Notes from System Extensions and DriverKit (Tuesday, June 4th at 10:00 AM)
Kernel extensions

Problems:
- Difficult to develop and debug
- Stability problems for system
- Security problems for system

Introducing System Extensions and DriverKit
- New as of Catalina
- Similar to kext, but runs in user space; outside the kernel.
- Network extensions
- Endpoint Security extensions
  - Replacement for Kauth event monitoring
- Driver extensions
  - Control hardware devices
  - Uses DriverKit, which replaces IOKit

Deprecating kernel extensions:
- macOS Catalina will be the last OS version to run kernel extensions without compromise.
- Installing third party kernel extensions on macOS Catalina now requires that you restart your Mac before they’re permitted to load.
- As System Extensions and DriverKit add functionality, kernel extensions with matching functionality will not load.

System Extensions
- Always part of the app
- No such thing as a "standalone system extension"
- Distribute via the MAS or Developer ID (MAS deployment not previously possible with kernel extensions.)
- Sign System Extension with a Developer ID or MAS certificate
  - Developer ID for Kernel Extensions certificate is no longer required.
- System Extension with a Developer ID must be notarized

Installation
- No installer or package is necessary; the System Extension is inside the app bundle.
- Use the new SystemExtension; the lifecycle is managed by the system.
- System Extension will be stopped and started as needed.

Uninstallation
- Moving the app to the trash deactivates all of its extensions. No special uninstall process is needed.
Jun ’19
Notes from What's New in Apple Device Management (Tuesday, June 23rd, 2020)
What's New in Managing Apple Devices

Starting with managing and deploying macOS Big Sur

Automated Device Enrollment
- Enrollment customization allows the use of various IdPs for authentication:
  - Azure Active Directory
  - Okta
  - Ping
  - More IdPs will work, but they aren't specified.
- Information from the authentication pane can be used to populate the user's full name (aka Display Name) and the account shortname.
- Apple also provides the ability to choose if user channel management should be used (?)
- Setup Assistant can be customized to show or hide various windows.
- ADE allows Macs running Big Sur to be automatically supervised during activation.
- Zero-touch ADE setup has been available for Apple TVs for a while and the capability is now coming to the Mac as well. All setup screens are skipped and the Mac goes directly to the OS's login window.

Auto Advance for Mac
- Requirements:
  - Power
  - Ethernet connection with DHCP
  - MDM solution with Apple Business Manager / Apple School Manager
- If using encrypted disks (FileVault), you will be required to enter the password to unlock the drive's encryption.

Lights Out Management for Mac Pro
- Remotely startup, shutdown and reboot Mac Pro
- Requirements:
  - MDM server
  - MDM-enrolled Lights Out Management (LOM) Controller
  - macOS Big Sur
- LOM Controller and Mac Pro being controlled must be on the same subnet and IPv6 must be active.
- For diagrams showing how LOM works, see session video.

User-approved MDM
- On previous versions of macOS, User Approved MDM could not be supervised. This has changed on macOS Big Sur. Any Mac enrolled in a user-approved MDM will now be considered supervised.
- Supervision for user-approved MDM:
  - Control Activation Lock bypass
  - Bootstrap tokens for FileVault
  - Query, list and delete local users
  - Remove or replace profiles
  - Install restrictions via MDM which are restricted to Supervised status.

Managed Software Update
- Schedule software updates
- Force software updates
- Defer major OS updates for 90 days
- Defer non-OS updates for 90 days
- Removal of the software update catalog
- Removal of the Ignore Flag
- Force software updates = Force Macs to accept software updates and subsequently reboot.
- Removal of the Ignore Flag is for major updates only.

Managed Mac apps
- Apps can be removed by MDM command and on un-enrollment
- iOS-style managed app configuration and feedback is now supported on macOS
- MDM can convert an unmanaged app to a managed app
- Managed App conversion is not supported for user enrolled devices.

Content Caching:
- Support has been added for hosting Internet Recovery
- The initial boot image for Internet Recovery isn't included but the full 6 GB recovery image is cached by the caching service.
- New MDM command for Content Caching: Content Caching Information
- Tethered caching via profile

Security improvements
- More functionality for bootstrap tokens
- Bootstrap token: Reserved encryption key provided by your MDM server. It allows your MDM to create admin accounts without needing to authenticate with an admin password. Bootstrap tokens enable user accounts to get a Secure Token, which is necessary to enable an account for FileVault.
- Bootstrap Tokens:
  - Enable users to get Secure Token
  - Supported on latest Macs with T2 chips
  - Authorize software updates and kernel extensions

Profiles
- Automated installation of profiles can now only be performed by an MDM. The profiles command line tool will no longer be able to install profiles.
- Downloaded Profiles
  - Brought over from iOS
  - Workflow designed to prevent mistaken or malicious installation
  - User must manually install profiles
  - User has the option of ignoring and not installing the profile
  - Downloaded profile remains visible and available in the Profiles preference pane for eight minutes.
- When using command line tools to install profiles, the profile will be treated as if it were downloaded and you'll have to complete the install in the Profiles preference pane.
- Profiles command line tool functions remain the same, with the exception of installing profiles.

networksetup command line tool limitations for standard users
- Previously, both standard and admin users had control over the networksetup command line tool. Now, certain limitations have been put in place for standard users.
- Limited for standard users:
  - Read network settings
  - Turn WiFi power on and off
  - Change the WiFi access point
- Admins should use sudo to use networksetup's non-limited capabilities.

Automated Device Enrollment uses serial numbers to identify Macs. To address identifiable information in serial numbers, Apple is changing its serial number format.
- Serial number format change:
  - Alphanumeric string of 10 characters
  - Current products will use existing format, while new products may use the new format.

macOS Management updates:
- Configuration Profile Updates:
  - Accessibility Greyscale key deprecated
  - Associated Domains option to allow direct downloads
  - Configure Lights Out Management
  - Downloaded profiles require manual install via the Profiles preferences pane.
  - Single Sign-On extension supports the User channel
  - VPN App Mapping updates
  - VPN Added Maximum Transmission Unit
- New Restrictions
  - Force Delayed App and Software Updates
- New MDM Commands
  - Content Caching information
  - Bootstrap Token status
  - Force restart for Software Updates
  - Gather Managed App Feedback and App List
  - Install and Remove Managed Apps
  - LOM Setup Request and Device Request
  - Specify short name for local account
  - Supported LOM Device

iOS
- Enable direct downloads for internal websites
- WiFi MAC Address access control
- Managed Open in Shortcuts
- Encrypted DNS
- SCEP key size supports 4096 bits
- Locations for Apps and Books
- MDM Certificate Pinning
- Skip Setup Assistant panes
- List eSIM Identifier
- Shared iPad for Business
- Notifications Privacy
- Multiple printers over AirPrint
- Allow App Clips restrictions
- New Restrictions
- Set Time Zone
- Per Account VPN
- Setup Assistant Configuration
- Shared iPad Temporary Session
- Scalable cfgutil
- Apple Configurator now supports Apps and Books Locations, where Locations are different places where devices are kept. Admins can assign different sets of apps and books for each Location.
- cfgutil is now more scalable and supports more devices.
- Setup Assistant skip keys have been brought over to iOS from macOS. Skipping setup assistant panes during upgrades is now possible for all supervised mobile devices, not just those enrolled with ABM/ASM.
Jun ’20
Notes from What's New in Education (Tuesday, June 23rd, 2020)
What's New in Education

Yay, developers. You made a lot of apps for education.

Apple Schoolwork
- Enables teachers to share materials, assign activities and track student progress.
- Latest version of Schoolwork has a new design, which makes it easier to switch between Handouts and Students view.
- The Chooser now has more metadata options available for listed activities, including thumbnails and summaries.
- Adopt the ClassKit framework. ClassKit allows your app to report information into Schoolwork.
- ClassKit by default secures student data and only makes it available to privileged users, like teachers.
- Activities can only be tracked if assigned via a Schoolwork Handout.
- Learn more about ClassKit and the new ClassKit Catalog API by watching the "What's New in ClassKit" session video.

Apple School Manager (ASM)
- IT admins can create classes and manage account credentials.
- Enrolling devices into MDM is made simpler by Automated Device Enrollment.
- Enroll devices and streamline their setup
- Buy apps and books for students
- Distribute custom apps
- Create Managed Apple IDs for students
- Assign privileges to IT team members

ASM, Classroom and Schoolwork integration
- ASM-created classes are available in Classroom and Schoolwork.
- Updates from ASM are synced down to Classroom and Schoolwork.
- When students sign in with their Managed Apple ID (MAID), they will automatically show up in Classroom and be able to access their classes in Schoolwork.

Classroom is also adding features
- Teachers can launch the same app on the whole class's iPads, or launch different apps for different groups.
- Teachers can also monitor what is showing on each iPad's screen.
- If the app is ClassKit-enabled, the teacher can launch an app and have the correct activity already open.
- Teachers can invite students to a class using a four-digit code and use AirPlay to display that code on an Apple TV.

Shared iPad
- All student data should be synced from the cloud and not available on a shared iPad after the student logs out of that iPad.
- Shared iPad Temporary Session
  - Enables schools to deploy devices with standard configurations which students can use without having sign-in credentials.
  - This allows the use of a Shared iPad in situations where a student's account may be having problems or not yet created. They can use the shared iPad, then sign out and have all the data be cleared from that iPad.
  - For MDMs, there's an option to disable Temporary Sessions.

Automatic Assessment Configuration Framework
- For macOS, Apple is introducing a new Automatic Assessment Configuration Framework.
- A similar framework called UIKit Assessment has been used on iOS for standardized tests since 2016 and it's being brought over to macOS to take advantage of the Mac's more powerful capabilities.
- The Automatic Assessment Configuration Framework enables tests to be delivered to students without allowing those students to use features of the Mac which may give them unfair advantages while taking tests.
- The Framework is available in iOS, macOS and also supports Catalyst.
- Test takers are locked into the testing app and features like the ones below are disabled for the duration of the test:
  - Screen Sharing
  - Universal Clipboard
  - Dictation
- Learn more about the Automatic Assessment Configuration Framework by watching the "What's New in Assessment" session video.
- If you decide to incorporate the Automatic Assessment Configuration Framework into an app, you will need to use a new entitlement, so see the Automatic Assessment Configuration Framework documentation for more details.
- On iOS, the UIKit Assessment mode has now been deprecated.
Jun ’20
Notes from Custom app distribution and device management lab (Wednesday, June 24th, 2020)
Question: For Automated Device Enrollment customization using identity providers like Azure AD, Ping or Okta, how is the use of multi-factor authentication being supported? For context, when I log into certain services in my shop using Azure AD, I'm requested to then open the Microsoft Authenticator app on my iPhone and do something (like hit an Approve button, enter a displayed code, get a code from SMS, etc.) How does the enrollment customization handle that?

Answer: You can host whatever WebUI you want for your modern authentication view. It shouldn't matter, because all ADE is providing is a web browser-like view to host whatever URL is needed for your modern authentication; the modern authentication actions all take place within the web UI window. Once the MDM profile is downloaded and installed, the web view is automatically dismissed.

Question: Related - Does your MDM also need to be set up for that same identity provider as the one you're using in ADE, or can it be separated? For context, my shop uses SAP Cloud Identity for its identity provider, but our MDM doesn't really support Cloud Identity so it is using Azure AD instead. Does that mean I can't use Cloud Identity for ADE Enrollment customization?

Answer: Technically, it can be different, but it would make for a complex setup and potentially a fragile one. Ideally, the MDM server is also going to be handling the ADE authentication with the same modern authentication used for the MDM's authentication.

Question: Will we ever be able to manually add macOS devices into DEP similarly to how we can add iOS devices using Configurator?

Answer: Apple cannot comment on future plans. File Feedback to request this.

Question: Any plans to add sign in with Managed Apple IDs from the login window?

Answer: Apple cannot comment on future plans. File Feedback to request this.

Question: Will macOS ever require internet connectivity to be provisioned so that Macs cannot skip the device enrollment process?

Answer: Apple cannot comment on future plans. File Feedback to request this. User approved MDM will provide supervision on macOS Big Sur now, which may address this.

Question: Can we bring back an easier way of renewing the enrollment profile through Recovery? For context, we have received numerous Macs directly from Apple where we have had to "renew" the enrollment profile before DEP/ADE would recognize the device was associated with our MDM. As of 10.15, the process to achieve this became quite cumbersome.

Answer: As of now, the only viable solution is to wipe and reload the OS. File Feedback to request this.

Question: During the keynote and State of the Union it was shown that App Store iOS apps can be run on Macs with Apple silicon. Would this also apply to in-house/enterprise apps? Can we just copy an .ipa file to a Mac and double click it?

Answer: Yes, it should be possible to run any iOS apps, including in-house apps. It should work to just double-click, but test this out and post questions to the Developer Forums to get confirmation.
Jun ’20
Notes from macOS Package Installation lab (Wednesday, June 24th, 2020)
Question: Is Apple adding any restrictions to the Installer process to prevent abuses of preinstall scripts, such as those seen used by Zoom? For context, Zoom's preinstall script would detect if your account had admin privileges and do the following during the installation check phase:
A. Install the Zoom app without requesting admin credentials.
B. Kill the Installer process.
C. Launch the Zoom app.

Answer: Apple cannot comment on future plans, but they are aware of the problem. At this time, no changes.

Question: What is the best practice for signing and notarizing packages you build of third-party applications? For context, some vendors prefer to build their own applications to install their apps, rather than using an installer package. It is possible to package up the installer application, then use a postinstall script associated with the installer package to run the vendor's installer application using command line tools. In this case, the vendor would have signed and notarized their installer application, but I would also like to sign and notarize my installer package so that Gatekeeper is OK with it.

Answer: It should be fine to sign and notarize the installer package; the notarization of the third-party application should be fine and there shouldn't be a conflict.

Question: Why do payload-free packages need to be notarized? There's no payload.

Answer: What's in an installer package is recorded during notarization of that installer package. That's when Apple can say for certain whether they've detected something malicious inside an installer package.
Jun ’20
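A defender-side audit for the preinstall-script pattern raised in the first question of this lab, as an added example: it is not from the lab notes or from Apple, it assumes the flat package has already been expanded with `pkgutil --expand` so each component's Scripts directory is readable, and its indicator patterns and the sample scripts it builds are constructed heuristics, not a vendor's actual script.

```python
"""Audit installer-package scripts for preinstall-phase abuse.

Added example (not from the lab notes or from Apple). Assumes the package
was expanded with `pkgutil --expand <pkg> <dir>`, which leaves each
component's preinstall/postinstall scripts under a Scripts/ directory.
The indicator regexes are constructed heuristics for the behaviour the
question describes: installing the payload, killing Installer and
launching the app before Installer has asked for credentials.
"""
import os
import re
import tempfile
from typing import Dict, List

# (finding label, pattern). Constructed heuristics, tune for your fleet.
INDICATORS = [
    ("kills Installer", re.compile(r"\b(killall|pkill)\b[^\n]*\bInstaller\b")),
    ("launches an app", re.compile(r"(^|[;&|\s])open\s+(-a\s+)?\S*\.app", re.M)),
    ("copies payload into /Applications",
     re.compile(r"\b(cp|ditto|mv|unzip|tar)\b[^\n]*/Applications")),
    ("checks for admin membership",
     re.compile(r"\b(dseditgroup|dscl)\b[^\n]*\badmin\b|\bgroups\b[^\n]*\badmin\b")),
]
SCRIPT_NAMES = ("preinstall", "postinstall")


def audit_script(name: str, text: str) -> List[str]:
    """Return one finding per matching indicator, prefixed with the phase."""
    return [f"{name}: {label}" for label, pattern in INDICATORS if pattern.search(text)]


def audit_expanded_pkg(root: str) -> Dict[str, List[str]]:
    """Walk an expanded package tree; map each script with findings to them."""
    report: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) != "Scripts":
            continue
        for fname in files:
            if fname not in SCRIPT_NAMES:
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = audit_script(fname, fh.read())
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def is_suspicious(report: Dict[str, List[str]]) -> bool:
    """Preinstall-phase hits matter most: nothing has been authorised yet."""
    return any(f.startswith("preinstall:") for fs in report.values() for f in fs)


def demo() -> Dict[str, List[str]]:
    """Build a constructed two-component tree in a temp dir and audit it."""
    root = tempfile.mkdtemp(prefix="pkg_audit_")
    abusive = os.path.join(root, "com.example.abusive.pkg", "Scripts")
    benign = os.path.join(root, "com.example.benign.pkg", "Scripts")
    os.makedirs(abusive)
    os.makedirs(benign)
    # Constructed fixture mirroring the steps described in the question.
    with open(os.path.join(abusive, "preinstall"), "w") as fh:
        fh.write('#!/bin/sh\nif groups "$USER" | grep -q admin; then\n'
                 '  ditto "$1/Contents/App.app" /Applications/App.app\n'
                 "  killall Installer\n  open -a /Applications/App.app\nfi\n")
    # Constructed benign postinstall: only writes a preference.
    with open(os.path.join(benign, "postinstall"), "w") as fh:
        fh.write("#!/bin/sh\n/usr/bin/defaults write com.example.app FirstRun -bool true\n")
    return audit_expanded_pkg(root)


if __name__ == "__main__":
    for script, findings in demo().items():
        print(script)
        for finding in findings:
            print("  -", finding)
```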
Notes from Security lab (Wednesday, June 24th, 2020)
Security lab:

Question: It looks like Apple Silicon will be incorporating Secure Enclave into the new System on a Chip (SOC) architecture. Does Secure Enclave on SOC work like Secure Enclave does today on the separate T2 chip?

Answer: Yes, Secure Enclave will work the same. You shouldn't be able to tell the difference.

Question: Will FileVault on Apple Silicon work like it does today on an Intel Mac equipped with a T2 chip? In particular, will FileVault be instantly on / instantly off like it is on an Intel Mac equipped with a T2 chip?

Answer: No changes; Apple Silicon FileVault will work like it does today with T2 Macs.

Question: Will Gatekeeper apply to installer packages downloaded via curl from the command line, where non-signed or notarized packages would be blocked? Or would Big Sur continue to use the same behavior as macOS Catalina, where non-signed or notarized packages are not blocked?

Answer: No expected changes with how quarantine works. curl will not start attaching quarantine metadata. The same behavior we see today on Catalina will apply to Big Sur.
Jun ’20
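The last answer above is the reason a deployment script that fetches packages with curl gets no Gatekeeper evaluation at all. The added example below (not from the lab notes or from Apple) lets such a script attach the quarantine attribute itself so the package is assessed like a browser download; the `flags;hex-time;agent;uuid` layout is assumed from values the system writes for browser downloads, the default flag word is a constructed value, and the read/write paths call the macOS `xattr` tool.

```python
"""Attach and inspect the com.apple.quarantine attribute on curl downloads.

Added example, not from the lab notes or from Apple. curl does not attach
quarantine metadata, so a deployment script that wants Gatekeeper to
evaluate a package it fetched can write the attribute before opening the
package. The 'flags;hex-time;agent;uuid' layout is assumed from values the
system writes for browser downloads; the default flag word 0x0081 is a
constructed value, not an Apple-documented constant.
"""
import subprocess
import sys
import time
import uuid
from dataclasses import dataclass
from typing import Optional

QUARANTINE_ATTR = "com.apple.quarantine"


@dataclass
class Quarantine:
    flags: int        # 16-bit flag word, written as 4 hex digits
    timestamp: int    # Unix seconds of the download, written as hex
    agent: str        # name of the downloading agent
    identifier: str   # per-download UUID (may be empty on older entries)

    def encode(self) -> str:
        """Serialise in the attribute's on-disk text form."""
        return f"{self.flags:04x};{self.timestamp:08x};{self.agent};{self.identifier}"


def parse_quarantine(value: str) -> Quarantine:
    """Parse an attribute string such as '0083;5e1f1d2c;Safari;<uuid>'.

    Older entries may lack the UUID field, so only three fields are required.
    """
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"not a quarantine attribute: {value!r}")
    return Quarantine(flags=int(parts[0], 16), timestamp=int(parts[1], 16),
                      agent=parts[2], identifier=parts[3] if len(parts) > 3 else "")


def new_quarantine(agent: str = "curl-deploy", flags: int = 0x0081,
                   now: Optional[int] = None,
                   identifier: Optional[str] = None) -> Quarantine:
    """Build a fresh quarantine record for a file this script just fetched."""
    return Quarantine(flags=flags,
                      timestamp=int(time.time()) if now is None else now,
                      agent=agent,
                      identifier=str(uuid.uuid4()).upper() if identifier is None
                      else identifier)


def read_quarantine(path: str) -> Optional[Quarantine]:
    """Read the attribute with the xattr tool (macOS only); None when absent."""
    if sys.platform != "darwin":
        return None
    proc = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                          capture_output=True, text=True)
    return parse_quarantine(proc.stdout) if proc.returncode == 0 else None


def ensure_quarantined(path: str, agent: str = "curl-deploy") -> bool:
    """Attach quarantine metadata unless the file already carries it.

    Returns True when the attribute was written, False when it was already
    present. Gatekeeper then treats the package like a browser download.
    """
    if sys.platform != "darwin":
        raise RuntimeError("com.apple.quarantine is only meaningful on macOS")
    if read_quarantine(path) is not None:
        return False
    subprocess.run(["xattr", "-w", QUARANTINE_ATTR,
                    new_quarantine(agent).encode(), path], check=True)
    return True


if __name__ == "__main__":
    for target in sys.argv[1:]:
        added = ensure_quarantined(target)
        print(target, "quarantine added" if added else "already quarantined")
```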
Notes from Building, Signing, and Distribution lab (Wednesday, June 24th, 2020)
Question: Will Apple offer In-App Purchase via VPP / Apple Business Manager?

Answer: No, Apple will not be offering that.

Question: Will the VPP redownload call time out (<MDM Client Error 72>) be fixed for macOS devices running Big Sur?

Answer: We're not familiar with this one, can you check back with us again in the next available lab on Friday?

Question: Will Apple offer the ability to deploy iOS / iPad OS apps via VPP on macOS Big Sur?

Answer: Yes, on Macs running Apple Silicon (assuming the MDM vendor supports it.)
Jun ’20
Build an Endpoint Security App (Thursday, June 25th, 2020)
The Endpoint Security framework is meant to be a replacement for:
- Kauth API
- Unsupported Mac kernel framework
- OpenBSM audit trail

Kernel extensions are bad, m'kay? Using the Endpoint Security framework to build ES system extensions is what developers should be doing now.

Several types of system extensions are supported:
- Network - used for VPNs, content filters, etc.
- DriverKit - Controlling hardware
- EndpointSecurity - targeted at endpoint detection and response products

Benefits of using EndpointSecurity:
- Protected by System Integrity Protection (SIP)
- LaunchD job protection
- Launch before third party applications

For EndpointSecurity architecture details, I recommend watching the session video.

Runtime requirements:
- Entitlement: com.apple.developer.endpoint-security.client
- Docs: https://developer.apple.com/system-extensions
- System Extensions require an additional requirement for the containing app bundle. For more details, see the documentation linked above.
- System extensions also require approval from the user to complete installation, unless whitelisted by a system extension whitelist profile from an MDM server.
- Privacy - in order to increase user privacy, applications must obtain user consent for Full Disk Access, unless Full Disk Access permission is granted by a Privacy Preferences Policy Control profile from an MDM server.

Network Events
- The EndpointSecurity framework does not provide events related to networking operations. This is intentional, as these events are better covered by the NetworkExtension framework.
- There is a minor exception which is related to Unix domain sockets. The EndpointSecurity framework does provide events for this exception.
- It is possible to combine the EndpointSecurity and NetworkExtension frameworks into a single unified System Extension. For this use, the system extension APIs and install flow should be used for system extensions which are of a single extension type.

macOS Big Sur includes improvements for efficiency and speed over macOS Catalina and the Endpoint Security framework. Most requested data access points will be added by Apple as appropriate.
Jun ’20
Notes from Security lab (Thursday, June 25th, 2020)
Question: Are there changes to how Secure Token is granted on Intel Macs running Big Sur, as opposed to how Secure Token is granted now on Intel Macs running Catalina?

Answer: No change to how Secure Token is granted on Intel Macs on Big Sur, as compared to on Intel Macs running Catalina.

Question: Will there be differences in how Secure Token is granted on Macs running Big Sur on Apple Silicon?

Answer: No change to how Secure Token is granted on Apple Silicon Macs on Big Sur, as compared to on Intel Macs running Catalina.

Question: Will FileVault authenticated restarts work differently on Apple Silicon, as opposed to how they work now on Intel Macs? If yes, what are the differences?

Answer: Authenticated restart is now entirely handled by Secure Enclave on Apple Silicon, as opposed to the SMC chip on non-T2 Intel Macs and Secure Enclave / Effaceable Storage on T2 Macs. On Apple Silicon, the authrestart token is one-time and cannot be used multiple times. fdesetup's behavior (including authrestart) should be consistent across both Intel Macs and Apple Silicon.

Question: In the Building an Endpoint Security app session, it was mentioned that the Endpoint Security framework is meant to be a replacement for OpenBSM audit trails. Is OpenBSM still present in Big Sur? If not, is there a built-in audit tool which replaces it?

Answer: OpenBSM is still in Big Sur, but is now deprecated.
Jun ’20
Notes from Discover AppleSeed for IT and Managed Software Updates (Friday, June 25th, 2020)
Testing pre-release software
- Public beta - available to all users who sign up at beta dot apple dot com. Geared towards reporting livability and/or general use issues. Updates in this program can be less frequent than other beta seed releases.
  - Public beta seeds released for the following platforms: iOS, iPad OS, macOS, tvOS, watchOS (new this year)
- Developer beta - seeding program geared towards app developers
- AppleSeed for IT beta - seeding program geared towards IT professionals in enterprise and education. AppleSeed for IT testers provide feedback to Apple on how Apple's pre-release tools and frameworks act in the testers' environments. Apple is particularly interested in identifying deployment blockers, as those would prevent deployment of the latest OS when Apple releases.

To enroll into AppleSeed for IT:
- Create a managed Apple ID (MAID)
- Associate your work email with the MAID, so you can receive communications from AppleSeed.
- Log into appleseed.apple.com with your MAID.

To enable devices to test pre-release software, Apple has made the following tools available:
- iOS / iPad OS: configuration profile available from appleseed.apple.com
- macOS: macOS beta access utility

Report any issues discovered in testing via the Feedback Assistant app.

Collaboration
- Other AppleSeed for IT participants and teammates
- Field engineering
- AppleCare
  - With an AppleCare for Enterprise or AppleCare OS support agreement, customers can request testing assistance from an AppleCare account manager or an Apple systems engineer.

Filing feedback for your organization:
- File immediately after the issue occurs with the device it occurs on. This helps ensure the relevant logs are gathered.
- Gather logs and note the time.
- Include the steps to reproduce the problem.
- If possible, include screenshots and/or screen recordings showing the issue.

New features in Feedback Assistant
- Feedback Assistant is available on the following: iOS, iPad OS, macOS, Website
- Teams for Feedback Assistant:
  - Teams allows members of an organization to work together on feedback with Apple.
  - Teams are configured by Apple Business Manager or Apple School Manager, for AppleSeed for IT and in App Store Connect.
  - Members of the team can:
    - See feedback submitted by others in the team
    - See responses from Apple
    - Participate in the feedback conversation.
    - Reassign feedback to other team members
- Multi-device diagnostics
  - Initiate feedback from an iPhone or iPad
  - Collect logs from multiple devices
  - All devices must be signed into iCloud.
  - When feedback is submitted, the diagnostics upload from each device directly to Apple.

Managing software updates:
- Control over updating Apple devices
- Update compatibility with your company, school or institution
- Consistent deployment across devices
- Contain critical improvements for stability, performance and security.
- Organizations should do their best to deploy updates as swiftly as possible.
- MDM command to update devices to the latest OS version
  - Choose to download only, or download and install.
  - Only updates which are still being signed by Apple are permitted for installation.
  - In order to use MDM to remotely update the OS on the device, supervision is required.
  - For iOS / iPad OS: Passcode will need to be entered before OS update takes place.

Deferring software updates: iPad OS, iOS and tvOS
- MDM restriction available which defers over-the-air software updates
- Default delay is 30 days
- Delay can be overridden and specified as being a value between 1 day and 90 days.
- Once the delay expires, the next update in the deferral window is evaluated. Next update will either be deferred itself or presented immediately for installation.

No downgrades or rollbacks
- Reverting to an older OS involves wiping the device
- Apple only supports updating devices to newer versions of the OS.
- Apple signs its software for production use and older releases may have their signing revoked to ensure that customers are not susceptible to downgrade attacks.

Deferring software updates: macOS
- On macOS, automatic checking for updates, download and installation of updates is controlled via the settings in the Software Update preference pane in System Preferences. These settings are manageable via MDM.
- For macOS, the deferral process is similar to the process used on iOS/iPad OS/tvOS. A profile may be deployed to defer updates up to 90 days.
- Unique features in macOS:
  - Deferred updates are transparent to the user in System Preferences
  - Once an update is past the deferral window, the user receives a notification and the update will be visible in System Preferences.
  - Deferring software updates does not require being supervised
  - Updates are deferred by date, not version number. This allows the deferral of multiple software updates in succession rather than deferring only one update at a time.

Changes to managed software updates
- Support for deferring software updates during beta seeding in macOS Big Sur 8
- Support for deferring major releases was introduced in macOS Catalina 10.15.4

Securing software updates
- Unification of installation technologies across iOS and macOS
- Snapshot-based updates
  - Snapshot of the system volume is taken and the snapshot is updated while the user is using their Mac.
  - Snapshots are cryptographically sealed using authenticated APFS. This allows verification on boot that the user system matches what was delivered to the Mac by Apple.
- Cryptographically sealed system volume
- Remotely driven updates

Removals
- Custom catalog support has been removed
- The installation catalog will be managed by Apple
- No longer possible to ignore updates indefinitely
- Ignore is supported in these releases if the device is supervised:
  - macOS Catalina 10.15.6
  - macOS Mojave 10.14.6 (following installation of the Mojave security updates released along with 10.15.6)
Jun ’20
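The deferral mechanics described in the post above (and the 90-day major/non-OS deferral listed under Managed Software Update in the Big Sur device-management notes earlier on this page) as an added example, not from the session notes or from Apple: it builds the restriction payload and models the by-date deferral window. The `com.apple.applicationaccess` key names are assumed from Apple's public configuration-profile reference, and the release dates in the demo are constructed sample values.

```python
"""Software-update deferral: restriction payload and date-based visibility.

Added example, not from the session notes or from Apple. The restriction
keys in the com.apple.applicationaccess payload are assumed from Apple's
public configuration-profile reference. The visibility model implements
what the notes describe: each update stays hidden for `delay` days after
its own release date, so several updates can be deferred in succession.
"""
import plistlib
import uuid
from datetime import date, timedelta
from typing import Dict, List

MIN_DELAY_DAYS = 1
MAX_DELAY_DAYS = 90        # the notes: deferral is capped at 90 days
DEFAULT_DELAY_DAYS = 30    # the notes: default deferral window


def is_valid_delay(days: int) -> bool:
    """The deferral window must be a whole number of days from 1 to 90."""
    return isinstance(days, int) and MIN_DELAY_DAYS <= days <= MAX_DELAY_DAYS


def deferral_payload(delay_days: int = DEFAULT_DELAY_DAYS, defer_major: bool = True,
                     defer_apps: bool = False,
                     identifier: str = "com.example.update-deferral") -> Dict:
    """One com.apple.applicationaccess payload (assumed key names)."""
    if not is_valid_delay(delay_days):
        raise ValueError(f"delay must be {MIN_DELAY_DAYS}..{MAX_DELAY_DAYS} days, "
                         f"got {delay_days!r}")
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Software update deferral",
        "forceDelayedSoftwareUpdates": True,        # turn OS-update deferral on
        "enforcedSoftwareUpdateDelay": delay_days,  # deferral window in days
    }
    if defer_major:
        payload["forceDelayedMajorSoftwareUpdates"] = True  # major releases (10.15.4+)
    if defer_apps:
        payload["forceDelayedAppSoftwareUpdates"] = True    # Apple app updates (Big Sur)
    return payload


def build_profile(delay_days: int = DEFAULT_DELAY_DAYS, **kwargs) -> bytes:
    """Wrap the payload in a device-scoped .mobileconfig (XML plist bytes)."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": "com.example.update-deferral.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Managed software update deferral",
        "PayloadContent": [deferral_payload(delay_days, **kwargs)],
    }
    return plistlib.dumps(profile)


def load_profile(data: bytes) -> Dict:
    """Parse profile bytes back into a dict for inspection."""
    return plistlib.loads(data)


def visible_updates(releases: Dict[str, str], delay_days: int, today: str) -> List[str]:
    """Deferral by date: an update is shown once release + delay <= today.

    `releases` maps version -> ISO release date; `today` is an ISO date.
    Because each update carries its own release date, a newer update can
    still be hidden while an older one has already surfaced.
    """
    if not is_valid_delay(delay_days):
        raise ValueError(f"invalid delay {delay_days!r}")
    cutoff = date.fromisoformat(today) - timedelta(days=delay_days)
    return sorted(v for v, released in releases.items()
                  if date.fromisoformat(released) <= cutoff)


if __name__ == "__main__":
    # Constructed sample release dates, not an Apple release calendar.
    sample = {"11.0.1": "2020-11-12", "11.1": "2020-12-14"}
    print(build_profile(60).decode())
    print("visible on 2020-12-20:", visible_updates(sample, 30, "2020-12-20"))
```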