What’s new in managing macOS 10.13 High Sierra

James RidsdaleApple, Deployment, macOS, Management

Further to our update on what to expect from iOS 11 management, we turn our attention to Apple’s forthcoming update to macOS, 10.13 High Sierra.

As with all new versions of macOS, there are new features and changes to the way we in which we manage macOS.

Here are the highlights:


Apple have added the ability to provide a default configuration for network ports that do not have a specific 802.1x configuration. If you are not familiar with 802.1x, it provides an authentication method for wired or wireless networks.

Software Updates

High Sierra allows the administrator to delay software updates for up to 90 days, giving the option to specify a date on which the update can run. This will be really useful if you are in the middle of testing.

Firmware Passwords

Firmware passwords provide a means of preventing a Mac from starting up from any internal or external storage device other than the startup disk which has been selected, giving the Mac another layer of security. Until now, this had to be set manually on each computer, but with High Sierra, Firmware passwords can be managed via Mobile Device Management (MDM). New MDM commands allow administrators to set the Firmware password, query the password change and verify the status of the password. A reboot of the device is required for these changes to take effect.

Account Management

Many user management commands have been taken from iOS and applied to macOS. New MDM commands allow you to query a list of local user accounts on the Mac, and enable you to delete local users. It can also unlock a user account which has been locked-out.

Data Protection

Extensions on macOS are a great way of adding new features to the Mac. It allows an app to share some of its functionality to another app. For example, a cloud file sharing service could provide an extension to allow other apps to use its services. However, for some companies they prove a security risk, so Apple have added a new extensions payload that allows you to create either a white or blacklist. You can then check which extensions are still available to a user.

For FileVault, Apple’s disk encryptions mechanism, a new payload has been added to allow you to specify the private key that personal recovery keys should be encrypted with.

Apple has also added the ability to stop iCloud Desktop and Document sync.

As always, an update from your MDM provider will be required to make use of these new features.