Kernel extensions
Problems:
Difficult to develop and debug
Stability problems for system
Security problems for system
Introducing System Extensions and DriverKit
New as of Catalina
Similar to kext, but runs in user space; outside the kernel.
Network extensions
Endpoint Security extensions
- Replacement for Kauth event monitoring
Driver extensions
- Control hardware devices
- Uses DriverKit, which replaces IOKit
Deprecating kernel extensions:
macOS Catalina will be the last OS version to run kernel extensions without compromise.
Installing third party kernel extensions on macOS Catalina now requires that you restart your Mac before they're permitted to load.
As System Extensions and DriverKit add functionality, kernel extensions with matching functionality will not load.
System Extensions
- Always part of the app
- No such thing as a "standalone system extension"
- Distribute via the MAS or Developer ID (MAS deployment not previously possible with kernel extensions.)
Sign System Extension with a Developer ID or MAS certificate
- Developer ID for Kernel Extensions certificate is no longer required.
System Extension with a Developer ID must be notarized
Installation
- No installer or package is necessary, System Extension is inside the app bundle.
Use the new SystemExtension
Lifecycle is managed by the system
System Extension will be stopped and started as needed.
Uninstallation
Moving app to the trash deactivates all of its extensions. No special uninstall process is needed.
What's New in Managing Apple Devices
Starting with managing and deploying macOS Big Sur
Automated Device Enrollment
Enrollment customization allows the use of various IdPs for authentication:
Azure Active Directory
Okta
Ping
More IdPs will work, but they aren't specified.
Information from the authentication pane can be used to populate the user's full name (aka Display Name) and the account shortname.
Apple also provides the ability to choose if user channel management should be used (?)
Setup Assistant can be customized to show or hide various windows.
ADE allows Macs running Big Sur to be automatically supervised during activation.
Zero-touch ADE setup has been available for Apple TVs for a while and the capability is now coming to the Mac as well.
All setup screens are skipped and the Mac goes directly to the OS's login window.
Auto Advance for Mac Requirements:
Power
Ethernet connection with DHCP
MDM solution with Apple Business Manager / Apple School Manager
If using encrypted disks (FileVault), you will be required to enter the password to unlock the drive's encryption.
Lights Out Management for Mac Pro
Remotely startup, shutdown and reboot Mac Pro
Requirements:
MDM server
MDM-enrolled Lights Out Management (LOM) Controller
macOS Big Sur
LOM Controller and Mac Pro being controlled must be on the same subnet and IPv6 must be active.
For diagrams showing how LOM works, see session video.
User-approved MDM
On previous versions of macOS, User Approved MDM could not be supervised. This has changed on macOS Big Sur. Any Mac enrolled in a user-approved MDM will now be considered supervised.
Supervision for user-approved MDM:
Control Activation Lock bypass
Bootstrap tokens for FileVault
Query, list and delete local users
Remove or replace profiles
Install restrictions via MDM which are restricted to Supervised status.
Schedule software updates
Managed Software Update
Force software updates
Defer major OS updates for 90 days
Defer non-OS updates for 90 days
Removal of the software update catalog
Removal of the Ignore Flag
Force software updates = Force Macs to accept software updates and subsequently reboot.
Removal of the Ignore Flag is for major updates only.
Managed Mac apps
Apps can be removed by MDM command and on un-enrollment
iOS-style managed app configuration and feedback is now supported on macOS
MDM can convert an unmanaged app to a managed app
Managed App conversion is not supported for user enrolled devices.
Content Caching:
Support has been added for hosting Internet Recovery. The initial boot image for Internet Recovery isn't included but the full 6 GB recovery image is cached by the caching service.
New MDM command for Content Caching: Content Caching Information
Tethered caching via profile
Security improvements
More functionality for bootstrap tokens
Bootstrap token: Reserved encryption key provided by your MDM server. It allows your MDM to create admin accounts without needing to authenticate with an admin password.
Bootstrap tokens enable user accounts to get a Secure Token, which is necessary to enable an account for FileVault.
Bootstrap Tokens:
Enable users to get Secure Token
Supported on latest Macs with T2 chips
Authorize software updates and kernel extensions
Profiles
Automated installation of profiles can now only be performed by an MDM. The profiles command line tool will no longer be able to install profiles.
Downloaded Profiles
Brought over from iOS
Workflow designed to prevent mistaken or malicious installation
User must manually install profiles
User has the option of ignoring and not installing the profile
Downloaded profile remains visible and available in the Profiles preference pane for eight minutes.
When using command line tools to install profiles, the profile will be treated as if it were downloaded and you'll have to complete the install in the Profiles preference pane.
Profiles command line tool functions remain the same, with the exception of installing profiles.
networksetup command line tool limitations for standard users
Previously, both standard and admin users had control over the networksetup command line tool. Now, certain limitations have been put in place for standard users.
Limited for standard users:
Read network settings
Turn WiFi power on and off
Change the WiFi access point
Admins should use sudo to use networksetup's non-limited capabilities.
Automated Device Enrollment uses serial numbers to identify Macs. To address identifiable information in serial numbers, Apple is changing its serial number format.
Serial number format change:
Alphanumeric string of 10 characters
Current products will use existing format, while new products may use the new format.
macOS Management updates:
Configuration Profile Updates:
Accessibility Greyscale key deprecated
Associated Domains option to allow direct downloads
Configure Lights Out Management
Downloaded profiles require manual install via the Profiles preferences pane.
Single Sign-On extension supports the User channel
VPN App Mapping updates
VPN Added Maximum Transmission Unit
New Restrictions
Force Delayed App and Software Updates
New MDM Commands
Content Caching information
Bootstrap Token status
Force restart for Software Updates
Gather Managed App Feedback and App List
Install and Remove Managed Apps
LOM Setup Request and Device Request
Specify short name for local account
Supported LOM Device
iOS
Enable direct downloads for internal websites
WiFi MAC Address access control
Managed Open in Shortcuts
Encrypted DNS
SCEP key size supports 4096 bits
Locations for Apps and Books
MDM Certificate Pinning
Skip Setup Assistant panes
List eSIM Identifier
Shared iPad for Business
Notifications Privacy
Multiple printers over AirPrint
Allow App Clips restrictions
New Restrictions
Set Time Zone
Per Account VPN
Setup Assistant Configuration
Shared iPad Temporary Session
Scalable cfgutil
Apple Configurator now supports Apps and Books Locations, where Locations are different places where devices are kept.
Admins can assign different sets of apps and books for each Location.
cfgutil is now more scalable and supports more devices.
Setup Assistant skip keys have been brought over to iOS from macOS.
Skipping setup assistant panes during upgrades is now possible for all supervised mobile devices, not just those enrolled with ABM/ASM.
Notes from What's New in Apple Device Management (Tuesday, June 23rd, 2020): https://developer.apple.com/forums/thread/650065
What's New in Education
Yay, developers. You made a lot of apps for education.
Apple Schoolwork
Enables teachers to share materials, assign activities and track student progress.
Latest version of Schoolwork has a new design, which makes it easier to switch between Handouts and Students view.
The Chooser now has more metadata options available for listed activities, including thumbnails and summaries.
Adopt the Classkit framework. ClassKit allows your app to report information into Schoolwork.
ClassKit by default secures student data and only makes it available to privileged users, like teachers.
Activities can only be tracked if assigned via a Schoolwork Handout.
Learn more about ClassKit and the new ClassKit Catalog API by watching the "What's New in ClassKit" session video.
Apple School Manager (ASM)
IT admins can create classes and manage account credentials.
Enrolling devices into MDM is made simpler by Automated Device Enrollment.
Enroll devices and streamline their setup
Buy apps and books for students
Distribute custom apps
Create Managed Apple IDs for students
Assign privileges to IT team members
ASM, Classroom and Schoolwork integration
ASM-created classes are available in Classroom and Schoolwork.
Updates from ASM are synced down to Classroom and Schoolwork.
When students sign in with their Managed Apple ID (MAID), they will automatically show up in Classroom and be able to access their classes in Schoolwork.
Classroom is also adding features
Teachers can launch the same app on the whole class's iPads, or launch different apps for different groups.
Teachers can also monitor what is showing on each iPad's screen.
If the app is Classwork-enabled, the teacher can launch an app and have the correct activity already open.
Teachers can invite students to a class using a four-digit code and use AirPlay to display that code on an Apple TV.
Shared iPad
All student data should be synced from the cloud and not available on a shared iPad after the student logs out of that iPad.
Shared iPad Temporary Session
Enables schools to deploy devices with standard configurations which students can use without having sign-in credentials.
This allows the use of a Shared iPad in situations where a student's account may be having problems or not yet created. They can use the shared iPad, then sign out and have all the data be cleared from that iPad.
For MDMs, there's an option to disable Temporary Sessions.
For macOS, Apple is introducing a new Automatic Assessment Configuration Framework. A similar framework called UIKit Assessment has been used on iOS for standardized tests since 2016 and it's being brought over to macOS to take advantage of Mac's more powerful capabilities.
The Automatic Assessment Configuration Framework enables tests to be delivered to students without allowing those students to use features of the Mac which may give them unfair advantages while taking tests.
The Framework is available in iOS, macOS and also supports Catalyst.
Test takers are locked into the testing app and features like the ones below are disabled for the duration of the test:
Screen Sharing
Universal Clipboard
Dictation
Learn more about the Automatic Assessment Configuration Framework by watching the "What's New in Assessment" session video.
If you decide to incorporate the Automatic Assessment Configuration Framework into an app, you will need to use a new entitlement, so see the Automatic Assessment Configuration Framework documentation for more details.
On iOS, the UIKit Assessment mode has now been deprecated.
Question: For Automated Device Enrollment customization using identity providers like Azure AD, Ping or Okta, how is the use of multi-factor authentication being supported? For context, when I log into certain services in my shop using Azure AD, I'm requested to then open the Microsoft Authenticator app on my iPhone and do something (like hit an Approve button, enter a displayed code, get a code from SMS, etc.) How does the enrollment customization handle that?
Answer: You can host whatever WebUI you want for your modern authentication view. It shouldn't matter because all ADE is providing a web browser-like view to host whatever URL is needed for your modern authentication, then the modern authentication actions all take place within the web UI window. Once the MDM profile is downloaded and installed, the web view is automatically dismissed.
Question: Related - Does your MDM also need to be set up for that same identity provider as the one you're using in ADE, or can it be separated? For context, my shop uses SAP Cloud Identity for its identity provider, but our MDM doesn't really support Cloud Identity so it is using Azure AD instead. Does that mean I can't use Cloud Identity for ADE Enrollment customization?
Answer: Technically, it can be different but it would make for a complex setup and potentially fragile. Ideally, the MDM server is also going to be handling the ADE authentication with the same modern authentication used for the MDM's authentication.
Question: Will we ever be able to manually add macOS devices into DEP similarly to how we can add iOS devices using configurator?
Answer: Apple cannot comment on future plans. File Feedback to request this.
Question: Any plans to add sign in with Managed Apple IDs from the login window?
Answer: Apple cannot comment on future plans. File Feedback to request this.
Question: Will macOS ever require internet connectivity to be provisioned so that Macs cannot skip the device enrollment process?
Answer: Apple cannot comment on future plans. File Feedback to request this. User approved MDM will provide supervision on macOS Big Sur now, which may address this.
Question: Can we bring back an easier way of renewing the enrollment profile through Recovery? For context, we have received numerous Macs directly from Apple where we have had to "renew" the enrollment profile before DEP/ADE would recognize the device was associated with our MDM, as of 10.15, that process to achieve this became quite cumbersome.
Answer: As of now, the only viable solution is to wipe and reload the OS. File Feedback to request this.
Question: During the keynote and state of the union it was shown that app store iOS apps can be run on Macs with Apple silicon. Would this also apply to in-house/enterprise apps. Can we just copy an .ipa file to a Mac and double click it?
Answer: Yes, it should be possible to run any iOS apps, including in-house apps. It should work to just double-click, but test this out and post questions to the Developer Forums to get confirmation.
Notes are attached. They ran over the character limit for a forum posting.
Leverage enterprise identity & authentication - https://developer.apple.com/forums/content/attachment/b0e4bcb1-83e0-4936-bc27-4d509e03e615
Question: Is Apple adding any restrictions to the Installer process to prevent abuses of preinstall scripts, such as those seen used by Zoom? For context, Zoom's preinstall script would detect if your account had admin privileges and do the following during the installation check phase:
A. Install the Zoom app without requesting admin credentials.
B. Kill the Installer process.
C. Launch the Zoom app
Answer: Apple cannot comment on future plans, but they are aware of the problem. At this time, no changes.
Question: What is the best practice for signing and notarizing packages you build of third-party applications? For context, some vendors prefer to build their own applications to install their apps, rather than using an installer package. It is possible to package up the installer application, then use a postinstall script associated with the installer package to run the vendor's installer application using command line tools.
In this case, the vendor would have signed and notarized their installer application, but I would also like to sign and notarize my installer package so that Gatekeeper is OK with it.
Answer: It should be fine to sign and notarize the installer package, the notarization of the third-party application should be fine and there shouldn't be a conflict.
Question: Why do payload-free packages need to be notarized? There's no payload.
Answer: What's in an installer package is recorded during notarization of that installer package. That's when Apple can say for certain whether they've detected something malicious inside an installer package.
Security lab:
Question: It looks like Apple Silicon will be incorporating Secure Enclave into the new System on a Chip (SOC) architecture. Does Secure Enclave on SOC work like Secure Enclave does today on the separate T2 chip?
Answer: Yes, Secure Enclave will work the same. You shouldn't be able to tell the difference.
Question: Will FileVault on Apple Silicon work like it does today on an Intel Mac equipped with a T2 chip? In particular, will FileVault be instantly on / instantly off like it is on an Intel Mac equipped with a T2 chips?
Answer: No changes, Apple Silicon FileVault will work like it does today with T2 Macs.
Question: Will Gatekeeper apply to installer packages downloaded via curl from the command line, where non-signed or notarized packages would be blocked? Or would Big Sur continue to use the same behavior as macOS Catalina, where non-signed or notarized packages are not blocked?
Answer: No expected changes with how quarantine works. Curl will not start attaching quarantine metadata. The same behavior we see today on Catalina will apply to Big Sur.
Notes are attached. They ran over the character limit for a forum posting.
System architecture of Silicon Macs - https://developer.apple.com/forums/content/attachment/f532edd1-c991-4ee9-a08e-99028d509fec
Question: Will Apple offer In-App Purchase via VPP / Apple Business Manager?
Answer: No, Apple will not be offering that.
Question: Will the VPP redownload call time out ( <MDM Client Error 72> ) be fixed for macOS devices running Big Sur?
Answer: We're not familiar with this one, can you check back with us again in the next available lab on Friday?
Question: Will Apple offer the ability to deploy iOS / iPad OS apps via VPP on macOS Big Sur?
Answer: Yes, on Macs running Apple Silicon (assuming the MDM vendor supports it.)
The Endpoint Security framework is meant to be a replacement for:
Kauth API
Unsupported Mac kernel framework
OpenBSM audit trail
Kernel extensions are bad, m'kay?
Using the Endpoint Security framework to build ES system extensions is what developers should be doing now.
Several types of system extensions are supported:
Network - used for VPNs, content filters, etc.
DriverKit - Controlling hardware
EndpointSecurity - targeted at endpoint detection and response products
Benefits of using EndpointSecurity:
Protected by System Integrity Protection (SIP)
LaunchD job protection
Launch before third party applications
For EndpointSecurity architecture details, I recommend watching the session video.
Runtime requirements:
Entitlement: com.apple.developer.endpoint-security.client
Docs: https://developer.apple.com/system-extensions
System Extensions require an additional requirement for the containing app bundle. For more details, see the documentation linked above.
System extensions also require approval from the user to complete installation, unless whitelisted by a system extension whitelist profile from an MDM server.
Privacy - in order to increase user privacy, applications must obtain user consent for Full Disk Access, unless Full Disk Access permission is granted by a Privacy Preferences Policy Control profile from an MDM server.
Network Events
The EndpointSecurity framework does not provide events related to networking operations. This is intentional, as these events are better covered by the NetworkExtension framework.
There is a minor exception which is related to Unix domain sockets. The EndpointSecurity framework does provide events for this exception.
It is possible to combine the EndpointSecurity and NetworkExtension frameworks into a single unified System Extension. For this use, the system extension APIs and install flow should be used for system extensions which are of a single extension type.
macOS Big Sur includes improvements for efficiency and speed over macOS Catalina and Endpoint Security framework
Most requested data access points will be added by Apple as appropriate.
Question: Are there changes to how Secure Token is granted on Intel Macs running Big Sur, as opposed to how Secure Token is granted now on Intel Macs running Catalina?
Answer: No change to how Secure Token is granted on Intel Macs on Big Sur, as compared to on Intel Macs running Catalina.
Question: Will there be differences in how Secure Token is granted on Macs running Big Sur on Apple Silicon?
Answer: No change to how Secure Token is granted on Apple Silicon Macs on Big Sur, as compared to on Intel Macs running Catalina.
Question: Will FileVault authenticated restarts work differently on Apple Silicon, as opposed to how they work now on Intel Macs? If yes, what are the differences?
Answer: Authenticated restart is now entirely handled by Secure Enclave on Apple Silicon, as opposed to the SMC chip on non-T2 Intel Macs and Secure Enclave / Effaceable Storage on T2 Macs. On Apple Silicon, the authrestart token is one-time and cannot be used multiple times.
fdesetup's behavior (including authrestart) should be consistent across both Intel Macs and Apple Silicon.
Question: In the Building an Endpoint Security app session, it was mentioned that the Endpoint Security framework is meant to be a replacement for OpenBSM audit trails. Is OpenBSM still present in Big Sur? If not, is there a built-in audit tool which replaces it?
Answer: OpenBSM is still in Big Sur, but is now deprecated.
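As an added illustration of the runtime requirements listed in the Endpoint Security notes above (this is not code from the session or from Apple), here is a minimal Endpoint Security client written in C with Apple blocks that subscribes to process-exec notifications and logs the launched image, mapping the framework's start-up errors to the entitlement and Full Disk Access requirements the notes mention. It assumes a hypothetical source file es_exec_monitor.c, that the binary runs as root, and that it is signed with the com.apple.developer.endpoint-security.client entitlement; in a shipping product that means packaging it as a system extension inside the app bundle, as described above.

```objective-c
// Added example, not from the session notes or any Apple sample code.
// Minimal Endpoint Security client: log every process exec on the Mac.
// Build on macOS 10.15+ (hypothetical file name):
//   clang -framework EndpointSecurity -lbsm es_exec_monitor.c -o es_exec_monitor
// Then sign with the com.apple.developer.endpoint-security.client entitlement
// and run as root (production deployment: a system extension in an app bundle).
#include <EndpointSecurity/EndpointSecurity.h>
#include <bsm/libbsm.h>
#include <dispatch/dispatch.h>
#include <stdio.h>
#include <stdlib.h>

// es_string_token_t is a (pointer, length) pair, not a NUL-terminated string.
static void print_token(const char *label, es_string_token_t tok) {
    printf("%s=%.*s ", label, (int)tok.length, tok.data);
}

// Called by the framework for each subscribed event. NOTIFY events are
// informational only, so no es_respond_* call is required here.
static void handle_message(es_client_t *client, const es_message_t *msg) {
    (void)client;
    switch (msg->event_type) {
    case ES_EVENT_TYPE_NOTIFY_EXEC: {
        const es_process_t *parent = msg->process;            // process that called exec
        const es_process_t *target = msg->event.exec.target;  // image being executed
        printf("exec pid=%d ppid=%d ",
               audit_token_to_pid(target->audit_token),
               audit_token_to_pid(parent->audit_token));
        print_token("path", target->executable->path);
        print_token("signing_id", target->signing_id);
        printf("platform_binary=%d\n", target->is_platform_binary);
        break;
    }
    default:
        break;
    }
}

// Map es_new_client failures to the requirements listed in the notes.
static const char *describe_new_client_result(es_new_client_result_t r) {
    switch (r) {
    case ES_NEW_CLIENT_RESULT_SUCCESS:
        return "success";
    case ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED:
        return "missing com.apple.developer.endpoint-security.client entitlement";
    case ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED:
        return "Full Disk Access not granted (user consent or PPPC profile from MDM)";
    case ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED:
        return "client must run as root";
    default:
        return "other error";
    }
}

int main(void) {
    es_client_t *client = NULL;
    es_new_client_result_t res = es_new_client(&client,
        ^(es_client_t *c, const es_message_t *msg) { handle_message(c, msg); });
    if (res != ES_NEW_CLIENT_RESULT_SUCCESS) {
        fprintf(stderr, "es_new_client failed: %s\n", describe_new_client_result(res));
        return EXIT_FAILURE;
    }
    // Subscribe only to what is needed; every subscribed event costs a callback.
    es_event_type_t events[] = { ES_EVENT_TYPE_NOTIFY_EXEC };
    if (es_subscribe(client, events, sizeof(events) / sizeof(events[0])) != ES_RETURN_SUCCESS) {
        fprintf(stderr, "es_subscribe failed\n");
        es_delete_client(client);
        return EXIT_FAILURE;
    }
    dispatch_main();  // never returns; the handler runs on framework-owned threads
}
```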
Testing pre-release software
Public beta - available to all users who sign up at beta dot apple dot com. Geared towards reporting livability and/or general use issues.
Updates in this program can be less frequent than other beta seed releases.
Public beta seeds released for the following platforms:
iOS
iPad OS
macOS
tvOS
watchOS (new this year)
Developer beta - seeding program geared towards app developers
AppleSeed for IT beta - seeding program geared towards IT professionals in enterprise and education.
AppleSeed for IT testers provide feedback to Apple on how Apple's pre-release tools and frameworks act in the testers' environments. Apple is particularly interested in identifying deployment blockers, as those would prevent deployment of the latest OS when Apple releases.
To enroll into AppleSeed for IT:
Create a managed Apple ID (MAID)
Associate your work email with the MAID, so you can receive communications from AppleSeed.
Log into appleseed.apple.com with your MAID.
To enable devices to test pre-release software, Apple has made the following tools available:
iOS / iPad OS: configuration profile available from appleseed.apple.com
macOS: macOS beta access utility
Report any issues discovered in testing via the Feedback Assistant app.
Collaboration
Other AppleSeed for IT participants and teammates
Field engineering
AppleCare
With an AppleCare for Enterprise or AppleCare OS support agreement, customers can request testing assistance from an AppleCare account manager or an Apple systems engineer.
Filing feedback for your organization:
File immediately after the issue occurs with the device it occurs on. This helps ensure the relevant logs are gathered. Gather logs and note the time. Include the steps to reproduce the problem.
If possible, include screenshots and/or screen recordings showing the issue.
New features in Feedback Assistant
Feedback Assistant is available on the following:
iOS
iPad OS
macOS
Website
Teams for Feedback Assistant:
Teams allows members of an organization to work together on feedback with Apple.
Teams are configured by Apple Business Manager or Apple School Manager, for AppleSeed for IT and in App Store Connect.
Members of the team can:
See feedback submitted by others in the team
See responses from Apple
Participate in the feedback conversation.
Reassign feedback to other team members
Multi-device diagnostics
Initiate feedback from an iPhone or iPad
Collect logs from multiple devices
All devices must be signed into iCloud.
When feedback is submitted, the diagnostics upload from each device directly to Apple.
Managing software updates:
Control over updating Apple devices
Update compatibility with your company, school or institution
Consistent deployment across devices
Contain critical improvements for stability, performance and security.
Organizations should do their best to deploy updates as swiftly as possible.
MDM command to update devices to the latest OS version
Choose to download only, or download and install.
Only updates which are still being signed by Apple are permitted for installation.
In order to use MDM to remotely update the OS on the device, supervision is required.
For iOS / iPad OS:
Passcode will need to be entered before OS update takes place.
Deferring software updates:
iPad OS, iOS and tvOS
MDM restriction available which defers over-the-air software updates
Default delay is 30 days
Delay can be overridden and specified as being a value between 1 day and 90 days.
Once the delay expires, the next update in the deferral window is evaluated. Next update will either be deferred itself or presented immediately for installation.
No downgrades or rollbacks
Reverting to an older OS involves wiping the device
Apple only supports updating devices to newer version of the OS.
Apple signs its software for production use and older releases may have their signing revoked to ensure that customers are not susceptible to downgrade attacks.
On macOS, automatic checking for updates, download and installation of updates is controlled via the settings in the Software Update preference pane in System Preferences. These settings are manageable via MDM.
For macOS, the deferral process is similar to the process used on iOS/iPad OS/tvOS. A profile may be deployed to defer updates up to 90 days.
Unique features in macOS:
Deferred updates are transparent to the user in System Preferences
Once an update is past the deferral window, the user receives a notification and the update will be visible in System Preferences.
Deferring software updates does not require being supervised
Updates are deferred by date, not version number. This allows the deferral of multiple software updates in succession rather than deferring only one update at a time.
Changes to managed software updates
Support for deferring software updates during beta seeding in macOS Big Sur
Support for deferring major releases was introduced in macOS Catalina 10.15.4
Securing software updates
Unification of installation technologies across iOS and macOS
Snapshot-based updates
Snapshot of the system volume is taken and the snapshot is updated while the user is using their Mac.
- Snapshots are cryptographically sealed using authenticated APFS. This allows verification on boot that the user system matches what was delivered to the Mac by Apple.
Cryptographically sealed system volume
Remotely driven updates
Removals
Custom catalog support has been removed
The installation catalog will be managed by Apple
No longer possible to ignore updates indefinitely
Ignore is supported in these releases if the device is supervised:
- macOS Catalina 10.15.6
- macOS Mojave 10.14.6 (following installation of the Mojave security updates released along with 10.15.6)
I took notes during the "What's new in managing Apple Devices" session. If interested, please see the attached "Notes from session":
Notes from session
For the session video, please see the following link: https://developer.apple.com/wwdc21/10130
Notes from What's new in managing Apple Devices (Tuesday, June 8th 2021):
https://developer.apple.com/forums/thread/681765