Author Archive

Configuring System Integrity Protection without booting to Recovery HD

October 5, 2015 2 comments

One interesting part of Apple’s developer documentation for System Integrity Protection (SIP) is the note shown below, indicating that it’s possible to configure SIP for environments that can’t access Recovery.

Apple developer documentation for configuring SIP outside recovery

When I followed up with Apple about this, I was told that this meant I could configure it using NetBoot, using a NetBoot set that included the needed Recovery environment.

The example used was leveraging a new option in System Image Utility to create a package-only installation NetBoot set.

System image utility package only installation

This new type of NetBoot set is designed to install only scripts, configuration profiles and packages, as opposed to installing an OS. For more details, see below the jump.


Enabling an IPv6-only network using Internet Sharing on El Capitan

October 5, 2015 Leave a comment

One of the hidden features of OS X El Capitan is the ability to enable Internet Sharing to provide only IPv6 addresses. This feature was added to El Capitan to help developers ensure their apps are ready to work with IPv6. It uses NAT64, which facilitates communication between IPv6 and IPv4 hosts by using a form of NAT.

For those interested in having the ability to set up an IPv6-only network, see below the jump for the procedure.


System Integrity Protection – Adding another layer to Apple’s security model

October 1, 2015 4 comments

As part of the release of OS X El Capitan, Apple has added a new layer named System Integrity Protection (SIP) to its security model. To understand how System Integrity Protection fits in, let’s first take a look at Apple’s security model as it existed as of OS X Yosemite.

OS X Defenses



Gatekeeper is one of the outer lines of defense. It allows users to restrict which sources they can install applications from, with the general idea being that malware will not be from an allowed source.



OS X also uses sandboxing extensively. A sandbox typically provides a tightly controlled set of resources for programs to run in. Network access, the ability to inspect the host system, or reading from input devices is usually disallowed or heavily restricted.


POSIX permissions

OS X uses the Unix permissions model as defined by POSIX, which governs which users and groups can access which files and directories. If a particular user account requests access to a particular file or directory and does not have the necessary rights, that account is refused access.



The innermost layer of defense is keychains. Keychains are very specialized databases designed for storing secrets, like passwords, private keys and PIN numbers, and then controlling access to those secrets. To help protect these secrets, keychains are encrypted.


There’s an issue with this model though and it’s been there for decades. It pre-exists OS X and even pre-exists Apple as a company. That issue is found in the POSIX permissions layer.

OS X defenses with POSIX highlighted


Whoami root


Root is the superuser for a Unix system and the Unix permissions model is designed around the assumption that root has access to everything. Apple has not ignored this issue and has put some controls in place to limit the actual root user. These controls include disabling the root user account, discouraging its use, and providing ways to access elevated or root privileges using other means.

However, the root user account is still present and still can do anything on the system.


System Integrity Protection

To limit what the superuser can do and add another layer to OS X’s security model, Apple has developed SIP and deployed it as part of OS X El Capitan. SIP is designed to limit the power of root and to protect the system even from the superuser. For more details, see below the jump.


Outlook 2011, OS X El Capitan and the Pinwheel of Patience

September 30, 2015 162 comments

If you’re planning to upgrade to OS X El Capitan and you use Outlook 2011 to get email from Microsoft Exchange, you may want to delay upgrading. On El Capitan, connecting to Exchange email servers causes Outlook 2011 to freeze and display a beachball cursor.

 Outlook Pinwheel of Patience

The issue appears to only affect Outlook 2011 when configured to access Exchange servers. When set up with only IMAP accounts, Outlook 2011 does not appear to display this behavior.

Microsoft is aware of the issue and has posted a knowledgebase article about it:

Downloading older versions of OS X using Recovery

September 29, 2015 1 comment

As of September 28th, 2015, Apple has apparently removed the listings for older versions of OS X and other discontinued software from the Purchased tab of users who had previously purchased or downloaded them.


With this software unavailable in the Mac App Store, this change means that it’s no longer possible to download the following versions of OS X from the Mac App Store:

  • Mac OS X Lion
  • OS X Mountain Lion
  • OS X Mavericks

Update – 9-29-2015: The listings for older versions of OS X and other discontinued software have re-appeared in the Purchased tab as of this morning, so this software is now available for download again.


Fortunately, it’s still possible to download installers for these versions of OS X, provided you have access to a Mac or virtual machine running the version of OS X that you need to download. For more details, see below the jump.


PATH environment variables and Casper 9.8

September 24, 2015 1 comment

With the release of Casper 9.8, the Casper agent’s jamf and jamfAgent binaries made their planned move from /usr/sbin to /usr/local/jamf/bin. Afterwards, a number of Casper-using folks who were used to running commands that referenced the jamf and jamfAgent binaries from Apple Remote Desktop (ARD) or other tools began to see errors indicating that the jamf and jamfAgent binaries could not be found.


Conversely, opening a Terminal session and running the exact same command works fine.


Why are different tools acting differently? The root cause is that they each have different PATH environment variables, usually referred to as $PATH. For more details, see below the jump.


System Integrity Protection and resetting NVRAM

September 21, 2015 Leave a comment

OS X El Capitan’s new System Integrity Protection (SIP) security feature stores its active security configuration in NVRAM. This allows SIP’s configuration to persist across OS installs, but this design choice also means that resetting NVRAM will cause SIP to reset as well. In my testing, this reset will result in the following SIP configuration:

Resetting the NVRAM, otherwise known as a PRAM reset or PRAM zap, has been a standard part of the Mac troubleshooting toolkit for a long time and is performed by pressing and holding down the Option, Command (⌘), P, and R keyboard keys at startup.

PRAM zap

For shops that do not plan to change SIP’s default configuration or set a NetBoot whitelist, NVRAM resets causing SIP’s configuration to also reset should not affect normal operations.

However, for those shops who will need to maintain a NetBoot whitelist or a custom SIP configuration, I would advise education where needed about this change and how it affects SIP configuration in your environment.

