High Sierra’s Small Print: installation, firmware updates, Content Caching, and more

Over the last few weeks, Apple has released several notes providing further details of some of the more significant changes which come with its High Sierra upgrade. This article looks at those details, and their impact on those upgrading (or contemplating doing so). The closest that Apple has come to producing a coherent, integrated summary of these changes is in this article, which contains links to others.

macOS High Sierra installation and updating

High Sierra supports the following methods for macOS installation:

  • Running the macOS Installer,
  • Creating a bootable installer and starting up from that,
  • Starting in Recovery mode and installing from there,
  • Using System Image Utility and creating a NetInstall image.

Installing High Sierra onto a Mac connected in Target Disk mode is not supported, and monolithic system imaging is only supported as a means of re-installing, not upgrading or updating, macOS.

Details are in this article, which also links to an article which explains the official way of creating a bootable installer. However, Apple has not (yet) updated those instructions for High Sierra.

Firmware updates

These are only performed by the macOS Installer, and require an internet connection during installation. If your Mac’s firmware gets corrupted, perhaps during a macOS install or update, and it cannot start up in Recovery mode, you are almost certainly going to have to send or take it to an Apple store or authorised service agent.

Most, perhaps all, Macs should have a firmware update included as part of the High Sierra upgrade.

Content Caching

Previously, if you wanted to share downloaded content such as App Store updates and iTunes apps/content to other Macs or iOS devices, you had to run a service for that in macOS Server. In High Sierra, you can cache content on any Mac and share it to other macOS and iOS systems (which are almost certainly going to have to be running High Sierra or iOS 10.3 or later). This is set using a new Content Caching feature in the Sharing pane.

In essence, you designate one or more Macs as ‘parents’, which serve their cached content to ‘children’ (which can themselves host caching services, to allow tiered setups). Parents also need to share their internet connection, must be running a minimum of iOS 10.3 for iOS devices, have a wired Ethernet connection to your router, and cannot sleep, so they must run on mains power. Content caching is not allowed on virtual machines, and it should not be used to share iCloud content.

This new feature should help those with several Macs and iOS devices; the details released so far are here.

Third-party kernel extensions (KEXTs)

Any new third-party kernel extensions must have user approval before they can be loaded. Third-party products which rely on these will need to take this into account. Fuller details are here.

Approval is not required for KEXTs which were installed before High Sierra, or for those which replace previously-approved KEXTs. This approval behaviour can be changed in Recovery mode using the spctl command, and is modified by Mobile Device Management.

Approval policy is stored in NVRAM. When you reset a Mac’s NVRAM, this will reset any policy change made using spctl to the default, in which new third-party KEXTs will require user approval before they can be loaded. Unless you have changed that behaviour from High Sierra’s default, resetting NVRAM will therefore not have any effect on KEXT approval behaviour.

Apple Pro apps

High Sierra is incompatible with older versions of Apple’s Pro apps. You will need to be running at least Final Cut Pro X 10.3.4, Motion 5.3.2, Compressor 4.3.2, Logic Pro X 10.3.1, and MainStage 3.3, or later. Users intending to upgrade to High Sierra should purchase the current versions from the App Store before upgrading.

TLS (SSL) connections

iOS 11 and High Sierra no longer support SHA-1 certificates for TLS connections, and require RSA key sizes of 2048 bits or more. Any connections using SHA-1 or shorter keys must be updated accordingly. By default, iOS 11 and High Sierra will use TLS 1.2 to negotiate connections, but those requiring older 1.0 support can change their configuration profile to support that for older clients.
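To find certificates affected by those two requirements before clients upgrade, the sketch below audits the text dump that `openssl x509 -noout -text` produces. It is an added example, not taken from Apple's notes or the original article; the function names and the sample dump are constructed for illustration, and it checks only the SHA-1 and RSA key-size rules stated above.

```sh
#!/bin/sh
# Added example: audit an `openssl x509 -noout -text` dump for a SHA-1
# signature and for an RSA key shorter than 2048 bits.
# audit_cert_text reads the dump on stdin, prints one finding per line and
# returns 0 only when neither problem is found.
audit_cert_text() {
    text=$(cat)
    status=0
    # The algorithm is printed twice in a dump; the first occurrence is enough.
    # RSASSA-PSS names its hash on a separate line, which is not inspected here.
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case "$sig" in
        '') echo "UNKNOWN: no signature algorithm found"; status=1 ;;
        *[Ss][Hh][Aa]1*) echo "FAIL: SHA-1 signature ($sig)"; status=1 ;;
        *) echo "OK: signature algorithm $sig" ;;
    esac
    # The 2048-bit minimum applies to RSA keys only.
    keyalg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/^.*Public-Key: *(\([0-9][0-9]*\) bit).*$/\1/p' | head -n 1)
    case "$keyalg" in
        rsaEncryption)
            if [ -z "$bits" ]; then
                echo "UNKNOWN: RSA key size not found"; status=1
            elif [ "$bits" -lt 2048 ]; then
                echo "FAIL: RSA key is $bits bits (minimum 2048)"; status=1
            else
                echo "OK: RSA key is $bits bits"
            fi ;;
        *) echo "SKIP: key algorithm ${keyalg:-unknown} is not RSA" ;;
    esac
    return $status
}

# audit_cert_file: the same check for a PEM certificate on disk.
audit_cert_file() {
    openssl x509 -in "$1" -noout -text | audit_cert_text
}

# Constructed sample dump (not a real certificate): fails both checks.
SAMPLE_WEAK='    Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)'
printf '%s\n' "$SAMPLE_WEAK" | audit_cert_text || true
```

For a live server, the leaf certificate can be piped in from `openssl s_client -connect host:443 </dev/null | openssl x509 -noout -text`, with `host` replaced by the server being checked.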

File sharing

Apple’s old AFP protocol is not supported for sharing with APFS, nor when making Time Machine backups to network storage (NAS). SMB must be used instead.

Directory services

High Sierra no longer supports Windows Server 2003, but requires 2008 or later. Support for NIS (Solaris Network Information Services, formerly Yellow Pages) has also been removed.

Configuration Profiles

SIP now protects these, and the profiles command is required to install startup configuration profiles.

macOS Server 5.4

Apple has not yet released details of significant changes brought with this forthcoming update, which is expected to be required for High Sierra support.

(KEXT approval details corrected 0745 13 September: thanks to Alan Stonebridge for pointing out my previous error.)