Apple today released a MacBook Pro Supplemental Update for 2018-19 T2 15″ MacBook Pros.
Update 05/24/19 9:00AM: I have updated this article to include BuildVersion info and Apple Download Links. I will continue to add more information when I find it.
The MacBook Pro Supplemental Update is specifically targeted at 15″ 2018 & 2019 T2 MacBook Pros with 10.14.5. The update does NOT show up as available for 10.14.4 and lower OS versions. The update weighs in at 946.8mb.
UPDATE: After the update is installed the BuildVersion number will be (18F203). BridgeOS will also be updated and listed as 16.16.5200.0.0,0.
This update is only available for boardID’s Mac-937A206F2EE63C01 MacBook Pro (15-inch, 2018) & Mac-1E7E29AD0135F9BC MacBook Pro (15-inch, 2018) with a Vega ATI Graphics card. Looks like the 2019 models share the same boardID’s.
MacBook Pro Supplemental Update Download link and information
Apple also released a new 10.14.5 macOS Installer.app, the BuildVersion is (18F203).
UPDATE: The (18F203) Install macOS Mojave .app installer so far seems to be for 2018 15″ T2’s. I have gone through the boardID’s of 10.14.4 install.app and 10.14.5 18F203 and found no new board id’s that would identify the new 2019 MacBook Pros.
10.14.5 (18F203)
This update weighs in at 6.51gb and has a Product ID number of 041-64745. You will be only able to download this installer if you are using a 2018 or 2019 15″ T2 MacBook Pro.
I ran some more tests trying to download the Install macOS Mojave.app (18F203). It seems you have to be on a 2018 15″ MacBook Pro to get the download. To get it from the App Store you have to be on 10.14.5 and on a 2018-19 15″ T2. If you are on anything else, you get the (18F132) BuildVersion. For installinstallmacos.py you have to be on a 2018 15″ T2 but can be on an OS lower than 10.14.5. I tested this with a 2018 15″ T2 on 10.14.4 and was able to use installinstallmacos.py to download the .app (18F203) installer. But the build failed on a 10.13.6 2018 15″ T2. Also the boardID list for (18F203) is exactly the same as (18F132), so it doesn’t seem to be a 2019 MacBook Pro Fork.
Is 10.14.5 (18F203) a hybrid fork?
Is the 10.14.5 (18F203) installer.app a hybrid fork or was it an error on the installer compatibility list? Meaning I can only download this installer if I am on a 2018-19 15″ T2, but once downloaded I can install this version of the installer on any 10.14 compatible Mac.
MacOS System Status & Version Info
I am keeping track of all this on my macOS System Status & Version info page. This page was designed to help you keep up to date with the latest versions of macOS software and core applications.
Apple in a surprise launch ahead of WWDC19, releases new 2019 MacBook Pros with a new revised keyboard design. Apple also expanded the Keyboard Service Program to add the 2018 MacBook Pro & Air.
In a move most did not see coming, new 2019 MacBook Pros were released today. The big news is how the MacBook Pro is getting an 8-Core CPU for the first time. The real news you want to know about probably involves the keyboard. Was it redesigned? Has the mechanism changed? We know one answer was confirmed by Apple through TheLoop.
Another change in the newest MacBook Pro computers is with the keyboard. While Apple says the vast majority of its customers are happy with the keyboard, they do take customer complaints seriously, and work to fix any issues.
To address the problem, Apple said they changed the material in the keyboard’s butterfly mechanism that should substantially reduce issues that some users have seen.
Apple also told me that any problems with the butterfly keyboard on any of its MacBook Pros would be covered at no cost to the customer. The company has also taken steps to improve the repair process, shortening the time it takes to make repairs to the keyboards.
John Gruber @daringfireball.net dug in further when he spoke with Apple.
First, these new MacBook Pros still have the third-generation butterfly-switch keyboard that debuted with last July’s updated MacBook Pros. But Apple has changed the mechanism under the hood, using a new material for at least one of the components in these switches. The purpose of this change is specifically to increase the reliability of the keyboards. Apple emphasized to me their usual line that the “vast majority” of users have no problem with these keyboards, but they acknowledge that some users do and they take it very seriously.
2017 MacBook Pros with 3rd Gen Keyboard can get new revised replacement.
From the Verge
According to The Verge, some existing MacBook Air and MacBook Pro models that experience keyboard failures will have their keyboards replaced with the new 2019 keyboard that Apple has developed. Unfortunately, only MacBooks with the third-generation butterfly keyboard can get the updated 2019 keyboard, which includes the 2018 MacBook Pro and the 2018 MacBook Air.
Testing the new 2019 MacBook Pro.
I will try to get my hands on one of these new 2019 MacBook Pros as soon as possible. Looks like the earliest they can be had is Thursday May 23rd.
Forked version of macOS Mojave 10.14?
You can almost bet 100% that the new 2019 MacBook Pros will have a forked build of 10.14 on it. Checking Apple’s catalog nothing has shown up yet. I will update when I have more info.
If you have any questions, please don’t hesitate to Contact Me.
Editor’s Note: This post is MrMacintosh.com’s first guest article. Jason posted a summary of this new vulnerability last night. It immediately reminded me of how he owned the coverage of the 10.14.4 Gmail problem and before that Spectre & Meltdown Vulnerabilities. Last night I posted an article on how to mitigate the issue (Disable Hyper-Threading) if you are looking for a detailed step by step.
Last Updated: Tue May 14 20:41:42 CDT 2019
Microarchitectural Data Sampling (MDS) Vulnerabilities Summary
At this point there are four identified vulnerabilities that all share a common root of forcing information to leak from the CPU’s buffer. Much like the Spectre vulnerabilities announced in 2018, these flaws could potentially allow the execution of malicious code or the extraction of information on machines with Intel processors (at this time ARM and AMD processors are not affected). Intel has released microcode firmware updates to address the issue at the hardware level but OS and application vendors will need to release additional software updates to patch potential exploit vectors from the software side.
For all vendors, disabling Hyper-Threading is the recommendation for the most complete mitigation, but in all cases there will be a performance impact for doing so. Disabling Hyper-Threading involves manipulating EFI/BIOS/NVRAM and a restart of the computer.
“MDS is not fully mitigated if your processor supports Hyper-Threads and Hyper-Threads are enabled.” —
As of May 14th, 10.14.5 looks to be the only fully patched edition of macOS as Apple has noted that the version of Safari 12.1.1 included with 10.14.5 (Safari 12.1.1 also exists for macOS 10.12 and 10.13) contains additional fixes. It’s possible Apple will clarify the position of Safari 12.1.1 in 10.12 and 10.13 at a later date. Watch the two security documents below for additional changes.
From Apple on the Performance impact of disabling hyper-threading:
“The full mitigation, which includes disabling hyper-threading, prevents information leakage across threads and when transitioning between kernel and user space, which is associated with the MDS vulnerabilities for both local and remote (web) attacks.
Testing conducted by Apple in May 2019 showed as much as a 40 percent reduction in performance with tests that include multithreaded workloads and public benchmarks. Performance tests are conducted using specific Mac computers. Actual results will vary based on model, configuration, usage, and other factors.”
For Macs that support it, disabling Hyper-Threading requires booting to the Recovery Partition and editing NVRAM settings. There is no way to mass distribute these changes through MDM or script.
About the security content of macOS Mojave 10.14.5, Security Update 2019-003 High Sierra, Security Update 2019-003 Sierra
These Mac models may receive security updates in macOS Mojave, High Sierra or Sierra, but are unable to support the fixes and mitigations due to a lack of microcode updates from Intel:
1. MacBook (13-inch, Late 2009)
2. MacBook (13-inch, Mid 2010)
3. MacBook Air (13-inch, Late 2010)
4. MacBook Air (11-inch, Late 2010)
5. MacBook Pro (17-inch, Mid 2010)
6. MacBook Pro (15-inch, Mid 2010)
7. MacBook Pro (13-inch, Mid 2010)
8. iMac (21.5-inch, Late 2009)
9. iMac (27-inch, Late 2009)
10. iMac (21.5-inch, Mid 2010)
11. iMac (27-inch, Mid 2010)
12. Mac mini (Mid 2010)
13. Mac Pro (Late 2010)
Microsoft
Windows guidance to protect against speculative execution side-channel vulnerabilities
“Firefox has applied the mitigation recommended by Apple on macOS,” said a Mozilla spokesperson. “The macOS mitigation will be part of our upcoming Firefox release (67) and Extended Support Release update (60.7), both scheduled for May 21.”
