Archive
Uninstalling macOS system extensions
With the ongoing change from kernel extensions to system extensions, one new thing Mac admins will need to learn is how to uninstall system extensions. Fortunately, Apple has provided a tool as of macOS Catalina that assists with this: systemextensionsctl
If you run the systemextensionsctl command by itself, you should get the following information about usage:
systemextensionsctl: usage: systemextensionsctl developer [on|off] systemextensionsctl list [category] systemextensionsctl reset - reset all System Extensions state systemextensionsctl uninstall ; can also accept '-' for teamID
The last verb, uninstall, is what allows us to remove system extensions. For more details, please see below the jump.
Running recoverydiagnose in macOS Recovery
Most Mac admins, especially those who file bug reports or who work with AppleCare Enterprise, are familiar with running the sysdiagnose tool to gather diagnostic information about a Mac they’re working on. Running sysdiagnose will trigger a large number of macOS’s performance and problem tracing tools and use their reports to assemble what amounts to a snapshot of your Mac’s complete state at the time you ran the sysdiagnose tool, which can be very useful to developers trying to trace down why a particular problem is occurring.
However, this tool only applies to a Mac’s regular OS. What if the problem you’re seeing is in the macOS Recovery environment? In that case, you can run the recoverydiagnose tool in macOS Recovery to gather similar data specifically for macOS Recovery-related problems. For more details, please see below the jump.
create_macos_vm_install_dmg updated for macOS Big Sur installer disk images
As part of testing macOS Big Sur 11.0.0, I’ve updated my create_macos_vm_install_dmg script. For more details, please see below the jump.
Using an Activation Lock bypass code from Jamf Pro to clear Activation Lock on a Mac
As part of macOS Catalina, Apple introduced Activation Lock for Macs. As on iOS, Activation Lock is an anti-theft feature designed to prevent activation of a Mac if it’s lost or stolen.
Activation Lock on Macs does have some requirements in order for it to work. The Mac must:
- Run macOS Catalina or later
- Use the Apple T2 Security chip
- Two-factor authentication must be enabled on the Apple ID used for enable Activation Lock.
- Secure Boot must be enabled with Full Security settings and Disallow booting from external media selected.
Once these requirements are satisfied, Activation Lock is automatically enabled when Apple’s Find My service is enabled.
However, having Activation Lock turn on when Find My is enabled can lead to situations where it’s enabled by an employee on company-owned equipment. When this happens, companies, schools or institutions need a way to bypass Activation Lock without needing to know anything about the Apple ID used by the employee.
To provide this bypass, Apple has made it possible for companies, schools and institutions to use their MDM solution to clear Activation Lock. For more details, please see below the jump:
Allowing external boot drives for T2-equipped Macs
With WWDC 2020 only a couple of weeks away, a number of folks are preparing to run the new beta version of macOS. While some will choose to go all-in and run the new OS on their main boot drive, others will prefer to install the new OS onto an external drive. However, for Macs equipped with T2 chips, there’s an extra step involved with allowing your Mac to boot from an external drive. For more details, please see below the jump.
Mad, bad and possibly dangerous – a cautionary tale of software installation
In my career, I’ve run across a lot of terrible installers in a variety of forms. The one I ran across today though is noteworthy enough that I want to point it out because of the following reasons:
- It’s an installer application. I have opinions on those.
- It’s for a security product where, as part of the installation, you need to provide the username and password for an account on the Mac which has:
- Administrator privileges
- Secure Token
Note: I have no interest in talking to the vendor’s legal department, so I will not be identifying the vendor or product by name in this post. Instead, I will refer to the product and vendor in this post as “ComputerBoat” and leave discovery of the company’s identity to interested researchers.
For more details, please see below the jump.
Enabling Safari to successfully connect after changing a self-signed certificate
Every so often, I need to use Safari to access something which is using a self-signed certificate. When I do so, Safari now walks you through the following procedure:
- Warns you something’s not right and give you the option of either going back or seeing the details.
