chef / chef

Chef Infra, a powerful automation platform that transforms infrastructure into code automating how infrastructure is configured, deployed and managed across any environment, at any scale
http://www.chef.io/chef/
Apache License 2.0

Deprecate osx_profile resource since it can no longer silently install profiles #14278

Open williamtheaker opened 8 months ago

williamtheaker commented 8 months ago

Context

In 2020, Apple dropped support for non-interactively installing configuration profiles. The final macOS version to support this was macOS Catalina (version 10.15), which was released in 2019 and stopped receiving security updates in 2022.

This change was only really documented in the man page for the profiles tool:

DESCRIPTION
     profiles is used to handle various profile types on macOS. Starting with
     macOS 11.0 (profiles tool 8.0 or later), this tool cannot be used to
     install configuration profiles. You should add your profiles using the
     System Settings Profiles preference pane. Additionally, startup profiles
     are no longer supported.

Frustratingly, this requires access to a macOS device because Apple doesn't publish man pages online and the profiles tool is nonfree/proprietary so there's no public source code to link as documentation.

This line in a video transcript of a June 2020 dev talk is the closest I can get to an Apple statement on the subject:

As of macOS Big Sur, you will no longer be able to completely install profiles using Terminal.

https://developer.apple.com/videos/play/wwdc2020/10639/?time=629

Motivation

As a Chef user,
I want Chef core resources to match my expectations,
so that using Chef is easier.

(copied from RFC-98 Deprecate deploy and erl_call)

Specification

Since this resource can't install new profiles, it doesn't really do anything useful on currently-supported versions of macOS.

Anyone who was using this resource has almost certainly replaced it with MDM-managed profiles a long time ago, since the overlap between having an MDM server and needing config profiles on nodes should be near 1:1. This could be marked as deprecated in the next Chef Infra 18 release and eventually removed in either Chef Infra 19 or 20.

Downstream Impact

I searched GitHub for repos referencing osx_profile and didn't find any repos that were updated in the last five years.

erikng commented 8 months ago

I would be so bold and say it should be fully removed without any deprecation notice, since Chef currently only supports macOS 12 and higher. https://docs.chef.io/platforms/

Platform and Version | Vendor End-of-Life Date | Chef End-of-Life Date
-- | -- | --
Apple macOS 11 | Sep 26, 2023 | Sep 26, 2023

If you attempt to use this resource on a supported version of macOS, Chef will fail without explicitly marking it as ignore_failure true
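
Added example, not part of the thread or of the Chef project's code: a small Ruby audit for the downstream-impact question and the failure behaviour described in the last comment. It scans recipe text for `osx_profile` declarations and reports which ones do not set `ignore_failure true`. The names `find_osx_profile_uses`, `unguarded` and `SAMPLE_RECIPE` are hypothetical, and the scan assumes conventionally formatted recipes.

```ruby
# Added example: find osx_profile declarations in recipe text and report
# which ones set ignore_failure. Line-based scan, not a full Ruby parse;
# assumes one `end` per `do` and no if/unless blocks inside the resource.
OsxProfileUse = Struct.new(:line, :name, :ignore_failure)

DECLARATION = /\Aosx_profile\s*\(?\s*['"]([^'"]+)['"]\s*\)?\s*(do\b)?/
BLOCK_OPEN  = /\bdo(\s*\|[^|]*\|)?\s*\z/

def find_osx_profile_uses(source)
  uses = []
  current = nil
  depth = 0
  source.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if current.nil?
      m = DECLARATION.match(line)
      next unless m
      uses << OsxProfileUse.new(lineno, m[1], false)
      if m[2] # the resource opens a property block
        current = uses.last
        depth = 1
      end
    else
      # Only a top-level property of the resource counts, not nested blocks.
      current.ignore_failure = true if depth == 1 && line.match?(/\Aignore_failure\s*\(?\s*true\b/)
      depth += 1 if line.match?(BLOCK_OPEN)
      depth -= 1 if line == 'end'
      current = nil if depth.zero?
    end
  end
  uses
end

# Declarations that would abort a Chef run if the resource fails.
def unguarded(uses)
  uses.reject(&:ignore_failure)
end

# Constructed sample recipe (not taken from any real cookbook).
SAMPLE_RECIPE = <<~'RECIPE'
  # constructed sample
  osx_profile 'Install screensaver profile' do
    profile 'screensaver/com.example.screensaver.mobileconfig'
  end

  osx_profile 'com.example.legacy.mobileconfig' do
    ignore_failure true
  end

  osx_profile 'com.example.bare.mobileconfig'
RECIPE
```

To audit a real cookbook, pass each recipe file's contents (for example `File.read(path)`) to `find_osx_profile_uses` and review whatever `unguarded` returns.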