It shouldn’t surprise anyone that Apple is removing Python 2.7 from the upcoming macOS 12.3 release: As far back as 2019, the company said it was deprecating the scripting and programming language and that Python would not be included with future versions of the OS. Now Apple is simply making good on that promise.
The promise itself shouldn’t have been a surprise, either, given that the Python Software Foundation—which maintains the Python codebase—originally said that it would be sunsetting Python 2 way back in 2008.
And yet the imminent removal of Python 2.7—macOS 12.3 is expected to ship sometime this spring—still demands attention from Apple admins. Here’s what it could mean to you and what you can do to prepare.
Plenty of Warning
To recap: The Python Software Foundation originally intended to sunset Python 2 in 2015; at that point, the group said, it wouldn’t publish any more bug fixes or security patches for that version of the language. That deadline was then pushed to January 1, 2020. Coders who’d been using Python 2 were urged to switch to Python 3. The two versions are different enough that code written in one won’t execute reliably or at all in the other.
In June 2019, as part of preparing for the release of macOS Catalina 10.15, Apple announced that future versions of macOS would not include Python 2.7. Apple has waited two-plus years to actually pull the switch.
Python 2.7 has been bundled with macOS since version 10.8; it’s well-embedded in the Mac ecosystem. Apple admins in particular have gravitated to Python as a way to automate management, in part because its support for parsing data structures such as JSON and XML is superior to that of shell-scripting languages such as bash and zsh.
Starting with macOS 12.0.1, if a program or script called for the Python 2 interpreter, the user would see a warning that the invoking app will not work with future versions of macOS and that it needs to be updated.
Now, in macOS 12.3, apps and scripts invoking Python 2.7 will fail because the Python 2 interpreter simply won’t be there. Whether you install 12.3 from scratch or upgrade from a previous version, it appears that the contents of /usr/bin/python are simply gone, leaving behind only some broken symlinks.
So what should you as an admin be doing about it now?
The first step in addressing the problem is an audit to figure out how many of the scripts and apps you’re pushing out to end-users or using to manage your fleet are dependent on Python 2.7.
If your organization has been rigorous about its development and distribution of scripts, you might have them all under source control on something like GitHub. In that case, you likely have tooling available to help inspect your scripts.
If you don't have that kind of infrastructure, then you’ll have to eyeball your scripts for references to Python 2.7. You could scan for any files that end in .py or that have /usr/bin/python or /usr/bin/env python on the first line. But remember that scripts in other languages can also shell out to Python for specific tasks.
If you’re a Kandji customer, the easiest thing to do is to review the custom scripts you’re deploying in your various Blueprints. Be sure to also check any pre-install, post-install, or audit scripts that you use to deliver custom apps.
Some third-party packages that you're distributing may rely on Python 2.7. You could wait until they break, or you could try using Armin Briegel’s script for checking installer packages for deprecated runtimes. You could also contact vendors to see if they ship Python 2 runtimes with their apps (and encourage them to upgrade to Python 3 instead).
One approach to consider: Upgrade a test Mac to a pre-release version of macOS 12.3 and install Python 3 on it (perhaps as an Auto App). Then add that Mac to a test Blueprint that contains your library of custom scripts and apps, and confirm that each item works as expected when Python 2 is not available.
While you’re digging around, you might also use this as an opportunity to audit the scripts you’re delivering to end-user systems and cull the cruft. Is each script doing what it’s supposed to? Do you still need it? If you don't, get rid of it. If you do, and if it's built for Python 2.7, fix it (see below).
You should also be educating users about the situation.
For general end-users, you can simply inform them that you’ll be upgrading their computers to macOS 12.3, and if they see any error messages in the immediate aftermath they should let you know. If you do start getting reports of such errors, your next call should be to the vendors of the software that's generating them.
If you're talking to developers in your organization, you could say more:
- You’re upgrading to macOS 12.3 and, as a result, Python 2.7 will cease to work. If they’re still using Python 2.7, they need to stop.
- You’re supporting the switch to Python 3. Explain how you plan to distribute that software.
- This might be a good time to start asking your developers to manage their own Python environments and then provide whatever support they need to do so. That way you can be responsible for the version of Python that you’re using to manage your fleet, and they can be responsible for the version they’re using for their projects.
Pause If You Must
If you haven’t yet upgraded to macOS Monterey, anything that depends on Python 2.7 will continue to work without interruption. But that’s still not necessarily wise: Python 2.7 has been unsupported for a long time, with no security patches, so continuing to run it could leave you vulnerable. Consider the release of 12.3 and the loss of Python 2.7 the push you needed to make the change to a newer OS and a more secure Python.
But if you do have lingering dependencies on Python 2.7, you can postpone the upgrade to 12.3 until you resolve them.
Install Python 3
Apple is not bundling Python 3 with macOS the way it did with Python 2. You’re going to have to install Python 3 yourself if you want to leverage it on endpoints. There are several ways to do so.
If you’re a Kandji customer, you can install Python 3 as an Auto App. Alternatively, you can install it on endpoints by installing the Xcode Command Line Tools, via Homebrew, or directly downloading it from python.org. There’s even a Python framework for Mac admins that you can package up and make available as a custom app.
Once you’ve identified the scripts that still rely on Python 2.7, and once you’ve figured out a way to upgrade all the Mac computers that will be running your scripts to Python 3, you can convert those scripts. There are several tools available for that, including Futurize, Modernize, and 2to3. The latter can either report out to you what changes need to be made or it can make the changes itself.
Kandji’s Auto Apps can help you keep the software on all the Mac computers you manage up to date. With powerful features like zero-touch deployment, one-click compliance, and offline remediation, Kandji has everything you need to enroll, configure, and secure your Apple devices.