diff --git a/roles/1-prep/tasks/main.yml b/roles/1-prep/tasks/main.yml
index bb499df5c..273aedc94 100644
--- a/roles/1-prep/tasks/main.yml
+++ b/roles/1-prep/tasks/main.yml
@@ -7,6 +7,7 @@
   include_tasks: roles/network/tasks/dnsmasq.yml
   #when: dnsmasq_install    # Flag might be used in future?
 
+
 - name: Install uuid-runtime package (debuntu)
   package:
     name: 
@@ -37,13 +38,6 @@
   set_fact:
     uuid: "{{ stored_uuid.stdout_lines[0] }}"
 
-#- name: Does directory /ro exist? (indicating OS is Ubermix)
-#  stat:
-#    path: /ro
-#  register: ro_dir
-
-#- debug:
-#    var: ro_dir
 
 - name: Does 'ubermix' exist in /etc/lsb-release?
   shell: grep -i ubermix /etc/lsb-release    # Pipe to cat to avoid red errors?
@@ -52,9 +46,6 @@
   #ignore_errors: True
   #check_mode: no
 
-#- debug:
-#    var: grep_ubermix
-
 - name: If so, install /etc/tmpfiles.d/iiab.conf to create /var/log subdirs on each boot, so {Apache, MongoDB, Munin} run on Ubermix
   copy:
     src: roles/1-prep/files/iiab.conf
@@ -64,7 +55,6 @@
     # mode: '0644'
     force: yes
   when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist
-  #when: ro_dir.stat.exists
 
 # 2020-03-19: for KA Lite, but moved from roles/kalite/tasks/install.yml
 # This effectively does nothing at all on Ubuntu & Raspbian, where libgeos-*
@@ -75,6 +65,7 @@
   shell: apt -y remove "libgeos-*"
   when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist
 
+
 # Required by OpenVPN below.  Also run by roles/4-server-options/tasks/main.yml
 - name: SSHD
   include_role:
@@ -91,20 +82,24 @@
     name: openvpn
   when: openvpn_install
 
+
 # Debian 10 "Buster" is apparently enabling AppArmor in 2019:
 # https://wiki.debian.org/AppArmor/Progress
 # https://wiki.debian.org/AppArmor/HowToUse
 # https://packages.debian.org/buster/apparmor
 # Curiously this has NOT stopped IIAB 7.0/master from working on Debian 10
 # pre-releases, during @floydianslips' March 2019 testing anyway!  SEE #1387
-- name: Disable AppArmor -- override OS default (ubuntu)
-  systemd:
-    name: apparmor
-    enabled: False
-    state: stopped
-  when: is_ubuntu
-  ignore_errors: True
 
+# PR #2654 - AppArmor works w/ IIAB on Debian 10/11, so also now on Ubuntu?
+#- name: Disable AppArmor -- override OS default (ubuntu)
+#  systemd:
+#    name: apparmor
+#    enabled: False
+#    state: stopped
+#  when: is_ubuntu
+#  ignore_errors: True
+
+# PR #2648 - Can be restored in future if truly nec, w ansible.posix collection
 #- name: Disable SELinux on next boot (OS's other than debuntu)
 #  selinux:
 #    state: disabled
@@ -115,8 +110,10 @@
 #  command: setenforce Permissive
 #  when: not is_debuntu and selinux_disabled is defined and selinux_disabled.changed
 
+
 ##  DISCOVER PLATFORMS ######
 # Put conditional actions for hardware platforms here
+
 - include_tasks: raspberry_pi.yml
   when: first_run and rpi_model != "none"
 
@@ -132,7 +129,8 @@
     timeout: "{{ download_timeout }}"
   when: internet_available and usb_NUC6.stdout|int > 0
 
-# this script can be sourced to get IIAB location
+
+# This script can be sourced to get IIAB path/location
 - name: Recording STAGE 1 HAS COMPLETED ============================
   template:
     src: roles/1-prep/templates/iiab.env.j2