Archive for October, 2019

Downloading macOS installers with updated signing certificates on macOS Catalina

October 28, 2019 30 comments

As a follow-up to last week’s expiration of the certificate used to sign previously-released macOS installers, Apple has released re-signed macOS installers with the new certificate which is good until April 2029.

For those who archive older macOS installers, this means that the macOS installers in question will need to be re-downloaded. macOS Catalina has added some new functionality to the softwareupdate tool which can assist with this. For more details, please see below the jump.

Read more…

Categories: Mac administration, macOS

Suppressing the Touch ID pop-up window with a profile on macOS Catalina

October 22, 2019 2 comments

Apple has introduced a number of pop-up windows over the years, which appear the first time you log into a Mac and sometimes also after OS updates. In 2016, Apple introduced one for Touch ID as part of introducing the Touch Bar.

LWScreenShot 2019 10 22 at 3 36 51 PM

For a long time, the only way to suppress this window from appearing was by using the command shown below:

defaults write DidSeeTouchIDSetup -bool TRUE

However, as of macOS Catalina, it is possible to suppress the Touch ID pop up window using a profile. For more details, please see below the jump.

Read more…

Rebuilding your macOS Recovery volume or partition with create_macos_recovery

October 21, 2019 40 comments

I recently got an email from a former colleague, requesting assistance with a problem they were seeing. They were cloning drives with macOS Catalina, but their cloning process was not including the Recovery volume. Was there a way to create a new Recovery volume on a macOS Catalina boot drive that didn’t have one?

I did some research on this and found that there was a script to do this on High Sierra and Mojave, but it didn’t appear to work anymore.

With some more digging, I was able to figure out why. The script was downloading and expanding a macOSUpd10.13.6.RecoveryHDUpdate.pkg installer package from Apple’s Software Update service in order to get access to a dm tool included with the installer package. This installer package was no longer available from the Software Update service, but a similar package named SecUpd2019-005HighSierra.RecoveryHDUpdate.pkg with the same dm tool was available.

Once I verified that I could get the same results using the SecUpd2019-005HighSierra.RecoveryHDUpdate.pkg installer package, I wrote a script (based on the original one I had found) to help automate the process of rebuilding a macOS Recovery volume or partition. For more details, please see below the jump.

Read more…

Suppressing the Screen Time pop-up window with a profile on macOS Catalina

October 18, 2019 1 comment

Apple has introduced a number of pop-up windows in various OS versions, which appear the first time you log into a Mac and sometimes also after OS updates. For macOS Catalina, Apple has introduced one for Screen Time.

Screen Shot 2019 10 18 at 3 45 00 PM

To stop the Screen Time pop-up window from appearing for your home folder, run the command shown below:

defaults write DidSeeScreenTime -bool TRUE

Since you normally will be able to run this command only after you’ve seen the Screen Time pop-up window, I’ve posted a profile for suppressing it. For more details, please see below the jump.

Read more…

Managing macOS Catalina’s FileVault 2 with fdesetup

October 17, 2019 7 comments

Since its initial release in OS X Mountain Lion 10.8.x, Apple’s main tool for managing FileVault 2 encryption has been fdesetup. With the transition from managing Core Storage-based encryption on HFS+ to managing the native encryption built into Apple File System completed, this well-developed toolset continues to be Apple’s go-to tool for enabling, configuring and managing FileVault 2 on macOS Catalina.

With its various functions, fdesetup gives Mac administrators the following options for managing FileVault:

  • Enable or disable FileVault 2 encryption on a particular Mac
  • Use a personal recovery key, an institutional recovery key, or both kinds of recovery key.
  • Enable one or multiple user accounts at the time of encryption
  • Get a list of FileVault 2-enabled users on a particular machine
  • Add additional users after FileVault has been enabled
  • Remove users from the list of FileVault enabled accounts
  • Add, change or remove individual and institutional recovery keys
  • Report which recovery keys are in use
  • Perform a one-time reboot that bypasses the FileVault pre-boot login
  • Report on the status of FileVault 2 encryption or decryption

For more details, please see below the jump.

Read more…

Certificate used to sign older Apple software expiring on October 24, 2019

October 16, 2019 3 comments

On February 10, 2015, a number of Mac admins noticed that Apple was re-issuing a number of software updates. The updates themselves hadn’t changed, but were being reposted.

The reason was because part of the chain of certificates Apple was using to sign installers used by Apple’s software updates was expiring on February 14th, 2015.

