Do you need to recover user data with Target Disk Mode, but you don’t have the user’s FileVault 2 password?
I will show you how to unlock FileVault 2 after you connect the Mac using Target Disk Mode. This can be very helpful for IT Departments that need to access user data when an employee is let go and you don’t have the user’s password.
How to boot a Mac into Target Disk Mode (TDM)
Think of Target Disk Mode as if you are turning your Mac into an External Hard Drive. Once you plug the Target Mac into the host Mac using a USB/Thunderbolt Cable you can access all of the Target Mac’s files on the Host Mac. It’s really a great tool for moving data, especially useful for fast file backup, transfers or data recovery.
After typing in the command you will have a prompt that says Passphrase. Paste or type the Mac’s Recovery Key in and hit enter.
NOTE: for the PRK you have to include all the dashes and use all CAPS.
If you don’t you will get this error
Passphrase incorrect or user does not exist
Once you type in the correct PRK you will see this message.
Unlocked and mounted APFS Volume attached via Target Disk Mode
Copying Files
One last note if you need to copy files from the user’s folder. If you navigate to the user’s folder and see that you do not have permission to view Desktop, Documents or Downloads, this is not a problem.
All you need to do is copy the entire user folder over to the Host Mac. You will be prompted to enter in an admin password. This is the admin password on the Host Mac not the Target Mac. Once the User folder is copied over you will have access to all files.
Thanks
I wanted to thank someone who clarified this procedure and also helped test to make sure it worked.
Thank you Mr. Anonymous!!!
I hope this article has helped you. If you have any questions or comments please don’t hesitate to Contact Me.
Did a macOS Update Brick your T2 Mac? I will Show you how to Boot your Mac into DFU Mode so you can Restore BridgeOS.
This article will go over how to restore BridgeOS on your T2 Mac. This is not something that you will ever normally have to do. Restoring or reinstalling BridgeOS firmware would only be needed in the following situations.
1. Failed macOS Upgrade
2. Failed macOS Combo or Delta Update
3. Failed macOS Security Update
4. Failed macOS Reinstall
5. Failed BridgeOS or Failed Firmware Update
6. “Command Option R” fails to boot your T2 Mac to the newest version of macOS Internet Recovery. (Example: 10.14 is out but the Mac boots to 10.13)
2. Warning about “Restore” Full Erase! Please Read
Apple Configurator 2 version 2.12.1 and newer has different options!
Actions > Advanced > Revive Device = Reinstall BridgeOS Only – Revive should be the first option to try. If a Revive does not work, move to the second option Restore.
Actions > Restore = Reinstall BridgeOS & ERASE OS AND USER DATA! – This option will reinstall BridgeOS and erase the SSD. This option is for more serious issues where the Mac does not respond after installing an update.
3. List of T2 Compatible Macs
This is a list of T2 Macs that can have BridgeOS restored.
2019-2020 16″ MacBook Pro
2018-2019 13″ & 15″ MacBook Pro
2018-2020 MacBook Air
2018 Mac Mini
2020 iMac
2017 iMac Pro
2019 Mac Pro
4. How do I find the BridgeOS Version on my T2 Mac?
From support.apple.com/en-us/HT203001 – “Choose Apple menu > About This Mac. This opens an overview of your Mac, including your Mac model, processor, memory, serial number, and version of macOS. To see the greater detail provided by the System Information app, click the System Report button.”
5. Setup and Cable Requirements before you begin.
You will need to meet the following requirements –
(The Host Mac will do the work and the Target Mac is the Mac you need to Restore)
1. USB-C Mac as the Host Machine.
2. The Host Mac must have at least macOS 10.13.5 and Apple Configurator 2.6 or newer installed. (Version 2.12.1 is the latest)
3. The Host Mac Must be on the same OS version as the Target Mac that you want to Restore. (Example – If the Target Mac is on 10.15 you will need the Host Mac to be on 10.15. If the Host Mac is on 10.14 you will get an error 10)
4. Internet access on the Host Mac – “You may need to configure your web proxy or firewall ports to allow all network traffic from Apple”
5. USB-C to USB-C Cable – The white Apple USB-C Charge Cable will work fine. (The USB-C Cable MUST support Power & Data.) Apple notes that a Thunderbolt 3 to Thunderbolt 3 cable is not supported but I’ve tested it and it works fine.
6. The Host Mac can have the cable plugged in anywhere.
7. The Target Mac MUST have the USB-C Cable plugged in to the left-hand side USB-C port. This is the first port in line (the port closest to the front of the Mac or trackpad). If you are still confused look at the picture below.
If you don’t meet all the prerequisites, booting to DFU Mode or the BridgeOS Upgrade might fail.
6. Download Apple Configurator 2
If you do not have Apple Configurator 2, you can download it now from the Mac App Store with this link.
With all the startup keyboard commands you can issue a Mac, booting into DFU Mode should be pretty simple right?
NOPE!
You have to follow a very particular sequence to get this to work. I have attempted to find the exact way to get this to work every time. Even then sometimes the system will refuse to Boot into DFU mode.
Apple’s Instructions
You can find Apple’s instructions for booting into DFU mode here.
Bottom line, it’s hard to get your T2 Mac into DFU mode. You could try Apple’s instructions 10 times and STILL not get into DFU mode.
Once you have met all of the prerequisites above, follow the instructions below to get into DFU Mode every time.
1. The Target Mac must be OFF to begin.
2. Press the Power button and hold for 1 second.
3. While STILL holding power immediately hold down Right Shift, Left Control and Left Option.
Hold down all 4 keys for 8 Seconds (count 1 one thousand) then let go of all keys.
You will not see anything on the Target Mac screen.
Keep an eye on the Host Mac’s Apple Configurator 2 Application. The App should say “Connect Devices”
When the Target Mac is booted into DFU mode correctly, the host will show a big DFU icon in Apple Configurator 2.
After you see the DFU picture pop up on the Host Mac you can let go of the keys.
9. Instructions for the iMac (2020) & iMac Pro (2017)
The iMac 2020 & iMac Pro 2017 are a little different yet are super simple to get into DFU Mode.
1. Disconnect the power cord from the iMac Pro or Mac Mini.
2. Plug USB-C/Thunderbolt cable into the USB-C port next to the Ethernet Port.
3. Plug the other end into the Host Mac.
4. While holding down the power button, connect the iMac Pro or Mac Mini to power and continue to hold the power button for about 3-5 seconds
5. You should now see the DFU logo on the Host Mac.
10. Instructions for the Mac Mini (2018)
The Mac Mini 2018 instructions are close to the iMac Pro but the USB-C port that you need is next to the HDMI port instead of the Ethernet port like the iMac Pro.
1. Disconnect the power cord from the Mac Mini.
2. Plug USB-C/Thunderbolt cable into the USB-C port next to the HDMI Port.
3. Plug the other end into the Host Mac.
4. While holding down the power button, connect the Mac Mini to power and continue to hold the power button for about 3-5 seconds
5. You should now see the DFU logo on the Host Mac.
11. Instructions for the Mac Pro (2019)
The Mac Pro 2019 instructions were just added to the DFU instruction guide.
1. Disconnect the power cord from the Mac Pro.
2. Plug USB-C/Thunderbolt cable into the USB-C port farthest from the power button.
3. Plug the other end into the Host Mac.
4. While holding down the power button, connect the Mac Pro to power and continue to hold the power button for about 3-5 seconds.
5. You should now see the DFU logo on the Host Mac.
12. You made it! Apple Configurator 2 Steps
The hard part is now over. Now we can restore BridgeOS on the Target Mac. When you first open Apple Configurator 2 the screen will look like this.
Once your Mac is booted to DFU mode, you will see this screen on Apple Configurator 2. You are now ready for the next step.
13. Begin BridgeOS Revive
You are now ready to restore BridgeOS on the Target Mac. Click Actions > Advanced > Revive Device.
(DO NOT CLICK RESTORE YET) Only run Restore if Revive does not work. (Restore Erases your Hard drive!!!!!!!)
You will now see a warning message. Do you want update “iBridge” to the latest firmware version? You cannot undo this action. This means that once you update BridgeOS/iBridge you cannot go back to the previous version.
An updated Apple support document shows that we now have 2 different options.
Actions > Advanced > Revive Device = Reinstall BridgeOS Only
Actions > Restore = Reinstall BridgeOS & ERASE OS AND USER DATA!
The message below is what you will see on at least AC2 version 2.10 and below. OR if you click Revive instead of restore.
Click the Restore Button to begin. Step one will download the latest BridgeOS update from Apple.
Step 2. Unzipping BridgeOS
Step 3. Installing BridgeOS Update.
14. Finishing Up
If you would like to see more information you can click View and see a new activity window.
The entire process will only take about 4-10 Minutes. Most of the time is spent downloading the 400-600MB BridgeOS Update. The Unzip and Install parts only take about 1 minute each. When complete the Mac will automatically Boot up.
NOTE: with version 2.12.1, the entire process may never finish correctly and get stuck at the final part (probably a bug). Once your Target Mac is at the login window the restore is complete. The error that you might see is 0xFA5 (4005)
15. Can I Downgrade from a Beta Version of BridgeOS to a Production version? i.e. Big Sur BridgeOS to Catalina Version?
Let’s say that you installed Big Sur Beta 6, and are now having a ton of problems. You probably want to downgrade to Catalina so you can work again. The only problem is, you are still on Big Sur Beta 6 BridgeOS version 18.16.12370. Keep in mind, your Mac SHOULD still work fine with this version. An example of this is if you have Catalina 10.15.6 installed on your Mac, your BridgeOS version is 17.16.16610. Let’s say that you need to test something on version 10.15.3. After installing Catalina 10.15.3, your BridgeOS version will NOT be downgraded to the period correct version of 17.16.13050. It will run just fine on the 10.15.6 version of 17.16.16610 BridgeOS. The same is the case if you have a Big Sur Beta version of BridgeOS and you downgrade to Catalina.
The answer is YES, follow the link below for an explanation.
I can’t get my Mac to boot into DFU mode. This is the toughest part of the whole process as I mentioned above. Keep trying the steps I listed above. Sometimes it takes multiple attempts to get this to work.
You can use System Information to see if the USB-C port lists your Mac in DFU Mode.
BridgeOS Restore Error 79- The OS Cannot be restored on this device. The Operation couldn’t be completed. (AMRestoreErrorDomain error 79 – Failed to handle message type StatusMsg) [AMRestoreErrorDomain – 0x4F (79)] – If you get this error it means that the BridgeOS update has failed and is unable to complete. The system will be unable to boot. When powered on the screen will be black. The Mac will have to be brought to an Apple Store for Service.
BridgeOS Restore Error 10 – The BridgeOS Restore failed! This is most likely because the host Mac was 1 or 2 OS Versions behind the Target Mac. The Host and Target Mac need to be on the same OS Version.
If your Target Mac is on 10.15, then your Host Mac needs to be on 10.15.
The OS Cannot be restored on this device.
The operation couldn’t be completed. (AMRestoreErrorDomain error 10 – Failed to handle message type StatusMsg) [AMRestoreErrorDomain – 0xA (10)]
Host Mac and Target Mac Disconnected during restore. – Error 4005
The OS Cannot be restored on this device.
Gave up waiting for device to transition from RestoreOS state to BootedOS State. [com.apple.MobileDevice.MobileRestore – 0xFA5 (4005)]
This error will come up when the restore process has been interrupted.
Or, you might get this using Apple Configurator 2 version 2.12.1, as the process never seems to complete properly. If the Target Mac awakes to the login window the process is complete even though the progress bar is at 100%. After unplugging the USB-C cable you will get the error above.
Apple Configurator 2 Reports RECOVERY instead of DFU Status.
If you see RECOVERY this means that BridgeOS is unable to boot and is the default status when you power on the Mac.
Failed BridgeOS Restore due to OS Version Mismatch! The Target Mac is a previous OS i.e 10.14 trying to restore a 10.15 Mac, the update will fail with an Error 10
If the Mac already failed the Upgrade, it could already be in this status. If so, you can attempt a BridgeOS restore.
Configurator could not perform the requested action. Apple Controller devices do not support this action.
This means that you selected Actions > Update, which is not supported. You need to select Actions > Advanced > Revive Device
Apple Configurator 2 BridgeOS Firmware Download Location.
Thanks MrMacintosh Reader Max C for letting me know the location of the BridgeOS Firmware files.
Apple Today Released macOS Mojave 10.14.6 Supplemental Update #2 (18G95)
Apple has now released two Supplemental updates for macOS Mojave 10.14.6. The first macOS Mojave 10.14.6 Supplemental Update #1 (18G87) was released on August 1st. You can take a look at what was included inside the first Supplemental Update in the link below. The second one, which was released today is called macOS Mojave 10.14.6 Supplemental Update #2 (18G95). Apple does not call the updates #1 or #2 but I am so you can understand that two different Build Versions are out there.
The macOS Mojave 10.14.6 update improves the stability and reliability of your Mac, and is recommended for all users. This update:
Resolves an issue that may cause certain Mac notebooks to shut down during sleep
Fixes an issue that may degrade performance when working with very large files
Addresses an issue that may prevent Pages, Keynote, Numbers, iMovie, and GarageBand from updating
Which 10.14.6 Update Does Your Mac Need?
Software Update will always point you to the right update.
Supplemental Update #2 = 10.14.6 (18G87)
Combo Update = 10.14.0-10.14.6 (18G87)
Delta Update = 10.14.5
Updated 10.14.6 Full Installer.app 10.8 – 10.14.6 (18G87)
New and Previous Build Versions of 10.14.6
July 22nd version of 10.14.6 = (18G84)
August 1st version of 10.14.6 = (18G87)
August 26th Version of 10.14.6 = (18G95) = Current
T2 Security Chip = BridgeOS update
BridgeOS was also updated and brings the current version to
16.16.6571.0.0
If I deployed/cached the old 10.14.6 Installer.app for OS Upgrades, do I need to redeploy?
Do I have to replace my deployable 10.14.6 Installer.app? – YES!!!
If you deployed the old version of the 10.14.6 (18G87) Installer, you should update it to the new (18G95). If you don’t your users may be stuck with a sleep-wake issue and have to install the 2nd Supplemental Update to fix it again!
Apple has released a 2nd 10.14.6 Supplemental update to address additional wake from sleep kernel panic issues. Click on the link below for more information.
MacOS Mojave 10.14.6 Supplemental Update was released today.
On the heels of the 2019-004 Security update rereleases, today Apple released one new update (Supplemental Update) and rereleased 10.14.6 updates.
1. 10.14.6 Supplemental Update – New
2. 10.14.6 Full Installer.app – Rereleased & Fixed
3. 10.14.6 Combo Update – Rereleased & Fixed
4. 10.14.6 Delta Update – Rereleased & Fixed
I say Rereleased & Fixed because the OS version is still 10.14.6, but the Build Version changed and now has the Supplemental update fixes built-in.
“Fixes an issue that may prevent certain Macs from waking from sleep properly.”
When the 2019-004 Security Update wake from sleep Kernel Panics started to happen, most of the reports were from 10.13 High Sierra. I did see a few from 10.12 Sierra and a few from 10.14 Mojave. The issue was coming mostly from user reports on Apple’s Discussion Forum, Reddit, MacRumors & Emails / Comments to me.
Is this issue the same as the 2019-004 Sleep/Wake issue?
I’m not sure if Mojave had the same issue, but it sure looks like it. I tried many times to reproduce this issue but couldn’t on multiple Mac models. Most likely, this means that a very particular software setup caused the problem.
New and Previous Build Versions of 10.14.6
July 22nd version of 10.14.6 = (18G84)
August 1st version of 10.14.6 = (18G87)
Download Links for the new 10.14.6 Updates
10.14.6 Delta Update – Still old July 22nd version, do not download from apple.com/downloads until the page is updated!!!
10.14.6 Combo Update – Still old July 22nd version, do not download from apple.com/downloads until the page is updated!!!
Do I need to reinstall the new 10.14.6 update? & Which update do I need if I’m on a previous version of 10.14?
1. Do I need to reinstall the new 10.14.6 update? – The answer is it depends!
10.14.6 = New Supplemental Update
10.14.5 = New Delta Update
10.14.0 – 10.14.4 = New Combo Update
2. Which update do I need if I’m on a previous version? – The above chart now answers this one ^
If I deployed/cached the old 10.14.6 Installer.app for upgrades, do I need to redeploy?
Do I have to replace my deployable 10.14.6 Installer.app? – YES!!!
If you deployed the old version of the 10.14.6 (18G84) Installer, you should update it to the new (18G87). If you don’t your users may be stuck with a sleep-wake issue and have to install the Supplemental Update to fix it!
What if I cached the old 10.14.6 Update to all my systems?
What will happen if I already cached the old version of 10.14.6 to my users?
My guess was once the Mac reached out to software update it would find the new version of 10.14.6 and download it. Pcrandom ran this test and found that this is, in fact, true with one catch. The old version was still in /Library/Updates.
“I am seeing some Macs that have both copies when running du -hd1 /Library/Updates:”
2.8G /Library/Updates/041-88928
2.8G /Library/Updates/041-94407
202M /Library/Updates/041-86543
5.9G /Library/Updates
I wanted to test installing the new update to see if the old one was removed, but we did not get a chance to test.
Keep in mind that in 10.14 /Library/Updates is SIP protected, so you will not be able to delete the old update if it remains!
Softwareupdate knows all.
If you are using softwareupdate to deploy updates to your Macs, you will be fine. It will let you know which update you need to install. If you want to check just run a quick softwareupdate -l and you will see what’s available for your particular situation.
No, we didn’t time travel 3 weeks into the past. A new version of macOS Mojave 10.14.5 (18F2059) was released yesterday.
Today for some reason and maybe for the first time, Apple released an update to a previous full installer release. The previous build version macOS 10.14.5 (18F2058) was released on July 9th and covered the new 2019 13″ MacBook Pro and 2019 MacBook Air. Apple released MacOS Mojave 10.14.6 (18G84) on July 22 and unified all builds. That means you can install 10.14.6 on any Mac.
I honestly have no clue! Again since 10.14.6 is a unified build we should have no need for an updated installer of a previous build. A user in MacAdmins Slack mentioned that this might be an update to 2058 for the factory restores. If that was the case why was it just now released and not 3 weeks ago? Or maybe this build version was for Internet recovery or something, again though this does not make any sense since again 10.14.6 is unified.
Today Apple released macOS Mojave 10.14.6 and Security Updates 2019-004 for High Sierra 10.13 and Sierra 10.12. If Apple’s previous update release history is any guide, 10.14.6 will be the final update for Mojave. Once macOS 10.15 Catalina is released in September, Mojave will be security patched for two more years. High Sierra will be supported for one year and Sierra will be dropped.
14 total Zoom Vulnerability / Exploit variants and a Remote Code Execution (RCE) found!
Just when you had enough of the first Zoom Vulnerability, Apple released MRTConfigData 1.46 (now 1.47!) to deal with 14 total variants and a Remote Code Execution (RCE). I created this Index of MRT Links & Info to help you get through the confusion.
UPDATED: 07/18/19 – MRTConfigData 1.47 released and 3 more Zoom variants! Brings the total to 14.
MRT Malware Removal Tool Index
1. List of zoom opener variants and MRT versions
2. MRTConfigData Compatible OS versions.
3. Software Update & MRT Commands
4. Malware Removal Tool Documentation
5. Caveats of installing MRTConfigData and how the MRT scan works differently in 10.14 vs 10.13
6. Other ways to install MRT updates
7. Digging into the MRT Binary
8. More questions, Problems and Errors
9. Links to scripts and other MacAdmin articles
10. Disclaimer
1. List zoom opener variants and MRT Versions
How do we even know which variants are included in MRTConfigData v1.45 and v1.46? (Now 1.47!) The only way to find out is to dig into the MRT Binary Code. I talk about how I found the new variants a little more in section 7 below.
We now have 14 new Zoom Opener variants to worry about. Each one is a hidden folder listed in your user folder!
MRT Versions
1. MRTConfigData v1.45 – 7/10/19
2. MRTConfigData v1.46 – 7/16/19
3. MRTConfigData v1.47 – 7/18/19
Zoom Variants
1. /.zoomus – 1.45
2. /.ringcentralopener – 1.46
3. /.telusmeetingsopener – 1.46
4. /.btcloudphonemeetingsopener – 1.46
5. /.officesuitehdmeetingopener – 1.46
6. /.attvideomeetingsopener – 1.46
7. /.bizconfopener – 1.46
8. /.huihuiopener – 1.46
9. /.umeetingopener – 1.46
10. /.zhumuopener – 1.46
11. /.zoomcnopener – 1.46
12. /.earthlinkmeetingroomopener – 1.47
13. /.videoconferenciatelmexopener – 1.47
14. /.accessionmeetingopener – 1.47
2. MRTConfigData Compatible OS versions.
You can run the MRTConfigData update on the following macOS versions.
Mojave 10.14
High Sierra 10.13
Sierra 10.12
El Capitan 10.11 (Note: You can only use softwareupdate -ia --background as the --include-config-data option was new in Sierra 10.12)
3. Software Update & MRT Commands
Let’s get right to it, here are the commands again if you want to remediate right now!
1. Check for config data updates: /usr/sbin/softwareupdate -l --include-config-data
2. Manual Install of MRT v1.47: /usr/sbin/softwareupdate -i MRTConfigData_10_14-1.47 --include-config-data
3. Verify Version of MRT: /usr/bin/defaults read /System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString
4. Force Run MRT.app in Agent mode: /System/Library/CoreServices/MRT.app/Contents/MacOS/MRT -a
If MRT finds Zoom the manual scan will look like this.
4. Malware Removal Tool Documentation
Apple has not documented how the MRT Scan works. The MRT Tool is called out with just a few lines in the macOS Security Overview for IT.
Apple refers to MRT updates as “Silent or Quiet Update” when referenced in the media. The MRT Binary doesn’t have a MAN page or a -help section. Targeted malware variants are not documented. Sounds like a job for #MacAdmins!!!
5. Caveats of installing MRTConfigData and how the MRT scan works differently in 10.14 vs 10.13
You need to know about a few caveats with this process. I have tested the installation and scan multiple times and found differences in each OS! Let’s start with Mojave 10.14 then move to High Sierra 10.13.
MRT in Mojave 10.14.5
When you manually install the MRTConfigData update the MRT.app will automatically run a MRT Scan!
You only have to worry about other users who may have installed any of the opener variants, as the MRT Scan only runs for the logged in user.
A restart and Logout/Login will kick off a manual MRT Scan.
You can run a script that Rich wrote that will remove zoom from all logged in users.
MRT in High Sierra 10.13
When you manually install the MRTConfigData update the MRT Scan will NOT run automatically!!!
You will need to run the MRT.app agent scan manually to remove any zoom variants.
TLDR: Installing MRTConfigData in 10.14 automatically kicks off the MRT.app scan, while in 10.13 the MRT scan does NOT run automatically.
H/T to @howardnoakley and @alvarnell for pointing out that after installing MRTConfigData the MRT Scan kicks off automatically. I did not know it at the time but they were testing in 10.14. All my testing was on 10.13, so that’s why I was getting different results!
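Because the MRT scan only covers the logged in user, a check across every home folder confirms the cleanup. The script below is an added example, not from the original article or from Apple: it looks for the 14 opener folders listed in section 1, counts the files left inside each, and compares the installed MRT version against 1.47. The function names, the --audit switch and the sample home folders are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: post-remediation audit for the Zoom opener folders.
# On a Mac, run as root with --audit so every home folder is readable.

# Hidden folder names from the variant list on this page (MRT 1.45 to 1.47).
OPENERS=".zoomus .ringcentralopener .telusmeetingsopener
.btcloudphonemeetingsopener .officesuitehdmeetingopener
.attvideomeetingsopener .bizconfopener .huihuiopener .umeetingopener
.zhumuopener .zoomcnopener .earthlinkmeetingroomopener
.videoconferenciatelmexopener .accessionmeetingopener"

# scan_openers USERS_ROOT
# Prints "user<TAB>folder<TAB>file-count" for every opener folder that still
# exists under any home folder. A plain file at the same path is not a
# folder and is not reported.
scan_openers() {
    users_root=$1
    for home in "$users_root"/*; do
        [ -d "$home" ] || continue
        user=$(basename "$home")
        for name in $OPENERS; do
            if [ -d "$home/$name" ]; then
                count=$(find "$home/$name" -type f | wc -l | tr -d ' ')
                printf '%s\t%s\t%s\n' "$user" "$home/$name" "$count"
            fi
        done
    done
    return 0
}

# version_at_least HAVE WANT
# Succeeds when dotted version HAVE is equal to or newer than WANT.
# Fields are compared as numbers, so 1.100 is newer than 1.47.
version_at_least() {
    va_have=$1
    va_want=$2
    while [ -n "$va_have" ] || [ -n "$va_want" ]; do
        h=${va_have%%.*}; h=${h:-0}
        w=${va_want%%.*}; w=${w:-0}
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
        case $va_have in *.*) va_have=${va_have#*.} ;; *) va_have= ;; esac
        case $va_want in *.*) va_want=${va_want#*.} ;; *) va_want= ;; esac
    done
    return 0
}

# audit USERS_ROOT WANT_VERSION (macOS only)
# Returns 1 if MRT is older than WANT_VERSION or any opener folder remains.
audit() {
    plist=/System/Library/CoreServices/MRT.app/Contents/Info.plist
    installed=$(/usr/bin/defaults read "$plist" CFBundleShortVersionString 2>/dev/null)
    status=0
    if version_at_least "${installed:-0}" "$2"; then
        echo "MRT version $installed is $2 or newer"
    else
        echo "MRT version ${installed:-unknown} is older than $2"
        status=1
    fi
    found=$(scan_openers "$1")
    if [ -n "$found" ]; then
        echo "Opener folders still present (user, folder, files inside):"
        echo "$found"
        status=1
    fi
    return $status
}

# make_sample_users DIR
# Constructed home folders for a dry run away from a Mac: alice still has an
# opener folder with one file, bob has an empty one, carol has only a plain
# file at the .zoomus path.
make_sample_users() {
    mkdir -p "$1/alice/.zoomus" "$1/bob/.ringcentralopener" "$1/carol/Documents"
    : > "$1/alice/.zoomus/sample.bin"
    : > "$1/carol/.zoomus"
}

if [ "${1:-}" = "--audit" ]; then
    audit /Users 1.47
fi
```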
6. Other ways to install MRT updates
If you are on Mojave 10.14.5 you will automatically get the MRTConfigData update as long as you have the following SoftwareUpdate Settings set to ON.
As long as you have these settings set to ON your Mac should automatically check in for new updates and install them every 24 hours.
For the com.apple.SoftwareUpdate.plist file you need the following settings set to ON.
If you want to install all background updates now without waiting you can issue the following command.
sudo softwareupdate --background --include-config-data – Only background updates
or
sudo softwareupdate -ia --include-config-data – Background updates AND OS level Updates
NOTE! The -ia option will install ALL available software updates including Combo, Safari and Security Updates.
The above commands will only install Xprotect updates if you have all the automatic software update settings set to ON.
7. Digging into the MRT Binary
Apple does not list the targeted malware variants anywhere, so the only way to find them is to dig into the MRT Binary Code. You can’t just open the code inside MRT as it has thousands of lines of code. You have to first compare the current version to the old one. This will give you the first clues, as each piece of malware is given a code. In this case it was MACOS.354c063.
Now that we have the Malware Family ID we can then search the MRT Binary using a disassembler application. A disassembler like Hopper is used to view the actual code of the new MRT binary.
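The comparison step described above can be done from the command line before opening a disassembler. This is an added example, not the author's procedure or an Apple tool: it pulls family codes and opener folder names out of two copies of the MRT binary and prints what is new in the later one. The family-code pattern is generalised from the single code quoted here and assumes the identifiers are stored as plain text; the function names, the --diff switch and the sample files are also assumptions.

```bash
#!/bin/bash
# Added example: list identifiers present in a newer MRT binary but not in
# the previous one. Usage on saved copies: script --diff MRT.old MRT.new

# family_ids FILE
# Malware family codes. The pattern (MACOS. plus 7 hex digits) is an
# assumption based on the one code quoted on this page, MACOS.354c063.
family_ids() {
    LC_ALL=C grep -aoE 'MACOS\.[0-9a-f]{7}' "$1" | LC_ALL=C sort -u
}

# opener_paths FILE
# Hidden "...opener" folder names, assuming they are embedded as plain text.
opener_paths() {
    LC_ALL=C grep -aoE '\.[a-z]+opener' "$1" | LC_ALL=C sort -u
}

# new_in EXTRACTOR OLD_BINARY NEW_BINARY
# Runs EXTRACTOR on both files and prints only the values unique to the
# newer one (comm -13 drops lines that are old-only or common to both).
new_in() {
    ni_old=$(mktemp)
    ni_new=$(mktemp)
    "$1" "$2" > "$ni_old"
    "$1" "$3" > "$ni_new"
    LC_ALL=C comm -13 "$ni_old" "$ni_new"
    rm -f "$ni_old" "$ni_new"
}

# make_sample_binaries DIR
# Constructed stand-ins for two MRT versions: NUL-separated strings, with
# one made-up older family code (MACOS.0a1b2c3) present in both files.
make_sample_binaries() {
    printf 'hdr\0MACOS.0a1b2c3\0/.zoomus\0pad' > "$1/MRT.old"
    printf 'hdr\0MACOS.0a1b2c3\0MACOS.354c063\0/.zoomus\0/.ringcentralopener\0/.zhumuopener\0pad' > "$1/MRT.new"
}

if [ "${1:-}" = "--diff" ]; then
    echo "New family IDs:"
    new_in family_ids "$2" "$3"
    echo "New opener folder names:"
    new_in opener_paths "$2" "$3"
fi
```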
8. More questions, Problems and Errors
We still have questions about how the MRT works especially the MRT -d or daemon mode. I have even reached out to Apple for an answer on this.
Howard Oakley wrote a great article looking into this.
The Zoom Client before 4.4.53932.0709 on macOS allows RCE remote code execution – CVE-2019-13567
Apple.com – About background updates in macOS Mojave Your Mac automatically installs background updates for the security configuration and data files used by macOS. – support.apple.com/en-us/HT207005
Howard Oakley – twitter.com/howardnoakley – eclecticlight.co – Howard really dug into this when it first came out writing multiple articles on the zoom exploit. He also has multiple applications that he wrote that will help you, including one called SilentKnight that will tell you if all your XProtect definitions are up to date.
Rich Trouton – twitter.com/rtrouton – derflounder.wordpress.com – Rich has written the best script yet to remediate the Zoom vulnerability on all user accounts.
Macadmins.slack.com – You can also talk about the Zoom Vulnerability and join the #zoom channel or #security in MacAdmins Slack.
10. Disclaimer
I tried to test and research as much as possible to save you time. I hope this Index of MRT Links & Info helps you, but since this issue revolves around security please double check and test before you deploy. After deployment check again that the files inside the opener are in fact deleted.
Yup, the Zoom Vulnerability has been THE talk of the MacAdmins community for the past 2 days. This stuff moves very fast and you have to keep an eye out! We will be The vulnerability was first released by Jonathan Leitschuh. This is not just Zoom but also Ringcentral and possibly BlueJeans. A statement Link from BlueJeans is below.
Tuesday, July 9 Zoom issued an update to our Mac app with the following: Removed the local web server via a prompted update Allowed users to manually uninstall Zoom. This new option to the Zoom menu bar allowed users to manually uninstall the Zoom client, including the local web server. A new menu option says, “Uninstall Zoom.” By clicking that button, Zoom’s app and web server are removed from the user’s device along with the user’s saved settings
Wednesday, July 10 Apple issued an update to ensure that the Zoom web server is removed from all Macs, even if the user did not update their Zoom app or deleted it before we issued our July 9 patch. Zoom worked with Apple to test this update, which requires no user interaction.
Weekend of July 13 We have a planned release for the weekend of July 13 that will address video on by default. With this release, first-time users who select “Always turn off my video” will automatically have their video preference saved. The selection will automatically be applied to the user’s Zoom client settings and their video will be OFF by default for all future meetings. (Returning users can update their video preferences and make video OFF by default at any time through the Zoom client settings.)
Option #2 Apple MRT – Malware Removal Tool
Apple in a very quick move released MRTConfigData 1.45 at 5PM CST yesterday. According to TechCrunch
The Cupertino, Calif.-based tech giant told TechCrunch that the update — now released — removes the hidden web server, which Zoom quietly installed on users’ Macs when they installed the app. Apple said the update does not require any user interaction and is deployed automatically.
TechCrunch
Apple’s Malware Removal Tool will update on all 10.11, 10.12, 10.13 & 10.14 within 24 Hours
As long as you have softwareupdate set to Automatically Check for Updates, Download New updates in the background & Install System Data Files and Security Updates. NOTE: 10.11 does not have the include-config-data option so you have to run sudo softwareupdate -ia --background
I need the update now!
Got you covered! You can use softwareupdate to manually install MRTConfigData 1.45. You can run this to list all available Xprotect Updates.
I am not sure yet if just installing the new update actually activates and runs MRT or not. This command works great because it ONLY installs the called out update. If you use softwareupdate -ia --include-config-data it will install ALL softwareupdates including combo and Safari ETC.
NOTE: If you are trying to run MRT.app remotely over ssh or by using an MDM, it needs to run as the logged in user at least in 10.14. In 10.12 and 10.13 MRT seems to run fine no matter the user. You can use the 2 lines of code below to get the logged in user then run the command as the user. The error you will get in 10.14 will say failedToReceiveProfileList.
Manual Command that you can run if you are logged in as the user.
/System/Library/CoreServices/MRT.app/Contents/MacOS/MRT -a
Hat Tip to AndyInCali on MacAdmins Slack for the MRT -a !!!
Option #3 Manual Removal + Scripts and Links
Rich Trouton wrote a great script to manually remove zoom’s WebServer.
NOTE: Keep in mind trashing the app will NOT remove the ~/.zoomus Web Server. You will either need to kill the process and then overwrite the file like in Rich’s Script below or wait for MRT or install the new version which removes the Web Server.
Today Apple Released a New Mojave 10.14.5 (18F2058) Forked Full Installer app
UPDATED: 07/10/19
In the past when Apple released a build it would start with 2 digits followed by a letter. An example of this would be 18F132 which is a unified build of macOS Mojave 10.14.5. Just this morning Apple released new hardware which I covered here. Usually with new hardware comes a specific BuildVersion of the OS.
MacOS Mojave 10.14.5 (18F2058)
To find out if this really was a forked build, I cracked open the OSInstall.mpkg inside the new build. The build is listed as Product ID 041-69971 – 10.14.5 – 18F2058 and was released on 2019-07-09 (Today). Inside you will find the Distribution file. Inside this file you will find all the compatible boardIDs for this build. After comparing both Distribution files two new board ID’s popped up.
Mac-53FDB3D8DB8CA971 = MacBookPro15,4
Mac-226CB3C6A851A671 = MacBookAir8,2
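The Distribution comparison described above, as an added example that is not part of the original post. The function names and the two sample files are constructed; only the board IDs come from this page, and the Distribution files are assumed to be already extracted from each OSInstall.mpkg.

```shell
#!/bin/sh
# Added example: list board IDs present in a new Distribution file but not
# in an old one. Function names and sample data are constructed.

# Print every unique board ID (Mac- followed by hex digits) found in file $1.
board_ids() {
    grep -oE 'Mac-[0-9A-F]{8,16}' "$1" | LC_ALL=C sort -u
}

# Print board IDs that appear only in the new file ($2), not the old ($1).
new_board_ids() {
    old_list=$(mktemp) && new_list=$(mktemp) || return 1
    board_ids "$1" > "$old_list"
    board_ids "$2" > "$new_list"
    # comm -13 suppresses lines unique to the old list and lines in both.
    LC_ALL=C comm -13 "$old_list" "$new_list"
    rm -f "$old_list" "$new_list"
}

demo_new_board_ids() {
    dir=$(mktemp -d) || return 1
    # Constructed stand-ins for the Distribution files of the two builds;
    # the variable name and layout are assumptions, the IDs are from the text.
    cat > "$dir/old.dist" <<'EOF'
var boardIds = ['Mac-937A206F2EE63C01','Mac-1E7E29AD0135F9BC'];
EOF
    cat > "$dir/new.dist" <<'EOF'
var boardIds = ['Mac-937A206F2EE63C01','Mac-53FDB3D8DB8CA971',
                'Mac-1E7E29AD0135F9BC','Mac-226CB3C6A851A671'];
EOF
    new_board_ids "$dir/old.dist" "$dir/new.dist"
    rm -rf "$dir"
}

demo_new_board_ids
```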
Normally when you do a Google search on a board ID you will find a hit somewhere. In this case nothing…
Ace in the hole GeekBench.com
GeekBench.com is one of the most well known benchmarking sites around. When you run a benchmark with GeekBench it will put the results in a searchable database.
Bingo, someone inside Apple ran this test or someone got an early review unit. Either way we now know what board ID Mac-53FDB3D8DB8CA971 is: a new 13″ MacBook Pro! Also notice the new iBridge/BridgeOS 16.16.5601.0.0,0. The benchmark was only run 6 days ago!
What is Mac-226CB3C6A851A671?
UPDATE: Found! MacBookAir8,2
Not totally sure yet; the best guess right now would be the updated 2019 MacBook Air. I will have to wait to confirm, and when I find out I will update this post.
Found it!
You can only download and install 10.14.5 (18F2058) on the newly released hardware.
As usual with forked builds, you can only install this BuildVersion on the newly released hardware. You will also only be able to download this version using the Mac App Store or installinstallmacos.py on said new hardware. Trying to download this from the Mac App Store on older hardware will get you the old 18F132 or 18F203. If you try to download (18F2058) using installinstallmacos.py on older hardware, you will get Installer: Error – ERROR_90F0494CE3 Product installation failed or one of the very similar numbered errors.
This version is only recommended for the new hardware.
Apple today released a MacBook Pro Supplemental Update for 2018-19 T2 15″ MacBook Pros.
Update 05/24/19 9:00AM: I have updated this article to include BuildVersion info and Apple Download Links. I will continue to add more information when I find it.
The MacBook Pro Supplemental Update is specifically targeted at 15″ 2018 & 2019 T2 MacBook Pros with 10.14.5. The update does NOT show up as available for 10.14.4 and lower OS versions. The update weighs in at 946.8mb.
UPDATE: After the update is installed the BuildVersion number will be (18F203). BridgeOS will also be updated and listed as 16.16.5200.0.0,0.
This update is only available for boardIDs Mac-937A206F2EE63C01 MacBook Pro (15-inch, 2018) & Mac-1E7E29AD0135F9BC MacBook Pro (15-inch, 2018) with a Vega ATI Graphics card. Looks like the 2019 models share the same boardIDs.
MacBook Pro Supplemental Update Download link and information
Apple also released a new 10.14.5 macOS Installer.app, the BuildVersion is (18F203).
UPDATE: The (18F203) Install macOS Mojave .app installer so far seems to be for 2018 15″ T2s. I have gone through the boardIDs of the 10.14.4 install.app and 10.14.5 18F203 and found no new boardIDs that would identify the new 2019 MacBook Pros.
10.14.5 (18F203)
This update weighs in at 6.51gb and has a Product ID number of 041-64745. You will only be able to download this installer if you are using a 2018 or 2019 15″ T2 MacBook Pro.
I ran some more tests trying to download the Install macOS Mojave.app (18F203). It seems you have to be on a 2018 15″ MacBook Pro to get the download. To get it from the App Store you have to be on 10.14.5 and on a 2018-19 15″ T2. If you are on anything else, you get the (18F132) BuildVersion. For installinstallmacos.py you have to be on a 2018 15″ T2 but can be on an OS lower than 10.14.5. I tested this with a 2018 15″ T2 on 10.14.4 and was able to use installinstallmacos.py to download the .app (18F203) installer. But the build failed on a 10.13.6 2018 15″ T2. Also, the boardID list for (18F203) is exactly the same as (18F132), so it doesn’t seem to be a 2019 MacBook Pro fork.
Is 10.14.5 (18F203) a hybrid fork?
Is the 10.14.5 (18F203) installer.app a hybrid fork, or was it an error on the installer compatibility list? Meaning I can only download this installer if I am on a 2018-19 15″ T2, but once downloaded I can install this version of the installer on any 10.14 compatible Mac.
MacOS System Status & Version Info
I am keeping track of all this on my macOS System Status & Version info page. This page was designed to help you keep up to date with the latest versions of macOS software and core applications.