315 comments

[ 3.7 ms ] story [ 295 ms ] thread
So enterprise is the next target for Apple?
There are already plenty of Configuration Management and MDM solutions that can handle MacOS and iOS. This is targeted at small businesses that don't have an existing MDM solution.
It makes sense given that this is both an area where they've historically had to deal with the competitive disadvantage of Windows having a large “built-in” market and one where they've made huge inroads with iOS.

For a small business this is especially interesting since an iPad / ChromeOS device is a better call for an awful lot of workers and this makes that switch even easier.

Given the pricing, this strikes me more as “we’re confident enough that we’re going to grow the Mac business, that we need to offer something to enterprise to check a box so we don’t artificially limit sales.”
I hope not. You can see from Microsoft that it is hard to do that without tainting the consumer side.
Even roll your own apps to your employees, bypassing the AppStore review?

Upd: the video suggests that there are 'collections' which distribute apps to users, but it is not clear if own apps can be included in these using Enterprise certificates.

Not enough information on that page but...doubt it?
As far as I know you can already do that with enterprise certificates?
You can sign apps without Apple being "in the loop" and distribute them via the web with an enterprise cert. As far as pushing out updates I think you have to build your own system for that. My company uses enterprise certs and our app will notify the user when there is an update, redirect them to a web portal where they click a link, are prompted to install the app, and then the app is installed.
You could already do that. Facebook notoriously abused the process.
Ahhhhhh. Ohhhhhhh. A film!
That’s how it starts. Later there’s running and screaming.
It is curious that on this page, Apple says "Watch the film to learn more" and "Watch the announcement film" whereas they always use the term "video" (or "movie" where appropriate) everywhere else in all their messaging, as far as I've noticed. I wonder what they're thinking?
2TB of storage for $12 a month? Plus the multi-device management options? Sign me up.
What are the costs for the bandwidth?
consumer backup/storage services typically don't charge bandwidth.
Google One has 9.99/ month for 2TB Option. Which also comes with a VPN.

If Price is the differentiator, I think google provides the best value, but also provide additional services with their storage plans.

Entirely different product though. Apple is providing a MDM solution for SMEs in addition to the storage.

The value of a VPN that doesn't allow you access to a corporate network is... dubious to a company.

Google One only works for gmail.com accounts
Allowing an advertising company to scan all of my traffic is extremely unappealing
Apples and oranges.

Google One is a consumer product for sharing holiday pics with your family mate. The closest offer in the same target market from Apple is iCloud+, with same services for same price! Or as part of Apple One which is slightly pricier but includes a an array of additional consumer entertainment services.

Apple Business Essentials is a set of business services with guaranteed SLA’s.

Google drive business also offers infinite storage
Will it let me use icloud like dropbox? Would be good if those groups they show that can be added also provision an icloud synced shared folder in a predictable location. I love drawing on ipad, but there’s always a bit of friction getting stuff on and off. This would make working with ipad much smoother.
This will be huge.

There is a product I have been wanting to make, there is demand (customers have been asking for it), but would never work with the distributed personal iCloud accounts before. This will allow to consolidate all of it under businesses accounts.

Interesting enough, have other people in my circles that also have wanting to port somethings to be native like this and haven't due to being business apps and the 'individual accounts' being a show stopper to share licenses.

Tough day for Jamf.
The announcement is a little light on details around directory integration for things like AD. I'll be curious to see a feature comparison with Jamf.

Edit: Ahh, I see. "small businesses in the U.S. with up to 500 employees"

So, every day will continue to be a tough day for all Jamf users...
There’s a few headlines talking about backups - does apple finally have a cloud based time machine replacement? I’d be so excited to see that as a general consumer too.
I think that's unlikely to be a thing they're working on. You can get that from storing your files in iCloud already, and these days is there any good reason to back up the rest of your system? If I had to rebuild a system due to hardware failure the absolute last thing I'd want to do would be restore all the accumulated system cruft!
Storing files in iCloud Drive is very different from a backup I would argue.

What a business would want in this case is Backblaze like functionality with versioning / restore. iCloud drive also doesn't really help you with restoring a full system like it is possible on iOS where all your settings, passwords and apps are just like you left them.

To be fair, iCloud has a password manager on MacOS / iOS that works great.
Pages/Numbers/Keynote do support versioning in-app when the doc is stored in iCloud Drive, albeit not as efficient as true versioning.
Doesn't iCloud Drive have a revision history? For example DropBox does, so Apple could add the feature.

> all your settings, passwords and apps are just like you left them

Now that most of these things come from the cloud anyway, do we need the rest of the system backed up?

I don't need to restore my system from a backup - I just log back into Creative Cloud, Jet Brains, etc.

It probably very much depends on what you are using your computer for. If you are just living in Chrome and use Google Docs and Mail there this will work just fine.

If you are someone who has tools set up, apps not from the app store, come custom dot files, your shell history and environment variables this will not help you at all and getting up and running after a device got lost / destroyed will take you a day. Even if it's just simple things like your system theme / Dock positions of your apps.

You could probably fiddle and symlink things and hope everything works but it's not a "log in and have your device be in the same condition as before" like you'd get from an iOS "Restore from iCloud" functionality.

> What a business would want in this case is Backblaze like functionality with versioning / restore

Maybe. Some businesses just back up just their user's files and just reimage machines when something goes wrong.

Honestly as an end-user that's my preference.
I use Backblaze, and aside from the cost, it's great. It's fine for 1 computer, but oof, there's no multi-computer discount. Most of my machines aren't backing up terabytes of storage either. We're talking like ~100gb a machine and there's two of them.

Businesses like to talk up "unlimited" but it's a pain when you're using less storage but have to subsidize those using a ton of storage.

A few years ago Backblaze started offering B2, a storage API priced at $0.005/GB/month, and dirt cheap egress fees unlike the big cloud offerings.

You'd save money switching to a client that supports B2, they have a list on the site, though I'm not sure which provide decent version management.

> these days is there any good reason to back up the rest of your system

From experience, there is definite need. I spilled some water on my work laptop and it died. I was able to get a replacement in maybe 3 hours, but setting everything up again was a major pain.

A Time Machine backup would have let me continue more or less where I left off in a matter of an hour or two, vs. many hours/days (and some lost work). (not that Time Machine is perfect either, but much better than just iCloud)

I agree that getting rid of system cruft can be good, but it's better handled proactively than on machine failure IMO.

That really depends on the user.

As a developer, I’ve modified quite a few system files and would like those things backed up. It’s one reason I don’t use Backblaze – they refuse to backup system files.

As an employer, I can imagine a situation in which those “cruft” files contain information about the actions of an employee that might be valuable in legal proceedings, or just providing they were terminated for cause.

But 98% of the time you’re totally right about not needing to backup every little config file.

