Introducing Power Manager 5

Today we released a major upgrade to Power Manager. This is a significant upgrade and one that has been in development for years.

This upgrade is the first paid upgrade in nine years. We released Power Manager 4 in July 2010 and since then we have been providing support and regular updates to the v4 lineage. From today Power Manager 4 is no longer being actively improved.

We are offering upgrade discounts to all Power Manager 3 and 4 customers. Additionally, if you bought your licence during 2019, upgraded licences are as low as one euro/dollar/pound.

Shifting markets

The market for Mac software has changed dramatically during the last decade. Prices of consumer software has tumbled and insidious productisation of the user has increased. Below cost pricing does not lend itself to sustainable, high quality software; and user productisation is abhorrent.

So in response to this market pressure, we have revamped our licenses and pricing.

You still need a licence for each computer that is running Power Manager's Scheduler. This is unchanged from before. What is new today, is that we are now offering much cheaper expiring licences alongside traditional perpetual licences.

Our expiring licences are a quarter of the price of their perpetual equivalent.

Thus after four years of paying for expiring licences, you will have equalled the equivalent perpetual price. As an expiring licence holder, you will have benefitted from support and upgrades long after the perpetual licence's support period has ended. These are good deals.

If you never upgrade the operating system then, of course, you can continue using a perpetual licence until the computer itself stops working. But not upgrading is rare, and upgrading frequently comes with software-breaking changes from Apple.

A new family licence covers all your computers at home. The cost is equivalent to two computers but the licence covers as many computers as you – and your family – have at home. We think the family licence is a great deal.

Perpetual licences are not going away. Perpetual licences play an important role for consultants and businesses. Alongside today's upgrade, our perpetual licences now come with clear periods of support and included upgrades.

Our pricing has also changed for larger deployments of Power Manager. We now offer a site licence at a fixed price. A site licence covers every computer at an organisation's address. This new licence replaces the scaled pricing we previously offered. We believe this will simplify buying decisions and streamline the purchasing process.

As always, we continue to offer academic and non-profit discounts directly in the store.

Calm on the surface

We have changed as much as we felt comfortable changing in one step.

Power Manager is a twenty-two year old product and thus ensuring continuity for our customers remains important. But be careful not to mistake continuity for stagnation.

Some of this upgrade's changes were exhaustive and had ramifications across Power Manager's architecture. Where possible, we have kept user interface changes to an absolute minimum. Perhaps bizarrely, as an existing user, you should notice remarkably little difference.

So where to start? Let's look at Power Manager's reduced installation footprint and then discuss sandboxing.

When you install the Scheduler on your computer, only one file is saved outside of the application. Everything else is now contained within the application bundle. We still need files in other locations but those are now created and removed as needed. This greatly simplifies getting Power Manager up and running.

Narrowing the installed file count comes with a simple requirement. Power Manager must live in the Applications folder. As a computer wide application, this is reasonable but with this upgrade it is required.

To make Power Manager easier to understand and audit, the supporting agents and daemons have all be renamed to start with uk.co.dssw.powermanager.; a small change but one that makes identifying the related processes in Activity Monitor or debug logs trivial.

Sandboxing and security

And then there is sandboxing the Power Manager application. If you have read other developers' experiences with Apple's sandboxing approach, you already know the problems we too faced. Let's take this moment to explain one impact of sandboxing and what we lost.

Power Manager's applications are code signed, hardened, sandboxed, and notarised. We code signed and hardened Power Manager years ago. Sandboxing and notarisation are new in this version.

Because of sandboxing we lost access to macOS's authentication framework. This macOS specific framework let us know what rights a user had or could obtain. We logged a bug about this loss with Apple in October, 2016. The bug report did not get a response.

Through the authentication framework, applications could safely delegate authentication and authorisation to the operating system. Authorisation rights were discrete, documented, and gave administrators fine-grained control.

An application using the authentication framework was minimally involved in security – which is as it should be. Sandboxed applications are denied use of this framework and have no assured way of knowing even if the user is an administrator or not.

We did what has become a theme for Power Manager over the years. We migrated from a higher level Apple provided framework to the UNIX underpinnings. Power Manager now uses Pluggable Authentication Modules (PAM) for all authentication and authorisation: local or remote. We previously used Pluggable Authentication Modules only for remote connections.

All connections to the Scheduler running on the local computer are now treated as if they were remote. This means Power Manager needs you to unlock the Scheduler even when running locally. Previously we could prove you were – or were not – an administrator and trust your actions appropriately; it all just worked.

Now with one means of authentication to focus on, we have greatly improved the range of Pluggable Authentication Modules that can be used. Power Manager no longer assumes a traditional name and password will be requested. Administrators can now use one-time codes, two factor authentication, or any other enhanced OpenPAM module. This was possible previously via the command line tools but not in the application. Complex authentication support is available across all of Power Manager.

Where name and password style credentials are used, Power Manager will offer to store them in the Keychain. This reduces unlocking a local or remote connection to a single click. Notably, the credentials are associated not with the network address of the connection but instead the connection's Transport Layer Security (TLS) certificate. This certificate pinning approach stops a particular class of attack and sidelines annoyances of changing network addresses.

Sandboxing the Power Manager application has either directly or indirectly consumed a significant amount of development time. I am yet to be convinced the benefits are worth the effort demanded by Apple.

Not just Mac

For the first time, we are offering pmctl for Linux and Windows on multiple hardware platforms: 32/64 Intel and ARM. With pmctl you can connect to and remotely manage your Mac running Power Manager's Scheduler from a Linux server or Windows PC – or even a Raspberry Pi.

This tool can do everything the graphical interface can do. Being a command line tool, pmctl is ideal for use in scripts and by administrators managing larger deployments. Thus offering a cross platform tool means Power Manager better fits into modern organisations. Where once an Xserve or Mac might be used by system administrators, now Linux and Windows are the norm.

From today, system administrators can use pmctl on their platform of choice to manage Power Manager.

After twenty years working as developers for exclusively Apple platforms, we have stepped into the unknown. We started investigating the possibility of supporting other platforms a while ago. Finding the right approach and tooling has been surprisingly enjoyable.

An epoch

Power Manager continues to be an automation tool designed for the user. The version notes for this upgrade are extensive and worth skimming.

During the last year John Fancourt, my co-founder, passed away. I am deeply grateful for all he did for DssW. John stepped back from DssW a few years ago and, while not involved in the day-to-day running of the business, the loss is profound.

Thank you for continued support. We are lucky to have so many great customers.

This article was posted in , , , and and tagged .

Published by Graham Miln on