When Apple announces a new security feature on macOS it takes time to get a handle on how it will affect your deployment workflow. Most likely you are busy streamlining the last change! You end up searching Google for links so you can get up to speed as soon as possible. This time around I will attempt to make this easier on you. I will be collecting the most important Notarization links and adding them to this article. Some of the links I will be posting will be from Apple, MacAdmins, 3rd party vendors and security researchers. A lot of hard work and research was put into some of the articles below. Let’s get started!
Give users even more confidence in your software by submitting it to Apple to be notarized. The service automatically scans your Developer ID-signed software and performs security checks.
2nd Bulletin – April 10th 2019 – We’re working with developers to create a safer Mac user experience through a process where all software, whether distributed on the App Store or outside of it, is signed or notarized by Apple.
Transporter is Apple’s Java-based command-line tool for large catalog deliveries. You can use Transporter to deliver your pre-generated content, in a Store Package, to the iTunes Store, Apple Books, and App Store.
Updated Notarization Requirements 09/03/19 until January 2020
Sophos.com– Advanced Endpoint Protection with EDR and Artificial Intelligence, Next Gen Firewall with Synchronized Security and Business-Grade Security for Home Users.
If you use Active Directory Mobile Accounts with FileVault, password sync problems will be very familiar to you. I have good news: macOS Mojave 10.14.4-10.14.6 can now sync AD Mobile Account password changes to FileVault when you don’t know the AD password. Apple added this new feature to macOS 10.14.4 for Mobile Accounts. In previous releases, you needed the old password to sync the password down to FileVault. Local Accounts have had this ability for years. Rich Trouton put together a great article on Resetting and Syncing FV2 Local account passwords. He mentions the methods are only for Local Accounts, NOT Mobile Accounts.
You forgot your AD password on 10.13.0-10.14.3
Users who fall into this situation are in a pinch and options to get the system to sync the new password to FileVault are limited. You could boot the system up using the PRK (Personal Recovery Key) and then have the Help Desk reset the AD password. This would get you into the system but your FV2 password would never sync. You will be forced to continue to unlock the Mac with the PRK (Personal Recovery Key), then login with the new AD password.
The only way to fix this was to have a SecureToken Admin on the system.
Do you have an admin support account that is FileVault/SecureToken enabled? Listed below are two methods to fix out-of-sync passwords.
1. fdesetup remove / re-add user
sudo fdesetup remove -user userwhoforgotpass
Then re-add the user by running
sudo fdesetup add -user localadminuser -usertoadd userwhoforgotpass
What this does is remove the user from the enabled FileVault user list, then add them back. The sync happens when you are prompted for the new password while re-enabling the account for FileVault unlock.
2. sysadminctl -secureTokenOff/On
You can also use sysadminctl. Start by turning off SecureToken and then turn it back on.
The process of turning off SecureToken and then turning it back on will sync the password. Also note that you don’t have to run sysadminctl with sudo.
Problem is, some companies don’t want a FileVault enabled admin account on the system.
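As an added example (not code from the original article), the shell helpers below wrap both resync methods described above. The parsing functions take tool output as a string so they can be checked on any machine; the output formats assumed here are fdesetup list printing one "username,UUID" line per enabled user and sysadminctl -secureTokenStatus logging a line containing "Secure token is ENABLED/DISABLED". The script name and the user names are placeholders.

```shell
#!/bin/bash
# Added example, not from the original article. Wraps the two resync methods
# above. Parsing helpers take the tool output as a string so they can be
# exercised anywhere; the do_* functions run the real fdesetup/sysadminctl
# commands and let them prompt for every password ("-" asks sysadminctl to
# prompt), so no password lands in the shell history or the process list.

# `fdesetup list` prints one "username,UUID" line per FileVault-enabled user
# (format assumed from the tool's current output). Print just the usernames.
fv_users_from_list() {
    printf '%s\n' "$1" | awk -F, 'NF >= 2 && $1 != "" { print $1 }'
}

# Succeed if user $1 is present in the `fdesetup list` output $2.
fv_user_enabled() {
    fv_users_from_list "$2" | grep -qx -- "$1"
}

# `sysadminctl -secureTokenStatus <user>` logs a line containing
# "Secure token is ENABLED for user ..." or "... DISABLED ..." (assumed format;
# it is written to stderr, hence the 2>&1 below). Print ENABLED/DISABLED/UNKNOWN.
token_state_from_output() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Method 1: drop the user from the FileVault user list and add them back,
# authenticating as a FileVault-enabled admin. The add step prompts for the
# user's NEW password, which is what brings the pre-boot password in sync.
do_fdesetup_resync() {
    user=$1; admin=$2
    if ! fv_user_enabled "$user" "$(sudo fdesetup list)"; then
        echo "$user is not in the FileVault user list; nothing to re-sync" >&2
        return 1
    fi
    sudo fdesetup remove -user "$user" || return 1
    sudo fdesetup add -user "$admin" -usertoadd "$user"
}

# Method 2: turn SecureToken off and back on for the user. Refuses to start
# unless the token is currently ENABLED, so a user who never had one is not
# silently left without it.
do_sysadminctl_resync() {
    user=$1; admin=$2
    state=$(token_state_from_output "$(sysadminctl -secureTokenStatus "$user" 2>&1)")
    if [ "$state" != ENABLED ]; then
        echo "SecureToken for $user is $state; expected ENABLED" >&2
        return 1
    fi
    sysadminctl -secureTokenOff "$user" -password - -adminUser "$admin" -adminPassword - || return 1
    sysadminctl -secureTokenOn  "$user" -password - -adminUser "$admin" -adminPassword -
}

# Usage: fvresync.sh fdesetup|sysadminctl <user-who-forgot> <securetoken-admin>
# (placeholder script name). Without arguments only the functions are defined.
case "${1:-}" in
    fdesetup)    do_fdesetup_resync "$2" "$3" ;;
    sysadminctl) do_sysadminctl_resync "$2" "$3" ;;
esac
```

Both paths require the SecureToken admin to authenticate interactively, which is exactly the dependency the next paragraph objects to; the script only makes that dependency explicit and refuses to toggle a token that is not currently enabled.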
NOTE: diskutil apfs updatePreboot / – Does NOT sync the password!
Running diskutil apfs updatePreboot / does NOT sync the password from the OS to FileVault. If this worked in the past, it was only a coincidence: if you changed your AD password outside the Mac, password syncing to FileVault would sometimes take 2-3 restarts. This command was only really needed when you wanted to add a new FileVault user to the system; running it would add the new user to the FileVault pre-boot window. You only had to run this command in 10.13. That was actually a bug and was fixed in 10.14: the new account now automatically shows up at the FV2 pre-boot window after creation.
Reading the third line, it does seem to match our situation. If you forgot your AD password, you would have to continually unlock the Mac with the PRK. You would be forced to do this each time you turned on your Mac or restarted. Notice the wording, it does not say “Fixes”.
How to reset your AD mobile account password and have it sync to FileVault, when you don’t know the previous password.
You need to meet all of the following prerequisites.
macOS Mojave 10.14.4 or newer.
Active connection to Active Directory.
Access to the PRK (Personal Recovery Key)
You have the ability to change your password outside the Mac (2nd Mac, Windows PC, or Web Portal). Or the Help Desk can reset and issue you a temporary password which you can then use to set a new password at the loginwindow.
Since you don’t know the previous password you can’t even get past the FileVault unlock screen, so you will need access to the PRK. Click the user who needs their password reset. In the password field you will now see a ? button; click it and you can type in the Personal Recovery Key. Try this neat trick to get the Mac’s serial number: click the ? a second time.
After booting the system with the Personal Recovery Key the process will stop at the login window. On 10.13.0-10.14.3 systems you are prompted to reset the password at the login window.
This feature is for Local Accounts Only. To change your AD Mobile Account password from the Mac you must give Active Directory the OLD password. You can only do this with System Preferences > Users & Groups > “Change Password” or dscl. As you can see above the interface does not have a box for Old Password.
10.14.4 will now show a new pop up for Mobile Accounts after booting with the PRK.
The Mac now realizes that you are trying to reset a Mobile Account Password. You will no longer see the Reset Password pop up. This is because AD requires that you enter in the OLD password. Since you don’t know it, you will not be able to reset your password. This is why macOS will not show you the password reset window anymore for mobile accounts. If you use the PRK from a Local Account you will get password reset window with password fields like you would normally expect.
Step 2. Reset the AD Password.
As noted above, for this to work you can reset your AD password in one of two ways.
Call the Help Desk and have them reset the password and then issue you a temporary password.
Reset the password on a 2nd Mac, Windows PC, Web Portal etc.
Either way works with the password change system.
If you called the Help Desk and had them reset your AD Password they can now give you a temporary password. Your account will be flagged “Password must be changed on next login“. Enter in your username and then type in the temporary password. Hit enter and you will now get a new pop up window.
Enter in your new password. Click Reset Password when ready. You will be greeted with the login keychain message. You will receive this message anytime you change the password outside the Mac. Click “Create New Keychain” and the Mac will continue to login.
Step 3. Restart to complete the FileVault sync.
You will need to restart at least one more time to complete the sync process.
On this next restart you will need to enter in the PRK ONE MORE TIME.
NOTE: I am still trying to figure out if having to use the PRK twice is a bug or not. I think it is because you don’t have to do this extra step with local accounts.
After you perform one last PRK boot, enter in the username and new password and you will be at the desktop once again. The process is now complete, you can restart to confirm. Use your new AD password to unlock the volume and the system will now auto boot you to the desktop.
Conclusion
This is my 3rd article on password fixes/improvements/problems in 10.14.4
MacAdmins who use Active Directory Mobile Accounts want a working password change system that functions seamlessly with FileVault. Now that we have a working native AD Plugin, will this stop the mass exodus to Local Accounts? Only time will tell.
Today Apple released a new BuildVersion of macOS Mojave, 10.14.4 (18E227). The previous build version was 10.14.4 (18E226). The last time a new BuildVersion was released like this with no documented changes was macOS High Sierra. The BuildVersion went from (17G65) to (17G66).
If you look at 18E226 we do have a size difference.
The size difference between the 2 installers is very small but still different. Opening up both installers in Suspicious Package.app, I looked inside InstallESD.dmg. Inside was the Core.pkg. I compared 18E226 to 18E227 and they both have 460,632 files installing 12.63GB to the system.
This is only for the full “Install macOS Mojave.app” installer. This is not an combo update or security update.
You do not have to replace 18E226 with 18E227. If you are preparing for upgrades and already cached 18E226 to your Macs, you don’t have to re-cache 18E227. As far as we know this is only a re-write of the original 10.14.4 (18E226) installer. 18E226 is no longer available for download.
BridgeOSUpdate also released
Apple also re-released the BridgeOSUpdateCustomer with the Product ID 041-56509.
The previous BridgeOSUpdate 041-49224 was only a few bytes smaller. As of April 18th 2019 the current T2 BridgeOS/iBridge version is 16.16.4507.0.0,0
UPDATE: 05/16/19 – 10.14.5 Update fixes this issue
As noted above this issue is now fixed in macOS 10.14.5. You can read on if you are interested in how this all went down.
I have been testing the new password fixes/changes in macOS Mojave 10.14.4. You can see the changes in the “What’s new in the updates for macOS Mojave” support document. What I found was, the 10.14.4 Update breaks local account password reset when using the FileVault Recovery Key.
I wrote about how 10.14.4 fixes Mobile Account password syncing issues present in 10.14.0-10.14.3. This was a huge win for Active Directory users. We finally have a functioning password change system in place. I found this problem while testing these new fixes. Instructions for this procedure are listed in this Apple Support Document.
Let’s confirm this on 10.14.3 and 10.14.4
I setup a fresh 10.14.4 (18E226) system, created a local account and then enabled FileVault. I then performed the following test.
Boot system – Select user
Click the ? Button so I can enter the recovery key.
The system will now boot to the login window
You will see the username filled in with your username with the password reset window.
Type in a brand new password and then hit “Reset Password”
The window thinks for a second then shakes you off.
The password is not changed.
Performing the same test on 10.14.3 (18D109) worked as designed. After clicking “Reset Password” the system accepts the new password then logs you in.
Workaround: resetpassword in Recovery
Good thing is, the resetpassword application in the recovery partition still works.
1st way to reset your password. Boot to Recovery
Boot your Mac holding Command R to boot the Mac into the Recovery Partition. Once in click Utilities from the Menu Bar then select Terminal. Once in type in resetpassword, then follow the instructions.
Note: If you have a T2 Mac, this option requires that you have a SecureToken Admin on the system to access the Terminal.app.
2nd way to reset your password, the FV2 Screen.
You can trigger the 2nd way at the FV2 login window.
Wait up to a minute at the login screen, until you see a message saying that you can use the power button on your Mac to shut down and start up again in Recovery OS. If you don’t see this message, FileVault isn’t on.
Press and hold the power button until your Mac turns off.
Press the power button again to turn on your Mac.
When the Reset Password window appears, follow the onscreen instructions to create a new password.
If you would like to follow Apple’s instructions on how to reset local account passwords you can visit this Apple Support Article.
“Radar or it didn’t happen”
This was a really great quote from Jason Broccardo @zoocoup. Filing bugs and tickets is a really important task for MacAdmins. Apple rates issues by the number of reports/tickets they get for each issue. If this feature is important to you please do the following.
Then open up an Open Radar on openradar.appspot.com. This will help with tracking and you can let others know about the issue. (This site is not affiliated with Apple Inc.)
Today Apple released an updated developer document informing us of upcoming notarization changes.
macOS 10.14.5 (18F108f) Beta 2 was released this afternoon, so you can begin testing notarization changes now!
Update 04/09/19 – The cut off date has been found for new or updated Kernel Extensions 03/11/19
Last year Apple took the covers off 10.14 Mojave at WWDC 2018. Apple then released information on the following new security features User Content(TCC), Enhanced Runtime & Notarized Apps. You can watch the entire WWDC presentation “Your Apps and the Future of macOS Security”.
Apple then announced changes around User Approved Kernel Extension Loading (UAKEL). “Starting with macOS 10.13.4, enrolling in MDM no longer disables User Approved Kernel Extension Loading, and extensions previously allowed to load for that reason now require approval”.
10.14.5 Notarization requirements.
This bit of information was just made public late this afternoon. Looking at the requirement paragraph we can make some guesses.
Looking over this paragraph the important part seems to be “all new or updated”.
10.14.5 – New or updated Kernel Extensions
I think this means that once you have 10.14.5 any NEW or UPDATED Kernel extension will NOT LOAD unless it is fully notarized.
Example #1 – I build a brand new application today that has a built-in Kernel Extension. I did not notarize the kernel extension. If I tried to install this app on a 10.14.5 system the Kernel Extension would NOT INSTALL.
Example #2 – If I attempt to install Symantec Endpoint Protection.app that has a Kernel extension built in on a 10.14.5 system. The app WILL INSTALL because this application was built before the change.
10.14.5 – All software from Developers new to distributing with a Developer ID.
Reading this again, I think it’s the same as kernel extensions: if you build apps with a brand new Developer ID, notarization is required for your app to install.
Example #1 – I build a brand new Application with my new Developer ID that I signed up for today. When I go to install this app on a 10.14.5 system Gatekeeper will BLOCK this application from installing.
Example #2 – I built an application last year with my Developer ID. I attempt to install this application today and Gatekeeper WILL ALLOW the install.
Update 04/09/19 – The date for new/updated kernel extensions is 03/11/19
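The examples above describe what Gatekeeper will and will not admit; the quickest way to check a specific build before deploying it is to ask Gatekeeper directly. The script below is an added example (not code from the original post) that runs spctl's assessment and reduces its verbose output to a one-word verdict. The output layout (a "<path>: accepted|rejected" line followed by "source=..." and "origin=..." lines) is assumed from current spctl behaviour, and the script name is a placeholder.

```shell
#!/bin/bash
# Added example, not from the original post: ask Gatekeeper what it would do
# with an app bundle or installer package and turn spctl's verbose output into a
# one-word verdict. The output layout (a "<path>: accepted|rejected" line, then
# "source=..." and "origin=...") is assumed from current spctl behaviour.

# $1 = spctl --assess -vv output. Prints:
#   notarized    accepted, ticket seen (source=Notarized Developer ID)
#   developerid  accepted on Developer ID alone (build predating notarization)
#   appstore     accepted, Mac App Store signature
#   accepted     accepted for some other reason (e.g. a local allow rule)
#   rejected     Gatekeeper would block it
#   unknown      output did not match the expected layout
gatekeeper_verdict() {
    out=$1
    source=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
    if printf '%s\n' "$out" | grep -q ': accepted$'; then
        case "$source" in
            "Notarized Developer ID") echo notarized ;;
            "Developer ID")           echo developerid ;;
            "Mac App Store")          echo appstore ;;
            *)                        echo accepted ;;
        esac
    elif printf '%s\n' "$out" | grep -q ': rejected'; then
        echo rejected
    else
        echo unknown
    fi
}

# Pull the Team ID out of the origin line, e.g.
# "origin=Developer ID Application: Example Corp (ABCDE12345)" -> ABCDE12345.
# Prints nothing when there is no origin line.
team_id_from_output() {
    printf '%s\n' "$1" | sed -n 's/^origin=.*(\([A-Z0-9]*\))$/\1/p' | head -n 1
}

# Assess a path with the right policy type: install for .pkg/.mpkg, execute
# for everything else. spctl reports on stderr, so merge it into stdout.
assess_path() {
    case "$1" in
        *.pkg|*.mpkg) policy=install ;;
        *)            policy=execute ;;
    esac
    spctl --assess --type "$policy" -vv "$1" 2>&1
}

# Usage: gk-check.sh <path>  (placeholder name). Exits 0 only for notarized
# items, which is what a 10.14.5+ deployment should be shipping.
if [ -n "${1:-}" ]; then
    out=$(assess_path "$1")
    echo "$1: $(gatekeeper_verdict "$out") team=$(team_id_from_output "$out")"
    [ "$(gatekeeper_verdict "$out")" = notarized ]
fi
```

A developerid verdict is the interesting one for the cut-off discussion above: the item is validly signed but carries no notarization ticket, so whether it still installs depends on when it was built, not on anything spctl can see. Recording the Team ID alongside the verdict lets you spot a package whose signer changed between releases.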
What does mid-cycle security changes mean for MacAdmins?
I posted above about mid-cycle security update releases because this is the new norm for Mac administration. Apple is no longer releasing features and security enhancements in the gold master and calling it a day. They are continuing to secure macOS, and if that means releasing a security change mid-cycle, so be it! Again this is a good thing; anything Apple can do to secure macOS is what we want. The rub is that MacAdmins have to continually stay on top of these changes or they will come back to bite us.
Learn with us! Join the #notarization channel on MacAdmins.slack.com
Notarization is still new to most of us and will start to affect you soon. It’s better to learn how this new system works so you can be ahead of the game!
How to download macOS Sequoia 15, Sonoma 14, Ventura 13, Monterey 12, Big Sur 11, Catalina 10.15, Mojave 10.14, High Sierra 10.13, Sierra 10.12, El Capitan 10.11, Yosemite 10.10, Mavericks 10.9, Mountain Lion 10.8 & Lion 10.7
UPDATED 10/04/24
If you are wondering how to download macOS full installers direct from Apple’s servers, you’ve found the right place. If you are a macOS user or just starting in Apple IT, you will find out pretty quickly this can get complicated.
8 Different ways to download macOS Full Installers
Need a full macOS installer to rebuild a Mac or create a USB Installer stick? I will show you 8 different ways to download macOS.
1. App Store = High Sierra, Mojave, Catalina, Big Sur, Monterey, Ventura, Sonoma & Sequoia
2. System Preferences/Settings = 10.14, 10.15, 11, 12, 13, 14 & 15 – NEW INFO!
The Mac App Store will be your main way to download macOS. You can download the following versions – 10.13, 10.14, 10.15, 11.7.10, 12, 13, 14 & 15. Each link below will open up that version in the Mac App Store. All you need to do is, click the Download Button. When the download is finished, the installer will be in /Applications.
NOTE: If you are looking for Apple.com direct download links for macOS 10.12 Sierra, 10.11 El Capitan, 10.10 Yosemite, 10.9 Mavericks, 10.8 Mountain Lion & 10.7 Lion skip to section Section 5 & 6
2. macOS New Upgrade System will NO LONGER Download the full installer Automatically -WARNING!
Apple added a new system preference and system settings pane in 10.14+, it’s called Software Update. This new section will show you available macOS software updates, but it will also show you upgrades! In this case we can use this pane to download and install macOS Ventura.
WARNING! macOS Ventura, Sonoma & Sequoia changes the upgrade system. The upgrade is now an “Update” and will not download the full installer app if you are on Monterey 12.3 or newer. If you are on Monterey 12.2.1 or below, you will get the full installer app from System Preferences.
After hitting the “Upgrade Now” button, macOS Ventura will start to download and then it will install on your main system immediately if the size of the update is under 12GB
If you are on Monterey 12.2.1 and below, Big Sur, Catalina or Mojave this is what you will see in Software Update:
3. Download Sequoia, Sonoma, Ventura, Monterey, Big Sur, Catalina, or Mojave with softwareupdate –fetch-full-installer
With the release of macOS 11 Big Sur & 10.15 Catalina we got a much-needed new option added to the softwareupdate binary: we can now download full installers!
To get more information you can just run the softwareupdate command from terminal.app and it will give you a quick overview of all the options.
softwareupdate --fetch-full-installer – this command will download the newest version of Monterey.
softwareupdate --fetch-full-installer --full-installer-version – This sub option will allow you to download specific versions. An example of this would be 14.6.1. An example of this command is
When the download is complete the macOS Installer app will be in /Applications
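The two softwareupdate options above are enough for a one-off download; when you script the fetch you also want to pick the version, and for that softwareupdate has a --list-full-installers option (on recent macOS releases) that the article does not mention. The script below is an added example, not code from the original article, that parses that listing, picks the newest release for a given major version and fetches it. The listing format ("* Title: macOS X, Version: A.B.C, Size: ...KiB, Build: ..., Deferred: ...") is assumed from the tool's current output, the sample listing in the test is constructed, and the script name is a placeholder.

```shell
#!/bin/bash
# Added example, not from the original article. Picks the newest listed full
# installer for a given major version and fetches it with the softwareupdate
# options described above. The listing format of
# `softwareupdate --list-full-installers` ("* Title: macOS X, Version: A.B.C,
# Size: ...KiB, Build: ..., Deferred: ...") is assumed from the tool's current
# output; older builds of the tool omit the Build field, which is tolerated.

# $1 = listing text. Print "version build" per installer ("-" if no build).
installers_from_listing() {
    printf '%s\n' "$1" | awk '
        /^\* Title:/ {
            v = ""; b = "-"
            n = split($0, f, ", ")
            for (i = 1; i <= n; i++) {
                if (f[i] ~ /^Version: /) v = substr(f[i], 10)
                if (f[i] ~ /^Build: /)   b = substr(f[i], 8)
            }
            if (v != "") print v, b
        }'
}

# $1 = major version (e.g. 14), $2 = listing text. Print the highest version
# with that major, comparing numerically per component (so 14.10 > 14.6.1).
latest_version_for_major() {
    installers_from_listing "$2" | awk -v major="$1" '
        {
            split($1, p, ".")
            if (p[1] != major) next
            key = sprintf("%03d.%03d.%03d", p[1], p[2], p[3])
            if (best == "" || key > best) { best = key; ver = $1 }
        }
        END { if (ver != "") print ver }'
}

# Fetch the newest full installer for major version $1 into /Applications.
# Fails cleanly when this Mac is not offered that major at all (see the
# compatibility rules later in the article).
fetch_full_installer() {
    listing=$(softwareupdate --list-full-installers 2>&1)
    ver=$(latest_version_for_major "$1" "$listing")
    if [ -z "$ver" ]; then
        echo "no full installer for macOS $1 is listed for this Mac" >&2
        return 1
    fi
    echo "fetching macOS $ver" >&2
    softwareupdate --fetch-full-installer --full-installer-version "$ver"
}

# Usage: fetch-installer.sh <major>  (placeholder name), e.g. fetch-installer.sh 14
if [ -n "${1:-}" ]; then
    fetch_full_installer "$1"
fi
```

The per-component numeric key matters: a plain string sort would rank 14.6.1 above 14.10, and you would silently cache a stale installer.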
4. Download macOS Sequoia, Sonoma, Ventura, Monterey or Big Sur Full installer via Apple SUS & InstallAssistant.pkg
You can download the full installer of macOS Big Sur from Apple’s own software update servers. The InstallAssistant.pkg includes the entire Install macOS Big Sur.app. Run the pkg and it will put the entire install app into your Applications folder!
installinstallmacos.py is a script that was written by Greg Neagle. The description reads – A tool to download the parts for an Install macOS app from Apple's softwareupdate servers and install a functioning Install macOS app onto an empty disk image
This script reaches out directly to Apple and downloads all the pieces that form the macOS install app. At the end it will install to a blank dmg image. In the end you have a fresh macOS Install app in a .dmg!
Opening the link above shows you the raw script. Download it by Right Clicking anywhere on the page and then select Save As. Now that you have the script, let’s run it.
Open up terminal.app. Below is an example how the script would look on your command line.
Notice that you have 8 versions of full macOS installers available! As of April 9th 2020, the latest version of Catalina is 10.15.4 (19E287). Select 2 (or 6 it’s doubled up for some reason) then hit enter.
The download will start and look like this
All of the download pieces are downloaded to /Users/yourhome/content/downloads
Making empty sparseimage...
installer: Package name is macOS Catalina
installer: Installing at base path /private/tmp/dmg.IJe432
installer: The install was successful.
When the download is complete the .dmg will be located at the root of your home folder.
3. What happens if you have an old version of installer.app on your system and want the latest version?
4. How do I check the macOS version number of Install macOS installer.app?
5. Downloading the latest version after finding an old version.
6. The Mac you are using has to be compatible with the macOS version you are trying to download.
7. If Mojave is not compatible with my system, how do I download High Sierra 10.13?
8. The dreaded 22mb “Stub” installer.
9. The Mac App Store was redesigned for Mojave 10.14!
10. Can I download High Sierra in the new Mojave App Store?
11. The new Mac App Store has solved the dreaded 22mb “Stub” installer problem.
12. Mac App Store Errors
13. Review of which macOS versions you can download on Mojave & High Sierra depending on your Mac Version.
14. Download full macOS installers using installinstallmacos.py
15. How to download macOS Catalina 10.15 Beta – Apple Beta Software Program.
16. Apple App Store Download links for 10.15, 10.14, 10.13 + direct download links for 10.12, 10.11 & 10.10.
1. Support.Apple.com/Downloads
Let’s say you want to download the full macOS installer.app from Apple so you can deploy in-place upgrades or build a USB Installer. Let’s first check Support.Apple.com/Downloads.
Hmmm… Searching for Mojave and High Sierra installers only show combo and security updates.
2. High Sierra Mac App Store
No big deal, let’s go to the High Sierra App Store and search for Mojave and High Sierra installers.
I found Mojave
High Sierra not found 404
Ok, well we are getting a little closer it seems. Searching for macOS Mojave comes up, yet High Sierra is nowhere to be found.
3. What happens if you have an old version of installer.app on your system and want the latest version?
The button under the Mojave Circle says OPEN instead of download ???
You now see Mojave is there in the Mac App Store, but instead of Download it says Open. Let’s find out what that means.
Seems like I already have the installer. Let’s click “Show Application” to find out more info.
After clicking Open I am presented with this message above. As you can see the App Store first searched my system and found that I already have macOS Mojave installer.app. Notice that it searches all locations, not just the Applications folder where the installer app normally is stored. It found the macOS Mojave Installer.app in a folder called test.
App Store found the installer!
Great, we are ready to go right? Not really because I have no clue what version this is. Looking at the creation date gives us a pretty good clue. MacOS Mojave was released on September 24th 2018. This Mojave installer download was created 23 days after release so it’s most likely 10.14.0.
4. How do I check the macOS version number of Install macOS installer.app?
We have multiple ways of checking the version number and build number. The easiest way is to simply look at the version number info from Get Info.
ah.. 14.0.22 = 10.14.0!
After checking the version number, I now know the macOS version is 10.14.0. We can find the build number inside the actual installer.app but knowing the version number is usually good enough unless you need a specific hardware build.
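Get Info works for one installer; for a cache full of them you want the same answer from a script. The block below is an added example, not code from the original article. It reads CFBundleShortVersionString from the installer's Info.plist and maps it to the macOS version the way the article does for 14.0.22 = 10.14.0; the extension of that mapping to Big Sur and later installers (bundle major 16 = 11, 17 = 12, and so on) and the InstallInfo.plist keys used for the build number are assumptions, not something the article states.

```shell
#!/bin/bash
# Added example, not from the original article. Reads the version of an
# "Install macOS *.app" bundle without opening Get Info and maps the bundle
# version to the macOS version it installs. The mapping generalises the
# article's "14.0.22 = 10.14.0": bundle major 13/14/15 -> 10.13/10.14/10.15,
# and (assumed, not stated in the article) 16 -> 11, 17 -> 12, 18 -> 13, ...
# The InstallInfo.plist keys used for the build are assumed from the
# 10.13-10.15 installer layout; newer installers do not carry that file.

# $1 = CFBundleShortVersionString such as 14.0.22. Print the macOS version.
macos_version_from_bundle_version() {
    major=${1%%.*}
    if [ "$major" = "$1" ]; then
        minor=0
    else
        rest=${1#*.}
        minor=${rest%%.*}
    fi
    if [ "$major" -le 15 ]; then
        echo "10.$major.$minor"
    else
        echo "$((major - 5)).$minor"
    fi
}

# $1 = path to Install macOS *.app. Print "<macOS version> (<build>)", with
# "unknown" for the build when the installer has no InstallInfo.plist.
installer_version() {
    app=$1
    bundle_ver=$(defaults read "$app/Contents/Info.plist" CFBundleShortVersionString) || return 1
    info="$app/Contents/SharedSupport/InstallInfo.plist"
    build=unknown
    if [ -f "$info" ]; then
        build=$(/usr/libexec/PlistBuddy -c 'Print :System Image Info:build' "$info" 2>/dev/null || echo unknown)
    fi
    echo "$(macos_version_from_bundle_version "$bundle_ver") ($build)"
}

# Usage: installer-version.sh "/Applications/Install macOS Mojave.app"
# (placeholder script name). Without an argument only the functions are defined.
if [ -n "${1:-}" ]; then
    installer_version "$1"
fi
```

Run it over every cached installer before you decide which one to re-cache; the build number, where available, is what distinguishes a hardware-specific (forked) build from the general release.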
5. Downloading the latest version after finding an old version.
I have macOS Mojave Installer.app on my system but it’s outdated. I need the latest version. We now need to get the app store to show the Download button instead of Open. Simply close the App Store, delete the old version of macOS Installer then re-open.
NOT THIS AGAIN!
I deleted the installer.app but the App Store still thinks that I have the installer. The button SHOULD switch to Download but didn’t. If this happens again just restart your Mac.
Great! Let’s start the download.
Perfect, after restarting the Mac App Store can’t find any version of the Mojave installer on your Mac so it now shows you the download button.
6. The Mac you are using has to be compatible with the macOS version you are trying to download.
The Mac App Store will not let you download a version of macOS that is not compatible.
We could not complete your purchase. This version of macOS 10.14 cannot be installed on this computer.
I STILL can’t download Mojave because the Mac I’m trying to download it on is not compatible. All I want to do is download macOS Mojave! I do understand why Apple did this, they don’t want a user to think they could install Mojave on a system that can’t run it. Apple should take this one step further and not show it as available in the App Store. Or have the button say Not Supported.
7. If Mojave is not compatible with my system, how do I download High Sierra 10.13?
How do I download macOS High Sierra 10.13? If searching for High Sierra in the App Store comes up empty, how can I download it? You have to visit the Apple Upgrading to High Sierra Support Page for the direct App Store link.
Why in the heck are you trying to install High Sierra when you can install MOJAVE?!?!? If you REALLY want to install High Sierra FINE…. we will give you the link.
We are back in the 10.13 App Store, let’s try to download again.
MacOS High Sierra 10.13 Mac App Store.
After clicking Download we finally get some action!
Wait a minute, that downloaded way too fast….
I have a pretty fast connection but not 5.3 gigabytes in 3 minutes fast. The download just finished let’s see what the deal is.
The dreaded macOS 22mb “Stub” installer
8. The dreaded 22mb “Stub” installer.
This is what’s known as the macOS “Stub” Installer. This is not the 5gb full installer we are looking for; it’s only 22mb! All this file will do is start the installation, only to download the full 5gb before beginning the install. You can’t boot from this file or create a USB Installer from this pkg.
While the 10.13 App Store does not allow you to download the full High Sierra installer, it will allow you to download the full version of Mojave.
9. The Mac App Store was redesigned for Mojave 10.14!
The App Store was totally redesigned for 10.14 Mojave. The look is pretty different from 10.13’s App Store. This is what the Mojave section looks like in the new App Store.
4.5 stars nice!!!
The new design aligns the Mac App Store with the iOS App Store. The first hint is that the Download button is now GET.
The GET button starts the process.
Sure you want to download a 6gb file?
Need Admin creds to start the download
Profit
We are off to the races now! The first thing you will notice is that instead of downloading macOS Mojave Installer inside the App Store it opens Software Update. Software Update will search for the Installer and ask if you are sure you want to download the 6gb Mojave Installer. After clicking download you will get a new prompt for admin credentials to start the download (not to actually install yet). After the download completes you will finally have the latest macOS installer.app.
10. Can I download High Sierra in the new Mojave App Store?
Good news, the Full High Sierra installer will now download from the new App Store.
Finally High Sierra!
11. The new Mac App Store has solved the dreaded 22mb “Stub” installer problem.
The “Stub” download problem can be reproduced using 10.13 App Store. Yet I can’t seem to reproduce this on 10.14. I have tried multiple machines. The “Stub” installer problem seems to be gone as long as you are using 10.14’s App Store.
12. Mac App Store Errors
If you get one of the following errors, look at the next section below.
The requested version of macOS is not available
This version cannot be installed on this computer
13. Review of which macOS versions you can download on Mojave & High Sierra depending on your Mac Version.
After all this testing, we know what can be downloaded from the App Store, and we also found out what can’t. After performing multiple tests with each OS: you can download any newer version and the current version, but only 1 OS behind. Otherwise you will get a mixture of “The requested version of macOS is not available” or “This version cannot be installed on this computer”.
T2 Security Chip equipped Macs
The following Macs have a T2 Security Chip.
1. 2017 iMac Pro
2. 2019 Mac Pro
3. 2018 Mac Mini
4. 2018-2010 MacBook Air
5. 2019 16″ MacBook Pro
6. 2018-2019 15″ MacBook Pro with TouchBar
7. 2018-2019 13″ MacBook Pro with TouchBar
10.14.4 and up (non T2 Macs) Mac App Store
Can download 10.14 & 10.13
(Note: on 10.14.0 – 10.14.3 High Sierra 10.13 shows as “not available” further confusing people)
Can’t download 10.12 or 10.11
10.14.x (T2 Macs) Mac App Store
Can download 10.14
Can’t Download 10.13
10.13.6 Mac App Store
Can download 10.14, 10.13 & 10.12
Can’t download 10.11
14. Download full macOS installers using installinstallmacos.py
I showed you how to download the macOS installer through the Mojave Mac App store. The thing is, a better way to download the full installer exists and is called installinstallmacos.py. I was going to explain how to use installinstallmacos.py here but now realize the topic deserves a full article. I did not even get into hardware specific (Forked) builds. As you can see we have a lot to go over, so stay tuned. I will put the link here when complete.
15. How to download macOS Catalina 10.15 Beta – Apple Beta Software Program.
macOS Catalina 10.15 Beta Software Program signup
If you would like to test Apple’s Public Betas you can sign up using this link. You can then download and try macOS Catalina 10.15 Beta.
In this article, I will talk a little bit about the current state of Apple’s Documentation. After that, I will show you 3 Undocumented 10.14 Mojave fixes that can help you as a MacAdmin.
Documentation, Documentation, and Documentation. Say it three times fast! MacAdmins just want Apple to provide proper documentation for features, controls and security settings and Enterprise Fixes. In some cases, Apple provides excellent documentation. An example of this would be the T2 Security Chip Security Overview released in October of last year. In other cases when it comes to binaries like sysadminctl not so much.
I tried searching for something that specifically mentions SecureToken or sysadminctl and came up empty.
The best that I could find was a document called “If you see authentication server errors when turning FileVault on in macOS High Sierra“. This article does not even mention SecureToken. You can get a few nuggets of information by checking the sysadminctl binary options, but sysadminctl doesn’t have a man page. I even performed a search on developer.apple.com/documentation, as you can see in the picture above. I will be writing about sysadminctl next week. Maybe I can create a MacAdmins version of a sysadminctl man page! Yet when I search for “SmartCard” three documents show up. SmartCard support is a small piece in the overall macOS pie, yet has multiple documents! Side Note: Shout out to all my peeps in the MacAdmins.slack.com #SmartCard channel (about 5 people) 🙂
Documentation is getting better.
If you have been keeping track, Apple documentation is getting better. If you look at the “What’s new in the updates for macOS Mojave” page you will see a large number of fixes. Eagle eye MacAdmins will be first to spot “Enterprise Content”, this is the stuff MacAdmins are interested in.
10.14.2
10.14.3
10.14.4
Check out that first one under 10.14.4! As noted in my previous article, I fought to get that one fixed since 10.14.0. It’s really great to see that fix get mentioned in the Enterprise Content area.
What do you mean, undocumented fixes?
Apple is constantly fixing things behind the scenes. MacAdmins continue to file radars, call AppleCare, test beta releases, submit feedback and submit Apple Enterprise Support tickets. Defects and bugs ARE getting fixed but are not listed in Apple’s Enterprise Content listing. I am not totally sure why certain fixes do not make the list.
Maybe Apple wants to keep the list short while focusing on the major fixes. I wish Apple would list more of them, even if they posted them in an enterprise-only area. An example of this would be AppleSeed for IT. If you are part of an Enterprise or School you can be selected to join the program. I highly recommend joining if you are not a member already. You can read the FAQ about joining eligibility here. Inside you will find links to macOS beta downloads and beta documentation. Each beta release (sometimes up to 6 releases per combo update) will show what has been fixed between updates. This is great information for any MacAdmin to have so you can stay on top of what’s going on.
3 Apple Enterprise fixes included in 10.14.0 – 10.14.4
1. macOS 10.14 Mojave can now provide FV2 Authenticated Restarts for combo updates and startosinstall.
In 10.14, macOS updates and upgrades are able to perform Authorized Restarts. This was not an option in previous releases. It is a pretty big deal, especially for #MacEDU and Enterprise customers who have computer labs.
Previously, if you installed a macOS update on an FV2-encrypted system, it would restart but STOP at the FV2 unlock screen. If you performed this update remotely, you lost control of the machine. Things get worse at the FV2 login window because the firmware will shut the Mac down after 5 minutes of inactivity. The same problem happens when you start a macOS upgrade. You will be disappointed after returning from lunch thinking the update is complete, only to find the Mac turned OFF. You then power the Mac back on only to find the installer has just started with 40 minutes remaining. With 10.14, if you kick off a combo update or macOS upgrade, the installer will perform an Authorized Restart and you will never get stuck at the FV2 prompt again!
For startosinstall you just have to store the Install macOS Mojave.app in a folder like /Users/Shared, then kick it off with this command: sudo /Users/Shared/Install\ macOS\ Mojave.app/Contents/Resources/startosinstall --nointeraction. The --nointeraction option suppresses the license agreement prompt.
2. Installing software updates using the -R restart option at the login window now properly restarts the Mac to the installer. (10.14.4)
When Apple released the T2 security chip they also added additional options to the softwareupdate binary so it could handle BridgeOS updates. Installing a combo update on a T2 Mac is now a multi-step process. Using softwareupdate, step one remains unchanged: it downloads the combo update from Apple and stores it in /Library/Updates. In step two, the Mac reaches out to Apple’s personalization service (gs.apple.com) to verify the BridgeOS and combo update. When verification is complete you will have a new folder in /Library/Updates called PersonalizedManifest.
You can automate the entire process with sudo softwareupdate -iaR. The -i option installs the update, -a applies to all updates and -R performs an automated restart. The process works just fine if you are the logged-in user. If the system needs to update the BridgeOS, the Mac will shut down and then power back on with the T2 chip to install the BridgeOS update. If the system does not require a BridgeOS update, the system will restart to the update installer. The problem comes in if you try to automate the install from the login window using the softwareupdate -R or --restart option. softwareupdate will run through the process listed above only to stop at the very end, unable to restart.
Looks great until the very end, when at the login window the system will NOT restart!
Once all your Macs are updated to 10.14.4, you can use the -R restart in all situations. softwareupdate can now restart the Mac if it’s at the login window.
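As an added example (not from the article, nor Apple's own tooling), here is a small POSIX shell helper that encodes the decision described above: it compares the running macOS version against 10.14.4 and the owner of /dev/console (root when nobody is logged in, per the usual MacAdmin idiom) and picks softwareupdate -iaR only where the article says -R actually works. The version strings and console owners fed to it in the usage block are constructed; on a real Mac the --run switch pulls them from sw_vers and stat.

```shell
#!/bin/sh
# Added example: choose a safe softwareupdate invocation based on the
# observation that before 10.14.4 the -R restart fails at the login window.

# version_ge A B: return 0 (true) when dotted version A >= B, e.g. 10.14.4 >= 10.14.3.
# Missing components count as 0, so 10.14 < 10.14.4.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# softwareupdate_plan VERSION CONSOLE_OWNER: print the command to run.
# CONSOLE_OWNER is the owner of /dev/console; "root" means the Mac is sitting
# at the login window (assumption: the common `stat -f %Su /dev/console` idiom).
softwareupdate_plan() {
    ver=$1; console=$2
    if version_ge "$ver" "10.14.4"; then
        # Fixed in 10.14.4: -R restarts correctly even at the login window.
        echo "softwareupdate -iaR"
    elif [ "$console" = "root" ] || [ "$console" = "loginwindow" ]; then
        # Pre-10.14.4 at the login window: install without -R, restart separately,
        # otherwise softwareupdate stops at the very end and never restarts.
        echo "softwareupdate -ia"
    else
        # Pre-10.14.4 with a user logged in: -R works as expected.
        echo "softwareupdate -iaR"
    fi
}

# Usage on a Mac: `sudo ./plan.sh --run` gathers the real values and executes the plan.
# Anywhere else (or without --run) the script only defines the functions above.
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--run" ]; then
    ver=$(sw_vers -productVersion)
    console=$(stat -f %Su /dev/console)
    plan=$(softwareupdate_plan "$ver" "$console")
    echo "macOS $ver, console owner $console -> $plan"
    # Word splitting of $plan is intentional: it is a command line we built above.
    $plan
    case $plan in
        *R) ;;  # softwareupdate handles the restart itself
        *) echo "No -R used: restart this Mac manually when the install finishes." ;;
    esac
fi
```

Note that on a T2 Mac the BridgeOS personalization step still has to happen before the restart, which is exactly why the script lets softwareupdate own the restart whenever -R is usable instead of calling shutdown itself.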
3. 10.14 FV2 Authorized restarts can use the PRK (Personal Recovery Key) again.
When 10.13 arrived you could no longer perform FV2 Authenticated restarts using the PRK (Personal Recovery Key). This feature was just flat out broken. It previously worked in 10.12 Sierra and below. NOTE: You could still perform an Authorized restart with your FV2 name and password. An example of a PRK Authorized restart would be if you are a Jamf Pro customer and had a policy that installed a package but also required a restart. You could select the option “Perform Authenticated Restart”; Jamf would then send an fdesetup authrestart using the PRK. The package would install and then the system would perform an FV2 authorized reboot so the user did not have to enter the password at the FV2 unlock screen.
10.12, 10.11 & 10.10 – Works!
$ sudo fdesetup authrestart
Enter a password for ‘/’, or the recovery key:
10.13 – Doesn’t work
$ sudo fdesetup authrestart
Enter the user name: (hit the enter key to toggle Recovery Key entry)
Error: Missing user name.
Error: Unable to restart (error = -54).
10.14 – Works again!
$ sudo fdesetup authrestart
Enter the Username: (again, hit the enter key to toggle Recovery Key entry)
Enter the current recovery key:
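The interactive sessions above show the prompt behaviour; for an unattended PRK restart of the kind Jamf performs, the key should never be typed on a command line, where it would be visible in process listings and shell history. The following POSIX shell script is an added example (not Jamf's or Apple's code): it validates the PRK format, wraps it in the property list that fdesetup reads from standard input with -inputplist, and only then calls fdesetup authrestart. It assumes the documented -inputplist behaviour where a Password key without a Username key is treated as the recovery key; the sample key in the usage block is constructed and not a real PRK.

```shell
#!/bin/sh
# Added example: FV2 authenticated restart with a Personal Recovery Key,
# handing the key to fdesetup via stdin instead of argv.

# is_valid_prk KEY: true when KEY has the usual PRK shape, six groups of four
# uppercase letters/digits separated by hyphens (e.g. ABCD-EFGH-IJKL-MNOP-QRST-UVWX).
# Because the character set is restricted, the key needs no XML escaping below.
is_valid_prk() {
    printf '%s' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# authrestart_plist KEY: print the plist fdesetup expects on stdin. No Username
# key is given, so the Password value is taken as the recovery key (assumption).
authrestart_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Password</key>
    <string>$1</string>
</dict>
</plist>
EOF
}

# prk_authrestart: read one PRK from standard input (e.g. from a root-only file)
# and perform the authenticated restart. Returns non-zero without touching
# fdesetup when the key is malformed or the hardware does not support authrestart.
prk_authrestart() {
    IFS= read -r prk || return 1
    if ! is_valid_prk "$prk"; then
        echo "prk_authrestart: key does not look like a Personal Recovery Key" >&2
        return 2
    fi
    if [ "$(uname)" != "Darwin" ]; then
        echo "prk_authrestart: fdesetup is only available on macOS" >&2
        return 3
    fi
    if [ "$(fdesetup supportsauthrestart)" != "true" ]; then
        echo "prk_authrestart: this Mac does not support authenticated restart" >&2
        return 4
    fi
    # The key travels through the pipe, not the process arguments.
    authrestart_plist "$prk" | fdesetup authrestart -inputplist
}

# Usage on a Mac, as root, with the key stored in a file only root can read:
#   sudo ./prk_authrestart.sh < /var/root/prk.txt
# The constructed key below only exercises the validation and plist helpers.
if [ "${1:-}" = "--selftest" ]; then
    is_valid_prk 'ABCD-EFGH-IJKL-MNOP-QRST-UVWX' && echo "format check: ok"
    authrestart_plist 'ABCD-EFGH-IJKL-MNOP-QRST-UVWX'
fi
```

On macOS 10.13, per the article, this call fails with error -54 because the PRK path of authrestart is broken there, so the script is only useful on 10.12 and earlier or on 10.14 and later.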
I hope that at least one of the fixes I mentioned in this article helps you. In the future I would love to see more documented Enterprise fixes listed in the combo update patch notes. Until then though, I will continue to document said fixes and let you know about them when I can.