Sort of.

High Sierra and the latest saw the removal of File Sharing from the stable of goodies that OS X Server had at its disposal, and there's no getting around the fact that this caused a lot of people in my line of work a lot of... discomfort. Okay, maybe discomfort isn't the word I'm looking for; it was more like this:



Exactly, Liam Neeson. Why?

File Sharing was something that OS X Server did. It was something that it was good at. Reliable. Solid. Secure. Dependable. A large part of the reason why people shelled out good money for nice servers and backups and quality storage. The years rolled by and changes came and went, but File Sharing was always there, always a constant. And now it was gone.

Well, not really. macOS has always been good about sharing and generally playing nice with other people, and one of the reasons that File Sharing was a thing at all was because essentially it was built into the OS and not just into the Server product. Sure, there were more tools available if you had the, but you could always duck into the Sharing prefpane on clients, check a few boxes and presto, you were sharing files (albeit in a basic way). That's still there, although now with some extra tricks up its sleeve (which is welcome), but it's moved out of the to get there (which isn't).

It annoys me, but on the other hand it's not much of an inconvenience. In the old you'd configure the shares you wanted to make in the File Sharing portion of Server and then - often as not - noodle on over to the Storage tab in the to tweak and fine tune, so in a very real sense you're still likely to want to go to two different places to set up and tweak your shares, so really all is well. 

Except that the Sharing prefpane is awful. It takes an eternity to make a share, longer to delete one, and if you want to use FTP or WebDAV then you might as well turn off your computer, open a window, take a deep breath of cleansing spring air, and then throw yourself out of it. Okay, that might be going a little far - particularly as there are solutions to cure a lot of those problems.

The first - and biggest - problem out of the gate is setting up shares. It is often abysmally slow, but thanks to the sharing command you can do a lot of the work very quickly and simply from the command line. It's super-simple - give the sharing command a protocol to work with (AFP, SMB and... wait for it... FTP), a path and a share name and you're off to the races. For example:

sharing -a /Volumes/MyServer/Shared\ Items/ -A My_New_AFP_Share

sharing -a /Volumes/MyServer/Shared\ Items/ -S My_New_SMB_Share

sharing -a /Volumes/MyServer/Shared\ Items/ -F My_New_FTP_Share

You can then tweak users, groups and permissions as needed through the Storage tab in the
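Batch share creation with the same `sharing -a` flags, as an added example that is not from the original post: each line of a list file is `path|share name|protocols`, the path is checked before anything is shared, and guest access is denied explicitly with `-g 000`. The list format, the `DRY_RUN` switch and the function names are my own; the flags are the `sharing` command's.

```shell
#!/bin/sh
# Added example: create a batch of share points with the `sharing` command
# instead of clicking through the Sharing prefpane one share at a time.
# List file format (my own, constructed):  path|share name|protocols
# where protocols is a comma-separated subset of afp,smb,ftp.
# DRY_RUN=1 prints each `sharing` invocation for review instead of running it.

# share_one PATH NAME PROTOCOLS
# Builds one `sharing -a` call. Only the protocols asked for get a share
# name; -g 000 denies guest access for AFP, FTP and SMB (that flag order).
share_one() {
  path=$1; name=$2; protos=$3
  set -- sharing -a "$path"
  case ",$protos," in *,afp,*) set -- "$@" -A "$name" ;; esac
  case ",$protos," in *,smb,*) set -- "$@" -S "$name" ;; esac
  # FTP moves credentials and data in cleartext, so it is never implied.
  case ",$protos," in *,ftp,*) set -- "$@" -F "$name" ;; esac
  set -- "$@" -g 000
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s' "$1"; shift
    for arg; do printf " '%s'" "$arg"; done
    printf '\n'
  else
    "$@"
  fi
}

# create_shares LISTFILE
# Skips blank and # lines, refuses paths that are not directories, shares
# the rest, and returns the number of entries it skipped.
create_shares() {
  skipped=0
  while IFS='|' read -r path name protos; do
    case $path in ''|\#*) continue ;; esac
    if [ ! -d "$path" ]; then
      echo "skip: $path is not a directory" >&2
      skipped=$((skipped + 1))
      continue
    fi
    share_one "$path" "$name" "$protos"
  done < "$1"
  return "$skipped"
}
```

Run it once with `DRY_RUN=1 create_shares shares.txt` to eyeball the commands, then again without the switch on the server.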

Fixing WebDAV is a little trickier, and it's worth checking that your DNS/hostname setup is in good working order before going forward. Assuming that it is, then you can fire up the wfsctl command thus:

wfsctl start

...and add a share simply by feeding the command a path, like so:

wfsctl share /Volumes/MyServer/Shared\ Items My_WebDAV_Share

The real sin here is that there was - at least as far as I can see - no tangible reason for Apple to pull this functionality out of OS X Server. Sure, FTP and its assorted permutations are pretty dusty, but now and again you run into a circumstance that makes them suddenly very important. WebDAV is even more puzzling; as something that was a value-add to Apple's push to get iOS into the workplace it did stalwart service, and its sudden and unheralded removal from the has been a cause of head-scratching consternation. We can only hope that the new and improved Server product they've hinted at this Spring will cure some of what ails...

Saying Goodbye to the OS X Server Mail Service

Of all the services hosted by OS X Server that are apparently going away, none fills me with greater joy on the occasion of its demise than the Mail service. I mean, it was fine if you liked that sort of thing. If you liked your email basic IMAP and POP and you liked it flexible but slow, and if you enjoyed the delightful frisson of high-wire horror whenever hardware failure knocked a server out and rendered an enormous client dead in the water then this was your cup of tea.

Seth and I could probably sit down and talk for upwards of an hour solid about the nightmares this misbegotten monstrosity has foisted on us over the years. The time that we went in after hours on a Friday night to set up a server, and the brand spanking new mail server RAID died two hours into its short life and turned the plan of being home by 9pm into being home at 4am. The time that a weird postfix error ate every user account the day before the company was due to present their multi-million dollar proposal to the Department of Agriculture. Its propensity for greylisting emails on the basis that timely communication was an aberration, or at least an amusing foible. I can feel my arteries scarring just writing these words.

Thankfully, hosted Exchange and Gsuite have quietly gone from strength to strength, recent releases of the iOS and macOS clients have essentially become transparent platforms for those services, and most organizations have moved away from hosting mail internally to the point that the ones that still do are anachronisms. Still, there are a few out there. Lurking.

But no more. On the off-chance that you are one of those holdouts (and if you are you should feel nothing but deep, abiding shame) or ever have to deal with one then you'll need a way to migrate those accounts to something new pretty sharpish. Enter imapsync - which you can download and install from the package manager of your choice. I like Homebrew, so if you don't have that on your Mac already then you can download it from or just paste the following into the Terminal:

/usr/bin/ruby -e "$(curl -fsSL"

Once that's installed, type the following into the Terminal:

brew install imapsync

...then sit back and wait a minute or two for it to install.

Once that's installed you'll need to figure out the mail domains and the accounts on the server. Luckily - if you've installed the on that Mac - you'll be able to use the serveradmin tool to figure that out for you thus:

sudo serveradmin settings mail:postfix:domains:_array_index:

Digging out the accounts is pretty straightforward too - just take a look at the virtual_users file here:

cat /Library/Server/Mail/Config/postfix/virtual_users

The next part can get a little tricky - particularly if you're moving domains - and requires establishing a good time to cut over mail to the new host. Change the MX records for the domain (let's call it over to point mail to the new server then use imapsync to push the old mail to the new account thus:

imapsync --host1 --user1 dave_ball --password1 myoldemailpassword --host2 --user2 dave_ball --password2 mynewemailpassword

This can take a long time. If you have a lot of accounts then it's worth exploring importing mail directly (both Gsuite and Exchange have assorted ways to accomplish that), but if you're just dealing with a small number of accounts then imapsync is pretty simple and easy.
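The same migration driven from the server's account list, as an added example rather than the post's own commands: it reads the addresses out of a virtual_users-style map and feeds imapsync `--passfile1`/`--passfile2` so no password ever lands in argv or shell history. Assumptions of mine: the map has postfix's `address mailbox` layout, the old server logs in with the short name and the new one with the full address, and a `PASSDIR` holds `<address>.old` and `<address>.new` files.

```shell
#!/bin/sh
# Added example: drive imapsync from the server's own account list instead of
# typing one command per mailbox, and keep passwords out of argv and shell
# history by handing imapsync --passfile1/--passfile2 instead of --password*.
# Assumptions (mine): the map file has postfix's "address mailbox" layout,
# the old server logs in with the short name and the new one with the full
# address, and PASSDIR holds <address>.old and <address>.new (mode 0600).
# DRY_RUN=1 prints each imapsync invocation for review instead of running it.

# list_accounts MAPFILE -> the addresses (first column), skipping # and blanks
list_accounts() {
  awk 'NF > 0 && $1 !~ /^#/ { print $1 }' "$1"
}

# migrate_one OLDHOST NEWHOST ADDRESS PASSDIR
# --ssl1/--ssl2 force TLS on both ends; --automap pairs special folders
# (Sent, Trash, ...) whose names differ between servers. Add --justlogin
# for a credentials-only test before the real copy.
migrate_one() {
  old=$1; new=$2; addr=$3; dir=$4
  set -- imapsync --host1 "$old" --user1 "${addr%%@*}" --passfile1 "$dir/$addr.old" --ssl1 \
         --host2 "$new" --user2 "$addr" --passfile2 "$dir/$addr.new" --ssl2 --automap
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s' "$1"; shift
    for arg; do printf ' %s' "$arg"; done
    printf '\n'
  else
    "$@"
  fi
}

# migrate_all OLDHOST NEWHOST MAPFILE PASSDIR
# Runs one imapsync per account, skipping any account whose password files
# are missing; returns the number skipped so the caller can follow up.
migrate_all() {
  skipped=0
  for addr in $(list_accounts "$3"); do
    if [ ! -r "$4/$addr.old" ] || [ ! -r "$4/$addr.new" ]; then
      echo "skip: no password files for $addr" >&2
      skipped=$((skipped + 1))
      continue
    fi
    migrate_one "$1" "$2" "$addr" "$4"
  done
  return "$skipped"
}
```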


Changes to macOS Server

macOS Server has - for the past few years - increasingly become the least-favored child in the Apple lineup. In the last half-dozen or so releases Mac admins have seen the finer points of granular control over services and users stripped away. We gnashed our teeth when they took Server Admin and Workgroup Manager from our cold, dead hands, and screamed defiantly at the angry, stormy night when other services became deprecated or disappeared completely (I'm looking at you, FTP and WebDAV).

And now, to add insult to injury, Apple blithely announced that they're removing the following from Calendar, Contacts, DHCP, DNS, Mail, Messages, NetInstall, VPN, Websites and Wiki. And I couldn't be happier.

Let's face it; OS X Server has - for the great bulk of users and admins (and for a long time) - been kind of a relic. Sure, if you jump in your Time Machine (and incidentally, the Time Machine service has also been dumped in its most meaningful sense) back a decade or so then it seemed like a very good idea to be hosting your own email, websites and collaborative services on your own server. External web hosting was a thing, but if you polled businesses and organizations then a decent chunk of them hosted their own email rather than negotiate with (usually dreadful and restrictive) email hosts, and hosted their own contacts and calendars simply because there was no other option.

Network-centric services (DNS, DHCP, VPN) were handy to have too; the appeal of having your own dedicated toolbox was compelling once you considered that you were hosting your own mail, web, and contacts - if only because OS X Server made those things easy and quick to configure. In a world where you often had to make a phone call and sit on hold for twenty minutes in order to dictate a DNS entry to the nice lady at your ISP, this was a critical advantage. (Side note: the nice lady I'm thinking of was Kristin at SeaNet. I had to call her so often that we ended up trading Christmas cards for a couple of years.)

But it's the nature of things that they change, and almost everything on that list of disappearing services is hopelessly underpowered and outdated, and easily available in a better form in the cloud. Mail/Contacts/Calendar? Hello, Gsuite. DHCP/DNS/VPN? Lots of inexpensive and good quality routers and appliances out there. Messages? Slack, or Discord. Some people will mourn the passage of Wikis, but let's face it - Wiki Server was never exactly what you'd call full-featured or easily/fully customizable, and there are third party options if you really need to go that route.


So, what does that leave? Pretty much just profile management, file sharing and Open Directory. Apple has doubled down hard on iOS and profile management, and it's a move that is either puzzling or has yet to pay off. Sure, the Device Enrollment Program is super neat (after all there's nothing quite like having your devices set up automatically the moment you take them out of the box), but for ongoing management third party solutions like Jamf do a better job and offer cross platform options to boot. File Sharing has been rolled into the client OS, and I get that - it's a fairly simple thing to set up and being able to set up your Mac to share files dates all the way back to the System 6/7 days - but there's still value in being able to do granular configuration from the command line or the

All in all then? There's a lot of smoke but very little fire in this new position. Open Directory is still an incredibly flexible and powerful way of handling authentication and services on a Mac network, and there are excellent third party solutions that you can bolt onto macOS Server that are as good as (or in many cases better than) the aging built-in ones. There's already a certain amount of vitriol being bandied about the Mac admin community over this upcoming change, but IT admin is a constantly changing pursuit; sometimes you have to throw away your old tools if they don't work and just learn to use new ones that do.

SSL, TLS and Alarmism.

Excerpt from an email I received this morning from Harbortouch, entitled "POS Systems Are Now Useless":

"Considerable changes are being made to PCI requirements in order to address a vulnerability with SSL encryption called POODLE. In short, SSL encryption, which has been the standard encryption method for decades, is no longer PCI compliant due to vulnerabilities in this protocol."

Ugh. The one thing more damaging to security than a breach is the perception of a breach. Now while that might seem a naive way of thinking about it, I'll make arguments to my dying day that it is, nonetheless, accurate. Fear-mongering in IT (where the stakes are often high) is a fast way to make a buck out of folks who are bent on staving off incursions. It's akin to yelling "Fire" in a crowded movie house and then trying to sell people buckets of water on their way out to the lobby. Yes, breaches happen from time to time and nobody is downplaying that or saying that they're a good thing, but nothing good ever comes of spamming out something designed to deliberately misinform and panic both vendors and end users.

Here's the real scoop. SSLv2, SSLv3 and early versions of TLS (SSL's successor) are vulnerable to POODLE. This issue was discovered in 2015 and most reputable POS vendors looked at it, upgraded to TLS 1.2, and never looked back. End of story. But wait; there's more:

"SSL has been the standard encryption protocol for decades, so virtually every POS system older than a few months will likely require a costly security upgrade no later than June 2018 (with some deadlines as soon as this summer) or face a complete shutdown of credit card processing capabilities."

Yes, SSL has been the standard protocol since the mid-nineties, but the versions that are vulnerable to POODLE have been largely deprecated. They were outdated in 2015, and well before that responsible folks in the IT field were moving away from SSL and toward TLS 1.2. None of this is in any way new news. The PCI bit is true as far as it goes; a few years ago PCI 3.1 was sunsetted, with PCI 3.2 rolling up in June of 2018, but there's no "costly upgrade" involved at all; your POS vendor will simply implement TLS 1.2, which is functionally interchangeable with the older SSL technology. They both use certificates, and you don't need new or special certificates to use TLS.

Here's the most telling bit: "That means that this is the time for you to go on the offensive and capture more business!"

Pft. And there we have it, ladies and gentlemen. It never hurts to stay up-to-date with your PCI/security obligations, but it never hurts to take this kind of thing with an ounce of investigation and a liberal pinch of salt...




Hi. This is Dave. Pleasedtameetcha.


I'm spending a lot more time doing behind the scenes, big-picture IT these days, and it's an odd change of pace compared to the more traditional, I'll-jump-in-the-car-and-fix-things approach. Not a bad change of pace, but an odd one. I seem to spend less time frowning at things while onsite with clients and a lot more time frowning at things remotely on a little screen, which is fundamentally the same experience with the notable exception that I can use saltier oaths now and mutter more.


A big part of what I'm doing could be categorized as future-proofing. It's an interesting time in the whole macOS/iOS ecosystem, and while the changes afoot aren't entirely sea changes they're nonetheless significant ones of a degree not dissimilar to the move from classic MacOS to Mac OS X. iOS 11 has peeked over the horizon and is approaching rapidly, and while High Sierra isn't on the surface a massive upgrade over Sierra there's a lot of stuff going on there that makes it prospectively challenging.


I like the look of iOS 11. I've always maintained that there's a clarity in reduction - doing less with more. I use a 2015 MacBook as my main computer because it's the smallest laptop I could get with a decent screen and battery life, and because I don't mind just having the one USB-C port. Hell, if I could get by with just using my iPhone as my work machine then I'd go with that, but failing that option I've always thought that an iPad would be an excellent laptop replacement.


Except that iOS, well, sucks. Okay, that's not fair: iOS is great for what it does, but my frustration with it is that it's historically walked right up to the line of being a true replacement for a work laptop and just sort of stopped there, toes on the edge, looking over into the abyss with a diffident expression. The approach of sandboxing each app is outstanding from a mobility and security point of view, but I hated the fact that you couldn't make elements from different apps interact (well, that and the lack of a native shell - but that's rather a lot to hope for and I've given up on that). I watched the WWDC keynote just like everyone else, saw what they'd done with the Files app and the *very* macOS-like dock, and then looked at my laptop as if it were some old, incontinent-yet-faithful dog. Maybe I could lose a pound out of my work bag, vastly increase battery life, and put Old Yeller out to chase rabbits. Which is how the book ends in my world.


But the really interesting thing to come out of WWDC was APFS. I'm playing around with it now and there's a lot to dig into; this is the first shift to a fundamentally new file system since 1998 brought us HFS+ and yes, that's nineteen years ago which makes me feel very old. It's in some ways a product indicative of where Apple is right now, and that's kind of interesting.

Back when the Mac first hove into view in 1984 it ran on the creatively named Macintosh File System (MFS), which was functional but limited enough that it was replaced with Hierarchical File System (HFS) a year or so later. HFS was a media-based upgrade over MFS in that MFS was designed to work great when you were running it from a floppy but didn't scale to larger storage like hard drives. Apple intelligently enough came up with a system of replacing the flat catalog of what-file-is-where (which worked well when you were dealing with a small storage device) with the vastly more effective approach of using a B-tree structure to allow the fast storage and retrieval of file location data, making it massively easier to search files on a larger drive.

In the same mold, HFS+ was largely in response to increased data storage sizes. When HFS was put into commission it would work with the unimaginably vast amounts of storage offered by a twenty-megabyte external SCSI drive, but when you scaled up to volumes in the multiple-gigabyte range then it became almost untenably slow and the approach of having files occupy a logical block meant that even very tiny files could use up a disproportionate amount of space. HFS+ tore that all down by replacing those logical blocks with much smaller 32-bit sectors, as well as increasing the number of characters you could use to name a file and offering support to an exponential degree. Later on we got Journaling tacked on top, and all was right with the world.

So, why move to APFS? Lots of small reasons and a few big ones. Based on the reading and poking around with the thing I think they can be reasonably divided up via the magic of bullet points.

• It's a media-driven update. Now that almost all (if not all) Desktop and Laptop Macs come from the factory with some kind of Flash/SSD/Fusion Drive bolted inside, it makes sense to accommodate that by replacing HFS+ with something that can accommodate the specifics of that new technology. APFS supports the TRIM command right out of the box, and its approach of writing changes to files as opposed to physically copying files leverages the speed of the newer, non-rotational-disk technology to deliver a lot of speed and security.

• Getting Fusion Drives to work in prior versions of macOS was something handled by CoreStorage. HFS+ had no idea what the heck a Fusion Drive was, so CoreStorage stepped in to make it all nice; but now APFS understands all about Fusion Drives. This is a good thing, but I wonder how that will affect the old break-the-fusion-drive-to-get-two-mirrorable-devices trick. Time will tell.

• Time Machine is great in theory but in practice slow and beastly. Not that there's anything fundamentally wrong with Time Machine itself; rather that the process of writing out vast amounts of data and keeping track of the versioning and snapshots put a lot of overhead on a system - overhead that APFS will *drastically* reduce.

• APFS volumes will be shareable on a network via SMB and NFS. AFP over TCP is done, period. It's due for retirement, and I hope it gets a gold watch and a hearty handshake and enjoys its twilight years. It's earned it. Of course, that now means that if you're implementing a new Mac Server then you should probably give a lot of careful thought to your client machines and what OS they should be running; doubling down on SMB is great, but history has shown that differences in the implementation of the SMB stack between client and server machines have occasionally proven problematic - which is a nice way of saying that it can be slow and broken and hateful.


Those are (so far) my major takeaways from APFS. It's an update that I think is likely to change a lot of important professional/prosumer system designs in a lot of unglamorous but pretty essential ways - but it's way overdue and absolutely worth embracing...


I love my Tesla Model S. It's a fabulous car and there are many fabulous and ultimately very boring things that I could say about it. It's fast and quiet and makes you feel like you're sitting in the captain's chair of the USS Enterprise every time you get into the thing on your way to work in the morning. It has many commendable features, but after driving the thing for the better part of two years I've come to the realization that the main problem with the whole man-Tesla symbiotic relationship is that I am, in fact, an idiot.

This manifests itself in many ways, but most of them boil down to some variation on the theme of Oh-No-Where-Are-The-Damn-Keys. You see, as long as you have the keys somewhere about your person then you're able to waltz up to the driver's door and it'll unlock itself and let you in and away you go. However, when you get out of the car you need to push a button on the fob to lock up, which in my case results in a frantic patting of pockets, examining of bags, and occasional spelunking with a flashlight in the darker recesses of the cabin.

Systems and security are only good to a point, and that point is the one at which they're actually both useful and usable.

A couple of years ago Apple came up with the bright idea of SIP (System Integrity Protection), which scored lots of points on the useful scale but not so much on the usable side. SIP locked off access to a slew of places on your Mac that could ostensibly be targets for malicious code, and while the whole thing was a little Big-Brothery it was an undeniably good idea. If you wanted to circumvent it then you could do so relatively simply using the healing power of a relevant Google search, but it probably provided a lot of solid protection for a huge percentage of people who weren't going to fiddle around with the plumbing of their computers and who probably didn't even notice it was there. Like the whole Tesla key thing, it was a little frustrating but demonstrably pretty cool, and you took the former for the sake of the latter.

Which is why it's peculiar that it now - as of macOS Sierra - seems to be switched off by default. Don't believe me? Go on. Try firing up the Terminal and banging in "csrutil status" and see what you end up with.

SIP is a great doorlock, but leaving it wide open by default is at best puzzling and at worst unconscionable...