Apple announced on Saturday, August 8th that the FIPS 140-2 validations for the cryptographic modules used by iOS 8 and OS X 10.10.x have now been completed. This is significant news for folks who want to use FileVault 2 in government and regulated industries (such as financial and health-care institutions).
For folks who haven’t heard of it before, FIPS 140-2 is an information technology security accreditation program run jointly by the US and Canadian governments. This program is used by private sector vendors to have their cryptographic modules certified for use in US and Canadian government departments and private industries with regulatory requirements for security.
As part of the announcement, Apple has released KBase articles and guidance for security offices who deal with encryption:
OS X Yosemite: Apple FIPS Cryptographic Modules v5.0 – http://support.apple.com/kb/HT205017
Crypto Officer Role Guide for FIPS 140-2 Compliance OS X Yosemite v10.10 – https://support.apple.com/library/APPLE/APPLECARE_ALLGEOS/HT205017/APPLEFIPS_GUIDE_CO_OSX10.10.pdf
According to Apple, the OS X Yosemite Cryptographic Modules, Apple OS X CoreCrypto Module v5.0 and Apple OS X CoreCrypto Kernel Module v5.0, require no setup or configuration to be in “FIPS Mode” for FIPS 140-2 compliance on devices running OS X Yosemite v10.10.
FileVault 2 is listed as being FIPS 140-2 Compliant as part of the Crypto Officer Role Guide for FIPS 140-2 Compliance OS X Yosemite v10.10 documentation, in the Compliant Applications and Services section.
For more information about the validation certification, please see below the jump.
As part of releasing the developer betas for OS X 10.11, Apple announced that El Capitan would be the end of the line for the Java 6 runtime and tools provided by Apple, with the clear statement that developers should be moving on to Oracle’s Java tools.
To completely replace Apple’s Java 6 tools, Oracle’s Java JDK (Java SE Development Kit) will need to be installed. This is because the Oracle Java JRE (Java Runtime Environment) on OS X is a browser plug-in for running Java via a web browser and does not include capabilities for running Java desktop apps or command line tools.
By default though, the Oracle JDK does not set several options to advertise the capabilities provided by the JDK to Java apps, which may cause applications that need those capabilities to fail to launch. The capabilities are actually present in the JDK, but those options need to be set before applications will recognize them as available.
To fix this, we need to add the following options to Oracle’s Java JDK:
In turn, enabling these options means they need to be added to the list of JVMCapabilities stored in the following plist file:
For more details, see below the jump.
One of the issues I worked on this week was building a new Office 2016 installer after Microsoft began making Office 2016 available to its volume license customers. I have an existing process to build a combined Office 2011 installer using Packages, which I’ve used successfully for a while, so I decided to see if I could apply the same process to building an Office 2016 installer.
However, when I installed the combined Office 2016 installer with DeployStudio, then logged in, I was asked to sign into an account and activate Office. Since my work has a volume license, this isn’t a screen I should be seeing.
This is a problem that I’ve seen before with previous Microsoft Office 2011 installers and usually involves the license file not being applied when it should be. This behavior is seen on Macs in the following cases:
- Office 2016 is installed and then updated to 15.12.3 while nobody is logged in
- Office 2016 is installed and then updated to 15.12.3 without any Office applications being launched between the initial installation and the update.
These two scenarios will likely apply if you’re building a new machine using an automated deployment tool, but likely will not if you’re a home user.
The easiest fix I’ve found in my testing is to get the necessary volume license file from a machine that has Office 2016 installed on it and put it back on an as-needed basis.
The needed file is /Library/Preferences/com.microsoft.office.licensingV2.plist. If you have a volume-licensed version of Office 2016 installed on your Mac, you should have this file.
To address this issue, you can use Packages’ ability to add resources to a Packages-built package. See below the jump for an example using an Office 2016 volume licensed installer package, the Office 2016 15.12.3 updates for Excel, OneNote, Outlook, PowerPoint, and Word, as well as the com.microsoft.office.licensingV2.plist license file to build a unified Office 2016 15.12.3 installer package that does not prompt for a product key.
On OS X 10.10.x and later, disabling Gatekeeper does not mean it is permanently off. After a set amount of time (currently 30 days), Gatekeeper will automatically re-enable itself with the Allow apps downloaded from: Mac App Store and identified developers setting.
I was able to track down which part of the OS this was coming from and it looks like it’s defined as part of syspolicyd:
After doing some research, it looks like Gatekeeper’s automatic re-enablement function can be disabled by running the following command with root privileges:
defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool false
This would allow Gatekeeper to be set to Allow apps downloaded from: Anywhere and have it stay that way.
For those who want to set this with a management profile, I’ve created a .mobileconfig file and posted it here on Github:
Update – 7-31-2015: My colleague Tom Burgin points out that this may not be manageable via a profile after all, due to the way Apple has set the value that it’s reading:
If a management profile isn’t being respected, the defaults command listed above is the way to apply this to machines.
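A read-only audit of this setting, as an added example that is not part of the original post: it reads the plist file that the defaults command above writes and reports whether Gatekeeper's automatic re-arming has been turned off on a machine. The status labels, function names and sample plists are constructed for illustration, and treating a missing key as the OS default is an assumption.

```python
import plistlib
from pathlib import Path

# File written by: defaults write /Library/Preferences/com.apple.security ...
PLIST_PATH = Path("/Library/Preferences/com.apple.security.plist")
KEY = "GKAutoRearm"


def classify_autorearm(plist_bytes):
    """Classify the GKAutoRearm value found in raw plist bytes (XML or binary)."""
    try:
        prefs = plistlib.loads(plist_bytes)
    except Exception:  # plistlib raises several exception types on bad input
        return "unreadable"
    if not isinstance(prefs, dict) or KEY not in prefs:
        # Assumption: with no override present, the default re-arm behaviour applies.
        return "default-rearm"
    value = prefs[KEY]
    if value is False:
        return "rearm-disabled"
    if value is True:
        return "rearm-enabled"
    # For example the string "false", which is what gets stored when -bool
    # is left off the defaults command. Flag it rather than guess its effect.
    return "unexpected-type"


def audit_host(path=PLIST_PATH):
    """Classify the setting on this machine; a missing file means no override."""
    try:
        return classify_autorearm(path.read_bytes())
    except FileNotFoundError:
        return "default-rearm"
    except OSError:
        return "unreadable"


# Constructed sample plists (not taken from a real machine).
SAMPLES = {
    "bool_false": plistlib.dumps({KEY: False}, fmt=plistlib.FMT_BINARY),
    "bool_true": plistlib.dumps({KEY: True}),
    "string_false": plistlib.dumps({KEY: "false"}),
    "key_absent": plistlib.dumps({"SomeOtherKey": 1}),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", classify_autorearm(blob))
    print("this host ->", audit_host())
```

A result of "rearm-disabled" or "unexpected-type" marks a machine worth reviewing, since on those machines a Gatekeeper setting of Anywhere may no longer revert on its own.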
I’ve filed a bug report about this. For those interested in duping this bug, the bug report ID is 22094327. I’ve also cross-posted it to OpenRadar:
I do a lot of my application testing in VMs, so when Firefox 39.0 came out, it went into my test environment and I built a new VM to check it out.
Update – 8-13-2015: This issue has been resolved in Firefox 40.x and later.
Firefox 39.0 looked like this when I launched it in my test VM.
As part of my testing workflow, I also installed Firefox 39.0 onto a couple of actual Macs.
Firefox 39.0 looked like this when I launched it on those machines.
As you can see, two very different results were discovered as part of my testing. After a few rounds of “It’s broken in the VM, retest, it’s still broken, retest on my laptop, no problem, repeat,” I finally tracked down a Mozilla bug report that indicated that the issue was not specific to my environment and gave me the potential scope of the issue. For more information, see below the jump.
I recently learned that there are hidden text editing options for the Casper JSS’s script editor. To access these options, do the following:
1. Log into your JSS
2. Go to Computer Management: Scripts
3. Bring up the script editor in your browser
4. Click inside the text entry area of the script editor
5. Press Command + comma (⌘ + ,)
6. The JAMF script editor’s text editing options will appear.
There are some issues to be aware of:
- Changes made are global and will affect all currently logged-in users
- The settings changes are not persistent across sessions. If you log out or are logged out, you will need to set up your settings again.
Ideally, changes made to the text editing preferences would be:
A. Per-user instead of affecting all users
B. Persistent, so that changes to these settings would not be lost on logout.
There’s an existing feature request on JAMF Nation which requests these changes. If you agree that this would be beneficial, please vote it up.
I had previously written about deploying Sophos Enterprise Anti-Virus for Mac 9.2.x, but I was recently notified that the method I had been using would stop working in a future release of Sophos.
Sophos has a KBase article about pre-configuring their installer application with the AutoUpdate settings, but I also wanted to be able to deploy Sophos using an installer package. Using the information from the KBase article, I was able to update my existing method for building an installer package for deploying Sophos Enterprise Anti-Virus for Mac 9.2.x. For the details, see below the jump.