>As a developer, I’ve modified quite a few system files

I do as well. Given that such things tend to be more fragile between OS releases though and easy to forget I usually prefer to recreate them for upgrades or reinstalls anyway. Also provides an opportunity to reevaluate them. So these days I think the better way to go about it is with automation as much as possible rather than backups. That said:

>It’s one reason I don’t use Backblaze – they refuse to backup system files.

Well, you can use something like CCC to image your startup disk to a file somewhere else, and regular BB will cheerfully take care of that. Makes restores mildly more work but not much given that a failure which nukes the system files means having to do some level of reinstall/recover anyway.

I use Backblaze B2 though, which has maintained decent pricing vs S3 and is much more natively flexible. Having local systems backup to TrueNAS (or have data folders that just live there) then that go to B2 is another way to handle things. With Apple making custom restores ever more difficult though all that might need some reevaluation too :(. I miss how powerful and pleasant their tools were at one point with no subscriptions or WAN required, and will always be a bit bummed things didn't go the way of adding your own signing to the system image utility, Net Boot/Net Install etc they already had going. Macs were really great to run heavily off a LAN back around 10.5.

I used to have a repo with scripts that "encodes" those change. Stuff like "setup-zsh.sh" and so on. On a new computer, I could just install git, clone the repo then run the scripts.

I stopped doing that because I don't use new systems often enough to be worth it, and as someone else said it's also a good time to examine and improve your workflow.

iOS devices do full backups to iCloud†, restorable onto a new device just like macOS full Time Machine backups are.

So why not macOS backups in iCloud? If anything, you'd expect it to be the other way around—in iOS devices, you/apps can't litter your homedir with random garbage, while in macOS you can. So it's more useful to back up macOS.

† You can also make an iOS backup onto a local macOS computer running iTunes, which is, I believe, what they do for you when transferring your data to a new device in store. I haven't looked at them lately, but if they're just plain-old Time Machine backups, that's even more damning, as that would imply that iCloud is already perfectly set up for receiving Time Machine backups.

> iOS devices do full backups to iCloud

Right but that functionality dates back quite a few years now, back from iTunes and before cloud computing. I'm not sure they'd build that functionality today.

Exactly as you say - what is the point of a full phone backup when you don't normally store any files on your phone? They could back up the metadata of what apps you have installed and where you've put them on your home screen. I'm not sure it's worth doing much else?

It’s worth it for the device migration functionality alone. If I switch/upgrade iOS devices, I can perform iCloud or device-to-device recovery, which is much more useful to me than simply restoring which apps I had installed and their data.
> So why not macOS backups in iCloud? If anything, you'd expect it to be the other way around—in iOS devices, you/apps can't litter your homedir with random garbage, while in macOS you can. So it's more useful to back up macOS.

This is somewhat the reason why no full macOS backup to the cloud. iOS naturally normalizes the content due to its use of iTunes Store content (apps, movies, television shows, books, music).

On macOS, you can't necessarily just ignore apps and say you'll download from the store - not only can you move applications around, you can delete parts of them and _many_ devices have apps which were not downloaded from the store.

So a 1TB Mac backup will take 1TB of iCloud Data and require 1TB of data to be uploaded/downloaded to their storage account.

This also affects the speed of restores on higher-speed connections - a lot of the iTunes content winds up being cached by CDNs.

Apple's solution so far has been to back up just the user's Documents and Desktop folders to iCloud, since these are the two most important "general purpose" locations on the Mac.

> On macOS, you can't necessarily just ignore apps and say you'll download from the store - not only can you move applications around, you can delete parts of them and _many_ devices have apps which were not downloaded from the store.

Sure, but they're by-and-large the same apps. You can delete parts, but the parts that are there will inevitably be parts someone else also uploaded before. Apps are a highly backend de-dup-able kind of data.

As such, couldn't Apple just treat .app bundles (and a few other bundle types, e.g. .framework, .kext, .plugin, etc.) specially for purposes of iCloud backup, by e.g. content-hashing all the files in each bundle, shoving those files into an object store keyed by content hash (i.e. a Content-Addressable Store), CDN-mirroring that CAS, and then saving the .app bundle in your backup as a BOM for reconstructing the bundle from the CAS CDN?

Keep in mind, Apple have never promised E2E encryption for iCloud backups, only "encryption in flight" and "encryption at rest." (See https://support.apple.com/en-ca/HT202303). And even then, that's never included an implied encryption of your applications, only of "your data" (since, as you say, the apps are being turned into symbolic references to ITMS CDN objects.)

So they could have an explicit policy that certain filetypes that aren't "user-generated" would be "backed up in the open, to the commons"; while all other filetypes would get individual treatment. And presumably you could also set some Finder xattr to override that policy one way or the other, if e.g. you had some proprietary binaries you were under NDA to not release.

> Apps are a highly backend de-dup-able kind of data.

AFAIK Apple's backup systems do not de-dup data. Backup data is encrypted and that key never touches the data center.

Instead, they:

1. de-dup data at the local application layer, such as sharing a common link to an image for photo albums along with the encryption key.

2. de-dup the environment by scripting the reinstallation from their controlled sources (stable CDN links to immutable/integrity protected packages with privilege-reduced installation)

> As such, couldn't Apple just treat .app bundles (and a few other bundle types, e.g. .framework, .kext, .plugin, etc.) specially for purposes of iCloud backup, by e.g. content-hashing all the files in each bundle, shoving those files into an object store keyed by content hash (i.e. a Content-Addressable Store), CDN-mirroring that CAS, and then saving the .app bundle in your backup as a BOM for reconstructing the bundle from the CAS CDN?

Many macOS apps are not sandboxed. Even apps which have native iOS ports litter crap all over the macOS filesystem. Of course, the primary offender is apps which have their own always-running autoupdater services.

My money Apple will eventually do a devteam-bound overlay filesystem for apps which have not adopted sandboxing.

> Keep in mind, Apple have never promised E2E encryption for iCloud backups, only "encryption in flight" and "encryption at rest." (See https://support.apple.com/en-ca/HT202303). And even then, that's never included an implied encryption of your applications, only of "your data" (since, as you say, the apps are being turned into symbolic references to ITMS CDN objects.)

I don't know if Apple wants to have more caveats to their privacy story at this point.

I suspect the best system would be the hash-encrypt-hash of Freenet, at which point the privacy leak would be in the downloading/leasing of blocks of identified material - e.g. if someone was upset about a particular app being pirated they could still court-order ask apple for information on which devices were backing that object up.

Small nitpick, they are not full backups. I am continually discovering new gaps in what gets backed up.

One example: apps that you built onto your device as a developer. Get a new phone and restore from backup? That app is gone now.

I do understand the reasons why. But understanding does not make it a full backup.

I agree and disagree. For my gaming desktop, I'd just reinstall apps to get a fresh start.

I started my own software consulting/contracting thing this summer and if my machine crashed, every hour I'm not working is costing me money. So setting up all my apps again to get a fresh start isn't worth it. With TimeMachine on my NAS, I just get the replacement computer and let it restore while I sleep. Then I'm good to go the next morning.