Screen shot 2015 02 10 at 7 11 06 am

The new expiration date was set as October 24, 2019 at 1:27 PM US Eastern Daylight Time, which is eight days from the date of this post.

Screen Shot 2019 10 16 at 1 22 18 PM

Time marches on and once again, Apple is re-signing and re-issuing updates ahead of the October 24th 2019 expiration date.

It looks like the re-signed installers have an expiration date of April 14th, 2029 at 5:28 PM US Eastern Daylight Time.

Screen Shot 2019 10 16 at 1 41 42 PM

The certificate expiration will also affect macOS installers or boot media that are signed with the certificates which expire on October 24th. In testing by @neilmartin83, these installers will not work properly following the certificate expiration.

Apple will also be re-signing these installers though, so the fix in most cases will be to download new copies of the relevant macOS installers from the Mac App Store or Software Update.

Categories: Mac administration, macOS

The macOS user template directories have a new filesystem location on macOS Catalina

October 14, 2019 11 comments

New users on a Mac have a certain set of default settings which are copied into their user profiles the first time they log in. Starting with Mac OS X 10.0.0, these settings have been stored in the following location:

/System/Library/User Template

Screen Shot 2019 10 14 at 11 33 55 AM

Inside the User Template directory are a number of language-specific directories where the default settings for various languages are stored. This allows the new user’s default settings to be appropriate for their language and keyboard configuration.

As of macOS Catalina 10.15.0, the location of the User Template directory has changed to the following:

/Library/User Template

Screen Shot 2019 10 14 at 10 55 23 AM

The reason for the change is that the /System directory is now stored in Catalina’s read-only volume for the OS. By moving it to /Library, the User Template directory and its enclosed language-specific directories remain readable and writable for those folks who prefer to deploy settings by making changes to the user template directories.

Categories: Mac administration, macOS

Enabling root on a Mac which hasn’t gone through macOS Catalina’s Setup Assistant

October 11, 2019 9 comments

On certain occasions, it may be necessary to configure settings on a Mac which has not yet gone through Apple’s Setup Assistant. This process usually involves enabling the root account and setting a password for it, since no user accounts with admin rights exist yet. For more details on how to do this on macOS Catalina, please see below the jump.

Read more…

Categories: Mac administration, macOS

Most Apple apps installed with the OS have a new filesystem location

October 11, 2019 5 comments

Starting with Mac OS X 10.0.0, Mac apps have traditionally been installed into /Applications or /Applications/Utilities. It appears to be the same on macOS Catalina, but appearances can be deceiving.

As part of implementing a read-only volume for the OS, Apple has moved the apps it installs along with the OS from /Applications to a new location on the read-only volume: /System/Applications

Screen Shot 2019 10 11 at 11 06 55 AM

For operations in the Finder, this move won’t make a lot of difference because Apple has made sure that the applications in question still appear in /Applications and /Applications/Utilities.

Screen Shot 2019 10 11 at 11 06 11 AM

However, if a script or other command line tool is referencing an app in /Applications or /Applications/Utilities, the new /System/Applications and /System/Applications/Utilities path must be referenced. In my case, I ran across this as part of a script that as part of its work was referencing the Keychain Access app in the following location:


The script failed because Keychain Access is no longer available at that location on macOS Catalina. To fix this, I updated the script to use the following location:


Once that was done, the script ran without problems again.

This new location on the read-only volume only applies to apps which Apple installs as part of the OS or which are only updated by OS updates. For example, because Safari may be installed or updated separately, the Safari app is not located on the read-only volume in /System/Applications. Instead, Safari remains in /Applications as /Applications/

Screen Shot 2019 10 11 at 11 22 09 AM

Categories: Mac administration, macOS

Enable automatic macOS and App Store updates on macOS Catalina with a profile

October 10, 2019 2 comments

A while back, I wrote a post on enabling automatic software updates on OS X Yosemite through macOS Mojave. As part of the post, I mentioned that it wasn’t possible to manage the options for automatic macOS and App Store updates using a profile. The reasons were the following:

  • The App Store update options were managed by the preference domain, which isn’t manageable with a profile
  • The AutomaticallyInstallMacOSUpdates setting in the preference domain should be manageable with a profile, but for unknown reasons, it couldn’t be.

As of macOS Catalina, I’m happy to say that this has changed. For more details, please see below the jump.

Read more…

%d bloggers like this: