Today Apple released macOS Mojave 10.14.6 (18G48f) Beta 2 to Developers and Public Beta Testers.
macOS Mojave 10.14.6 (18G48f) Beta 2 was released today June 11th, 2019 at 12:00 CST. As a MacAdmin it’s important that you take time to test Apple’s Beta Releases. Beta 2 patch notes do not list any fixes this time around.
Final call for last minute fixes in Mojave!
If you look at previous releases (10.11, 10.12 & 10.13), the 10.14.6 update will most likely be the last update Mojave receives before 10.15 hits. Be sure to get all your last minute bug fixes into Apple ASAP. Now that 10.15 Beta 1 is out most engineers have moved to the new OS.
10.14.6 (18G48f) Beta 2 Release Notes
Overview
The macOS 10.14.4 SDK provides support for developing apps for Macs running macOS Mojave 10.14.6. The SDK comes bundled with Xcode 10.2.1 available from the Mac App Store. For information on the compatibility requirements for Xcode 10.2.1, see Xcode 10.2.1 Release Notes.
General
There are no SDK release notes for this software update.
macOS Mojave 10.14.6 (18G48f) Beta 2
IMPORTANT NOTE:
Don’t forget that the AD Mobile Account option to “Update Keychain Password” when resetting your password outside the Mac is still broken in 10.14.5. This issue is still not fixed in the 10.14.6 Beta! Be sure to contact Apple if you haven’t already done so!
WWDC is here again! On Monday, June 3rd, 2019 Apple released macOS 10.15 Catalina. The first question MacAdmins have is, what changes do I need to know about and how will they affect my macOS deployments? Hopefully, I will help you answer that question with this article. I am following the same format as my previous Notarization Index post. MacAdmins have told me they really liked having all the important information on a topic in one place. MacAdmins like Robert Hammen, Charles Edge and Rich Trouton are already crushing it by gathering information on all the latest changes. In this post, I will keep an updated index of changes and links to keep you informed of the latest public information regarding macOS 10.15 Catalina.
zsh is now the default shell instead of Bash – Starting with the macOS Catalina beta, your Mac uses zsh as the default login shell and interactive shell. You can make zsh the default in earlier versions of macOS as well. https://support.apple.com/en-us/HT208050
Python 2.7 is deprecated.
Scripting language runtimes such as Python, Ruby, and Perl are included in macOS for compatibility with legacy software. Future versions of macOS won’t include scripting language runtimes by default, and might require you to install additional packages. If your software depends on scripting languages, it’s recommended that you bundle the runtime within the app.
Use of Python 2.7 isn’t recommended as this version is included in macOS for compatibility with legacy software. Future versions of macOS won’t include Python 2.7. Instead, it’s recommended that you run python3 from within Terminal.
32-bit applications are now deprecated
If you still have older software that is 32-bit, it will NOT load.
Profile installation using the profiles command-line tool will be deprecated in future releases of macOS.
New Activation Lock Option for T2 Macs. – All Mac models with the Apple T2 Security Chip now support Activation Lock — just like your iPhone or iPad. So if your Mac is ever misplaced or lost, the only person who can erase and reactivate it is you. More info: forums.developer.apple.com/message/363374
New Read-Only Filesystem Partition. User data is stored on the 2nd partition “Macintosh HD — Data”. MacOS Catalina runs in a dedicated, read-only system volume — which means it is completely separate from all other data, and nothing can overwrite your critical operating system files.
NOTE: Beta 1 – The Macintosh HD read-only partition is writeable.
If you want to enable read-only mode you have to place a file in the root of the drive:
sudo touch /.rootro
Then reboot to enable read-only mode.
Verify by trying to create /.rootro2:
sudo touch /.rootro2
You should get touch /.rootro2: Read-Only file system
NOTE #2: Beta 2 – The Macintosh HD read-only partition is now protected by default.
When checking on Beta 2 you should get touch /.rootro2: Read-Only file system from running sudo touch /.rootro2, without having created /.rootro first.
TCC now covers the user’s Desktop & Documents folders, cloud and external drives. – macOS Catalina checks with you before allowing an app to access your data in your Documents, Desktop, and Downloads folders; iCloud Drive; the folders of third-party cloud storage providers; removable media; and external volumes. In addition, you’re asked before an app can perform key logging or capture a still or video recording of your screen.
User Space System Extensions and DriverKit. – Previously many hardware peripherals and sophisticated features needed to run their code directly within macOS using kernel extensions, or kexts. Now these programs run separately from the operating system, just like any other app, so they can’t affect macOS if something goes wrong.
Marzipan is now Project Catalyst – Allowing iOS apps to be ported over to macOS using Xcode.
lpadmin: Printer drivers are deprecated and will stop working in a future version of CUPS. CUPS printer drivers and backends are deprecated and will no longer be supported in a future feature release of CUPS. Printers that do not support IPP can be supported using applications such as ippeveprinter.
Enterprise Connect is transforming from an app into a new Apple first-party Single Sign-On macOS extension. This new extension delivers improved Kerberos support on macOS. Developers can now build SSO extensions that integrate with websites or native apps and support identity providers like Microsoft Azure AD, Okta and Ping. 10.14 and under will still support the old application for 1 year.
SecureToken BootStrap or Active Directory BootStrap Tokens will be a new way for Active Directory accounts to get a SecureToken. This will need to be applied from a UAMDM via profile. This new feature will be for the 2nd, 3rd or 4th Active Directory SecureToken user only, NOT the first user to log into the system.
4. Security Changes
Notarization is now enforced for all packages, applications and installers built on or after June 1st, 2019. EDIT: See update below.
This includes Kexts, but enforcement was already put into place on macOS Mojave 10.14.5.
Gatekeeper Improvements – Gatekeeper will ensure that all new apps you install — from the App Store or the internet — have been checked for known security issues by Apple before you run them the first time and periodically thereafter. This extends the protection from the app’s source to include automated checks for what’s in the app.
UPDATE: 10/03/19 – Apple has changed this and Kexts will NOT require a reboot! Original note: Kernel Extensions (Kexts) now require a reboot to load – Installing third party kernel extensions now requires that you restart your Mac before they’re permitted to load.
Requirements for trusted certificates in macOS 10.15 – Learn about new security requirements for TLS server certificates in iOS 13 and macOS 10.15. support.apple.com/en-us/HT210176
FileVault & fdesetup changes – FileVault FV2 now requires User-Approved MDM Enrollment or UAMDM. You also can’t pass username/password authentication to fdesetup enable. These changes may break existing scripts, workflows or MDM agents. Be sure to check man fdesetup in 10.15 beta to read more about the new Authorization policy. You will need to follow at least one path to use fdesetup to enable FileVault Encryption.
Advances in macOS Security – We are on a journey to continuously improve macOS security, with a particular focus on preventing malware and protecting user data. developer.apple.com/videos/play/wwdc2019/701/
Network Extensions for the Modern Mac – Learn about powerful new APIs in macOS that you can use to create apps that extend and customize the networking capabilities of macOS without using kernel extensions. developer.apple.com/videos/play/wwdc2019/714
What’s New in Apple File Systems – Learn about what’s new in file system technology, including changes to file system layout and imaging technologies. developer.apple.com/videos/play/wwdc2019/710/
What’s New in Managing Apple Devices – Learn about the latest management enhancements for iOS, macOS, and tvOS and the evolution of management tools over the past year. developer.apple.com/videos/play/wwdc2019/303
App Distribution – From Ad-hoc to Enterprise – Whether you want to share your app with a few colleagues, deliver it to employees within an organization, or release it to the world, there’s a distribution mechanism designed to fit your needs. developer.apple.com/videos/play/wwdc2019/304
Advances in Networking – Part 1 – Keep up with new and evolving networking protocols and standards by leveraging the modern networking frameworks on all Apple platforms and following best practices for efficiency and performance. developer.apple.com/videos/play/wwdc2019/712/
Advances in Networking – Part 2 – Take your networking apps to the next level with advances in Bonjour, custom message framing handlers, and the latest in security. developer.apple.com/videos/play/wwdc2019/713/
Introducing Sign In with Apple – Sign In with Apple is the fast, easy way for people to sign in to apps using the Apple IDs they already have. developer.apple.com/videos/play/wwdc2019/706/
System Extensions and DriverKit – One of the next steps in modernizing and improving the security and reliability of macOS is to provide a better architecture for kernel extensions and drivers. developer.apple.com/videos/play/wwdc2019/702
All About Notarization – Notarization is all about identifying and blocking malicious Mac software prior to distribution, without requiring App Review or the Mac App Store. developer.apple.com/videos/play/wwdc2019/703
7. MacAdmins Blog Links
This list is specifically for MacAdmins. This will be an ongoing list of articles and posts that will help you learn the latest 10.15 changes.
The macOS 10.15 SDK provides support for developing apps for Macs running macOS Catalina 10.15. The SDK comes bundled with Xcode 11 beta available from Beta Software Downloads. For information on the compatibility requirements for Xcode 11, see Xcode 11 Beta Release Notes.
Installing third party kernel extensions now requires that you restart your Mac before they’re permitted to load.
Deprecations
macOS frameworks are now thinned for the x86-64 architecture. Apps that execute i386 code now fail with the EBADARCH error code. The remaining stub frameworks are nonfunctional and exist only for compatibility purposes.
9. macOS Catalina 10.15 Beta 1 Known Issues
Migration Assistant is currently unable to correctly migrate data from a Mac running macOS 10.15 to another Mac running macOS 10.15.
Warning: Your Secure Token might be lost if FileVault is enabled on a non-APFS formatted volume while upgrading to macOS 10.15. You might be able to work around this by disabling FileVault before upgrading to macOS 10.15, then reenabling FileVault once the upgrade has completed.
During installation of macOS 10.15 you might be prompted to enter your administrator password multiple times to allow installation to proceed.
macOS 10.15 cannot be installed onto an encrypted volume unless it is already in the APFS format.
During upgrades to macOS 10.15, files and folders stored at the root-level of a volume are moved aside to /Library/SystemMigration/History/Migration-UUID/QuarantineRoot/.
If your Mac currently has macOS 10.10 or earlier installed, you must first upgrade to macOS Mojave 10.14 before upgrading to macOS 10.15.
The Install macOS 10.15 app might quit unexpectedly when run on macOS 10.9.
On Macs with the Apple T2 Security Chip, if you’ve used Startup Security Utility to lower Secure Boot to Medium Security or No Security, you’re currently unable to modify Secure Boot settings after upgrading to macOS 10.15.
Workaround: Set Secure Boot to Full Security before upgrading to macOS 10.15. Alternatively, disabling and reenabling FileVault might resolve the issue.
Some apps might not automatically relaunch after installation or updating and must be manually relaunched.
On Macs with the Apple T2 Security Chip, VoiceOver is currently unavailable while in macOS Recovery.
When using the SecureEnclave API with access control set on keys, users might not be prompted to authenticate. This might cause subsequent operations requiring authentication to fail.
Volume replication shouldn’t be used with Fusion volumes, either as a source or destination.
Apple today released a MacBook Pro Supplemental Update for 2018-19 T2 15″ MacBook Pros.
Update 05/24/19 9:00AM: I have updated this article to include BuildVersion info and Apple Download Links.I will continue to add more information when I find it.
The MacBook Pro Supplemental Update is specifically targeted at 15″ 2018 & 2019 T2 MacBook Pros with 10.14.5. The update does NOT show up as available for 10.14.4 and lower OS versions. The update weighs in at 946.8 MB.
UPDATE: After the update is installed the BuildVersion number will be (18F203). BridgeOS will also be updated and listed as 16.16.5200.0.0,0.
This update is only available for board IDs Mac-937A206F2EE63C01 MacBook Pro (15-inch, 2018) & Mac-1E7E29AD0135F9BC MacBook Pro (15-inch, 2018) with a Vega ATI graphics card. It looks like the 2019 models share the same board IDs.
MacBook Pro Supplemental Update Download link and information
Apple also released a new 10.14.5 macOS Installer.app, the BuildVersion is (18F203).
UPDATE: The (18F203) Install macOS Mojave .app installer so far seems to be for 2018 15″ T2s. I have gone through the board IDs of the 10.14.4 Install .app and 10.14.5 18F203 and found no new board IDs that would identify the new 2019 MacBook Pros.
10.14.5 (18F203)
This update weighs in at 6.51 GB and has a Product ID number of 041-64745. You will only be able to download this installer if you are using a 2018 or 2019 15″ T2 MacBook Pro.
I ran some more tests trying to download the Install macOS Mojave.app (18F203). It seems you have to be on a 2018 15″ MacBook Pro to get the download. To get it from the App Store you have to be on 10.14.5 and on a 2018-19 15″ T2. If you are on anything else you get the (18F132) BuildVersion. For installinstallmacos.py you have to be on a 2018 15″ T2 but can be on an OS lower than 10.14.5. I tested this with a 2018 15″ T2 on 10.14.4 and was able to use installinstallmacos.py to download the .app (18F203) installer. But the build failed on a 10.13.6 2018 15″ T2. Also the board ID list for (18F203) is exactly the same as (18F132), so it doesn’t seem to be a 2019 MacBook Pro fork.
Is 10.14.5 (18F203) a hybrid fork?
Is the 10.14.5 (18F203) installer.app a hybrid fork, or was it an error on the installer compatibility list? Meaning I can only download this installer if I am on a 2018-19 15″ T2, but once downloaded I can install this version of the installer on any 10.14 compatible Mac.
MacOS System Status & Version Info
I am keeping track of all this on my macOS System Status & Version info page. This page was designed to help you keep up to date with the latest versions of macOS software and core applications.
Apple in a surprise launch ahead of WWDC19, releases new 2019 MacBook Pros with a new revised keyboard design. Apple also expanded the Keyboard Service Program to add the 2018 MacBook Pro & Air.
In a move most did not see coming, new 2019 MacBook Pros were released today. The big news is how the MacBook Pro is getting an 8-Core CPU for the first time. The real news you want to know about probably involves the keyboard. Was it redesigned? Has the mechanism changed? We know one answer was confirmed by Apple through TheLoop.
Another change in the newest MacBook Pro computers is with the keyboard. While Apple says the vast majority of its customers are happy with the keyboard, they do take customer complaints seriously, and work to fix any issues.
To address the problem, Apple said they changed the material in the keyboard’s butterfly mechanism that should substantially reduce issues that some users have seen.
Apple also told me that any problems with the butterfly keyboard on any of its MacBook Pros would be covered at no cost to the customer. The company has also taken steps to improve the repair process, shortening the time it takes to make repairs to the keyboards.
John Gruber @daringfireball.net dug in further when he spoke with Apple.
First, these new MacBook Pros still have the third-generation butterfly-switch keyboard that debuted with last July’s updated MacBook Pros. But Apple has changed the mechanism under the hood, using a new material for at least one of the components in these switches. The purpose of this change is specifically to increase the reliability of the keyboards. Apple emphasized to me their usual line that the “vast majority” of users have no problem with these keyboards, but they acknowledge that some users do and they take it very seriously.
2017 MacBook Pros with 3rd Gen Keyboard can get new revised replacement.
From the Verge
According to The Verge, some existing MacBook Air and MacBook Pro models that experience keyboard failures will have their keyboards replaced with the new 2019 keyboard that Apple has developed. Unfortunately, only MacBooks with the third-generation butterfly keyboard can get the updated 2019 keyboard, which includes the 2018 MacBook Pro and the 2018 MacBook Air.
Testing the new 2019 MacBook Pro.
I will try to get my hands on one of these new 2019 MacBook Pros as soon as possible. Looks like the earliest they can be had is Thursday May 23rd.
Forked version of macOS Mojave 10.14 ?
You can almost bet 100% that the new 2019 MacBook Pros will have a forked build of 10.14 on it. Checking Apple’s catalog nothing has shown up yet. I will update when I have more info.
If you have any questions, please don’t hesitate to Contact Me.
Today Apple released macOS Mojave 10.14.6 (18G29g) Beta 1 to Developers and Public Beta Testers.
10.14.6 (18G29g) Beta 1 was released today at 12:00 CST. As a MacAdmin it’s important that you take time to test Apple’s Beta Releases. 10.14.6 Beta 1 came up pretty fast this time around due to the new Intel Microarchitectural Data Sampling (MDS) vulnerabilities. Apple released 10.14.5 and 2019-003 a day before the news broke. I posted an article about this vulnerability yesterday.
Final call for last minute fixes in Mojave!
If you look at previous releases (10.11, 10.12 & 10.13), the 10.14.6 update will most likely be the last update Mojave receives before 10.15 hits. Be sure to get all your last minute bug fixes into Apple ASAP. macOS 10.15 will be announced at WWDC (I WILL BE THERE!) on June 3rd, 2019.
10.14.6 (18G29g) Beta 1 Release Notes
Overview
The macOS 10.14.4 SDK provides support for developing apps for Macs running macOS Mojave 10.14.6. The SDK comes bundled with Xcode 10.2.1 available from the Mac App Store. For information on the compatibility requirements for Xcode 10.2.1, see Xcode 10.2.1 Release Notes.
General
There are no SDK release notes for this software update.
Note:
Don’t forget that the AD Mobile Account option to “Update Keychain Password” when resetting your password outside the Mac is still broken in 10.14.5.
Editor’s Note: This post is MrMacintosh.com’s first guest article. Jason posted a summary of this new vulnerability last night. It immediately reminded me of how he owned the coverage of the 10.14.4 Gmail problem and before that the Spectre & Meltdown vulnerabilities. Last night I posted an article on how to mitigate the issue (Disable Hyper-Threading) if you are looking for a detailed step-by-step.
Last Updated: Tue May 14 20:41:42 CDT 2019
Microarchitectural Data Sampling (MDS) Vulnerabilities Summary
At this point there are four identified vulnerabilities that all share a common root: forcing information to leak from the CPU’s internal buffers. Much like the Spectre vulnerabilities announced in 2018, these flaws could potentially allow the execution of malicious code or the extraction of information on machines with Intel processors (at this time ARM and AMD processors are not affected). Intel has released microcode firmware updates to address the issue at the hardware level, but OS and application vendors will need to release additional software updates to patch potential exploit vectors from the software side.
For all vendors, disabling Hyper-Threading is the recommendation for the most complete mitigation, but in all cases there will be a performance impact for doing so. Disabling Hyper-Threading involves manipulating EFI/BIOS/NVRAM and a restart of the computer.
“MDS is not fully mitigated if your processor supports Hyper-Threads and Hyper-Threads are enabled.”
As of May 14th, 10.14.5 looks to be the only fully patched edition of macOS as Apple has noted that the version of Safari 12.1.1 included with 10.14.5 (Safari 12.1.1 also exists for macOS 10.12 and 10.13) contains additional fixes. It’s possible Apple will clarify the position of Safari 12.1.1 in 10.12 and 10.13 at a later date. Watch the two security documents below for additional changes.
From Apple on the Performance impact of disabling hyper-threading:
“The full mitigation, which includes disabling hyper-threading, prevents information leakage across threads and when transitioning between kernel and user space, which is associated with the MDS vulnerabilities for both local and remote (web) attacks.
Testing conducted by Apple in May 2019 showed as much as a 40 percent reduction in performance with tests that include multithreaded workloads and public benchmarks. Performance tests are conducted using specific Mac computers. Actual results will vary based on model, configuration, usage, and other factors.”
For Macs that support it, disabling Hyper-Threading requires booting to the Recovery Partition and editing NVRAM settings. There is no way to mass distribute these changes through MDM or script.
About the security content of macOS Mojave 10.14.5, Security Update 2019-003 High Sierra, Security Update 2019-003 Sierra
These Mac models may receive security updates in macOS Mojave, High Sierra or Sierra, but are unable to support the fixes and mitigations due to a lack of microcode updates from Intel:
1. MacBook (13-inch, Late 2009)
2. MacBook (13-inch, Mid 2010)
3. MacBook Air (13-inch, Late 2010)
4. MacBook Air (11-inch, Late 2010)
5. MacBook Pro (17-inch, Mid 2010)
6. MacBook Pro (15-inch, Mid 2010)
7. MacBook Pro (13-inch, Mid 2010)
8. iMac (21.5-inch, Late 2009)
9. iMac (27-inch, Late 2009)
10. iMac (21.5-inch, Mid 2010)
11. iMac (27-inch, Mid 2010)
12. Mac mini (Mid 2010)
13. Mac Pro (Late 2010)
Microsoft
Windows guidance to protect against speculative execution side-channel vulnerabilities
“Firefox has applied the mitigation recommended by Apple on macOS,” said a Mozilla spokesperson. “The macOS mitigation will be part of our upcoming Firefox release (67) and Extended Support Release update (60.7), both scheduled for May 21.”
Security researchers have found a new series of vulnerabilities in Intel chips dating back to 2011.
We now know why Apple released the 10.14.5 Combo update and the 2019-003 security updates early. Keeping with Apple’s normal release schedule, Combo and Security updates should have been released 2-3 weeks from now. The updates were released one day before news of the ZombieLoad new Intel chip vulnerability hit. This is great news, especially if you remember Apple’s response to the Meltdown & Spectre vulnerabilities. We had to push Apple to release fixes for 10.12 and 10.11 after the news hit.
NOTE: clarifying the situation.
The Mojave 10.14.5 update does the following
1. Updates Safari to version 12.1.1. “This update prevents exploitation of these vulnerabilities via JavaScript or as a result of navigating to a malicious website in Safari.”
2. Enables the ability for you to enable full mitigation by Disabling Hyper-Threading (instructions listed below)
The 10.12 and 10.13 (2019-003) security update only does the following.
Enables the ability for you to enable full mitigation by Disabling Hyper-Threading (instructions listed below)
Safari 12.1.1 is a separate install for both 10.12 and 10.13. I can’t find any documentation that confirms Apple patched this for 10.13 & 10.12 Safari. This will be the page to watch to see if Apple adds more information later. support.apple.com/en-us/HT210123
All Macs from 2011 & forward are vulnerable to this new attack.
You can read about this from multiple news sites below. We have to worry about both Speculative Execution Vulnerabilities and Microarchitectural Data Sampling (MDS) vulnerabilities.
Do I need to disable Hyper-Threading as mentioned in the above documents?
Almost all PC vendors say YES, but Intel says NO. According to Apple, “There are no known exploits affecting customers at the time”. The 10.14.5 combo update only covers updates to Safari (12.1.1). We will have to wait to see if this was addressed in the High Sierra and Sierra versions of 12.1.1. If you need full mitigation for the Mac you will need to disable Hyper-Threading.
Disabling Hyper-Threading
Let’s take a look at the instructions Apple gave us.
Step 1
Turn on or restart your Mac and immediately press and hold Command (⌘)-R or one of the other macOS Recovery key combinations on your keyboard.
oh no… If you are a MacAdmin you just realized this solution is not deployable by any means.
Step 2
From the Utilities menu in the menu bar, choose Terminal.
If you have a deployed T2 Mac with only one FV2 enabled standard user you will be out of luck. You can’t open terminal without a SecureToken Admin.
Step 3
Type the following two commands, one at a time, at the Terminal prompt. Press Return after each one.
nvram boot-args="cwae=2"
nvram SMTDisable=%01
Note #1: According to Apple you need to be on 10.14.5 or have 2019-003 installed on a 10.13 or 10.12 Mac for this to work.
Note #2: Apple mentions that disabling Hyper-Threading could “cause a 40 percent reduction in performance with tests that include multithreaded workloads and public benchmarks”.
Let’s boot to recovery and try this out.
After typing in both commands you can check to see if they are set in nvram by typing in
nvram -xp
This will print out all the variables in nvram. You will be looking for 2 entries.
<key>boot-args</key>
<string>cwae=2</string>
<key>SMTDisable</key>
<data>
AQ==
</data>
If you see these the settings should be in play. All you need to do is restart to enable the new settings.
Note: I tried this out on a system that did NOT have the 2019-003 security update on it and the commands did work. The system booted and was acting normal. It is possible that without the security update installed the system does not understand the values. When I checked for the Hyper-Threading Technology field in System Information it did not exist. I DO NOT RECOMMEND YOU DO THIS! I just tested this out so you know what happens.
Confirm the settings worked and Hyper-Threading is disabled.
Click the Apple menu, click “About This Mac”, then System Information. Under Hardware you should see the Hyper-Threading Technology field reported as Disabled.
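As an added example (not from the original post or Apple’s documentation), here is a POSIX shell script that confirms the mitigation from the command line instead of System Information: it checks an nvram -p dump for the two variables above and compares sysctl’s physical and logical CPU counts, since Hyper-Threading is off when the two are equal. Function names are my own; the script assumes nvram -p prints each variable as name, tab, value with non-printable bytes shown as %xx, and it accepts extra custom boot-args alongside cwae=2 as Apple’s note requires.

```shell
#!/bin/sh
# Added example (not from the original post): verify the MDS full mitigation
# from the command line. Function names are my own. Assumes macOS `sysctl -n`
# and `nvram -p` (which prints "name<TAB>value", non-printable bytes as %xx).

# Hyper-Threading is off when every physical core exposes exactly one logical CPU.
# $1 = hw.physicalcpu, $2 = hw.logicalcpu. Returns 0 when HT is disabled.
ht_disabled() {
    [ "$1" -eq "$2" ]
}

# Check an `nvram -p` dump ($1) for both settings Apple documents:
# cwae=2 must be one of the boot-args tokens (custom boot-args may also be
# present, per Apple's note) and SMTDisable must be %01.
nvram_mitigation_set() {
    args=$(printf '%s\n' "$1" | sed -n 's/^boot-args[[:space:]]*//p')
    smt=$(printf '%s\n' "$1" | sed -n 's/^SMTDisable[[:space:]]*//p')
    case " $args " in
        *" cwae=2 "*) ;;
        *) return 1 ;;
    esac
    [ "$smt" = "%01" ]
}

# Live check on a Mac: report both the NVRAM intent and the running state.
# NVRAM set but HT still enabled means the restart has not happened yet.
report() {
    phys=$(sysctl -n hw.physicalcpu)
    logi=$(sysctl -n hw.logicalcpu)
    if nvram_mitigation_set "$(nvram -p)"; then
        echo "nvram: boot-args cwae=2 and SMTDisable=%01 are set"
    else
        echo "nvram: full-mitigation variables NOT set"
    fi
    if ht_disabled "$phys" "$logi"; then
        echo "running: Hyper-Threading disabled ($phys physical / $logi logical CPUs)"
    else
        echo "running: Hyper-Threading ENABLED ($phys physical / $logi logical CPUs)"
    fi
}

# Only run the live check when asked, so the functions can be sourced elsewhere.
case "${1:-}" in --check) report ;; esac
```

Run it as sh mds_check.sh --check on the Mac being verified.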
How to revert back and enable HT again.
If you would like to revert the mitigation and reenable Hyper-Threading, reset NVRAM and restart your Mac. To reset the NVRAM remember you need to disable Firmware Password Protection.
GeekBench 4 Benchmark test
Figured it would be fun to run one test to see the performance hit when Hyper-Threading is disabled.
Again, this is only one test, but it sure seems far away from the 40% number.
Apple also notes the following
“If you previously set custom boot-args, you will need to add those boot-args to the nvram command.”
Note: The full mitigation is not enabled while using Boot Camp to run Windows on a Mac.
Disclaimer
As always when it comes to security, please be sure to test test test and follow Apple’s direct linked documentation if you need to enable security settings in a secure production environment.
Contact Me if you have anything to add to this Speculative Execution & ZombieLoad MDS Intel Chip Vulnerability article.
When sending the InstalledApplicationList MDM command to macOS clients, apps that had been installed via VPP would fail to report when an app update was available.
When using the Time Server payload on earlier version of macOS 10.14, the time zone was not getting set properly.
The Accessibility Events switch was removed, because related aspects of the W3C AOM effort are no longer applicable.
10.14.5 Standard Update Notes
Adds AirPlay 2 support for sharing videos, photos, music and more from your Mac directly to your AirPlay 2-enabled smart TV
[C and US English only] Adds the ability to follow a magazine from the Apple News+ catalog browsing view
[J only] Includes support for the Reiwa (令和) era of the Japanese calendar
Improves audio latency on MacBook Pro models introduced in 2018
Fixes an issue that prevented certain very large OmniOutliner and OmniPlan documents from rendering properly
Other New Updates Released
iTunes Device Support Update – 108.3 MB – MobileDeviceSU – 041-62886
Gatekeeper Config Data – v166 – 3.5 MB – 041-56834
10.13 High Sierra
10.13.6 High Sierra Security Update 2019-003 – New BuildVersion – (17G7024) Size 1.9 GB
If you are here for the 10.15.1 issue, you can follow the same 10.14.4 workaround instructions below.
UPDATE: 07/31/19
This will probably be the final update. Sadly the issue is NOT fixed in 10.14.6. Even worse, this will be the final update and the issue will not be fixed in Mojave. I submitted this issue right after it was found in 10.14.4 and it’s just a bummer that this will never be fixed in Mojave. The only good news I can give you is that this is fixed in macOS Catalina 10.15.
UPDATE: 07/09/19
The AD Mobile Account option to “Update Keychain Password” when resetting your password outside the Mac is still broken in macOS Mojave 10.14.5. This issue is still not fixed in the current 10.14.6 Beta! Be sure to contact Apple if you haven’t already done so!
10.14.4 Update password fixes/problems
I really like the 10.14.4 update, trust me I do! It arrived with so many fixes that have really helped MacAdmins. The problem is, it also broke a few things. Just when I thought we found all the fixes/problems a new one pops up. If you have been following along, this is now my 4th article on password fixes/problems in the 10.14.4 update. Let’s quickly review.
10.14.4 Update breaks “Update Keychain Password” process for AD Mobile Accounts.
This issue affects Active Directory Mobile Account users. If you use Mobile Accounts you have seen this message before.
You will only see this message if you change your Active Directory password outside the Mac. An example of this would be if you changed your AD password on a 2nd Mac, Windows PC or web portal. Logging in with the new password will sync that new password down to the Mac’s local cache but can NOT change the keychain password without the OLD password. You can click “Create New Keychain” and a brand new login keychain will be created. But what if you have Xcode developer certs and private keys or Wi-Fi certs? In this case you need your old keychain intact.
Clicking “Update Keychain Password” just creates a new login keychain.
If you click “Update Keychain Password” you should see this. (10.14.0-10.14.3)
Instead, after clicking the update button you will not see this message and you are now at the desktop. If you open up keychain access you will see that your login keychain was wiped out.
Workaround – Find renamed keychain, change password and restore.
Good news, I have a workaround for you. The old login keychain luckily still remains in ~/Library/Keychains.
We will have to perform a few steps to restore your old login keychain
1. Find renamed keychain – located in ~/Library/Keychains and called login_renamed_1.keychain-db
2. Change password of login_renamed_1.keychain-db from old to new
3. Remove login.keychain-db
4. Rename login_renamed_1.keychain-db to login.keychain-db
5. Restore login.keychain-db to Keychain Access.app
6. Log out and back in.
1. Find renamed keychain
The old keychain is located in ~/Library/Keychains and called login_renamed_1.keychain-db
2. Change login_renamed_1.keychain-db password
You used to be able to change the login keychain password through Keychain Access. This is no longer possible.
What if we clicked “Add Keychain” and tried to add the renamed keychain then try to change the password?
This looks promising but after clicking “change password for keychain login_renamed” nothing happens. I then tried to unlock it with the old password.
After unlocking I attempted to change the password again.
Still no go! After clicking change password nothing happened. At this point, I thought I was out of luck.
Enter CLI command security
Never give up a fight without visiting the Command Line Interface! The CLI can be your best friend. Let’s take a look at the security man page and see if anything will help us. Open Terminal and type man security.
set-keychain-password Set password for a keychain.
Oh yeah, now we are talking! Let’s take a look at the options.
Perfect, just what we are looking for. Let’s try it out: run security set-keychain-password with the path to login_renamed_1.keychain-db.
You will be prompted for your old password and then for the new one. Now that the old keychain has the same password as your AD account, we can move it back into Keychain Access.app.
3. Remove login.keychain-db
Now we can just delete the empty login keychain.
Right click on login and select Delete Keychain “Login” then click “Delete References & Files”. You should now only have Local Items, System and System Roots.
4. Rename login_renamed_1.keychain-db to login.keychain-db
We now need to rename login_renamed_1.keychain-db to login.keychain-db. You can do this either in Keychain Access or in the Finder. Let’s rename it in the Finder: click once on login_renamed_1.keychain-db and change the name to login.keychain-db.
5. Restore login.keychain-db to Keychain Access.app
Now all we need to do is add our old keychain back to Keychain Access.app. Right click in the keychain section and select “Add Keychain”.
Navigate to ~/Library/Keychains/login.keychain-db and select it. You will now see login in the keychain box! At this time it will be locked. You can test unlocking it now. Right click on login and select “Unlock Keychain login”
You will now be prompted to enter in your current password.
6. Log out and back in to confirm
You have now restored your old keychain. Log out and then back in to confirm. You are now good to go!
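The six steps above as a single shell script, added here as an example rather than code from the original post. It performs the Keychain Access.app steps (delete the empty keychain, add the old one back) with the security CLI instead. It assumes the renamed keychain sits in ~/Library/Keychains (override with KEYCHAIN_DIR), that you still know the old keychain password, and that login.keychain-db is the only keychain in the user search list; DRY_RUN=1 prints the commands instead of running them. Run it with --restore on the affected Mac, then log out and back in.

```shell
#!/bin/sh
# Restore a login keychain that the 10.14.4 "Update Keychain Password" bug
# renamed to login_renamed_N.keychain-db, using security(1) instead of
# Keychain Access.app. Added example, not code from the original post.
# Assumptions: the renamed keychain lives in KEYCHAIN_DIR (default
# ~/Library/Keychains), you still know the OLD keychain password, and
# login.keychain-db is the only keychain in the user search list.
# DRY_RUN=1 prints each command instead of executing it.

KEYCHAIN_DIR="${KEYCHAIN_DIR:-$HOME/Library/Keychains}"

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: print the single login_renamed_*.keychain-db in "$1". Refuse to
# guess if there are none or several (each failed update can leave another
# renamed copy), so the wrong keychain is never re-keyed or deleted.
find_renamed_keychain() {
    dir="$1"
    found=""
    count=0
    for f in "$dir"/login_renamed_*.keychain-db; do
        [ -e "$f" ] || continue
        found="$f"
        count=$((count + 1))
    done
    if [ "$count" -ne 1 ]; then
        printf 'expected exactly one renamed keychain in %s, found %s\n' "$dir" "$count" >&2
        return 1
    fi
    printf '%s\n' "$found"
}

# Steps 2-5 of the workaround.
restore_login_keychain() {
    dir="$1"
    renamed="$(find_renamed_keychain "$dir")" || return 1
    login="$dir/login.keychain-db"

    # Keep a copy first: set-keychain-password rewrites the file in place.
    run cp -p "$renamed" "$renamed.bak"

    # Step 2: re-key the old keychain. security prompts for the old password
    # and then for the new one (use the new AD password).
    run security set-keychain-password "$renamed"

    # Step 3: drop the empty login keychain macOS created; delete-keychain
    # removes both the file and its search-list entry.
    if [ -e "$login" ]; then
        run security delete-keychain "$login"
    fi

    # Step 4: put the old keychain back under its original name.
    run mv "$renamed" "$login"

    # Step 5: add it back to the user search list and mark it as the login
    # keychain (what "Add Keychain" in Keychain Access.app does).
    run security list-keychains -d user -s "$login"
    run security login-keychain -d user -s "$login"

    # Check: unlocking with the new password proves the re-key worked.
    run security unlock-keychain "$login"
}

# Step 6 (log out and back in) is left to the user.
if [ "${1:-}" = "--restore" ]; then
    restore_login_keychain "$KEYCHAIN_DIR"
fi
```

The refusal to proceed when more than one login_renamed_*.keychain-db exists is deliberate: a script that silently picks the first match can re-key and then delete the wrong file, and the empty login keychain is removed only after the old one has been successfully re-keyed.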
As always, we need to submit a bug report to Apple.
I cannot stress enough how important this is. The more reports we put in, the higher priority the issue gets. We are also running out of time: there are only about 3 weeks before 10.14.5 is released.
Thanks to hawkzhang45 from the JAMF Nation forum for calling this issue out, and to m.entholzner for confirmation and for submitting an Apple Enterprise ticket. You can read the original thread here.
We have been waiting for SecureToken documentation since 10.13 Beta 1 and the introduction of APFS. I go into this in my previous article, 3 Undocumented macOS Mojave 10.14 Enterprise Fixes, where I talk about what SecureToken is and why we need SecureToken documentation. The sysadminctl binary still doesn’t have a man page; you will see why once you read how Apple recommends that you use fdesetup instead of sysadminctl.
Documentation Please!
Many MacAdmins have called on Apple to give us some information explaining how the system works. Since 10.13 Beta 1 we have been left to fumble around and figure all this out on our own. The other problem was that from 10.13.0 to 10.14.4 the system had many bugs and changed behavior many times. It was hard to keep up, much less understand what was going on.
Enter macOS Deployment Reference “Use of SecureToken”
Now that we have the document, what does it say? Does it shed any light on the situation? In a word, no... but it finally puts everything into words for new MacAdmins. Most of the information was already known and hashed out by experienced MacAdmins who have spent hours testing SecureToken. Still, we will be able to share this document whenever anyone asks how SecureToken works.
Any key takeaways from the document?
1. If local user account creation in the macOS Setup Assistant is skipped using MDM and a directory service with mobile accounts is used instead, the directory user won’t be granted SecureToken when logging in to the Mac.
This statement is a little confusing, yet it can also be true depending on your setup. For example, you can use MDM/DEP with the “Skip Account Creation” setting and then bind to a directory service with a policy that enables FV2 at login. In this situation the management account/admin user is not granted a SecureToken; the first directory user to log in gets one when FV2 is enabled. This is the perfect scenario, because you don’t need a tech waiting around to enter the admin username and password when the first user logs in.
Editor’s Note for the above situation: if you do not have a policy to enable FV2 on login, the mobile account will not get a SecureToken. I never tested this scenario myself. Big thanks to TravellingTechGuy for the clarification; he put together a really nice SecureToken flow chart, which you can find here.
2. “Important: In macOS 10.13.5 or later when using a directory service and mobile accounts, users won’t be prompted about SecureToken during first login if there are no SecureToken accounts already available on the Mac. See below for additional information.”
In 10.13.3-10.13.4 directory users were prompted with this message even when they were the first user logging in; you had to hit Bypass to get that first-login SecureToken. Now, as this note states, the first user to log in is not prompted. The document also covers how you can disable this pop-up.
Seeing this note reminds me of an additional change to the SecureToken pop-up in 10.14.4: at login, the SecureToken message no longer appears if the only SecureToken account already on the system is not an admin. The point of the change is that a SecureToken holder must be an admin to enable the user who is logging in. If the existing SecureToken user is a standard (non-admin) user, there is no point showing the message, because that account could not add the new user to FileVault anyway.
3. “Managing which users can unlock a FileVault encrypted volume should generally be done using the command-line tool fdesetup. However, you can use the command-line tool sysadminctl specifically to modify SecureToken status for user accounts on the Mac. This should be done with caution and only when necessary.”
It’s interesting that Apple actually recommends fdesetup over sysadminctl, given that we all use sysadminctl to create accounts and manage SecureToken.
The problem with using fdesetup to add a user to FileVault is that sysadminctl then does not report the account’s SecureToken as enabled. Instead, you should really use diskutil apfs listCryptoUsers / or sudo fdesetup list -extended to get a proper list of enabled crypto users. I am just pointing out that we still get inconsistent results when checking the FV2 status of a user with sysadminctl.
You can try this yourself in 10.13.6 (17G6029) and 10.14.4 (18E226). After adding the user with fdesetup, sysadminctl -secureTokenStatus still reports:
sysadminctl Secure token is DISABLED for user mrmacintosh
The user can still unlock the volume in this condition, and is listed correctly by the commands above, diskutil apfs listCryptoUsers / and sudo fdesetup list -extended.
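To make that inconsistency visible on a fleet, here is an added shell example (not code from the original post or from Apple) that compares what sysadminctl -secureTokenStatus says with whether the user’s GeneratedUID appears in the output of diskutil apfs listCryptoUsers /. The sample command outputs embedded in the block are constructed, not captured from a real Mac; the parsing is deliberately loose (it only looks for the ENABLED/DISABLED phrase and for the UUID), and check_user has to run on a Mac because it calls dscl, sysadminctl and diskutil.

```shell
#!/bin/sh
# Cross-check one user's SecureToken status against the volume's crypto users.
# Added example, not code from the original post. The parsing functions take
# captured command output as arguments so they run anywhere; check_user gathers
# live output and needs macOS (dscl, sysadminctl, diskutil). The sample outputs
# below are constructed, not captured from a real Mac.

# GeneratedUID from "dscl . -read /Users/<name> GeneratedUID" output.
generated_uid_from_dscl() {
    printf '%s\n' "$1" | awk '/^GeneratedUID:/ { print $2 }'
}

# enabled / disabled / unknown, from "sysadminctl -secureTokenStatus <name>" output.
token_state_from_sysadminctl() {
    case "$1" in
        *"Secure token is ENABLED"*)  printf 'enabled\n' ;;
        *"Secure token is DISABLED"*) printf 'disabled\n' ;;
        *)                            printf 'unknown\n' ;;
    esac
}

# True when the UUID is listed in "diskutil apfs listCryptoUsers /" output,
# i.e. the account can actually unlock the FileVault volume.
uuid_is_cryptouser() {
    printf '%s\n' "$2" | grep -qiF -- "$1"
}

# Reconcile the two answers and print a one-line verdict.
reconcile() {
    uid="$1"
    state="$(token_state_from_sysadminctl "$2")"
    if uuid_is_cryptouser "$uid" "$3"; then crypto=yes; else crypto=no; fi
    case "$state/$crypto" in
        enabled/yes)  printf 'consistent: SecureToken enabled and user is a crypto user\n' ;;
        disabled/no)  printf 'consistent: no SecureToken and not a crypto user\n' ;;
        disabled/yes) printf 'MISMATCH: sysadminctl says DISABLED but the user can unlock the volume; trust diskutil/fdesetup\n' ;;
        enabled/no)   printf 'MISMATCH: sysadminctl says ENABLED but the user is not a crypto user\n' ;;
        *)            printf 'unknown: could not parse sysadminctl output\n' ;;
    esac
}

# Live check (macOS only): look up the user's GeneratedUID and compare.
check_user() {
    user="$1"
    uid="$(generated_uid_from_dscl "$(dscl . -read "/Users/$user" GeneratedUID)")"
    reconcile "$uid" "$(sysadminctl -secureTokenStatus "$user" 2>&1)" \
                     "$(diskutil apfs listCryptoUsers / 2>&1)"
}

# Constructed sample reproducing the post's case: a user added with fdesetup,
# sysadminctl still says DISABLED while the UUID is listed as a crypto user.
SAMPLE_DSCL="GeneratedUID: 1D2C3B4A-5E6F-4A7B-8C9D-0E1F2A3B4C5D"
SAMPLE_SYSADMINCTL="sysadminctl[512:4096] Secure token is DISABLED for user mrmacintosh"
SAMPLE_DISKUTIL="Cryptographic users for disk1s1 (2 found)
|
+-- 1D2C3B4A-5E6F-4A7B-8C9D-0E1F2A3B4C5D
|   Type: Local Open Directory User
|
+-- EBC6C064-0000-11AA-AA11-00306543ECAC
    Type: Personal Recovery User"

demo() {
    reconcile "$(generated_uid_from_dscl "$SAMPLE_DSCL")" "$SAMPLE_SYSADMINCTL" "$SAMPLE_DISKUTIL"
}

if [ "${1:-}" = "--user" ] && [ -n "${2:-}" ]; then
    check_user "$2"
else
    demo
fi
```

Run it as ./check.sh --user mrmacintosh on the Mac; with no arguments it evaluates the constructed sample and prints the MISMATCH verdict. The crypto-user list is treated as authoritative because it reflects what the volume will actually accept at the FileVault login screen, which is the point the post makes about fdesetup-added users.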
Conclusion
In this article I point out a few things that still need some work. With that said, this document is a move by Apple to give us the documentation we have asked for. We are also seeing more information in beta patch notes and in Enterprise Content when a combo update is released. I hope this trend continues!
Apple Link to Device And Data Security Use of SecureToken.