- If you choose to see the details, Safari will let you view the certificate.
Safari will also give you the option of proceeding anyway.
If you choose to proceed anyway, Safari will store the self-signed certificate in your login keychain and mark it as trusted.
With this certificate now marked as trusted, Safari will allow you to visit the website.
However, what happens when the SSL certificate changes but keeps the same subject name? At this point, connections from Safari to the site will fail with an error message similar to the one described below:
Safari Can’t Open the Page
Safari can’t open the page because Safari can’t establish a secure connection to the server “server.name.here”.
The reason that this message appears is because Safari is using HTTP Strict Transport Security, otherwise known as HSTS. One of the requirements of HSTS as implemented by Safari is that if the security of the connection cannot be ensured, Safari must terminate the connection and should not allow the user to access the web application.
Since the self-signed certificate stored in your login keychain and the SSL certificate being received don’t match each other, that tells Safari that the certificate being received can’t be trusted. The result is Safari immediately terminates the connection and displays an error message like the one shown above.
However, what if the certificate changing is known behavior and you know that proceeding is safe? It’s possible to re-set Safari’s behavior, but it’s not intuitive. For more details, please see below the jump.
Erasing a FileVault-encrypted T2-equipped Mac
Normally, reinstalling macOS on a Mac is a straightforward process:
1. Boot to macOS Recovery
2. Select Reinstall macOS from macOS Utilities.
3. Follow the onscreen instructions.
However, if you have a Mac equipped with a T2 chip where FileVault is turned on, there’s an extra step involved. When you boot to macOS Recovery on a T2 Mac with FileVault on, you will be prompted for the password of an account on the Mac which has admin privileges.
If you don’t have the password to any of the accounts which appear, you can select the Forget all passwords? option.
This will bring up a new screen where you can enter a FileVault Personal Recovery Key.
If you can provide either the account password or the personal recovery key, the next thing you should see is the macOS Utilities screen.
What if you don’t have either a password or a personal recovery key? Is your Mac now a paperweight? For more details, please see below the jump.
Booting to macOS Recovery or Diagnostics via Jamf Pro’s Self Service
One of the advantages provided by Jamf Pro’s Self Service is that you can use it to provide easy access to tools for your users or helpdesk folks. One such tool could be a script which helps folks boot to their Macs to one of the following Apple support services:
- Diagnostics / Apple Hardware Test: https://support.apple.com/HT202731
- macOS Recovery: https://support.apple.com/HT201314
For more details, please see below the jump.
Kernel extension warning dialogs in macOS Catalina 10.15.4
As part of macOS Catalina 10.15.4, Apple has begun displaying a new dialog window message concerning third-party kernel extensions. macOS Catalina is the last macOS to fully support the use of kernel extensions and these messages are meant to notify users of the following:
- macOS had detected that a third-party kernel extension had been loaded.
- The loaded kernel extension would be incompatible with an unspecified future version of macOS
To further reinforce the message that kernel extensions are going away, Apple refers to them in the message window as “legacy system extensions”. System extensions were introduced as part of macOS Catalina and are Apple’s replacement for kernel extensions.
As of macOS 10.15.4, these messages are informational only and do not indicate that anything is wrong with the referenced third-party kernel extension. For more information, please see the link below:
https://support.apple.com/HT210999
Blocking the messages
For a number of managed environments, these messages can be prevented from appearing. As long as a third-party kernel extension is whitelisted using an appropriate configuration profile, the message for it should not appear.
For more information about whitelisting kernel extensions using a configuration profile, please see the links below:
https://derflounder.wordpress.com/2018/04/12/whitelisting-third-party-kernel-extensions-using-profiles/
https://support.fleetsmith.com/hc/en-us/articles/360037495013-What-is-a-kernel-extension-
https://support.apple.com/guide/mdm/kernel-extension-policy-mdm88f99b98a/web
Recent Comments