Plenty of not-very-granular "enterprise" systems out there, it's not exactly unique to not always have full ACLs on the smallest of objects.

Granted, the M1 and up are not 100% covered yet (driver-wise), but they aren't EOL either. And if they were, Linux would still run anyway. Take a 20 year old Mac and you'll run Linux just fine. 10 year old Mac, Linux still runs fine. Take an M1 and it's a joy to use with Linux. Taken an M2 and it will boot and you can be pretty sure it will run very well long before it's EOL too. And even if it's EOL, it's not going to prevent you from running Linux later.

As for the PC example: definitely EOL problems there. Try getting your EDK2-based UEFI stack patched on an old computer. At some point you won't be getting certificate updates and if you either forget to install a local override or if the vendor didn't add it, you're SOL, especially on laptops where you can't disable secure boot.

Most on-prem deployments were trash and a lot of them still are. Not because it couldn't be better but because it's easier to just have some random hypervisor department do this work manually and not do the work to create it as an internal product. Even VMware with vrealize failed and that's about as 'customisable cloud platform in a box' as COTS enterprise software can get.

Maybe it's because IaC and APIs were just not in the vocabulary of the average system integrator or on-prem operating team (it's still lots of clickops and copy-paste).

I suppose it's a case of 'technically possible, realistically infeasible'.

A more likely scenario might be either a from-scratch not-as-good machine that you can source locally (supply-chain wise) or a novel finding (which is hard to predict if it will happen and if so, when).

Granted, it will not integrate with anything hardware-wise by itself (unless there's a package for it - if not, macOS still handles it, and Aqua/Quartz will keep running in the background anyway), but if what you wanted was something that is KDE or GNOME running with its own WM on its own X11 server, doing the exact same thing you'd get if you're running a Linux distro, that's been natively possible for over 15 years.

If a power user loses their power based on what GUI happens to be in front of them, how much of a power user was the power user to begin with?

It's interesting how with some systems/engineering thinking you'll pretty much always get there in the end anyway, which is also why articles like yours are pretty neat. (sadly, not everyone takes the time to write things down and share them these days)

  1. Doing the password reset
  2. Reboot straight back into recovery
  3. Update your new password back into your old password
  4. Boot into macOS, your default keychain will unlock but you'll still have to re-authenticate to iCloud since your machine-user identity combo will no longer match with what iCloud expects. (not sure if this is part of Octagon Trust, but there are various interesting layers to this)

There are a number of much more in-depth technical guides and specs, but just listing out random articles (or the Black Hat talk(s)) would probably rob someone of a nice excursion into platform security.

Software for running VMs is free.

> Giving users local admin rights is a massive security risk we can't take.

Sounds like you made your endpoints into pets and bastions, that's an architecture that is guaranteed to fail. Work towards a design where the endpoint no longer matters.

I've been trying out similar things to help internal teams to use systems and languages like Rego (for Open Policy Agent) to have a visual and more 'a la carte' experience when starting out, so they don't have to jump straight to learning all syntax and patterns for a language they might have never seen before.

It also really depends on how you perceive the alerts on a device; some people have lots of feelings when they see a dot or a number on an icon, others might not care or give it any attention. If such things are a distraction for you, turn them off. Unless they give you value or have an important meaning, they are not worth your attention.

Depending on your hardware/software vendor, it might be capable of synchronisation between multiple devices so you don't end up getting notifications anyway, and it might have multiple profiles with time boxes, or location-aware or event-aware profiles. Some of them are self-learning (to various degrees of usefulness), but either way, reduce the device to what you need it for.

That's a bit of a creative perspective, isn't it? You have no control over the UEFI implementation of your vendor, same can be said for AGESA and ME, as well as any FSP/BSP/BUP packages, BROM signatures or eFused CPUs. And on top of that, you'll have preloaded certificates (usually from Microsoft) that will expire at some point, and when they do and the vendor doesn't replace them, the machine might never boot again (in a UEFI configuration where SecureBoot cannot be disabled as was the case in this Fujitsu - that took a firmware upgrade that the vendor had to supply, which is the exception rather than the rule). For DIY builds this tends to be better, Framework also makes this a tad more reliable.

If anything, most OEM UEFI implementations come with a (x509) timer that when expires, bricks your machine. iBoot2 is just a bunch of files (including the signed boot policy) you can copy and keep around, forever, no lifetimer.

Now, if we wanted to escape all this, your only option is to either get really old hardware, or get non-x86 hardware that isn't Apple M-series or IBM. That means you're pretty much stuck with low-end ARM and lower-end RISC-V, unless you accept AGESA or Intel ME at which point coreboot becomes viable.

So can Apple stop signing new iBoot2 versions? Sure! And that sucks. But it's a bit of FUD to claim that Apple at arbitrary points in time is going to brick your laptop with no option for you to prevent that.

Granted, if you boot both macOS and Asahi, then yes, you are in this predicament, but again, that is a choice. You can never connect macOS or recovery to the internet, or never boot them.

If you need it, use it, if you don't need it, don't use it. It's not the big revelation people seem to think it is.