System Integrity Protection and Suggested Workarounds

I am interested to hear what others are doing to manage the restrictions of system integrity protection. I've so far identified 3 distinct instances in which SIP will impact current workflow considerations. Luckily, one of the conditions appears to be rectified in the GM release (user template modification).


Obviously, in most of these cases, SIP can be disabled, the changes can be made, and then it can be enabled. But, this means that every machine in the fleet must be individually touched in order to accomplish the tasks. Or we fall back to monolithic imaging which seems to be out of favor, especially when considering DEP, JAMF, and other management solutions.


Here are the issues I've identified so far:


1: Time Machine Execution Interval

A one-hour execution interval for consumers may be appropriate when all they are doing is email and web browsing. But for content-creative customers using Time Machine Server or locally attached Time Machine volumes, every hour is too aggressive and can result in filled TM volumes. Consider a user working on a single PS file that is 500 MB. Working on this file during a full day will result in over 4 GB of archived content for one file. Sure, the excess is pared out over time, but this remains too aggressive. Apply this to video customers and it gets even worse. A common action is to increase the time interval between backup executions. To do this, you must edit a launch daemon at the system level. This is now denied by SIP. Once again, this used to be a scripted process for a fleet of hundreds if not thousands of machines. Now, it requires either the physical touching of each device or the creation of a monolithic image. For DEP, thin-imaged, end-user-driven deployments, this simply does not work.


2: Servers with RAIDs

First, I will point out what a train wreck the new Disk Utility is. I am fully expecting a new release before Sept 30 because if this is what is unleashed on the public it is a travesty. But I digress. Here is the issue I am seeing. I will use a Mid-2011 Mac mini Server as an example. It shipped with 10.7 but can run 10.11. It is a server-class device and contains two drives that can be configured into a RAID. Once configured as a RAID, you get no recovery partition. Since there is no local recovery partition, holding down Command-R will boot from the Internet Recovery partition. But since this model shipped with 10.7, you get a 10.7 Recovery Partition. The 10.7 recovery partition does not contain the csrutil command. How do you disable SIP on a server-class machine configured with a software RAID? If there is no recovery partition to locally boot from, how do you run the csrutil command? Now, I am hoping that I will not need to modify much on the Server. Originally, the beta limitation of protecting the user template meant that network home folder template customization was impossible on RAIDed servers. At this point on the GM I am able to modify the user template, so the concern I had is fading. But what if there is another requirement of Server that needs modification? Look, I get it. Xserves and Mac mini Servers are a thing of the past. But they are still supported devices, and the common configuration for these units was a mirrored RAID. Considering the varied requirements I get for Server, I fear the inability to alter /System-level resources.


3: Modification of the User Template (thank you, Apple!!!! - not present in the GM release, but I am fearful, as this limitation was in all tested betas)

This is a workflow process that I've employed for as long as I can recall. Either through the creation of a monolithic image or via a scripted delivery to a thin-imaged device, the reality is that configuration profiles simply do not cover everything that may need to be set as a default value or as default data. Some items that come to mind are suppressing the iCloud login after each update, scroll bars, mouse behavior, third-party preferences (especially from those lunatics at Autodesk), and .DS_Store suppression. There are plenty of other reasons to populate the template. This includes custom brushes, swatches, etc. for Adobe tools and even documents that all employees should see. With SIP, modification of the User Template is not possible. In a thin-imaging solution where I do not touch the machine, I will never be able to deliver the preferences to the template. Instead, I will need to build a solution to deliver the payload to accounts as they are created.

As stated, I am relieved that this location was permitted with the release of the GM. But I fear the future.


Now, there are other concerns. What about adding DHCP option codes? mDNS timeout? OD defaults? And all the other hacks and tweaks that are occasionally required in enterprise environments?


I would love to hear strategies that others have crafted to work around this. I would also like to hear opposing opinions. Thanks for reading. Here is to a usable SMB client.


Reid
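One way to get a longer Time Machine interval without touching the SIP-protected com.apple.backupd-auto launch daemon, as an added example that is not part of Reid's post: disable Apple's hourly schedule with `tmutil disable` and install a site LaunchDaemon in /Library/LaunchDaemons (which SIP does not protect) that runs `tmutil startbackup` on its own StartInterval. The label `com.example.timemachine-interval`, the 7200-second default and the `PLIST_DIR`/`INTERVAL` overrides are assumptions chosen for this example; `render_plist` and `install_daemon` are its own helpers.

```shell
#!/bin/sh
# Added example, not code from the original post. Replaces the (now
# SIP-blocked) edit of /System/Library/LaunchDaemons/com.apple.backupd-auto.plist
# with a site LaunchDaemon under /Library/LaunchDaemons.
# Label, paths and the default interval are assumptions for this example.

LABEL="com.example.timemachine-interval"      # assumed reverse-DNS label
PLIST_DIR="${PLIST_DIR:-/Library/LaunchDaemons}"
INTERVAL="${INTERVAL:-7200}"                    # seconds between backups

# Emit the LaunchDaemon plist on stdout. launchd will run `tmutil startbackup`
# every $1 seconds; Apple's built-in hourly schedule is switched off separately.
render_plist() {
    interval="$1"
    case "$interval" in
        ''|*[!0-9]*) echo "interval must be a positive integer" >&2; return 1 ;;
    esac
    [ "$interval" -ge 60 ] || { echo "interval must be at least 60 seconds" >&2; return 1; }
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>${LABEL}</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/tmutil</string>
        <string>startbackup</string>
    </array>
    <key>StartInterval</key>
    <integer>${interval}</integer>
    <key>RunAtLoad</key>
    <false/>
</dict>
</plist>
EOF
}

# Write the plist with the permissions launchd insists on (root:wheel, 0644),
# then disable the stock schedule and load ours. The root-only steps are
# skipped when the script is exercised as a normal user or off-macOS.
install_daemon() {
    target="$PLIST_DIR/$LABEL.plist"
    render_plist "$INTERVAL" > "$target" || return 1
    chown root:wheel "$target" 2>/dev/null || true
    chmod 644 "$target"
    if [ "$(id -u)" -eq 0 ] && [ -x /usr/bin/tmutil ]; then
        /usr/bin/tmutil disable
        /bin/launchctl load -w "$target"
    fi
    echo "$target"
}

if [ "${1:-}" = "--install" ]; then
    install_daemon
fi
```

Run it as root with `--install` from a policy/script item in the management tool so it applies fleet-wide without a local visit. Two caveats worth knowing: `StartInterval` is measured from when the job was loaded, not from wall-clock hours, and a backup that is still running when the next interval fires is simply skipped by `tmutil`, so a very large first backup does not pile up duplicate runs.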
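For the User Template problem described in point 3 (delivering preferences, brushes, swatches and documents to accounts as they are created, since the template itself is off limits under SIP), here is an added example of a first-login delivery script; it is not from the post. It is meant to be run by a LaunchAgent in /Library/LaunchAgents (RunAtLoad, so it fires at every login as the logging-in user) and copies a payload tree into the home exactly once. The payload location `/Library/ExampleOrg/UserPayload`, the marker path and the function name `deliver_payload` are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. First-login delivery of the
# files that used to be placed in the User Template. Payload directory and
# marker path are assumptions for this example.

PAYLOAD_DIR="${PAYLOAD_DIR:-/Library/ExampleOrg/UserPayload}"                # assumed
MARKER_REL="Library/Application Support/ExampleOrg/.payload-delivered"       # assumed

# deliver_payload HOME [PAYLOAD]
# Copies the payload tree into HOME once, then records a marker so later
# logins leave the user's (possibly edited) files alone.
# Prints one of: delivered, already-delivered, no-payload.
deliver_payload() {
    home="$1"
    payload="${2:-$PAYLOAD_DIR}"
    marker="$home/$MARKER_REL"
    if [ -e "$marker" ]; then
        echo "already-delivered"
        return 0
    fi
    if [ ! -d "$payload" ]; then
        echo "no-payload"
        return 1
    fi
    # "$payload/." copies the directory contents, dotfiles included, and
    # merges into folders that already exist (e.g. ~/Library/Preferences)
    # instead of replacing them.
    cp -R "$payload/." "$home/" || return 1
    mkdir -p "$(dirname "$marker")"
    date -u +%Y-%m-%dT%H:%M:%SZ > "$marker"
    echo "delivered"
}

# Invoked by the LaunchAgent as the user, so $HOME is the new account's home
# and the copied files are created with that user's ownership.
if [ "${1:-}" = "--run" ]; then
    deliver_payload "$HOME"
fi
```

Because the agent runs as the user, no chown pass is needed, and because the payload lives outside /System it can be updated by the management tool at any time; only accounts created after the update receive the new files, which is the same behaviour a modified template would have had.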