It depends on one's preferences and circumstances. I got a new M1 MacBook recently and I took my time setting it up from scratch.

A few years ago, I had my MacBook stolen. I was up and running within a few hours after getting a new Mac and restoring from my Time Capsule. Dealing with the aftermath of a car break-in (thanks San Francisco!) and a new computer at the same time was going to be a bit much for me.

"There’s a few headlines talking about backups - does apple finally have a cloud based time machine replacement?"

Apple doesn't, but we do.

You simply do a "dumb" 1:1 mirror to an rsync.net account with 'rsync', which you already have.

Then you set up an arbitrary snapshot schedule in your account. rsync.net will then create, and rotate, immutable snapshots of your dataset. [1]

The only difference is that our ZFS snapshots are bit-wise efficient whereas the time machine snapshots are still (I think) file-wise efficient ... which is to say they are less efficient.

We used to advertise this ... the notion that you could clone your time machine config to rsync.net ... but we came to the conclusion that there's a pretty insular hackers-on-osx bubble and, in reality, 99% of mac users don't drop to the command line for any reason.

Which is too bad ...

[1] https://twitter.com/rsyncnet/status/1453044746213990405

Would you say that this is the most time machine-esque way of using your service? I’d imagine using borg (pulled from macports/homebrew) and using MacFUSE to local mount would seem pretty time machine like whilst offering other benefits over rsync such as client side encryption, compression and deduplication (the dedupe might be irrelevant since you’re using zfs)
Yes, I would say that.

It's also the simplest method - again, just a dumb rsync command that you re-run every day.

If you are using borg you would probably handle the retention and versioning yourself with the borg tool and perhaps set just one or two daily snapshots at rsync.net. These would not be for your backup schema, but rather, for safety in case of mistakes/ransomware/mallory.

"Privacy"? Sounds like false advertising to me: https://news.ycombinator.com/item?id=28309202.
At this point, I think Apple's PRISM compliance is common knowledge. I hope.
The downvotes are coming because this has nothing to do with the topic at hand and you are both blatantly trying to start a flame war. You both have form on Apple threads. If they bother you that much, stop reading articles about them.
One of the main cards was explicitly about privacy and security. Find out more…
Clicking through your comments, I think you're setting a double standard. I'm not trying to start a flame war, I'm holding a trillion-plus-dollar company accountable for a claim they made on the webpage this thread was based on. You're welcome to refute these claims or ignore them altogether, but arguing that people shouldn't post about Apple's history of privacy abuse only makes you look bad. Tanking the downvotes is just the cost of making a subversive claim on Hacker News.
Apple advertises its "privacy" in the link. I am saying that the privacy is not included.
So they advertise AppleCare+ features (24/7 support, on-site repair) but they don't currently offer that nor do the prices reflect those services. Page seems deceiving (have to read the small print to really understand the offering).

With those two removed, you're paying for an MDM solution and cloud storage.

The small print, for posterity:

> Plans with AppleCare+ for Business Essentials will be available in spring 2022.

Ah! I thought it was way too cheap for the AppleCare part. I was about to sign up for just my devices at home just for that, because it seemed like a really cheap way to get iCloud and AppleCare!
Wow, what a change! Apple spent many years holding the corporate market in mild contempt. Given the dominance of Windows, I totally get that; Apple was right to focus on the niches where they were successful. But it's amazing how much circumstances have changed to make this plausible.
A few comments:

1. I was paying for iCloud and apple service for *YEARS* but then suddenly when I lost my phone, iCloud had no record of it.

2. I have had multiple employers in Silicon Valley who had the BYOD (Bring you own device) policy implemented but then they attached a SECONDARY DEVICE to my iCloud account and were slurping all personal records from that.

3. Show me a way to FUCKING MANAGE WHO IS ACCESSING MY DATA.

4. I have too many more issues at level 4 that @dang will get mad if I share (and FB and others will sue me again if I dare)... think paul stamets on the secrets of mushrooms -- If you have any sort of work phone, know they are slurping ALL the deets..

Never take a personal phone/device into a workplace environment.

In my case - I was going through a verry messy divorce, and my employer had been surveilling my texts and everything because when I joined I made the mistake of adding my apple ID -- and then the employer added a fucking device to my account and was surveilling everything.

Yeah - if you get a job in tech these days, the ironic thing is to be an off-grid person.

#KazinskiWasRight

(comment deleted)
> 2. I have had multiple employers in Silicon Valley who had the BYOD (Bring you own device) policy implemented but then they attached a SECONDARY DEVICE to my iCloud account and were slurping all personal records from that.

I don't think MDM allow the admin to hijack your icloud account. Are you sure it's your employer, not some other?

Positive. Its happening everywhere, and by dog-years and internet standards, this is ancient

Never EVER trust ANY HR department. They are not your friends.

HR? They are ‘People and Culture’ now.
> Never EVER trust ANY HR department. They are not your friends.

They work for the company, not the employees...

Looks great. I recall Apple held out for a long time to play ball with enterprise IT, focusing on consumer. It seems like they've fully embraced the massive enterprise market.
Apple has supported enterprise device management for a long time, it has just been third parties like Jamf doing most of it until now.
What do you do if you need more than 2TB of storage?
Yeah I guess for "business" users who are only storing office documents 2 TB is plenty, but as a home user, I bought into iCloud Photo Library and I'm about to pass the max 2.2TB storage limit of iCloud and will have to switch to Synology Photos or something
You could have the 2TB iCloud storage add-on and also the Apple One with 2TB to get the total of 4TB.
That's only available in a handful of countries (ones that have Apple News or Apple Fitness+ available), and not where I live.
Graphics and design pro users may need more that that easily.That is an important business segment for Apple .
I mean... I'd like to use that to manage my family's macs/iphone!
You know what would piss me off, if I had kids; would be the lack of support the iPad, in particular - has for multi-user logins.

It would be huge for families, and it would also make parental controls way more of a breeze.

Does anyone know why this is the case? I was positive when they made iPadOS its own thing, we'd finally see this.

I don't know why it's the case, but it is very frustrating to me. I have 3 kids and 3 iPads, not assigned per kid, just a pool they all and my wife use. Current implementation is a common "family" account logged in as a "child" on all 3 iPads with app purchase approval going to me and my wife (we both have iPhones).

This "works" just kind of OK. But it would work MUCH MUCH better if my wife could have her iCloud account sign in from the unlock screen when she wants to use it and have the kids sign in from the unlock screen on the shared kids account. The way it is now my wife ends up signing into various services she wants to use on random iPads, which isn't really ideal.

Apple's solution to my family's problem would be to buy my wife her own iPad. But we don't have a shortage of iPads, there's almost never a time when someone doesn't have an iPad available to them when they need/want it. We have enough hardware, just the software doesn't provide a way to share that hardware in a nice way.

Agree! Even Apple TVs have user profile switching.
They would rather you bought an iPad for each member of your family.
Have kids.

I HATE that there are no multi user options.

Other people's browser history, settings, preferences, notifications, all jumbled into a mess.

I think they have this for school iPads, with special management software, but not available on the consumer side.

I suspect they're pushing for you to buy a device per user. But even for a household without kids, I could see some utility in being able to pick up the nearest iPad and having your personal state on it. (I think ChromeOS does this, but I haven't used it.)

Also available for business iPads.

Has some catches like... around 30 secs to switch between users, doesn't seem to be instant. Maybe it's faster now.

>Does anyone know why this is the case?

They want people to think of iPads as personal devices like a phone rather than communal devices leading to buying one for each member of the family.

Could this allow per-app VPNs via MDM, e.g. one browser goes to corporate VPN, rest of device uses standard network connection?
So, is a rebranding of Fleetsmith with the Apple magic
You'd think if they were going to rebrand it, that they'd redirect you to the new site. Instead, now they are managing competing products.
Perhaps it’ll be shut down closer to when or shortly after the product actually launches.
After seeing what happened after the Fleetsmith acquisition, it is unlikely. They made several questionable decisions after the acquisition and as far as I can tell haven't really made any significant updates since.
I just signed up for Fleetsmith yesterday, so this is pretty timely. I'm interested to see if/how this changes things.
All I want from Apple is a separate environment for corpware and all of its associated baggage to run. I’d love for that profile to even acquire its own EPS bearers so that its traffic is distinct from personal traffic.
On-site repairs sounds interesting, although their computers are all glued together and every component is soldered to the board so I have no idea how they'll manage that.
I have no evidence for this but I expect the experience would be similar to visiting an Apple store.
Make an appointment 2 weeks from now, go there to hand it in, return in another 2 weeks to be handed a refurbished machine with your data gone?

Sorry to say, that's not competitive with what other vendors offer as business support.

> Make an appointment 2 weeks from now, go there to hand it in, return in another 2 weeks to be handed a refurbished machine with your data gone?

Every time I've visited an Apple store with a problem I've left within 30 mins with either it fixed or a replacement.

What you're describing sounds more like the traditional Dell or HP approach!

One of the best things about Apple is being able to visit a store in almost any major city and getting your problem fixed.

My daughter's Alienware laptop had a keyboard problem. Contacted support over phone and it went nowhere. Contacted support via Twitter and after a bit of back-and-forth they scheduled a next-day on site repair in Toronto even though we live in Texas (where the computer was purchased).
I can't speak to the Apple store, but I do have years of experience with on-site repairs for both Dell and HP.

Both Dell and HP business on-site repair service is really good (though I prefer Dell to HP). Depot warranties for consumers are horrible, no matter the company. I've been advising friends and family to purchase business-oriented equipment and pay for on-site warranties (for the intended duration of the lifetime of the product). It makes life ridiculously easier.

Consumer warranties on PCs are universally awful in my experience.

Good luck getting an appointment within 4 hours at Apple stores near here. The three nearest me have no appointments until November 19.

Dell laptops I can get serviced with an onsite tech within 4 hours if I want that level of service.

Experience 1: MBA wouldn't charge battery. Machine functioned just fine on AC power. Expected maybe $300 in parts and labor, out of warranty. No, "this will be $870. Maybe we can look at getting you into a new Mac today?".

Experience 2: reproducible kernel panics on demand from GPU (later acknowledged as an issue by Apple, over a year later). Despite the tech being able to cause the panic too, "our diagnostic tool says there's no problem, nothing we can do".

Experience 3: screen adhesive delamination. "Within normal limits, expected/not abnormal behavior". That one was belatedly acknowledged by Apple, too.

Dell business support is pretty awesome in my experience, had to fix something 3 times in the past 4 years with my work precision laptop and it took less than 24h to got a technician to my house to do the swap.
If you have a more serious issue the default procedure is to just wipe the device and replace the logic board for the flat rate repair fee. I have a macbook that just shuts off randomly and turns on with CPU1 halt error messages. I bring it to the apple store and they told me flat out they don't know what is going on with the device, gotta replace. Also had macbooks with gpu issues, same deal send away wipe the device and replace the logic board and hope that fixes it. I had a macbook where the flex cable to the screen was going and same thing, wipe and send away. All they do in the store is software based solutions, they scan for hardware issues and they send it away to be repaired.

I wonder what sort of issues you had that could have been fixed in 30 minutes or what sort of replacements you've been given? That's not been my experience at all at apple stores and I've been bringing them screwed up laptops to fix for ten years. I've never been just handed a replacement laptop that day, its always been send away the computer for at least a week and they try gutting it and putting in all new parts vs troubleshooting the underlying issue and replacing the perhaps one bad component that is the root cause.

I'm not some kind of power-customer - just a normal consumer. They always say 'sorry we'll fix that' and fix it then and there or they say 'sorry can't fix it immediately we'll swap it' and I walk out with a new one in minutes. If they wanted to keep it over night I'd be extremely surprised.
You are getting macbooks swapped out at apple? I'm not a power customer either, they just take the laptop away and tell me its ready next friday. Sounds like the fixes they do then and there aren't hardware issues in your case.
I've definitely had at least a battery swapped then and there. If it's anything more than that yeah I guess they're defaulting to swapping it. I'm not complaining about the policy!
That must have been nearly 10 years ago back before they started gluing the battery to the topcase
You only need a normal consumer heat gun to detach them. It's a big hair dryer. It's not the rocket science people make it out to be. I guess they have one in the back.
That's been my experience also. In my case the replacement wasn't even done in the same region of the country, or by Apple employees, although the turnaround was pretty quick when you take that into account.

I dumped a glass of water on a MacBook Pro keyboard earlier this year, and took it to the local Apple Store (in DC) under AppleCare+. After verifying that it in fact wouldn't boot, they told me to leave it for repair and they'd update me. I picked it up about a week later repaired.

Based on the PDF documentation I got with the pickup, they shipped it to a third-party repair shop in Houston (CSAT Solutions), which removed every part that had tripped the liquid sensor, and replaced them with new parts (logic board, touch ID board, I/O board, and "top case with battery"). The repair shop then shipped the resulting mostly-new laptop back to the Apple Store in DC, where I picked it up.

(comment deleted)
When you click the box it seems like it applies only to iPhones
Watching the Apple employee come to the office to repair a glued together MacBook Pro can have an extremely high entertainment value.
The newer MacBooks have easy repairable battery and connectors.
True but how often is the battery the issue in an enterprise environment? In my experience devices are seldom in circulation long enough that they require a battery swap.

Port damage and clumsy or messy employees are far more likely to cause issues.

In my experience the battery was the issue for most MacBook users.
> In my experience devices are seldom in circulation long enough that they require a battery swap.

MacBooks can easily last four to six years in a corporate environment - and heavy load on the battery drastically impact it in two years.

Your parent commenter mentioned connector as well. What else couldn't be repaired on-site that could be repaired off-site? I'm pretty sure anything that for anything that couldn't be repaired on-site they're just going to replace the whole computer.
>True but how often is the battery the issue in an enterprise environment?

Biggest issue by far. We have a fleet of 100+ MacBooks in my office and expanded batteries are probably the only thing we have that goes wrong with them. They're rock solid otherwise. The new replaceable batteries is a huge deal.

> Onsite repairs apply only to some iPhone models and are subject to availability in specific cities.
I wonder if it will be an actual "repair", or will they just come and give you a refurbished iPhone and transfer all your data to it.
Depending on the size of your business, it's easier just to have a few (or even one if you're really small) spare machines for when one breaks or is having issues. Just turn it on, restore from the latest backup and give it to the user. Then send the old one off for repair if needed.
I work as a freelancer and together with a few colleagues we are essentially a "small product studio". We all have "business only" devices and we are definitely going to try this Business Essentials thing. It kind of reminds me of how easy it is to setup a macOS Server. Very cool!
I'm gonna be real with you, macOS server is a complete joke. Avoid and kill with fire.
So just to make sure I'm reading this correctly (this is not my area of speciality so bear with me):

This is Apple-hosted MDM, yes?

I took a brief spin through this world on a consulting project a few years ago and I found it SUPER weird that Apple didn't do this already. You had to do this weird dance between Apple Business Manager and the MDM solution (we ended up with SimpleMDM but looked at a bunch). I kept saying "Am I missing something? Why doesn't this service come directly from Apple?" and everyone was as puzzled about this as I was. So I guess they're finally closing the loop here.

They already have Fleetsmith. This is their response to Jumpcloud and what not who are offering lower per user plans, as fleetsmith was around $8/device/mo.
> This is their response to Jumpcloud and what not who are offering lower per user plans

They couldn't care less about a few dollars. This is about heading off business adoption of Chromebooks, and "winning" small-medium businesses as primarily Mac shops before they become big-enterprise.

I don't see how they really compete. Google has an array of business apps that far surpass anything Apple is offering here. They would need to partner with Microsoft in order to compete against Google.
Agree I manage 500+ Apple devices and have been in disbelief that Apple recommends using JAMF to manage their own devices.

I use profile manager included with the Server App of MacOS and it is functional but limited in scope. I have expressed for years frustration that Apple recommends using MDM/ profiles to manage their devices … and then doesn’t even really offer an enterprise version of the software.

Google by contrast offers a great admin console to manage chromebook and google devices. Surprised apple has dragged their feet here for so long.

For me this "offer" sounds like that the Sever app with the includes Profile Manager now basically becomes obsolete and will not anymore supported.

That will become an expansive solution for small business like the one I manage with 15 employees.

This gives some services an opportunity to offer an even lower cost offering.

The thing I worry about though is that this first-party solution will have "special" features that are not possible via MDM using private APIs or some special entitlements.

We used JAMF at my last place of business, and it would occasionally kill apps with a 15 minute warning. Normally this was fine, but it really sucked to get JAMFed (as it came to be called) in the middle of a presentation.

At my current company, we use something that destroys CPU and battery (unused 2019 high end MBP hangs sporadically for tens of seconds on any file system syscall, computer gets uncomfortably hot, battery lasts ~1hour on a full charge—happens to everyone I’ve talked to). Not sure what it’s called, but this falcond process always seems to be the culprit. I know nothing about MDM, but I would love it if Apple Business Essentials would be a viable alternative (hard to imagine Apple shipping such miserable software, anyway).

falcond is CrowdStrike’s endpoint antivirus thingy, not device management.

As usual, antivirus is an exercise in trading performance for increased attack surface (and compliance).

As history shows, antivirus is an exercise in trading performance and increased attack surface for checking a box.
The issues you experienced are squarely on the shoulders of your Jamf admins.

It doesn't have to suck, but it usually does because the people put in charge of it are incompetent, or at best, semi-competent. Most self-respecting engineers run fast from this sort of thing.

Having worked with JAMF's API... I don't like it, but yeah, this is not normal and something as to how your company is using JAMF.

The people in charge of this are usually more of the IT than 'self respecting engineers'

Some piece of company malware on my MBP causes it to panic every two or three days. Before that it got mad fan disease and had to be wiped to get it back to 'normal'.

I have eight icons in the menu bar for installed malware/spyware/whatever on my company owned laptop. That's just the stuff that has an icon, I bet there's more (including JAMF, for sure). It's ridiculous.

> use something that destroys CPU and battery

Before you even mentioned falcond, I immediately knew that it was clownstrike

I moved from a company that gave us fresh off the store MacBooks to one that managed them using jamf and a host of other antiviruses and compliance software, and I tell this to all of my colleagues: the experience you're having with your MacBooks - the poor performance, stuttering and random beachballs aren't representative of what MacBooks are actually like.
JAMF is the leader here, but I found it to be too expensive and unfriendly. I eventually settled on mosyle. When I originally learned about MDM I was quite surprised they had this third-party architecture.
For 500+ devices i would NEVER use a solution like JAMF and go with something like InTune or better MobileIron (MI). MI just works and is an absolute no brainer.

Apple gives every option possible for managing their devices via a third party software. They don't need to offer such a software themselves. And you really dont wanna deal with the Android clusterfuck in a BYOD enviroment. Android is such a pain in the ass when it comes to MDM. Even if the admin console is better, the amount of complaints and support tickets with Android is so high that we are just not support this anymore.

Yes. But this is nothing new for even Apple.

Just go an look at WWDCs for the last 10-15 years. There have been regular MDM sessions to talk about featured added to iOS and MacOS for this.

This is also related to agreements made years ago between Apple and IBM to provide exactly this primarily because Apple has never wanted to compromise their customer connection (which in business is IT and NOT the end user), and IBM has needed the opportunity (despite IBM transitioning from Fail they are still not to a level of revenue expected for their stock price and heritage - so they are "hungry").

Business use is a collateral win for apple.

There’s a lot of effort that goes in to support and partner channels for enterprise offerings. Making servers seemed easy enough? Look where that ended up. It’s a completely different business.

Is it? Apple is the go to solution for all media types (photography, film making, design, architecture). The alignment with Adobe products has existed longer than either was cool.
Yes, but that is a completely different setting than an enterprise one.

Having supported large enterprises and pieces of the movie production industry I can tell you there’s a vast difference in how end-user IT is treated.

The users you are referring to are power users that get to select their own tools, more akin to developers (at decent places at least).

Currently a dev manager, about half of my dev team want to use mac. They can, with zero support from central IT.

That’s not a choice our sales org have, for example.

Wonder if an education version of this product will be released?
In your experience, would it make sense to use this to manage 4-5 family members and their devices?
I’d be thinking about Family Sharing for that usecase.
I wish they had a better MDM for kids... All I want to do is ensure that NextDNS is installed/forced and that they can't remove it. Somehow, if you block store, block adding apps and block removing apps and hide the icons, kids still figure out how to remove the damn thing and the only thing you can do to block it is set a 1 minute time limit (why can't you set 0 minutes? wtf apple?) and hope they don't stay up until midnight to click through in 1 minute and slide the slider to off (or figure out how to get into settings/network/dns and disable - which why can't the limits limit that??)
I figured, when my kids were a certain age, that if I took that route, they'd ALWAYS get around whatever control I put in front of them. Either at home, or at school or at a friends house.

Told them there was stuff on the internet that could harm them, that there was stuff they could NOT unsee.

They're 18 now, the results of the science experiment are still out, but they seem to have turned out okay.

When I think back to when I was a kid, getting around school internet filters and helping my friends remove parental controls from their devices, I can't help but think the Streisand Effect was hard at work in my brain. The adults was determined that I wouldn't see a thing so I was determined to see it because what could they be hiding?

Now approaching the age where the thought of having a family and kids is on my mind more and more, I always wonder how I will approach this problem. I can't think I would do it any differently than you. For young children sure, throw up DNS filtering at the router level and the kiddos' will be none the wiser. But if my future kid ever turns out like me, that will probably only work until 7 or 8 (when I figured out how routers worked), at that point I would think it has to be an honest conversation about all the crap on the internet. Even when I was a kid I knew when the adults were feeding me a load of crap.

What do you think schools should do? I teach at a school (K-12), and there's definitely circumvention of technical controls at the high school level. But I can't help but think we're a whole better off because of the filtering.
DNS filtering (pi-hole is great here), scheduled vLAN time of use shutoffs (no after school shenanigans), obvious blacklists and ip request logging + pop-up warning are probably good enough for 95% of kids.
We use Meraki (huge wireless deployment, so it makes a lot of sense to just use their gateway and call it good) with their blacklists. Biggest problem is it considers too many things "gaming" and needs exceptions-- e.g. lichess and chess.com are OK. Authentication and logging are pretty good.

Rateshaping students to have enough bandwidth to do schoolwork but not to have wonderful connectivity (campus has a 2gbps symmetric connection, but we only give students 4-5 megabits/sec over wifi most places on campus) is also a part of the picture.

Whitelists. It's kind of a pain, but might help reign in the teachers that send kids everywhere on the internet without much thought about the surveillance dangers.
MS and HS students are expected to be able to independently browse the internet to do research-- this doesn't work with whitelisting. (And in elementary, there's good human supervision of technology use).
This, not to mention it seems somewhat unproductive to lock off 99% of the internet because of information collection instead of teaching how to defeat those collectors. The kid's going to grow up and leave eventually and will have to contend with the full internet, it doesn't feel like a good idea to leave them without any experience of the kind of things you can run in to.
Kids don't get any "experience" contending with surveillance. It is all done behind your back, on purpose. Results are never deleted.

Certainly schools are not even attempting to teach countermeasures. They tend to dabble in the "be aware of bullying and self-esteem" issues, but are completely outmatched in the security arena. Ignore at your peril.

We, at least, spend a fair bit of time on:

- Advertising and dark patterns

- What else can be inferred about you from seemingly innocuous information, and potential misuse

- Durability of your digital footprint

- Security, file types, etc.

Education doesn't fix these issues, though. Even well-educated developers would often give up and click 'Allow' on a modal privilege escalation box that pops up repeatedly in research. And if I need to get something done and it doesn't work I'm pretty quick to re-enable scripts and tracking.

Knowing these thing exist is a great first step, and glad to hear you are helping out.

But, it doesn't become a concrete, visceral thing until you inspect a no-script menu while browsing a news site. Or run Little Snitch on a freshly unboxed Mac. Or going to a "white pages" site and see the last four addresses of your family members. Salary info, current whereabouts, criminal history, are a fee away.

It's a different world.

Yes, but the whole world won't be developers. And many in the know just don't care.

You're talking about a population of 12 to 18 year olds. Even among the most responsible and least-easily influenced of them, social pressures absolutely dwarf any abstract concerns about corporations knowing a bit more about broke-ass you to try and sell you things.

Most of this population will take a short term gain for an uncertain consequence a few minutes later. You're talking about short term gain versus consequences that they may view as inevitable and occurring decades away.

I can only affect my kingdom, what others do is mostly not my concern. Reminds me of the corporate garbage “food” products most people consume. I speak out but not going to steal their doritos.
You're the dude who spoke of the need to "reign" in teachers and advocated for restrictive whitelists.
I did and would do it again.

These are exactly the population that should be protected. If you wanted to give them agency, which I support, let them manage their own whitelists instead of throwing up hands in defeat.

The future is already here, trends are not reversing:

https://www.latimes.com/business/story/2021-11-09/column-tra...

We can teach them to protect themselves, pretend the problem doesn't exist, or say "aww shucks, all the cool people are being violated."

Then they will probably use their Data Plan if they have one to get around it.
You're obligated to block, because you're responsible for giving it to them and you have to deal with the population as a whole. I based my decisions on my kid's temperament. You don't have that luxury.

It doesn't mean you'll be in any way effective.

By the same token, we block this kind of traffic at work...all it ended up doing was pushing the negative traffic to employee's cellphones. Which is fine, because it makes the office network safer.

This is the right way to go. Teach, don't block. You fuck up your relationship to your kids if you force them to keep secrets from you and constantly "fight" against you. Because trust me, that's how it'll end up.
It doesn't. I have a whitelisting transparent proxy for my primary school-age kids. It's not controversial and they don't attempt to get round it or rail against it. If they want something they ask. If I say no (and explain why) they accept it. They're interested in internet safety and we discuss it frequently. Teaching vs blocking is a false dichotomy.

As they get older I'll remove it in stages: blacklist, logging only, then direct access with no proxy. The opening up will be done when it seems appropriate and in full discussion with them. I don't have a schedule for it.

When they're old enough to have phones I can initially give them managed devices with always-on wireguard and the same transparent proxy. (I've tested this setup and it's not circumventible without wiping the device.)

The claims often made on hn about this stuff, that:

* Kids will resent any attempt to limit their access, and

* Kids are NSA-level hackers who will circumvent any attempt at limiting their access.

are empirically false, at least in my experience so far. I expect they become more true in the teenage years but that's when things can start to open up.

Even if the restrictions have to be entirely dropped or become irrelevant the second they enter senior school, they've already benefited a lot from this over the years.

The other argument, that other kids will have phones etc so there's no point, is just an abdication of responsibility. I feel like I should do my best here, whatever everyone else is doing.

The one thing that is true is that it's quite technically demanding. A managed phone with an always-on wireguard connection to a network with a transparent ssl-bump mitm proxy and a domain-based whitelist with an admin UI to browse logs and block/unblock domains is not an easy thing to set up.

It's possible, though, and it has value. It should be much easier.

> * Kids will resent any attempt to limit their access, and

> * Kids are NSA-level hackers who will circumvent any attempt at limiting their access.

There's plenty of people in their mid-20s now on HN who have been the kids, either working around their parents restrictions or their friends parents restrictions. I had an internet enabled phone as a 12 year old in 2004, so it's not a post-iPhone kid experience only.

And yes, parental control software has got smarter to not just be a matter of changing your DNS or using an alternative browser, but tunneling over SSH still defeats much of it, and yes the audience here is more tech savvy, but there's a hundred new web based proxies that open up every day that your chosen solution may not be up to date on blocking - whitelists avoid that but it's something a lot of people here are opposed to on moral grounds once kids reach a certain age. Certainly if you let them go out unsupervised that's not enforcable, and honestly you should be able to let a 12 year old go out unsupervised.

To what extent this applies to 12 year olds is to be determined in my case. My kids are younger than that

I think a lot of the "try and restrict and you'll just harm your relationship" stuff comes from 20 somethings whose memories are primarily of their teenage years. There's 12 years before you get to twelve, and we're in a situation where clueless parents are allowing (knowingly or not) their preteen kids to have their own youtube channels and watch Squid Game. (And much worse besides no doubt, those are just a couple of things I know particular kids have been doing.)

We teach and re-enforce. Blocking is the result of failing to respect the established terms and losing the privilege until we have re-established them.

It's really that simple.

In the case of NextDNS its less controlling what they see, we're not naive about that - but more about ensuring their safety and well being.

>I figured, when my kids were a certain age, that if I took that route, they'd ALWAYS get around whatever control I put in front of them

My son is 14, and when my wife proposed blocks and access control, I made this very point. Even if we were able to perfectly lock down our home and his phone, we can't control every other place he can access the Internet. So, we also are in a talk about it, occasionally check on what he's been into, talk about anything "interesting" that comes up, but NEVER make a big deal of if. As long as we're able to discuss it (and no, he doesn't love talking about it), I'm OK. By keeping it low stress and low key, there's no incentive for him to hide.

You should still do some blocking to make sure he learns how to circumvent them. Those are valuable skills to have later in life, I still profit from the lessons I learned circumventing high school internet restrictions.
Through Norton's suite I had filtered out YouTube app from being installed. It took ~10 minutes for my 5 yo to figure out use it via Safari :-| Since then it's been education over enforcement as OPs have mentioned.
Does the Norton suite not have website/URLbase filtering? Weak sauce.
My kids learned all about that in schools...by the teachers...so they could bypass the blocks to see youtube videos for class!
I'm confident he already has those skills. When he was in fourth grade, my wife and I were called into a meeting with the (private) school Principal because my son had "hacked all of the tablets used for class so kids could play games on them."

As it turns out, he merely figured out that flipping the Wi-Fi Off switch killed the network connection on the chrome-based tablets, which makes it easy to get to the chrome dino jumping game.

I was disappointed that he disrupted class, but equally impressed by his resourcefulness.

I don't understand why it's healthy to provide one click access to the hardest core pornography to a 12 year old. Putting some restrictions in place are better than nothing in my book.
Because when you are an adult, your choices have real consequences. Kids have to learn that lesson.

All told, a 12 year old kid seeing porn they sought out is small potatoes compared to the consequences of some other decisions.

Porn isn’t harmless.

Source: maladjusted, mid thirties virgin, who grew up with on instant and infinite access to online porn

As someone who grew up in an extremely religious (arguably "cult-ish") home. I can tell you that your approach to parenting leads to healthier children (at least mentally).

Hiding children from facts of life (sex, death, drugs, abuse, alcohol, etc) does not in fact help them, it helps you (the parent). It makes parents feel good, but leaves children scarred and unprepared for when they will inevitably face those facts later in life.

There are stages of life when children will (or should be) exposed to those things. The brain naturally regulates these things. If a child is exposed at the proper time, their brain regulates the amount of information they are capable of understanding. As they re-experience the same thing later in life, they will understand more and their progress towards understanding that concept is more gradual and healthy. By contrast, if you shelter a kid, they will still inevitably face reality later in life, but the experience will be more difficult because they have to face everything at once.

Parents should not be afraid to discuss or even introduce difficult concepts to children. The children will inevitably face these. It is better for them to face them in a controlled manner early in life so they can build healthier relationships with these hard ideas. It also gives parents better control over the introduction of these ideas. If you turn sex, alcohol, and drugs into a taboo in your house, you might think you are helping your children, but the reality is that you are actually setting them at higher risk to abuse these things later in life.

Back to the original comment. If your kids are going through all this effort to subvert your DNS and controls in order to see something on the internet. It would be better to allow the child to confront their curiosity in a controlled way. Their curiosity is clearly very strong if they are willing to go to this extreme to satisfy it. Letting the curiosity pent up, will ultimately have the reverse effect than you desire. It could lead to overindulgence of that curiosity, or potentially abuse of that curiosity later in life.

I think there are good cases to be made about pre-puberty vs post-puberty controls. Strong fences for the 4-8 age group is pretty different than than 9-11, 12-14 or 15+
Oh believe me, NextDNS isn't because i'm trying to keep my kids safe from sex, death, drugs and alcohol, it's because the world is out to harm 13 year old girls and I want them to be protected. They watch horror movies and we've never been ashamed of nudity and sex is nothing to be ashamed of.

Ironically, its not porn, warez, hacking or any of that crap that concerns me - it's the dudes who pray on girls - it's the people with fake disorders building communities to cause people to have ticks and self diagnose with severe disorders. It's kids who don't sleep because they're addicted to tik tok and instagram.

Take away their phone to help break that addiction and they end up with friends phones or connecting on other devices...

I can't police all that, I can't talk my kids out of that and I certainly won't hide them from the internet - but i can block the URLS of places i know that shouldn't exist and i can set sane restrictions as any good parent should

Of course kids are gonna find porn and yeah, they're going to try and bypass controls. Clearly, they're figuring it out and clearly, they think we don't know so whose the clever one now?

Still think Apple should have MDM for families. When i was a kid we were stealing pornos from Circle K so it's not about that at all.

Mate, your second paragraph is essentially reframing trauma. It's true that trauma can prepare one to face a bigger challenge later in life, but not always, and it can make facing other kinds of challenges more difficult and incentivize withdrawing from a number of wonderful parts of life.

There have been successful societies built around early trauma (Spartans, etc.) but we remember many of them as brutal by necessity of their surrounding environment.

Agree with the rest entirely.

The "at your own peril" strategy is effective for some.

Or go the panopticon route: "I have software on the router that can see everything you do, but I don't usually look at it."

This sounds like fueling anxiety in the kids that they are being watched. Doesn’t sound okay
> kids that they are being watched

They already are though. Usually by tech companies without the kid's best interests at heart.

Tailor it to the kid. Certain amounts of anxiety in developing minors around surveillance seem healthy, especially given the risks associated with unfettered access to the dangerous fire-hose that is the internet which itself has tracking at every corner.

Still, lying to your kids is not ok. If you don’t have software on your router that tracks everything they do, don’t pretend that you have. Being surveilled is a feeling that sticks. Being tricked, too. Don’t assume your kids will forget eventually.
> kids that they are being watched

Not sure that "kids" is well defined here. But it seems completely normal that "kids" would be watched by their parents.

I realize that the appropriate nature of "watching" is going to change with the age of the "kid", but oversight and watchfulness by a parent shouldn't be viewed as inherently problematic.

Unless you're running a MITM proxy for SSL traffic with root certificates installed on the home devices, this statement can not be true. And if you're running such a proxy, you would need to have a guest WiFi for people coming into the house who would like to use internet without installing the certificate. At that point, circumventing the tracking is the matter of connecting to the guest WiFi.
16 year old me bypassed this and all other monitoring by running a patch cable from the cable modem directly to my machine when up to shenanigans.
All you are doing is teaching your kids to hack into their own device (speaking from experence) . Try a different strategy than attempting to lock down a device . When your are dealing with an individual who has a large payout if they succeed in getting around security and a long amount of time to circumvent it’s an extremely lost cause.

Instead you should limit the amount of time for device access or even just take the device away.

The ScreenTime feature for family members on iOS is an absolute car-crash. Not only is it almost impossible to find (it's not in Settings -> ScreenTime), but I'm endlessly impressed with the ways around it my daughter is able to find. I've recently noticed that she can use WhatsApp without limits just by launching it from the share sheet in Photos.
I wasn’t clear I mean physically take the device from them.
I've done this. This is when you find out that they can get online with their switch, their ipad, the long lost android tablet you didn't know you had or the one they bought from 7-11 because they sell 49 dollar kindle fires there. They also have friends phones and buy sims and all sorts of crap.. it's hilarous the lengths kids go to get online...
I was posting in support of your comment, sorry that wasn't clear.
Training them for a career in tech/security ;) Parent is playing the career long game.
>All you are doing is teaching your kids to hack into their own device (speaking from experence)

That doesn't seem like a bad skill to foster.

Never said it was bad just pointing out the original posters false conclusion.
> All you are doing is teaching your kids to hack into their own device

Ha! Lock down everything and casually leave a printout on the kitchen table titled "How to bypass home network security" with a bunch of Python exercises that lead up to disabling the filters. Presto, now they know Python :-)

I would not leave books on the table so they can figure out how to google.
Did you try setting the device up with the MDM app from a Mac? It's called Apple Configurator or so, can't remember now. But as far as I remember it came with many options.
Also, first time i read about NextDNS. Looks rather interesting. Thank you!
You can setup NextDNS at the router level.
It is, but the kids know they can juse use 5g and no more home router :)
Can't you do that with Apple configurator by creating a profile and installing it on their phones? It is clunky though.
If your kids are intelligent enough to bypass locks... give it up. Seriously.

Better, prepare them for the worst of what they will experience on the Internet: violence, pornography, abuse of all kind, and guide them in their use of the Internet. Place yourself as the person your kids can come for help instead of the person they have to be afraid of. That is an incredibly easy and common thing for groomers to exploit.

nah, not giving up.

Both kids have fought it, my oldest is 17 and nextdns for her just blocks ads and keeps the spyware from calling home.

Every generation has "wtf is that" and what my 13 year old is going through is "WTF IS THAT!??"

Can you DM me? I’m working on something along those lines.
I still have a lot of resentment for the internet restrictions my parents put on my devices. They didn't usually work, but made whatever i was doing significantly more annoying.

I still remember discovering a bug in the iphone parental controls where i could go to the amazon app, leave a comment for google.com, click it and open that in a webview, then open that into safari with restrictions disabled. How i discovered that, i have no idea. But there's always a way.

Later i just wasted my money on a crappy android phone and forced their hand.

Edit: please, please, parents do not do this to your child. Learn trust, have conversations, and let them explore. If you trust your child (truly trust them) and they know it (believe you, not just hear you say it) then they will mostly try to make good decisions. Controls will just be bad for your child in the long run, even if it makes parents job easier in short run. Once a child isn't in eg. middle school, you have to start letting them access tech on their own.

So I haven't completely thought this through as my kids are still too young, but I'm leaning towards doing both.

Some level of controls feels like a way to encourage exploration and learning and the "hacker" mindset. If they escape the controls, great! We also have the conversations about what's out there, how to handle it, etc.

A quick thanks here for making me feel hideously old by mentioning your experience of parental controls being on an iPhone, a device that didn’t even exist until well after I’d moved away from home and was paying for my own internet connection.
You do realize, that often times controls are put in place when the communications and trust has been violated right? Most people want to not give a shit, it's the kid forcing the response.

Beyond that, The internet for a boy, is much different than the internet for a girl - your experience isn't the same as everyone elses and neither are the filters.

We home school so some of the controls are just in place so they actually do some school and they're only in place because they choose NOT to do school.

> controls are put in place when the communications and trust has been violated right?

Oh yes, i certainly broke trust of my parents, but mostly by bypassing controls they put. That deteriorated trust (and encouraged more trust-breaking) much faster than if the controls werent there.

So you're mad your parents blocked rape websites? Child Porn? Incest? Or are we talking about you're mad that they blocked youtube and twitch?? Which we don't? And i'm not talking about kids being interested in those, but sites where people try and perpetuate them and bait young girls with.

All blocks are not created equal here.

There are 10s of thousands of girls going through therapy, rehab, mental hospitals and such because of some of what is going around right now and much of the blocking is learning from parents who didn't and lost their kids to suicide or sex trade.

It all starts with a supposed nice 14 year old kid on discord who buys you a gift and turns out to be a grown ass man praying on girls who are susceptible to social issues - they're the ones boosting the servers and writing free advice and coming off as being helpful to teen issues but its all a big con... and that's just one channel of the absurdity. THe other is social pressures on tiktok and insta and their addictive properties - especially for young women. Unchecked/unbound you're asking for trouble for you and your kids.

Be a parent and let your parents parent.

The running joke in my country is that pastors’ children always round up to be delinquent in their teens. You won’t be able to completely control the environment of your child. The re will be a moment, when he/she will realize you do not know everything and your word, while important will be just a voice in many. It is very hard to resist temptation when you see people your age doing them without restrictions. I would say teach them values, not enforce them.
It's never been about complete control - or even control at all. It's about safety, health and wellbeing. As i mentioned to others - this isn't about blocking HBO max, youtube, twitch or steam. It's about safety against people praying on 13 year old girls and general computer safety blocking threats that nextdns blocks that every one should block.

The thing is, when kids grow up - they're gong to work at places that have blocks to ensure employee safety too and they're going to have to realize what they need to do to keep their kids safe

and the kids will hate it, as they have always hated it.

I can’t tell exactly but this seems to be going down the compete with Active Directory route.

Which honestly, isn’t a bad thing. AD is getting long in the tooth and AAD is a mess, we can absolutely use a few clever apple innovations to this space.