Archive for the ‘Mac OS X’ Category

Word 2016 and Endnote’s “com.ThomsonResearchSoft.EndNote.plist” dialog window

February 5, 2016 5 comments

Microsoft Office 2016’s applications are sandboxed, which means that they don’t have access to external files and settings by default and need to ask permission from the user. Thomson Reuters’ Endnote software is affected by this because it uses a plug-in for Word 2016. This means that the first time you launch Word 2016 after installing Endnote’s plug-in, you will see a dialog box along with this message:

EndNote needs access to the file named ‘com.ThomsonResearchSoft.EndNote.plist’. Select this file to grant access.

If you’re seeing this dialog box, the com.ThomsonResearchSoft.EndNote.plist file should be already selected. If the file has been selected, please click the Grant Access button. This procedure should only need to be performed once.

Screen Shot 2016 02 05 at 7 51 34 AM


However, if you’re seeing this dialog box and the com.ThomsonResearchSoft.EndNote.plist file has not been automatically selected, that means that Endnote has been installed on this Mac but never launched. For more details, see below the jump.

Read more…

Installing Endnote X7.5’s Cite While You Write plug-ins for Office 2008, 2011 and 2016

February 2, 2016 3 comments

Thomson Reuters has released Endnote X7.5, an updated version of their Endnote bibliography software. This updated version had been long-awaited by a number of folks because it added support for Word 2016.

I have an existing process for deploying and licensing Endnote X7.x and I found that the site license which I’ve been using with previous versions of Endnote X7.x also worked fine with 7.5. One thing that did not work was Endnote X7.5 automatically deploying its Cite While You Write (CWYW) plug-ins for Word 2008, 2011 and 2016.

Screen Shot 2016 02 02 at 3 02 20 PM

In previous versions of Endnote, Endnote’s first launch triggered an assistant which installed the CWYW plug-ins to their correct location. Endnote X7.5, or at least Endnote X7.5’s trial version, appeared to lack this functionality. In addition, the CWYW plug-ins for Word 2016 need to be installed into a completely different location than for previous versions of Word:

  • Word 2008: /Applications/Microsoft Office 2008/Office/Startup/Word
  • Word 2011: /Applications/Microsoft Office 2011/Office/Startup/Word
  • Word 2016: /Library/Application Support/Microsoft/Office365/User Content.localized/Startup.localized/Word

Unlike previous versions of Microsoft Office, the Word 2016 support directories were also not created by Office 2016 by default, so they were not likely to exist unless a third-party plug-in for Word had previously been installed.

Screen Shot 2016 02 02 at 3 01 23 PM

To address the various issues identified, I wrote a script. For more details, see below the jump.

Read more…

Suppressing the iCloud and Diagnostics pop-up windows on El Capitan using profiles

January 28, 2016 2 comments

After posting how to control the Diagnostics & Usage report settings on El Capitan, I was tipped off that there were new ways available on OS X El Capitan to manage both the Diagnostics and the iCloud pop-up windows using profiles.

The profile settings can be seen via Server 5.x’s Profile Manager and currently apply only to OS X El Capitan. For more information, see below the jump.

Read more…

Controlling the Diagnostics & Usage report settings on El Capitan

January 21, 2016 Leave a comment

One of the pop-up windows you get on first login to Yosemite and El Capitan is the Diagnostics & Usage pop-up window. This window requests permission for the following:

  1. Send diagnostics and usage data to Apple
  2. Share crash data with non-Apple developers

Screen Shot 2016 01 21 at 10 07 46 AM


I’ve been suppressing this window on OS X Yosemite by setting the values shown below in /Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist


On OS X El Capitan, it looks like the numeric value set for the AutoSubmitVersion and ThirdPartyDataSubmitVersion settings has changed from 4 to 5. The new settings should look like this:


For more details, see below the jump.

Read more…

FIPS 140-2 validation and FileVault 2

January 10, 2016 2 comments

One question I’ve seen which has caused confusion for folks who deal with security regulations is this: Is FileVault 2 FIPS 140-2 validated?

The answer is: Yes, depending on the version of OS X

The cryptography used by FileVault 2 on the following versions of OS X has gone through the FIPS certification process and has been validated as being as being FIPS 140-2 Compliant:

OS X 10.11 is currently in the process of becoming FIPS 140-2 validated. The reason El Capitan is not automatically FIPS 140-2 validated has to do with OS X’s CoreCrypto cryptography foundation and how the FIPS 140-2 certification process works.

FIPS certification

The FIPS certification process tests a specific cryptographic module used inside a system to protect information. It also applies only to a cryptographic module used in a shipping product; the cryptographic module in question can’t be a prototype or in beta. 

Another important thing to know is that the testing is very specific and applies only to the cryptographic module submitted for review. If the vendor changes anything in the cryptographic module, it loses its FIPS certification and has to be resubmitted for laboratory testing and government review.

There are three major phases in the process:

Phase 1: Design and Documentation

In order to prepare for the FIPS validation process, the cryptographic module in question has to be designed to pass the various tests involved and also be properly documented. This is the part of the process which the vendor has the most control over.

Phase 2: Laboratory Testing

Once the cryptographic module has been designed, documented and shipped, it is submitted to a third-party accredited Cryptographic and Security Testing (CST) laboratory to test the module(s) in question against FIPS 140-2’s qualitative levels of security. This testing can take an indeterminate amount of time, depending on how well the cryptographic module is designed and documented.

Best case: A cryptographic module that properly meets the requirements and with all required documentation written correctly can complete its laboratory testing in two to three months.

Phase 3: Government Review

After the lab has tested the cryptographic module, a report on the testing is submitted to the Cryptographic Module Validation Program (CMVP) for review. CMVP is a joint US-Canadian program that reviews all the test reports, with the CMVP Validation Authorities being the National Institute of Standards and Technology (NIST) for the US Government and the Communications Security Establishment (CSE) for the Government of Canada. This review can also take an indeterminate amount of time, depending on how many test reports need review, and can range from two months to eight months.

Apple and CoreCrypto

Apple’s CoreCrypto library is used by various components in OS X to provide low level cryptographic primitive support. This is the cryptographic library which is submitted by Apple to the FIPS 140-2 certification process.

With every version of iOS and OS X, Apple has made changes to CoreCrypto. As part of making those changes, Apple has had to resubmit CoreCrypto to laboratory testing and government review as part of the FIPS 140-2 certification process.

Apple’s stated intention is to continue FIPS 140-2 validation for OS X’s CoreCrypto cryptography foundation, which would also cover FileVault 2 on future versions of OS X, but the certification process itself can only be begun once that future OS has been released. Meanwhile, as noted above, the testing and governmental review process will take months to complete.

The good news is that it’s possible to at least see where Apple is in the process. NIST has a website where the current list of modules in the process can be viewed via a PDF which is updated weekly. To check for Apple’s progress, search the PDF for entries where Apple, Inc. is listed as the vendor.

Apple’s existing FIPS certifications are also available for reference via the link below:

First look at Veertu

January 10, 2016 3 comments

One of the lesser-known changes that Apple introduced with OS X Yosemite was a Hypervisor framework, which was designed to allow virtualization solutions to be built for OS X without the need for third-party kernel extensions.

Screen Shot 2016 01 08 at 11 58 50 PM

One reason for this was that eliminating the need for kernel extensions allowed the possibility of virtualization software to be distributed and sold via the Mac App Store. While neither VMware or Parallels have taken advantage of this, a new virtualization product named Veertu has recently become available in the MAS.

Screen Shot 2016 01 08 at 8 13 38 AM

Veertu is available for free from the MAS, and allows installation of selected Linux VMs, downloaded from Veertu’s online library. For more details, see below the jump.

Read more…

Managing El Capitan’s FileVault 2 with fdesetup

December 20, 2015 2 comments

For the first time since fdesetup‘s initial release in OS X Mountain Lion 10.8.x, Apple has not added new features to fdesetup as part of a new OS release. Instead, fdesetup maintains the same set of features in OS X El Capitan 10.11.x as it had in OS X Yosemite 10.10.x.

This decision may mean that fdesetup, an essential command-line tool for enabling, administering and disabling Apple’s FileVault 2 encryption, is now considered by Apple to be a fully-developed toolset for managing FileVault 2.

fdesetup gives Mac administrators the following command-line abilities:

  • Enable or disable FileVault 2 encryption on a particular Mac
  • Use a personal recovery key, an institutional recovery key, or both kinds of recovery key.
  • Enable one or multiple user accounts at the time of encryption
  • Get a list of FileVault 2-enabled users on a particular machine
  • Add additional users after FileVault has been enabled
  • Remove users from the list of FileVault enabled accounts
  • Add, change or remove individual and institutional recovery keys
  • Report which recovery keys are in use
  • Perform a one-time reboot that bypasses the FileVault pre-boot login
  • Report on the status of FileVault 2 encryption or decryption

I’ll be taking you through all of the capabilities mentioned above, with a focus on showing exactly how they work. See below the jump for details.

Read more…


Get every new post delivered to your Inbox.

Join 272 other followers

%d bloggers like this: