Today Apple released an updated developer document informing us of upcoming notarization changes.
macOS 10.14.5 (18F108f) Beta 2 was released this afternoon, so you can begin testing the notarization changes now!
Update 04/09/19 – The cut-off date for new or updated Kernel Extensions has been found: 03/11/19.
Last year Apple took the covers off 10.14 Mojave at WWDC 2018. Apple then released information on the following new security features User Content (TCC), Enhanced Runtime & Notarized Apps. You can watch the entire WWDC presentation “Your Apps and the Future of macOS Security”.
Later that year Apple released a document reminding us of the upcoming changes. This time they gave us a time frame: “Spring 2019 release”.
A little history on Apple releasing mid-cycle security changes.
Last year Apple released the following security changes midway through High Sierra’s deployment.
User Approved MDM (UAMDM)
Apple released this document explaining the User Approved MDM system and User Approved Kernel Extension Loading (UAKEL).
User Approved Kernel Extension Loading
Apple then announced changes around User Approved Kernel Extension Loading (UAKEL). “Starting with macOS 10.13.4, enrolling in MDM no longer disables User Approved Kernel Extension Loading, and extensions previously allowed to load for that reason now require approval”.
10.14.5 Notarization requirements.
This bit of information was just made public late this afternoon. Looking at the requirement paragraph we can make some guesses.
Looking over this paragraph the important part seems to be “all new or updated”.
10.14.5 – New or updated Kernel Extensions
I think this means that once you have 10.14.5 any NEW or UPDATED Kernel extension will NOT LOAD unless it is fully notarized.
Example #1 – I build a brand new application today that has a built-in Kernel Extension. I did not notarize the kernel extension. If I tried to install this app on a 10.14.5 system the Kernel Extension would NOT INSTALL.
Example #2 – If I attempt to install Symantec Endpoint Protection.app, which has a Kernel extension built in, on a 10.14.5 system, the app WILL INSTALL because this application was built before the change.
10.14.5 – All software from Developers new to distributing with a Developer ID.
Reading this again I think it’s the same as Kernel extensions. If you build apps with a brand new Developer ID notarization is required for your app to install.
Example #1 – I build a brand new Application with my new Developer ID that I signed up for today. When I go to install this app on a 10.14.5 system Gatekeeper will BLOCK this application from installing.
Example #2 – I built an application last year with my Developer ID. I attempt to install this application today and Gatekeeper WILL ALLOW the install.
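The examples above all come down to one question a MacAdmin has to answer before a package reaches 10.14.5 machines: does Gatekeeper see this bundle as notarized, as merely Developer ID signed, or as rejected? The script below is an added example, not code from the original post or from Apple. It wraps `spctl --assess --type execute -vv` (a real macOS command whose output includes a `source=` line such as `source=Notarized Developer ID` or `source=Developer ID`) and classifies that output. The three sample outputs are constructed to mirror the real format so the classifier can be exercised on a non-Mac host; the app names and team ID in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or from Apple): triage app bundles
# by the "source=" line that spctl --assess prints, so non-notarized software can
# be found before 10.14.5 Gatekeeper blocks it on a user's Mac.

# classify_spctl_output: take one spctl -a -vv result as a string and print a
# single word: notarized, developer-id, rejected, or unknown.
classify_spctl_output() {
    _out="$1"
    case "$_out" in
        *rejected*)                        echo "rejected" ;;
        *"source=Notarized Developer ID"*) echo "notarized" ;;
        *"source=Developer ID"*)           echo "developer-id" ;;
        *)                                 echo "unknown" ;;
    esac
}

# check_app: assess a real bundle on macOS and classify it. Returns 2 when
# spctl is not present (any non-macOS host), so callers can tell "could not
# check" apart from "checked and not notarized".
check_app() {
    _path="$1"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available on this host" >&2
        return 2
    fi
    _res=$(spctl --assess --type execute -vv "$_path" 2>&1)
    classify_spctl_output "$_res"
}

# Constructed samples (placeholder app names and team ID), shaped like the
# multi-line text spctl -a -vv prints for each of the three outcomes.
SAMPLE_NOTARIZED='/Applications/ExampleNotarized.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (PLACEHOLDER)'

SAMPLE_DEVID='/Applications/ExampleOlder.app: accepted
source=Developer ID
origin=Developer ID Application: Example Corp (PLACEHOLDER)'

SAMPLE_REJECTED='/Applications/ExampleUnsigned.app: rejected
source=no usable signature'

# Usage: sh notarize-triage.sh /Applications/Foo.app /Applications/Bar.app
# Prints one "<verdict><TAB><path>" line per bundle when run on macOS.
if [ "$#" -gt 0 ]; then
    for _app in "$@"; do
        printf '%s\t%s\n' "$(check_app "$_app")" "$_app"
    done
fi
```

A `developer-id` verdict on a brand-new Developer ID, or on a bundle that carries a new or updated kext, is the case the post describes as blocked on 10.14.5; the same bundle signed with an older, already-distributed Developer ID is the "will allow" case, which is why the script reports the signing source rather than a simple pass/fail.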
Update 04/09/19 – The date for new/updated kernel extensions is 03/11/19.
What do mid-cycle security changes mean for MacAdmins?
I posted above about mid-cycle security update releases because this is the new norm for Mac Administration. Apple is no longer releasing features and security enhancements in the gold master and calling it a day. They are continuing to secure macOS, and if that means releasing a security change mid-cycle, so be it! Again, this is a good thing; anything Apple can do to secure macOS is what we want. The rub is that MacAdmins have to continually be on top of these changes or they will come back to bite us.
Learn with us! Join the #notarization channel on MacAdmins.slack.com
Notarization is still new to most of us and will start to affect you soon. It’s better to learn how this new system works so you can be ahead of the game!