
The macOS user template directories have a new filesystem location on macOS Catalina

October 14, 2019 1 comment

New users on a Mac have a certain set of default settings which are copied into their user profiles the first time they log in. Starting with Mac OS X 10.0.0, these settings have been stored in the following location:

/System/Library/User Template

Inside the User Template directory are a number of language-specific directories where the default settings for various languages are stored. This allows the new user’s default settings to be appropriate for their language and keyboard configuration.

As of macOS Catalina 10.15.0, the location of the User Template directory has changed to the following:

/Library/User Template

The reason for the change is that the /System directory is now stored in Catalina’s read-only volume for the OS. By moving it to /Library, the User Template directory and its enclosed language-specific directories remain readable and writable for those folks who prefer to deploy settings by making changes to the user template directories.

Categories: Mac administration, macOS

Enabling root on a Mac which hasn’t gone through macOS Catalina’s Setup Assistant

October 11, 2019 3 comments

On certain occasions, it may be necessary to configure settings on a Mac which has not yet gone through Apple’s Setup Assistant. This process usually involves enabling the root account and setting a password for it, since no user accounts with admin rights exist yet. For more details on how to do this on macOS Catalina, please see below the jump.

Categories: Mac administration, macOS

Most Apple apps installed with the OS have a new filesystem location

October 11, 2019 5 comments

Starting with Mac OS X 10.0.0, Mac apps have traditionally been installed into /Applications or /Applications/Utilities. It appears to be the same on macOS Catalina, but appearances can be deceiving.

As part of implementing a read-only volume for the OS, Apple has moved the apps it installs along with the OS from /Applications to a new location on the read-only volume: /System/Applications

For operations in the Finder, this move won’t make a lot of difference because Apple has made sure that the applications in question still appear in /Applications and /Applications/Utilities.

However, if a script or other command-line tool references an app that Apple installs with the OS by its /Applications or /Applications/Utilities path, it must now use the /System/Applications or /System/Applications/Utilities path instead. In my case, I ran across this in a script which, as part of its work, referenced the Keychain Access app at the following location:

/Applications/Utilities/Keychain Access.app

The script failed because Keychain Access is no longer available at that location on macOS Catalina. To fix this, I updated the script to use the following location:

/System/Applications/Utilities/Keychain Access.app

Once that was done, the script ran without problems again.

This new location on the read-only volume only applies to apps which Apple installs as part of the OS or which are only updated by OS updates. For example, because Safari may be installed or updated separately, the Safari app is not located on the read-only volume in /System/Applications. Instead, Safari remains in /Applications as /Applications/Safari.app.
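
Both relocations described above (the User Template directory and the Apple-installed apps) break scripts that hard-code the old path. As an added example that is not part of the original post, the following shell functions try the Catalina location first and fall back to the pre-Catalina one, so the same script works on both sides of the change; the optional root argument is an assumption of this example so the logic can be tried against a constructed directory tree.

```shell
#!/bin/bash
# Resolve paths that moved onto Catalina's read-only system volume without
# hard-coding either the pre-Catalina or the Catalina location.

# Print the directory holding the default user template. Catalina moved it
# from /System/Library/User Template to /Library/User Template, so the new
# location is checked first. ROOT (optional, an assumption of this example)
# prefixes the candidate paths so the function can be tested on a fake tree.
user_template_dir() {
  local root="${1:-}" candidate
  for candidate in "$root/Library/User Template" "$root/System/Library/User Template"; do
    if [ -d "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}

# Print the on-disk location of an app given its path relative to /Applications
# (for example "Utilities/Keychain Access.app"). Apps Apple ships with the OS
# now live under /System/Applications; separately updated apps such as Safari
# and all third-party apps are still under /Applications, so both are tried.
app_path() {
  local rel="$1" root="${2:-}" candidate
  for candidate in "$root/System/Applications/$rel" "$root/Applications/$rel"; do
    if [ -d "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}

# Example use: locate Keychain Access wherever this macOS release keeps it.
if keychain_access="$(app_path "Utilities/Keychain Access.app")"; then
  echo "Keychain Access is at: $keychain_access"
else
  echo "Keychain Access not found in /System/Applications or /Applications" >&2
fi
```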

Categories: Mac administration, macOS

Enable automatic macOS and App Store updates on macOS Catalina with a profile

October 10, 2019 Leave a comment

A while back, I wrote a post on enabling automatic software updates on OS X Yosemite through macOS Mojave. As part of the post, I mentioned that it wasn’t possible to manage the options for automatic macOS and App Store updates using a profile. The reasons were the following:

  • The App Store update options were managed by the com.apple.commerce preference domain, which isn’t manageable with a profile.
  • The AutomaticallyInstallMacOSUpdates setting in the com.apple.SoftwareUpdate preference domain should be manageable with a profile, but for unknown reasons, it couldn’t be.

As of macOS Catalina, I’m happy to say that this has changed. For more details, please see below the jump.

Preventing the macOS Catalina upgrade advertisement from appearing in the Software Update preference pane on macOS Mojave

October 7, 2019 25 comments

Not yet ready for macOS Catalina in your environment, but you’ve trained your folks to look at the Software Update preference pane to see if there are available updates? One of the ways Apple is advertising the macOS Catalina upgrade is via the Software Update preference pane in System Preferences.

If you want to prevent that advertising banner from appearing, run the following command with root privileges:

softwareupdate --ignore "macOS Catalina"

You should see text appear which looks like this:

Ignored updates:
(
    "macOS Catalina"
)

The advertisement banner from the Software Update preference pane should now be removed.

Categories: Mac administration, macOS

Downloading macOS Mojave from the Mac App Store

October 7, 2019 2 comments

Now that macOS Catalina has been released, it’s become more difficult to access the macOS Mojave installer for those who still need it. Fortunately, Mojave has not been removed from the MAS and it is still available for download. Apple has a KBase article that shows how to access the macOS Mojave page in the Mac App Store, available via the link below:

https://support.apple.com/HT210190

To access the macOS Mojave page directly, please click on the link below:

https://itunes.apple.com/us/app/macos-mojave/id1398502828?ls=1&mt=12

That link should open the MAS and take you to the macOS Mojave download page.

The Mojave installer itself will download via the Software Update pane in System Preferences.

In the event that you’re blocked from downloading macOS Mojave, you should be able to download it in a virtual machine. I have a post on how to do this, available via the link below:

https://derflounder.wordpress.com/2017/02/21/downloading-older-os-installers-on-incompatible-hardware-using-vms/

Categories: Mac administration, macOS

Notarization on macOS Catalina and IT auditing

October 3, 2019 Leave a comment

One of the changes Apple is introducing in macOS Catalina is the notarization requirement for code in the following categories:

  •  All apps signed after June 1st, 2019
  •  Signed executable code which is undergoing first-run checks (this check is triggered by the executable having a com.apple.quarantine extended attribute).

Note: Signed executable code can take many forms, including command-line binaries or other tools which don’t fit into the usual macOS app category. In this post, I’m going to be using “executable” or “executable code” as shorthand for “It’s not an app, but you can sign, notarize and run it.”

Notarization is commonly thought of as Apple doing a malware scan on the app / executable in question, but it’s also more than that. Notarization also includes a code hardening process for the app or executable, which sets up the app or executable code to run in a protected environment. What protections are provided? According to Apple:

  •  App / executable can’t create executable memory without the app / executable being associated with a code signature.
  •  When the OS is reading code or data from drive storage, all the data being read in to the running app or executable must match the app / executable’s code signature.
  •  Code which is modified in memory and which no longer matches the app / executable’s code signature can’t be executed.
  •  Protection is provided against code injection and/or dylib hijacking.

While there are entitlements provided by Apple to allow apps / executables to bypass these protections, they’re embedded as part of the notarization process and can’t be changed later without breaking the code signature. Meanwhile, notarization is for the life of that particular app / executable code. It’s not just checked once, as has been the case with Gatekeeper’s code signature check for apps / executables on previous versions of macOS.

How does this relate to IT auditing and making it less painful? Well, imagine you had an auditor come to you and say “I need you to check and verify that all third-party apps used in your environment have been scanned for malware.”

Holy cow. That’s a huge requirement.

Or it was. Notarization provides exactly that capability, and it can be verified on demand using the stapler tool. Even better, since the OS is what’s requiring notarization for apps, it’s automatically handling compliance for you. Meanwhile, notarization’s protected environment considerably limits the ability of malware to hijack notarized apps. That likely would check a few more malware-related compliance boxes on the auditor’s checklist.

For an example of this, let’s take a look at the Australian Cyber Security Centre’s guidance for application whitelisting. Of the enforcement mechanisms it lists, two are provided by macOS Catalina’s handling of notarized apps:

  • Cryptographic hash rules
  • Publisher certificate rules

The US’s National Institute of Standards and Technology provides similar guidance (please see Section 2.2.1 File and Folder Attributes of NIST SP 800-167).

This is not to say that you can hold up a “Notarized!” sign to the auditor, watch the auditor leave after just tossing the checklist aside and commence the post-audit party. But for those folks who have to undergo regular compliance auditing, I would recommend you examine your auditing requirements carefully to see which IT audit controls on your list now get handled automatically on macOS Catalina with its notarization requirements.
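
As an added example that is not part of the original post, the following shell script turns the on-demand stapler check described above into an audit report: for every app bundle in a directory it records Gatekeeper’s verdict from spctl and whether a notarization ticket is stapled. It assumes the Xcode command line tools are installed so that xcrun stapler is available; the verdict parsing is kept in its own function so it can be exercised on captured spctl output.

```shell
#!/bin/bash
# Notarization audit for a directory of app bundles. Prints one CSV line per
# app: path, Gatekeeper verdict, and whether a notarization ticket is stapled.

# Turn the text spctl prints into one of three verdicts. On Catalina a notarized
# app assesses as "accepted" with a "source=Notarized Developer ID" line; an app
# signed before the requirement, or an OS-bundled app, is accepted without it.
classify_spctl_verdict() {
  local verdict="$1"
  if printf '%s\n' "$verdict" | grep -q '^source=Notarized Developer ID'; then
    echo notarized
  elif printf '%s\n' "$verdict" | grep -q ': accepted$'; then
    echo accepted-not-notarized
  else
    echo rejected
  fi
}

# Assess one bundle. "stapler validate" exits 0 only when a ticket is stapled,
# which is what lets the app be verified without contacting Apple.
assess_app() {
  local app="$1" verdict staple
  verdict="$(spctl -a -vv "$app" 2>&1 || true)"
  if xcrun stapler validate "$app" >/dev/null 2>&1; then
    staple=stapled
  else
    staple=unstapled
  fi
  printf '%s,%s,%s\n' "$app" "$(classify_spctl_verdict "$verdict")" "$staple"
}

# Report on every app bundle directly under a directory.
audit_apps() {
  local dir="$1" app
  echo "path,gatekeeper,ticket"
  for app in "$dir"/*.app; do
    if [ -d "$app" ]; then
      assess_app "$app"
    fi
  done
}

# Example use: audit /Applications (third-party apps live here on Catalina).
audit_apps "${1:-/Applications}"
```

Apps that report accepted-not-notarized deserve a second look against the June 1st, 2019 signing date above; rejected ones should not be running at all.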
