OS X El Capitan’s new System Integrity Protection (SIP) security feature stores its active security configuration in NVRAM. This allows SIP’s configuration to persist across OS installs, but this design choice also means that resetting NVRAM will cause SIP to reset as well. In my testing, this reset will result in the following SIP configuration:
- SIP will be enabled with all protections in place
- No entries will be set in the SIP NetBoot whitelist
Resetting the NVRAM, otherwise known as a PRAM reset or PRAM zap, has been a standard part of the Mac troubleshooting toolkit for a long time and is performed by pressing and holding down the Option, Command (⌘), P, and R keyboard keys at startup.
For shops that do not plan to change SIP’s default configuration or set a NetBoot whitelist, an NVRAM reset that also resets SIP’s configuration should not affect normal operations.
However, for those shops who will need to maintain a NetBoot whitelist or a custom SIP configuration, I would advise education where needed about this change and how it affects SIP configuration in your environment.
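For shops that do maintain a custom SIP configuration or a NetBoot whitelist, a simple drift check helps catch a PRAM reset before it causes trouble. The shell script below is an added example and not part of the original post or of any Apple tool: it parses the text that `csrutil status` and `csrutil netboot list` print and compares it against the state the shop expects. The sample outputs are constructed for offline testing; the exact wording of the "(Custom Configuration)" status line and of the NetBoot list header are assumptions, so the parser keys only on the "enabled"/"disabled" phrases and on dotted-quad address lines.

```shell
#!/bin/sh
# Added example (not from the original post): detect whether a Mac's SIP
# configuration has drifted back to the post-NVRAM-reset default
# (SIP fully enabled, empty NetBoot whitelist).
# On a real El Capitan Mac you would pass "$(csrutil status)" and
# "$(csrutil netboot list)"; the samples below are constructed so the
# logic can be exercised without a Mac.

# Constructed sample of `csrutil status` with a custom configuration
# (the "(Custom Configuration)" wording is an assumption).
SAMPLE_STATUS_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: enabled
    Filesystem Protections: disabled
    Debugging Restrictions: enabled'

# Constructed sample of `csrutil status` after an NVRAM (PRAM) reset.
SAMPLE_STATUS_DEFAULT='System Integrity Protection status: enabled.'

# Constructed samples of `csrutil netboot list` (header wording assumed);
# only the address lines matter to the parser.
SAMPLE_NETBOOT_ONE='Allowed NetBoot sources:
10.0.0.5'
SAMPLE_NETBOOT_EMPTY='Allowed NetBoot sources:'

# Summarize the SIP state from csrutil status text:
# prints "custom", "default", "disabled" or "unknown".
# The custom pattern must be tested before the plain "enabled" one.
sip_state() {
    case "$1" in
        *'status: enabled (Custom Configuration)'*) echo custom ;;
        *'status: enabled'*) echo default ;;
        *'status: disabled'*) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Count NetBoot whitelist entries: lines that are dotted-quad addresses.
# grep -c prints 0 and exits 1 on no match, so neutralise the status.
netboot_count() {
    printf '%s\n' "$1" | grep -Ec '^[0-9]+(\.[0-9]+){3}$' || true
}

# Compare the observed state with what this shop expects.
# Returns 0 when it matches, 1 when it has drifted (e.g. after a PRAM reset).
sip_drift() {
    expected_state=$1
    expected_netboot=$2
    state=$(sip_state "$3")
    count=$(netboot_count "$4")
    if [ "$state" = "$expected_state" ] && [ "$count" -eq "$expected_netboot" ]; then
        echo "ok: SIP $state, $count NetBoot whitelist entries"
        return 0
    fi
    echo "DRIFT: expected SIP $expected_state with $expected_netboot NetBoot entries, found $state with $count"
    return 1
}

# On a real Mac: sip_drift custom 1 "$(csrutil status)" "$(csrutil netboot list)"
sip_drift custom 1 "$SAMPLE_STATUS_CUSTOM" "$SAMPLE_NETBOOT_ONE"
sip_drift custom 1 "$SAMPLE_STATUS_DEFAULT" "$SAMPLE_NETBOOT_EMPTY" || :
```

Run from a management agent or a login script, the non-zero exit from `sip_drift` is the signal to re-apply the shop's SIP settings (which require booting to the Recovery OS) rather than discovering the reset when a NetBoot or a protected-path change fails later.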
OS X El Capitan adds a new security feature named System Integrity Protection (SIP). Among other things, SIP prevents parties other than Apple from adding, deleting or modifying directories and files stored in certain directories:
Apple has indicated that the following directories are available for developers to access:
All directories in /usr except for /usr/local are protected by SIP.
SIP’s protection of /System affects XProtect’s XProtect.plist and XProtect.meta.plist configuration files as they are stored in the following location inside /System:
As the XProtect configuration files will be locked against editing on OS X El Capitan, this means that they can no longer be managed to allow older versions of the Flash and Java browser plug-ins to run.
If your shop includes a mission-critical system that requires using older Flash or Java browser plug-ins, I recommend working with your vendor and/or in-house developers to find out:
- If the use of the Java and/or Flash browser plug-ins can be discontinued.
- If their use can’t be discontinued, whether the system in question can be updated to support the latest versions of these plug-ins, and whether it will stay compatible as new versions of the Java and/or Flash browser plug-ins are released.
Update – 9-14-2015: Josh Dyson has pointed out that there is a way to allow older plug-ins to access specific sites.
By adding the needed sites to a whitelist in Safari and setting those specific sites to Allow Always, those sites’ functions will be accessible with the older browser plug-in even if XProtect would otherwise block the use of the plug-in. Websites not included in the whitelist would still have the use of the plug-in blocked.
Apple has provided a KBase article showing how to manage Safari plug-in options, including how to whitelist websites, using a configuration profile. It’s available via the link below:
Apple took an unusual step this week and released a knowledgebase (KBase) article that refers to an as-yet unreleased operating system:
I can only praise the decision to create it. The content covered affects a number of enterprise Mac environments and gives the Mac admins who support those environments time to prepare for an important change which may affect them.
That said, the KBase article itself is confusingly written and also includes an error. For more details, see below the jump.
A new feature in VMware Fusion 8 Professional is the ability to create a new VM on an ESXi 6.x server. This new functionality gives Fusion users on OS X another tool for managing VMs on VMware’s ESXi hypervisor and complements the ability to copy VMs between VMware Fusion and VMware ESXi 5.5.x and 6.x.
There are a few things to know about if you want to create an OS X VM on an ESXi server running 6.x, so I’ve put together a procedure for those who want to leverage Fusion 8.x Pro to create new OS X VMs on ESXi. See below the jump for the details.
I’ve started filing bug reports with Apple using a handy tool named QuickRadar. It helps streamline the process by filing bug reports via a native app on my Mac, rather than having to go through this process:
- Open a web browser.
- Go through the process of signing into bugreport.apple.com
- File a bug report using Apple’s bug reporting web interface
QuickRadar also makes it easy to cross-post the submission of a bug report to Open Radar. Since bugreport.apple.com is not publicly searchable and only allows developers to see their own bugs, Open Radar is a way for developers to share their own bug reports and keep both themselves and their colleagues up-to-date on the status of various bugs filed with Apple. For more details, see below the jump.
The good folks at Penn State have begun posting the session videos from the Penn State MacAdmins Conference 2015. The session slides and currently available videos are all accessible from the Penn State MacAdmins’ Resources page at the link below:
As the session videos are being posted to YouTube, I’ve linked my Virtualization and OS X Testing session here:
The Take Vacations Using this One Weird Trick – Documentation! session I co-hosted with Vanessa White is linked here:
Apple announced on Saturday, August 8th that the FIPS 140-2 validations for the cryptographic modules used by iOS 8 and OS X 10.10.x have now been completed. This is significant news for folks who want to use FileVault 2 in government and regulated industries (such as financial and health-care institutions).
For folks who haven’t heard of it before, FIPS 140-2 is an information technology security accreditation program run jointly by the US and Canadian governments. This program is used by private sector vendors to have their cryptographic modules certified for use in US and Canadian government departments and private industries with regulatory requirements for security.
As part of the announcement, Apple has released KBase articles and guidance for security officers who deal with encryption:
OS X Yosemite: Apple FIPS Cryptographic Modules v5.0 – http://support.apple.com/kb/HT205017
Crypto Officer Role Guide for FIPS 140-2 Compliance OS X Yosemite v10.10 – https://support.apple.com/library/APPLE/APPLECARE_ALLGEOS/HT205017/APPLEFIPS_GUIDE_CO_OSX10.10.pdf
According to Apple, the OS X Yosemite Cryptographic Modules, Apple OS X CoreCrypto Module v5.0 and Apple OS X CoreCrypto Kernel Module v5.0, require no setup or configuration to be in “FIPS Mode” for FIPS 140-2 compliance on devices running OS X Yosemite v10.10.
FileVault 2 is listed as being FIPS 140-2 Compliant as part of the Crypto Officer Role Guide for FIPS 140-2 Compliance OS X Yosemite v10.10 documentation, in the Compliant Applications and Services section.
For more information about the validation certification, please see below the jump.