WWDC Platforms State of the Union Notes

ADC account will now cover Mac, iOS and watchOS

One ADC membership covers all - $99/year


iOS 9 will take up 1.3 GBs of space. OS updates will automatically download overnight.



iOS app-slicing - Developer submits an app to the App Store, App Store will deliver to the device only the component parts of the app that the device can use. Don't have the fast CPU on the device? App Store will leave out the fast-CPU dependent parts of the app.



iOS passcodes are now going from four digits by default to six.



System Integrity Protection


  • Protects system files
  • No installing in system locations
  • Protects system processes
  • For developers, streamlined developer workflow to accommodate System Integrity Protection.
  • Utility available in the Recovery partition to disable System Integrity Protection.



IPv6:



  • Use the standard networking frameworks
  • Avoid IPv4-specific APIs
  • Avoid hard-coding addresses in apps




Improved right-to-left language support, important for languages like Arabic or Hebrew.


Improved link support in iOS 9. Clicking on a link will open up the appropriate native app.


- For example, if someone emails you a link pointing to Twitter, the link will open in the Twitter app rather than Safari.



On OS X, links like these will still open in Safari.




iCloud



iCloud drive


  • iOS getting an iCloud Drive app
  • Allows browsing of iCloud Drive folders and directory structure (created on OS X.)



Swift 2



  • OSI-approved permissive license
  • Available later this year
  • Outside code contributions will be accepted



Swift in Xcode 7



  • Revamped Swift migrator - will move your code from Swift 1 to Swift 2
  • Rich comments in Swift - uses Markdown, can add images and links.



Swift Testing in Xcode 7



  • Unit testing
  • User Interface Testing
  • Code Coverage

Replies

Several interesting thoughts.


Apple Configurator 2.0 might be a game changer in shared use/education environments. sToken support / DEP


OS X Server 5 is OS X agnostic - supports both 10.10.4 and 10.11.0


Looks like there is a new profile for hidden service/admin accounts. This will be very interesting.

Interestingly, it looks like you can still modify files and folders within /System/Library/User Template. I just verified that I could successfully use the following command with root privileges:


touch "/System/Library/User Template/English.lproj/Desktop/test.txt"


I then created a new user account and verified that a text file named test.txt was on that new account's Desktop.

That makes me sad.

Interestingly, it seems that if you upgrade a system to 10.11 from 10.10, any binaries installed in "protected" directories continue to work. Maybe they are whitelisting on the fly?

There appear to be a couple of things at play regarding rootless mode:


/System/Library/LaunchDaemons/com.apple.rootless.init.plist - Calls /etc/libexec/rootless-init (registers with XPC?)

/System/Library/Sandbox/rootless.conf - Configures the system locations to sandbox - an asterisk or name in the first column appears to override this globally or by executable name

/System/Library/Sandbox/rootless.compat - Whitelisted executables? Legacy?

/System/Library/Sandbox/com.apple.xpc.launchd.rootless.plist - XPC authorizations config


The one tool that can enable and disable rootless mode right now is on the Recovery partition under /System/Library/CoreServices/Security Configuration.app. It reboots the Mac immediately after applying the configuration change (it calls shutdown -r now).


This appears to write a non-removable key (as far as I've been able to determine so far) named "csr-active-config" which the Security Configuration tool writes to. Notable is that this also appears to affect single user mode - I was not able to make any changes to protected system locations with rootless mode enabled while in SUM. Disabling rootless mode made modifications possible. As far as the "non-removable key" goes: it appears the csr-active-config nvram key is not easily removed using the nvram command. In testing from a Recovery mode Terminal I was able to completely clear all keys except for this one (nvram -c). The key remained with its current configuration set. I am not quite sure yet how the nvram key and rootless-init are connected.


Curious to hear what others have found.


Thanks,

Pepijn.

/System/Library/LaunchDaemons com.apple.rootless.init.plist


There's also a LaunchD located above.


/System/Library/PrivateFrameworks/SIUFoundation.framework


New SIU framework that I haven't delved into.


/System/Library/PrivateFrameworks/WatchdogService.framework


Showed Rich this earlier. Return of the Apple Server?


/System/Library/CoreServices/Security Configuration.app

/System/Library/CoreServices/Security\ Configuration.app/Contents/MacOS/Security\ Configuration


You can run this binary without going into the Recovery Partition, however there are not any CLI options.


/System/Library/CoreServices/XProtect.Bundle


New bundle for XProtect

Another thing Rich and I noticed is User Templates can be written to, but Wallpapers and the Default Desktop symlink are locked.

Rich listed in some notes elsewhere that you can see what files are restricted in /System/Library/Sandbox/rootless.conf. The asterisk denotes items that are excluded from SIP.


Also using the -O (cap o) with the 'ls' command shows if a file is restricted.
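
The example below is added here and is not code from any poster in the thread or from Apple. It reads a file in the rootless.conf layout described above (first column empty, an asterisk, or a name; the path follows after tabs) and reports how the most specific matching entry treats a given path. The longest-prefix rule, the function names and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Classify a path against a rootless.conf-style file.
# Assumed layout, per the thread: column 1 is empty (protected),
# "*" (excluded from SIP) or a name (exception for that name);
# the path follows after one or more tabs.

# Constructed sample entries, not a copy of a real rootless.conf.
make_sample() {
    printf '# constructed sample\n'
    printf '\t\t\t\t/System\n'
    printf '*\t\t\t\t/System/Library/Caches\n'
    printf '*\t\t\t\t/System/Library/User Template\n'
    printf 'booter\t\t\t\t/System/Library/CoreServices\n'
    printf '\t\t\t\t/usr\n'
    printf '*\t\t\t\t/usr/local\n'
}

# sip_status CONF PATH
# Prints protected, excluded, exception:<name> or unlisted.
# Assumption: the longest matching entry wins.
sip_status() {
    awk -F'\t+' -v target="$2" '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        {
            flag = $1; path = $2
            # An entry applies to the path itself and to anything below it.
            if (target == path || index(target, path "/") == 1) {
                if (length(path) > best) {
                    best = length(path)
                    if (flag == "")       verdict = "protected"
                    else if (flag == "*") verdict = "excluded"
                    else                  verdict = "exception:" flag
                }
            }
        }
        END { print (best ? verdict : "unlisted") }
    ' "$1"
}

# When run directly with one argument, check it against the live file.
if [ $# -eq 1 ]; then
    sip_status /System/Library/Sandbox/rootless.conf "$1"
fi
```

On a Mac, the result for a path can be compared with what `ls -O` shows for the same file, as mentioned in the last reply.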