?

Biggest issue by far. We have a fleet of 100+ MacBooks in my office and expanded batteries are probably the only thing we have that goes wrong with them. They're rock solid otherwise. The new replaceable batteries are a huge deal.


Your parent commenter mentioned connector as well. What else couldn't be repaired on-site that could be repaired off-site? I'm pretty sure that for anything that couldn't be repaired on-site they're just going to replace the whole computer.


Easy is probably an overstatement. iFixit describes it as:

> Battery replacements are reasonably well prioritized, if not exactly easy.

Overall it gets a 4 out of 10 [1]

[1] https://www.ifixit.com/News/54122/macbook-pro-2021-teardown


I was being facetious.


I have no evidence for this but I expect the experience would be similar to visiting an Apple store.


Make an appointment 2 weeks from now, go there to hand it in, return in another 2 weeks to be handed a refurbished machine with your data gone?

Sorry to say, that's not competitive with what other vendors offer as business support.


> Make an appointment 2 weeks from now, go there to hand it in, return in another 2 weeks to be handed a refurbished machine with your data gone?

Every time I've visited an Apple store with a problem I've left within 30 mins with either it fixed or a replacement.

What you're describing sounds more like the traditional Dell or HP approach!

One of the best things about Apple is being able to visit a store in almost any major city and getting your problem fixed.


Good luck getting an appointment within 4 hours at Apple stores near here. The three nearest me have no appointments until November 19.

Dell laptops I can get serviced with an onsite tech within 4 hours if I want that level of service.

Experience 1: MBA wouldn't charge battery. Machine functioned just fine on AC power. Expected maybe $300 in parts and labor, out of warranty. No, "this will be $870. Maybe we can look at getting you into a new Mac today?".

Experience 2: reproducible kernel panics on demand from GPU (later acknowledged as an issue by Apple, over a year later). Despite the tech being able to cause the panic too, "our diagnostic tool says there's no problem, nothing we can do".

Experience 3: screen adhesive delamination. "Within normal limits, expected/not abnormal behavior". That one was belatedly acknowledged by Apple, too.


My daughter's Alienware laptop had a keyboard problem. Contacted support over phone and it went nowhere. Contacted support via Twitter and after a bit of back-and-forth they scheduled a next-day on site repair in Toronto even though we live in Texas (where the computer was purchased).


I can't speak to the Apple store, but I do have years of experience with on-site repairs for both Dell and HP.

Both Dell and HP business on-site repair service is really good (though I prefer Dell to HP). Depot warranties for consumers are horrible, no matter the company. I've been advising friends and family to purchase business-oriented equipment and pay for on-site warranties (for the intended duration of the lifetime of the product). It makes life ridiculously easier.

Consumer warranties on PCs are universally awful in my experience.


If you have a more serious issue the default procedure is to just wipe the device and replace the logic board for the flat rate repair fee. I have a macbook that just shuts off randomly and turns on with CPU1 halt error messages. I bring it to the apple store and they told me flat out they don't know what is going on with the device, gotta replace. Also had macbooks with gpu issues, same deal send away wipe the device and replace the logic board and hope that fixes it. I had a macbook where the flex cable to the screen was going and same thing, wipe and send away. All they do in the store is software based solutions, they scan for hardware issues and they send it away to be repaired.

I wonder what sort of issues you had that could have been fixed in 30 minutes or what sort of replacements you've been given? That's not been my experience at all at apple stores and I've been bringing them screwed up laptops to fix for ten years. I've never been just handed a replacement laptop that day, its always been send away the computer for at least a week and they try gutting it and putting in all new parts vs troubleshooting the underlying issue and replacing the perhaps one bad component that is the root cause.


That's been my experience also. In my case the replacement wasn't even done in the same region of the country, or by Apple employees, although the turnaround was pretty quick when you take that into account.

I dumped a glass of water on a MacBook Pro keyboard earlier this year, and took it to the local Apple Store (in DC) under AppleCare+. After verifying that it in fact wouldn't boot, they told me to leave it for repair and they'd update me. I picked it up about a week later repaired.

Based on the PDF documentation I got with the pickup, they shipped it to a third-party repair shop in Houston (CSAT Solutions), which removed every part that had tripped the liquid sensor, and replaced them with new parts (logic board, touch ID board, I/O board, and "top case with battery"). The repair shop then shipped the resulting mostly-new laptop back to the Apple Store in DC, where I picked it up.


I'm not some kind of power-customer - just a normal consumer. They always say 'sorry we'll fix that' and fix it then and there or they say 'sorry can't fix it immediately we'll swap it' and I walk out with a new one in minutes. If they wanted to keep it over night I'd be extremely surprised.


You are getting macbooks swapped out at apple? I'm not a power customer either, they just take the laptop away and tell me its ready next friday. Sounds like the fixes they do then and there aren't hardware issues in your case.


I've definitely had at least a battery swapped then and there. If it's anything more than that yeah I guess they're defaulting to swapping it. I'm not complaining about the policy!


That must have been nearly 10 years ago back before they started gluing the battery to the topcase


You only need a normal consumer heat gun to detach them. It's a big hair dryer. It's not the rocket science people make it out to be. I guess they have one in the back.


Dell business support is pretty awesome in my experience, had to fix something 3 times in the past 4 years with my work precision laptop and it took less than 24h to get a technician to my house to do the swap.


Depending on the size of your business, it's easier just to have a few (or even one if you're really small) spare machines for when one breaks or is having issues. Just turn it on, restore from the latest backup and give it to the user. Then send the old one off for repair if needed.


When you click the box it seems like it applies only to iPhones


2TB of storage for $12 a month? Plus the multi-device management options? Sign me up.


Google One has 9.99/ month for 2TB Option. Which also comes with a VPN.

If Price is the differentiator, I think google provides the best value, but also provide additional services with their storage plans.


Entirely different product though. Apple is providing a MDM solution for SMEs in addition to the storage.

The value of a VPN that doesn't allow you access to a corporate network is... dubious to a company.


Allowing an advertising company to scan all of my traffic is extremely unappealing


Apples and oranges.

Google One is a consumer product for sharing holiday pics with your family mate. The closest offer in the same target market from Apple is iCloud+, with same services for same price! Or as part of Apple One which is slightly pricier but includes an array of additional consumer entertainment services.

Apple Business Essentials is a set of business services with guaranteed SLAs.


Google drive business also offers infinite storage


Google One only works for gmail.com accounts


Will it let me use icloud like dropbox? Would be good if those groups they show that can be added also provision an icloud synced shared folder in a predictable location. I love drawing on ipad, but there’s always a bit of friction getting stuff on and off. This would make working with ipad much smoother.


What are the costs for the bandwidth?


consumer backup/storage services typically don't charge bandwidth.


This will be huge.

There is a product I have been wanting to make, there is demand (customers have been asking for it), but it would never have worked with the distributed personal iCloud accounts before. This will allow consolidating all of it under business accounts.

Interestingly enough, I have other people in my circles who have also been wanting to port some things to be native like this and haven't, due to these being business apps and the 'individual accounts' being a showstopper for sharing licenses.


Wow, what a change! Apple spent many years holding the corporate market in mild contempt. Given the dominance of Windows, I totally get that; Apple was right to focus on the niches where they were successful. But it's amazing how much circumstances have changed to make this plausible.


I mean... I'd like to use that to manage my family's macs/iphone!


You know what would piss me off if I had kids? The lack of support the iPad, in particular, has for multi-user logins.

It would be huge for families, and it would also make parental controls way more of a breeze.

Does anyone know why this is the case? I was positive when they made iPadOS its own thing, we'd finally see this.


I don't know why it's the case, but it is very frustrating to me. I have 3 kids and 3 iPads, not assigned per kid, just a pool they all and my wife use. Current implementation is a common "family" account logged in as a "child" on all 3 iPads with app purchase approval going to me and my wife (we both have iPhones).

This "works" just kind of OK. But it would work MUCH MUCH better if my wife could have her iCloud account sign in from the unlock screen when she wants to use it and have the kids sign in from the unlock screen on the shared kids account. The way it is now my wife ends up signing into various services she wants to use on random iPads, which isn't really ideal.

Apple's solution to my family's problem would be to buy my wife her own iPad. But we don't have a shortage of iPads, there's almost never a time when someone doesn't have an iPad available to them when they need/want it. We have enough hardware, just the software doesn't provide a way to share that hardware in a nice way.


Agree! Even Apple TVs have user profile switching.


>Does anyone know why this is the case?

They want people to think of iPads as personal devices like a phone rather than communal devices leading to buying one for each member of the family.


They would rather you bought an iPad for each member of your family.


Have kids.

I HATE that there are no multi user options.

Other people's browser history, settings, preferences, notifications, all jumbled into a mess.


I think they have this for school iPads, with special management software, but not available on the consumer side.

I suspect they're pushing for you to buy a device per user. But even for a household without kids, I could see some utility in being able to pick up the nearest iPad and having your personal state on it. (I think ChromeOS does this, but I haven't used it.)


Also available for business iPads.

Has some catches like... around 30 secs to switch between users, doesn't seem to be instant. Maybe it's faster now.


In 2020 Apple bought FleetSmith (https://www.fleetsmith.com/), we all knew that would become the basis of an Apple MDM, this is the result.


Sounds like a huge upgrade to Apple Business Manager. Two big complaints here:

1. Apple Business Manager refuses to work in Firefox due to an arbitrary user agent block, and they apparently still haven't fixed this.

2. "If accepted, your existing Apple Business Manager account will be upgraded with additional functionality that cannot be undone." - This is a really good way to ensure we don't try this. What if it causes our organization new problems? Why would your beta product be impossible to roll back out of?


The first thing I thought when I saw that block was wtf, apple? You have non-standard compliant html/css there?

Utter disgrace.


It works entirely fine if you set Firefox to lie about the user agent. It's probably one of those cases where someone just didn't want to have to take the 'risk' they had a browser issue with a browser they don't directly support.


So, it's a rebranding of Fleetsmith with the Apple magic


You'd think if they were going to rebrand it, that they'd redirect you to the new site. Instead, now they are managing competing products.


Perhaps it’ll be shut down closer to when or shortly after the product actually launches.


After seeing what happened after the Fleetsmith acquisition, it is unlikely. They made several questionable decisions after the acquisition and as far as I can tell haven't really made any significant updates since.


I just signed up for Fleetsmith yesterday, so this is pretty timely. I'm interested to see if/how this changes things.


Even roll your own apps to your employees, bypassing the AppStore review?

Upd: the video suggests that there are 'collections' which distribute apps to users, but it is not clear if own apps can be included in these using Enterprise certificates.


As far as I know you can already do that with enterprise certificates?


You can sign apps without Apple being "in the loop" and distribute them via the web with an enterprise cert. As far as pushing out updates I think you have to build your own system for that. My company uses enterprise certs and our app will notify the user when there is an update, redirect them to a web portal where they click a link, are prompted to install the app, and then the app is installed.


You could already do that. Facebook notoriously abused the process.


Not enough information on that page but...doubt it?


Already possible


Tough day for Jamf.


The announcement is a little light on details around directory integration for things like AD. I'll be curious to see a feature comparison with Jamf.

Edit: Ahh, I see. "small businesses in the U.S. with up to 500 employees"


So, every day will continue to be a tough day for all Jamf users...


Though the whole setting has changed, this harkens back to NeXT's stated mission prior to merging with Apple: To be the preferred business alternative to Microsoft.


I see a lot of comments where people are saying this is a killer blow to JAMF but almost every single org has a heterogeneous set of devices (PCs, Macs, iPhones, Androids, etc), so how will this work with that?

Unless they support all types of devices why have yet another tool?


I thought JAMF was Apple Only Ecosystem as well. So it's a lateral movement from the perspective of heterogeneous set of devices, but if you had to go with Apple or third party, given the same features and limitations, most would go first party.


Not necessarily true, if a small business wants to keep MDM simple, they could adopt Apple's Business Essentials to get a lot of value quickly. These small businesses may like paying for apple care and MDM in a single payment rather than paying two separate companies.

You're correct in that large businesses have heterogeneous devices and JAMF will still be relevant there.


JAMF is Apple only.


This is what you get when part of Apple's Services Revenue is at risk. Finally doing something that it should have been doing since Day 1. Along with AppleCare+ Monthly option. Instead it took them the whole of 2019 and 2020 before they acted. I would imagine a similar play will be made for the Education market as well. As they are battling with Chromebook and now Windows 11 SE.

This is easily another billion dollar ARR.

Oh I would not be surprised if Johnson & Johnson are switching to using Mac sometime in the future.

Edit: I would bet the onsite repair is the only good thing that ever came out of the Butterfly keyboard fiasco.


Looks great. I recall Apple held out for a long time to play ball with enterprise IT, focusing on consumer. It seems like they've fully embraced the massive enterprise market.


Apple has supported enterprise device management for a long time, it has just been third parties like Jamf doing most of it until now.


There’s a few headlines talking about backups - does apple finally have a cloud based time machine replacement? I’d be so excited to see that as a general consumer too.


I think that's unlikely to be a thing they're working on. You can get that from storing your files in iCloud already, and these days is there any good reason to back up the rest of your system? If I had to rebuild a system due to hardware failure the absolute last thing I'd want to do would be restore all the accumulated system cruft!


Storing files in iCloud Drive is very different from a backup I would argue.

What a business would want in this case is Backblaze like functionality with versioning / restore. iCloud drive also doesn't really help you with restoring a full system like it is possible on iOS where all your settings, passwords and apps are just like you left them.


> What a business would want in this case is Backblaze like functionality with versioning / restore

Maybe. Some businesses just back up their users' files and just reimage machines when something goes wrong.


Honestly as an end-user that's my preference.


I use Backblaze, and aside from the cost, it's great. It's fine for 1 computer, but oof, there's no multi-computer discount. Most of my machines aren't backing up terabytes of storage either. We're talking like ~100gb a machine and there's two of them.

Businesses like to talk up "unlimited" but it's a pain when you're using less storage but have to subsidize those using a ton of storage.


A few years ago Backblaze started offering B2, a storage API priced at $0.005/GB/month, and dirt cheap egress fees unlike the big cloud offerings.

You'd save money switching to a client that supports B2, they have a list on the site, though I'm not sure which provide decent version management.


Pages/Numbers/Keynote do support versioning in-app when the doc is stored in iCloud Drive, albeit not as efficient as true versioning.


Doesn't iCloud Drive have a revision history? For example DropBox does, so Apple could add the feature.

> all your settings, passwords and apps are just like you left them

Now that most of these things come from the cloud anyway, do we need the rest of the system backed up?

I don't need to restore my system from a backup - I just log back into Creative Cloud, Jet Brains, etc.


It probably very much depends on what you are using your computer for. If you are just living in Chrome and use Google Docs and Mail there this will work just fine.

If you are someone who has tools set up, apps not from the app store, some custom dot files, your shell history and environment variables this will not help you at all and getting up and running after a device got lost / destroyed will take you a day. Even if it's just simple things like your system theme / Dock positions of your apps.

You could probably fiddle and symlink things and hope everything works but it's not a "log in and have your device be in the same condition as before" like you'd get from an iOS "Restore from iCloud" functionality.


To be fair, iCloud has a password manager on MacOS / iOS that works great.


> these days is there any good reason to back up the rest of your system

From experience, there is definite need. I spilled some water on my work laptop and it died. I was able to get a replacement in maybe 3 hours, but setting everything up again was a major pain.

A Time Machine backup would have let me continue more or less where I left off in a matter of an hour or two, vs. many hours/days (and some lost work). (not that Time Machine is perfect either, but much better than just iCloud)

I agree that getting rid of system cruft can be good, but it's better handled proactively than on machine failure IMO.


iOS devices do full backups to iCloud†, restorable onto a new device just like macOS full Time Machine backups are.

So why not macOS backups in iCloud? If anything, you'd expect it to be the other way around—in iOS devices, you/apps can't litter your homedir with random garbage, while in macOS you can. So it's more useful to back up macOS.

† You can also make an iOS backup onto a local macOS computer running iTunes, which is, I believe, what they do for you when transferring your data to a new device in store. I haven't looked at them lately, but if they're just plain-old Time Machine backups, that's even more damning, as that would imply that iCloud is already perfectly set up for receiving Time Machine backups.


> So why not macOS backups in iCloud? If anything, you'd expect it to be the other way around—in iOS devices, you/apps can't litter your homedir with random garbage, while in macOS you can. So it's more useful to back up macOS.

This is somewhat the reason why there is no full macOS backup to the cloud. iOS naturally normalizes the content due to its use of iTunes Store content (apps, movies, television shows, books, music).

On macOS, you can't necessarily just ignore apps and say you'll download from the store - not only can you move applications around, you can delete parts of them and _many_ devices have apps which were not downloaded from the store.

So a 1TB Mac backup will take 1TB of iCloud Data and require 1TB of data to be uploaded/downloaded to their storage account.

This also affects the speed of restores on higher-speed connections - a lot of the iTunes content winds up being cached by CDNs.

Apple's solution so far has been to back up just the user's Documents and Desktop folders to iCloud, since these are the two most important "general purpose" locations on the Mac.


> On macOS, you can't necessarily just ignore apps and say you'll download from the store - not only can you move applications around, you can delete parts of them and _many_ devices have apps which were not downloaded from the store.

Sure, but they're by-and-large the same apps. You can delete parts, but the parts that are there will inevitably be parts someone else also uploaded before. Apps are a highly backend de-dup-able kind of data.

As such, couldn't Apple just treat .app bundles (and a few other bundle types, e.g. .framework, .kext, .plugin, etc.) specially for purposes of iCloud backup, by e.g. content-hashing all the files in each bundle, shoving those files into an object store keyed by content hash (i.e. a Content-Addressable Store), CDN-mirroring that CAS, and then saving the .app bundle in your backup as a BOM for reconstructing the bundle from the CAS CDN?

Keep in mind, Apple have never promised E2E encryption for iCloud backups, only "encryption in flight" and "encryption at rest." (See https://support.apple.com/en-ca/HT202303). And even then, that's never included an implied encryption of your applications, only of "your data" (since, as you say, the apps are being turned into symbolic references to ITMS CDN objects.)

So they could have an explicit policy that certain filetypes that aren't "user-generated" would be "backed up in the open, to the commons"; while all other filetypes would get individual treatment. And presumably you could also set some Finder xattr to override that policy one way or the other, if e.g. you had some proprietary binaries you were under NDA to not release.
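
The content-addressed scheme proposed in the comment above, as an added example that is not part of the original thread and not Apple's implementation. It assumes SHA-256, a `cas/<2 hex chars>/<digest>` object layout and hypothetical manifest field names, and runs on two constructed bundles; it goes one step beyond the comment by treating the manifest and the CAS mirror as untrusted on restore (path confinement and digest verification).

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path, PurePosixPath


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def ingest_bundle(bundle: Path, cas: Path) -> list:
    """Store every regular file under its SHA-256; return the manifest ("BOM")."""
    manifest = []
    for root, dirs, files in os.walk(bundle):  # does not descend into symlinked dirs
        dirs.sort()
        for name in sorted(dirs + files):
            p = Path(root) / name
            rel = p.relative_to(bundle).as_posix()
            if p.is_symlink():  # record the link itself, never its target's bytes
                manifest.append({"path": rel, "type": "link", "target": os.readlink(p)})
            elif p.is_file():
                digest = _sha256(p)
                obj = cas / digest[:2] / digest
                if not obj.exists():  # identical content is stored once for all users
                    obj.parent.mkdir(parents=True, exist_ok=True)
                    shutil.copyfile(p, obj)
                manifest.append({"path": rel, "type": "file", "sha256": digest,
                                 "mode": p.stat().st_mode & 0o777})
    return manifest


def _safe_join(dest: Path, rel: str) -> Path:
    """Confine a manifest path to dest: no absolute paths, no '..' components."""
    pure = PurePosixPath(rel)
    if not pure.parts or pure.is_absolute() or ".." in pure.parts:
        raise ValueError(f"unsafe manifest path: {rel!r}")
    return dest.joinpath(*pure.parts)


def restore_bundle(manifest: list, cas: Path, dest: Path) -> None:
    """Rebuild a bundle from the CAS, verifying each object against its digest."""
    links = []
    for entry in manifest:
        out = _safe_join(dest, entry["path"])
        if entry["type"] == "link":
            links.append((out, entry["target"]))
            continue
        digest = entry["sha256"]
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("malformed digest in manifest")
        obj = cas / digest[:2] / digest
        if _sha256(obj) != digest:  # mirror returned bytes that do not match the name
            raise ValueError(f"CAS object failed verification: {digest}")
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(obj, out)
        os.chmod(out, entry["mode"])
    for out, target in links:  # links last, so no file is ever written through one
        out.parent.mkdir(parents=True, exist_ok=True)
        os.symlink(target, out)


def _rejected(manifest: list, cas: Path, dest: Path) -> bool:
    try:
        restore_bundle(manifest, cas, dest)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Constructed data: two users back up the same app; one deleted a localization."""
    files = {"Contents/MacOS/Example": b"\xcf\xfa\xed\xfe" + b"code" * 1000,
             "Contents/Info.plist": b"<plist>constructed</plist>\n",
             "Contents/Resources/en.lproj/Main.strings": b'"ok" = "OK";\n',
             "Contents/Resources/de.lproj/Main.strings": b'"ok" = "In Ordnung";\n'}
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp, manifests = Path(tmpdir), {}
        cas = tmp / "cas"
        for user, deleted in (("alice", None), ("bob", "Contents/Resources/de.lproj/Main.strings")):
            app = tmp / user / "Example.app"
            for rel, data in files.items():
                if rel != deleted:
                    (app / rel).parent.mkdir(parents=True, exist_ok=True)
                    (app / rel).write_bytes(data)
            os.symlink("MacOS/Example", app / "Contents/Current")
            manifests[user] = ingest_bundle(app, cas)
        bob, src, restored = manifests["bob"], tmp / "bob" / "Example.app", tmp / "restored.app"
        restore_bundle(bob, cas, restored)
        file_entries = [e for e in bob if e["type"] == "file"]
        ok = all((restored / e["path"]).read_bytes() == (src / e["path"]).read_bytes()
                 for e in file_entries)
        ok = ok and os.readlink(restored / "Contents/Current") == "MacOS/Example"
        stored = sum(1 for p in cas.rglob("*") if p.is_file())
        refs = sum(1 for m in manifests.values() for e in m if e["type"] == "file")
        traversal = _rejected([dict(file_entries[0], path="../escape")], cas, tmp / "t")
        victim = file_entries[0]["sha256"]
        (cas / victim[:2] / victim).write_bytes(b"tampered")  # simulate a bad mirror
        tamper = _rejected(bob, cas, tmp / "again")
        return {"file_refs": refs, "stored_objects": stored, "restored_ok": ok,
                "traversal_rejected": traversal, "tamper_detected": tamper}
```

Seven file references across the two backups resolve to four stored objects, and the restore refuses both a `../` manifest path and an object whose bytes no longer match its name.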


> As such, couldn't Apple just treat .app bundles (and a few other bundle types, e.g. .framework, .kext, .plugin, etc.) specially for purposes of iCloud backup, by e.g. content-hashing all the files in each bundle, shoving those files into an object store keyed by content hash (i.e. a Content-Addressable Store), CDN-mirroring that CAS, and then saving the .app bundle in your backup as a BOM for reconstructing the bundle from the CAS CDN?

Many macOS apps are not sandboxed. Even apps which have native iOS ports litter crap all over the macOS filesystem. Of course, the primary offender is apps which have their own always-running autoupdater services.

My money says Apple will eventually do a devteam-bound overlay filesystem for apps which have not adopted sandboxing.

> Keep in mind, Apple have never promised E2E encryption for iCloud backups, only "encryption in flight" and "encryption at rest." (See https://support.apple.com/en-ca/HT202303). And even then, that's never included an implied encryption of your applications, only of "your data" (since, as you say, the apps are being turned into symbolic references to ITMS CDN objects.)

I don't know if Apple wants to have more caveats to their privacy story at this point.

I suspect the best system would be the hash-encrypt-hash of Freenet, at which point the privacy leak would be in the downloading/leasing of blocks of identified material - e.g. if someone was upset about a particular app being pirated they could still court-order ask apple for information on which devices were backing that object up.


> Apps are a highly backend de-dup-able kind of data.

AFAIK Apple's backup systems do not de-dup data. Backup data is encrypted and that key never touches the data center.

Instead, they:

1. de-dup data at the local application layer, such as sharing a common link to an image for photo albums along with the encryption key.

2. de-dup the environment by scripting the reinstallation from their controlled sources (stable CDN links to immutable/integrity protected packages with privilege-reduced installation)


> iOS devices do full backups to iCloud

Right but that functionality dates back quite a few years now, back from iTunes and before cloud computing. I'm not sure they'd build that functionality today.

Exactly as you say - what is the point of a full phone backup when you don't normally store any files on your phone? They could back up the metadata of what apps you have installed and where you've put them on your home screen. I'm not sure it's worth doing much else?


It’s worth it for the device migration functionality alone. If I switch/upgrade iOS devices, I can perform iCloud or device-to-device recovery, which is much more useful to me than simply restoring which apps I had installed and their data.


Small nitpick, they are not full backups. I am continually discovering new gaps in what gets backed up.

One example: apps that you built onto your device as a developer. Get a new phone and restore from backup? That app is gone now.

I do understand the reasons why. But understanding does not make it a full backup.


That really depends on the user.

As a developer, I’ve modified quite a few system files and would like those things backed up. It’s one reason I don’t use Backblaze – they refuse to backup system files.

As an employer, I can imagine a situation in which those “cruft” files contain information about the actions of an employee that might be valuable in legal proceedings, or just proving they were terminated for cause.

But 98% of the time you’re totally right about not needing to backup every little config file.


>As a developer, I’ve modified quite a few system files

I do as well. Given that such things tend to be more fragile between OS releases though and easy to forget I usually prefer to recreate them for upgrades or reinstalls anyway. Also provides an opportunity to reevaluate them. So these days I think the better way to go about it is with automation as much as possible rather than backups. That said:

>It’s one reason I don’t use Backblaze – they refuse to backup system files.

Well, you can use something like CCC to image your startup disk to a file somewhere else, and regular BB will cheerfully take care of that. Makes restores mildly more work but not much given that a failure which nukes the system files means having to do some level of reinstall/recover anyway.

I use Backblaze B2 though, which has maintained decent pricing vs S3 and is much more natively flexible. Having local systems backup to TrueNAS (or have data folders that just live there) then that go to B2 is another way to handle things. With Apple making custom restores ever more difficult though all that might need some reevaluation too :(. I miss how powerful and pleasant their tools were at one point with no subscriptions or WAN required, and will always be a bit bummed things didn't go the way of adding your own signing to the system image utility, Net Boot/Net Install etc they already had going. Macs were really great to run heavily off a LAN back around 10.5.


I used to have a repo with scripts that "encode" those changes. Stuff like "setup-zsh.sh" and so on. On a new computer, I could just install git, clone the repo then run the scripts.

I stopped doing that because I don't use new systems often enough to be worth it, and as someone else said it's also a good time to examine and improve your workflow.


I agree and disagree. For my gaming desktop, I'd just reinstall apps to get a fresh start.

I started my own software consulting/contracting thing this summer and if my machine crashed, every hour I'm not working is costing me money. So setting up all my apps again to get a fresh start isn't worth it. With TimeMachine on my NAS, I just get the replacement computer and let it restore while I sleep. Then I'm good to go the next morning.


It depends on one's preferences and circumstances. I got a new M1 MacBook recently and I took my time setting it up from scratch.

A few years ago, I had my MacBook stolen. I was up and running within a few hours after getting a new Mac and restoring from my Time Capsule. Dealing with the aftermath of a car break-in (thanks San Francisco!) and a new computer at the same time was going to be a bit much for me.


"There’s a few headlines talking about backups - does apple finally have a cloud based time machine replacement?"

Apple doesn't, but we do.

You simply do a "dumb" 1:1 mirror to an rsync.net account with 'rsync', which you already have.

Then you set up an arbitrary snapshot schedule in your account. rsync.net will then create, and rotate, immutable snapshots of your dataset. [1]

The only difference is that our ZFS snapshots are bit-wise efficient whereas the time machine snapshots are still (I think) file-wise efficient ... which is to say they are less efficient.

We used to advertise this ... the notion that you could clone your time machine config to rsync.net ... but we came to the conclusion that there's a pretty insular hackers-on-osx bubble and, in reality, 99% of mac users don't drop to the command line for any reason.

Which is too bad ...

[1] https://twitter.com/rsyncnet/status/1453044746213990405


Would you say that this is the most time machine-esque way of using your service? I’d imagine using borg (pulled from macports/homebrew) and using MacFUSE to local mount would seem pretty time machine like whilst offering other benefits over rsync such as client side encryption, compression and deduplication (the dedupe might be irrelevant since you’re using zfs)


Yes, I would say that.

It's also the simplest method - again, just a dumb rsync command that you re-run every day.

If you are using borg you would probably handle the retention and versioning yourself with the borg tool and perhaps set just one or two daily snapshots at rsync.net. These would not be for your backup schema, but rather, for safety in case of mistakes/ransomware/mallory.


So enterprise is the next target for Apple?


There are already plenty of Configuration Management and MDM solutions that can handle MacOS and iOS. This is targeted at small businesses that don't have an existing MDM solution.


It makes sense given that this is both an area where they've historically had to deal with the competitive disadvantage of Windows having a large “built-in” market and one where they've made huge inroads with iOS.

For a small business this is especially interesting since an iPad / ChromeOS device is a better call for an awful lot of workers and this makes that switch even easier.


Seems like a work in progress over the past year-ish:

https://www.techradar.com/news/apple-buys-mdm-specialist-to-...


Given the pricing, this strikes me more as “we’re confident enough that we’re going to grow the Mac business, that we need to offer something to enterprise to check a box so we don’t artificially limit sales.”


I hope not. You can see from Microsoft that it is hard to do that without tainting the consumer side.


This certainly seems like a direct attack on something like JAMF, which Apple has basically blessed to be the Enterprise management tool for Apple Devices. (Ok I guess since it's less than 500 users, maybe not quite in the same ballpark as JAMF, but I'm sure JAMF has plenty of customers with less than 500 installed devices, and this service offers more than just management)


You just wait, I am sure that after Apple tests this plan, knows it works reasonably well and can make money, they will start crippling JAMFs' capabilities and slowly take over the market.


I work as a freelancer and together with a few colleagues we are essentially a "small product studio". We all have "business only" devices and we are definitely going to try this Business Essentials thing. It kind of reminds me of how easy it is to set up a macOS Server. Very cool!


I'm gonna be real with you, macOS server is a complete joke. Avoid and kill with fire.


All I want from Apple is a separate environment for corpware and all of its associated baggage to run. I’d love for that profile to even acquire its own EPS bearers so that its traffic is distinct from personal traffic.


Looks good, roll it out to the UK and we'll switch from Jamf pretty quickly.


Wow, the company where I work just rolled out Kandji, what timing.

However I don't think online storage is necessary for most businesses that are already using either Google or Microsoft office products.


This is really cool, and a very necessary offering from Apple. But dear god their promo video (at the end of the page) is unwatchable. Is it just me or have these videos gotten worse? For example, despite being impressed with the new MacBook Pro announcement (which I have purchased), I had to mute their live Apple event because of all the cringe over-edited script. Maybe I've just become allergic after working for a corporation for years. Sorry for the rant.


If you can use the Managed Apple ID as an OIDC server (what Login with Apple essentially is) then this would be a pretty nice complete solution


Heavy blow to JAMF folks! It would be interesting to see how things go from now onwards for them.


I can’t tell exactly but this seems to be going down the compete with Active Directory route.

Which honestly, isn’t a bad thing. AD is getting long in the tooth and AAD is a mess, we can absolutely use a few clever Apple innovations in this space.


Wonder if an education version of this product will be released?


It’s like Apple has started listening to customers again.


What do you do if you need more than 2TB of storage?


Graphics and design pro users may need more than that easily. That is an important business segment for Apple.


Yeah I guess for "business" users who are only storing office documents 2 TB is plenty, but as a home user, I bought into iCloud Photo Library and I'm about to pass the max 2.2TB storage limit of iCloud and will have to switch to Synology Photos or something


You could have the 2TB iCloud storage add-on and also the Apple One with 2TB to get the total of 4TB.


That's only available in a handful of countries (ones that have Apple News or Apple Fitness+ available), and not where I live.


Could this allow per-app VPNs via MDM, e.g. one browser goes to corporate VPN, rest of device uses standard network connection?


This should be offered for free! But then I live in a country where I can't even afford an apple device.


In your experience, would it make sense to use this to manage 4-5 family members and their devices?


I’d be thinking about Family Sharing for that usecase.


Happy to see they came up with a use for their HQ: largest and most expensive sound stage ever.


If I'm not wrong, I think this is the Fleetsmith acquisition that happened last year.


Agreed though it's weird you can still purchase Fleetsmith directly.

https://www.fleetsmith.com/pricing


Wow! Apple is now doing 4-hour onsite repairs?!? It’s an early Christmas miracle!


Does this mean I can finally have multiple user accounts on my iPhone?


Unlikely. Current MDM works with just one account on a device, I don't think this will be changing.


iPads can be put into a "shared iPad mode" that is managed from MDMs.

https://support.apple.com/guide/deployment/shared-ipad-overv...


Wonder why JAMF hasn't been bought out yet.


JAMF is overbought anyways, time to sell


Do they also help set up tax avoidance structure?


Slightly off topic, check out the HTML code next to the "Onsite repairs" box; the formatting uses strikethrough, but there is a hidden element with "Not" text before each crossed out line. I assume this is for accessibility or copy-paste compatibility; as a result the raw text still reads:

> Onsite repairs: Not someday Not next week Not soon ASAP.

I find this kind of attention to detail very cool.

(Too bad "ASAP" is not very specific either and can mean "someday", "next week", or "soon" too...)


This is for the visually impaired! Screen readers will announce the hidden element


Can screen readers not figure out that a 1px x 1px element with a clip-path: inset(0px 0px 99.9% 99.9%) is invisible?


Screen readers are a lot dumber than you'd expect... And now web designers have come to rely on this dumb-ness, so making them smarter breaks stuff.


The trouble is, I think, that typefaces vary so much that some could appear to have a strike through when they don't.

Or take for example the number 0 which sometimes has a fairly horizontal slash through it. Do you program the screen reader to check if the struck letter is a 0, and if so, consider it not to be struck? But... What if it actually is, and that typeface doesn't have a slashed 0?

Do you only check perfectly horizontal strikes? How thick? At which height in the type? How much overhead is it to parse all of this? etc.

This also requires rendering the document and inspecting the image with object detection, I would think? Someone correct me if I'm wrong, I'm only trying to imagine potential problems.


The issue is not with detecting the strike through. The issue is that the CSS of the hidden "not" element obviously makes the element invisible, but a screen reader still reads it.

Obviously, Apple is abusing that fact here in order to insert elements that only screen readers would see. Definitely feels like a hack.


I understand what's happening (I use this approach myself). I'm only wondering about if the strike-through recognition idea makes sense.


There is a text-decoration: line-through CSS styling available, which I would hope a screen reader would convey properly. Apple isn't using that here though, for whatever reason.

An AI could probably get pretty good at detecting and interpreting stuff like the ::after as a strikethrough. The general problem of extracting semantics from a hacked up html / css / js web page feels like it would require a human level AGI. There are a ton of ways to make text appear with a line through it, and in some cases it may not even have been intended as a strikethrough.


Screen readers don't do OCR.


That's kind of my point - I don't understand how you could go about identifying words on screen with a strike-through in the way they described.


Depends on how you implement the strikethrough; if you use the HTML tag - the screen reader will have zero trouble.

Although with all the vDOM and JavaScript crap these days, web is quite inaccessible compared to most native apps.


Do they not indicate strike through already in another way?


Looks like they are using the hidden "not" and the weird :after CSS pseudo element to draw a line over text instead of "text-decoration: line-through;" probably because screen readers don't recognize the proper strike-through styling:

https://veroniiiica.com/2020/05/29/tips-for-censoring-text-w...

If that's the case then it should be fixed in the screen readers instead of still requiring CSS "hacking" in 2021.


Bootstrap's .visually-hidden (formerly .sr-only) does something similar using clip(): https://github.com/twbs/bootstrap/blob/main/scss/mixins/_vis...


Slightly tangential but don't soon and ASAP mean the same with the difference of an urgency qualifier?


Thought the same. ASAP seems just as meaningless/vague as soon?


I suppose this is more about the concern the wrong meaning could be indexed. Nice highlight in search results: "Apple BE: Onsite repairs someday".


It's way too vague if they're channeling that much attention to it.


[flagged]


At this point, I think Apple's PRISM compliance is common knowledge. I hope.



The downvotes are coming because this has nothing to do with the topic at hand and you are both blatantly trying to start a flame war. You both have form on Apple threads. If they bother you that much, stop reading articles about them.


Clicking through your comments, I think you're setting a double standard. I'm not trying to start a flame war, I'm holding a trillion-plus-dollar company accountable for a claim they made on the webpage this thread was based on. You're welcome to refute these claims or ignore them altogether, but arguing that people shouldn't post about Apple's history of privacy abuse only makes you look bad. Tanking the downvotes is just the cost of making a subversive claim on Hacker News.


One of the main cards was explicitly about privacy and security. Find out more…


Apple advertises its "privacy" in the link. I am saying that the privacy is not included.


Ahhhhhh. Ohhhhhhh. A film!


It is curious that on this page, Apple says "Watch the film to learn more" and "Watch the announcement film" whereas they always use the term "video" (or "movie" where appropriate) everywhere else in all their messaging, as far as I've noticed. I wonder what they're thinking?


That’s how it starts. Later there’s running and screaming.


A few comments:

1. I was paying for iCloud and Apple service for *YEARS* but then suddenly when I lost my phone, iCloud had no record of it.

2. I have had multiple employers in Silicon Valley who had the BYOD (Bring your own device) policy implemented but then they attached a SECONDARY DEVICE to my iCloud account and were slurping all personal records from that.

3. Show me a way to FUCKING MANAGE WHO IS ACCESSING MY DATA.

4. I have too many more issues at level 4 that @dang will get mad if I share (and FB and others will sue me again if I dare)... think Paul Stamets on the secrets of mushrooms -- If you have any sort of work phone, know they are slurping ALL the deets..

Never take a personal phone/device into a workplace environment.

In my case - I was going through a very messy divorce, and my employer had been surveilling my texts and everything because when I joined I made the mistake of adding my Apple ID -- and then the employer added a fucking device to my account and was surveilling everything.

Yeah - if you get a job in tech these days, the ironic thing is to be an off-grid person.

#KazinskiWasRight


> 2. I have had multiple employers in Silicon Valley who had the BYOD (Bring your own device) policy implemented but then they attached a SECONDARY DEVICE to my iCloud account and were slurping all personal records from that.

I don't think MDM allows the admin to hijack your iCloud account. Are you sure it's your employer, not some other?


Positive. It's happening everywhere, and by dog-years and internet standards, this is ancient.

Never EVER trust ANY HR department. They are not your friends.


HR? They are ‘People and Culture’ now.


> Never EVER trust ANY HR department. They are not your friends.

They work for the company, not the employees...



