In this article, I will talk a little bit about the current state of Apple’s Documentation. After that, I will show you 3 Undocumented 10.14 Mojave fixes that can help you as a MacAdmin.
Documentation, documentation, and documentation. Say it three times fast! MacAdmins just want Apple to provide proper documentation for features, controls, security settings and Enterprise fixes. In some cases, Apple provides excellent documentation; an example of this is the T2 Security Chip Security Overview released in October of last year. In other cases, such as binaries like sysadminctl, not so much.
The best that I could find was a document called “If you see authentication server errors when turning FileVault on in macOS High Sierra“. This article does not even mention SecureToken. You can get a few nuggets of information by checking the sysadminctl binary’s options, but sysadminctl doesn’t have a man page. I even performed a search on developer.apple.com/documentation as you can see in the picture above. I will be writing about sysadminctl next week. Maybe I can create a MacAdmins version of a sysadminctl man page! Yet when I search for “SmartCard” three documents show up. SmartCard support is a small piece in the overall macOS pie, yet has multiple documents! Side Note: Shout out to all my peeps in the MacAdmins.slack.com #SmartCard channel (about 5 people) 🙂
Documentation is getting better.
If you have been keeping track, Apple documentation is getting better. If you look at the “What’s new in the updates for macOS Mojave” page you will see a large number of fixes. Eagle-eyed MacAdmins will be the first to spot “Enterprise Content”; this is the stuff MacAdmins are interested in.
10.14.2
10.14.3
10.14.4
Check out that first one under 10.14.4! As noted in my previous article, I fought to get that one fixed since 10.14.0. It’s really great to see that fix get mentioned in the Enterprise Content area.
What do you mean undocumented fixes?
Apple is constantly fixing things behind the scenes. MacAdmins continue to file radars, call Apple Care, test beta releases, submit feedback and submit Apple Enterprise Support tickets. Defects and bugs ARE getting fixed but are not listed in Apple’s Enterprise Content listing. I am not totally sure why certain fixes do not make the list.
Maybe Apple wants to keep the list short while focusing on the major fixes. I wish Apple would list more of them, even if they posted them in an enterprise only area. An example of this would be AppleSeed for IT. If you are part of an Enterprise or School you can be selected to join the program. I highly recommend joining if you are not a member already. You can read the FAQ about joining eligibility here. Inside you will find links to macOS beta downloads and beta documentation. Each beta release (Sometimes up to 6 releases per combo update) will show what has been fixed between updates. This is great information for any MacAdmin to have so you can stay on top of what’s going on.
3 Apple Enterprise fixes included in 10.14.0 – 10.14.4
1. macOS 10.14 Mojave can now provide FV2 Authenticated Restarts for Combo and startOSinstalls.
In 10.14 macOS Updates and Upgrades are now able to perform Authorized Restarts. This feature was not an option in previous releases. This is a pretty big deal, especially for #MacEDU and Enterprise customers who have computer labs.
Previously, if you installed a macOS update and the system was FV2 encrypted, it would restart but STOP at the FV2 unlock screen. If you performed this update remotely you would lose control of the machine. Things get worse at the FV2 login window because the firmware will shut the Mac down after 5 minutes of inactivity. The same problem will happen when you start a macOS Upgrade. You will be disappointed after returning from lunch thinking the update is complete, only to find the Mac turned OFF. You then power the Mac back on only to find the installer has just started with 40 minutes remaining. With 10.14, if you kick off a combo update or macOS upgrade the installer will perform an Authorized Restart and you will never get stuck at the FV2 prompt again!
For startosinstall you just have to store the Install macOS Mojave.app in a folder like /Users/Shared. Then kick it off with this command: sudo /Users/Shared/Install\ macOS\ Mojave.app/Contents/Resources/startosinstall --nointeraction. The --nointeraction option suppresses the license agreement prompt.
2. Installing software updates using the -R restart option at the login window now properly restarts the Mac to the installer. (10.14.4)
When Apple released the T2 security chip, they also added additional options to the softwareupdate binary so it could handle BridgeOS updates. Installing a combo update on a T2 Mac is now a multi-step process. Using softwareupdate, step one remains unchanged: it downloads the combo update from Apple, which is stored in /Library/Updates. For step two, the Mac reaches out to Apple’s personalization service (gs.apple.com) to verify the BridgeOS and combo update. When the verification is complete you will have a new folder in /Library/Updates called PersonalizedManifest.
You can automate the entire process by using sudo softwareupdate -iaR. The -i option will install the update, -a will download all updates and -R will perform an automated restart. The process works just fine if you are the logged-in user. If the system needs to update BridgeOS, the Mac will shut down and then power back on with the T2 chip to install the BridgeOS update. If the system does not require a BridgeOS update, the system will restart to the update installer. The problem comes in if you try to automate the install from the login window using the softwareupdate -R or --restart option. softwareupdate will run through the process listed above only to stop at the very end, unable to restart.
Once all your Macs are updated to 10.14.4, you can use the -R restart option in all situations. softwareupdate can now restart the Mac even if it’s sitting at the login window.
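As an added example (my own pre-flight script, not something from the original post or from Apple), this wraps the unattended softwareupdate run so that -R is only passed when the two version boundaries described above say it will work: 10.14 for an FV2 authenticated restart, 10.14.4 for a restart from the login window. It assumes that /dev/console being owned by root means nobody is logged in, and it has to run as root on the Mac itself.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks before an
# unattended "softwareupdate -iaR" on a FileVault Mac, encoding the two
# version boundaries the article describes. Run as root on the Mac itself.
# Assumption: /dev/console owned by root means the Mac sits at loginwindow.

MIN_FV2_AUTHRESTART="10.14"       # updates get an FV2 authenticated restart
MIN_LOGINWINDOW_RESTART="10.14.4" # -R restarts the Mac even from loginwindow

# version_ge A B: succeed when dotted version A >= B (10.14 reads as 10.14.0).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# can_use_restart_flag VERSION CONSOLE_USER FV2_ACTIVE(true|false): succeed only
# when softwareupdate -R will actually bring the Mac back to a usable state.
can_use_restart_flag() {
    version=$1; console_user=$2; fv2_active=$3
    # Fix 1: below 10.14 an encrypted Mac restarts into the FV2 prompt and the
    # firmware powers it off after five minutes of inactivity.
    if [ "$fv2_active" = "true" ] && ! version_ge "$version" "$MIN_FV2_AUTHRESTART"; then
        return 1
    fi
    # Fix 2: below 10.14.4, -R from loginwindow runs the install but never restarts.
    if [ -z "$console_user" ] || [ "$console_user" = "root" ]; then
        version_ge "$version" "$MIN_LOGINWINDOW_RESTART"
    fi
}
main() {
    version=$(sw_vers -productVersion)
    console_user=$(stat -f %Su /dev/console)
    fv2_active=$(fdesetup isactive)   # prints "true" or "false"
    if can_use_restart_flag "$version" "$console_user" "$fv2_active"; then
        softwareupdate -iaR
    else
        echo "Skipping -R on $version (console: ${console_user:-loginwindow}, FV2: $fv2_active)" >&2
        softwareupdate -ia
    fi
}
# Only the macOS-specific part runs on a Mac; the helpers stay testable anywhere.
if command -v sw_vers >/dev/null 2>&1; then main; fi
```

When -R is skipped the updates are still installed, so the restart can be scheduled for a time when someone is logged in or the Mac has reached 10.14.4.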
3. 10.14 FV2 Authorized restarts can use the PRK (Personal Recovery Key) again.
When 10.13 arrived you could no longer perform FV2 Authenticated restarts using the PRK (Personal Recovery Key). This feature was just flat out broken. It previously worked in 10.12 Sierra and below. NOTE: You could still perform an Authorized restart with your FV2 name and password. An example of a PRK Authorized restart would be a Jamf Pro customer with a policy that installed a package that also required a restart. You could select the option “Perform Authenticated Restart”, and Jamf would then send an fdesetup authrestart using the PRK. The package would install and then the system would perform an FV2 authorized reboot so the user did not have to enter the password at the FV2 unlock screen.
10.12, 10.11 & 10.10 – Works!
sudo fdesetup authrestart
Enter a password for ‘/’, or the recovery key:

10.13 – Doesn’t work
sudo fdesetup authrestart
Enter the user name: (hit the enter key to toggle Recovery Key Entry)
Error: Missing user name.
Error: Unable to restart (error = -54).

10.14 – Works again!
sudo fdesetup authrestart
Enter the Username: (again hit the enter key to toggle Recovery Key Entry)
Enter the current recovery key:
I hope that at least one of the fixes I mentioned in this article helps you. In the future I would love to see more documented Enterprise fixes listed in the combo update patch notes. Until then though, I will continue to document said fixes and let you know about them when I can.
If you have any questions or comments, please feel free to reach out!