When sending the InstalledApplicationList MDM command to macOS clients, apps that had been installed via VPP would fail to report when an app update was available.
When using the Time Server payload on earlier versions of macOS 10.14, the time zone was not getting set properly.
The Accessibility Events switch was removed, because related aspects of the W3C AOM effort are no longer applicable.
10.14.5 Standard Update Notes
Adds AirPlay 2 support for sharing videos, photos, music and more from your Mac directly to your AirPlay 2-enabled smart TV
[C and US English only] Adds the ability to follow a magazine from the Apple News+ catalog browsing view
[J only] Includes support for the Reiwa (令和) era of the Japanese calendar
Improves audio latency on MacBook Pro models introduced in 2018
Fixes an issue that prevented certain very large OmniOutliner and OmniPlan documents from rendering properly
Other New Updates Released
iTunes Device Support Update – 108.3mb – MobileDeviceSU- 041-62886
Gatekeeper Config Data – v166 – 3.5mb – 041-56834
10.13 High Sierra
10.13.6 High Sierra Security Update 2019-003 – New BuildVersion – (17G7024) Size 1.9gb
If you are here for the 10.15.1 issue, you can follow the same 10.14.4 workaround instructions below.
UPDATE: 07/31/19
This will probably be the final update. Sadly the issue is NOT fixed in 10.14.6. Even worse, this will be the final update and the issue will not be fixed in Mojave. I submitted this issue right after it was found in 10.14.4 and it’s just a bummer that this will never be fixed in Mojave. The only good news I can give you is that this is fixed in macOS Catalina 10.15.
UPDATE: 07/09/19
The AD Mobile Account option to “Update Keychain Password” when resetting your password outside the Mac is still broken in macOS Mojave 10.14.5. This issue is still not fixed in the current 10.14.6 Beta! Be sure to contact Apple if you haven’t already done so!
10.14.4 Update password fixes/problems
I really like the 10.14.4 update, trust me I do! It arrived with so many fixes that have really helped MacAdmins. The problem is, it also broke a few things. Just when I thought we found all the fixes/problems a new one pops up. If you have been following along, this is now my 4th article on password fixes/problems in the 10.14.4 update. Let’s quickly review.
10.14.4 Update breaks “Update Keychain Password” process for AD Mobile Accounts.
This issue affects Active Directory Mobile Account users. If you use Mobile Accounts you have seen this message before.
You will only see this message if you change your Active Directory Password outside the Mac. An example of this would be if you changed your AD password on a 2nd Mac, Windows PC or Web Portal. Logging in with the new password will sync that new password down to the Mac’s local cache but can NOT change the keychain password without the OLD password. You can click “Create New Keychain” and a brand new login keychain will be created. But what if you have Xcode Developer Certs and Private keys or Wifi certs? In this case you need your old keychain intact.
Clicking “Update Keychain Password” just creates a new login keychain.
If you click “Update Keychain Password” you should see this. (10.14.0-10.14.3)
Instead, after clicking the update button you will not see this message and you are now at the desktop. If you open up keychain access you will see that your login keychain was wiped out.
Workaround – Find renamed keychain, change password and restore.
Good news, I have a workaround for you. The old login keychain luckily still remains in ~/Library/Keychains.
We will have to perform a few steps to restore your old login keychain
1. Find renamed keychain – located in ~/Library/Keychains and called login_renamed_1.keychain-db
2. Change password of login_renamed_1.keychain-db from old to new
3. Remove login.keychain-db
4. Rename login_renamed_1.keychain-db to login.keychain-db
5. Restore login.keychain-db to Keychain Access.app
6. Log out and back in.
1. Find renamed keychain
The old keychain is located in ~/Library/Keychains and called login_renamed_1.keychain-db
2. Change login_renamed_1.keychain-db password
You used to be able to change the login keychain password through Keychain Access. This is no longer possible.
What if we clicked “Add Keychain” and tried to add the renamed keychain then try to change the password?
This looks promising but after clicking “change password for keychain login_renamed” nothing happens. I then tried to unlock it with the old password.
After unlocking I attempted to change the password again.
Still no go! After clicking change password nothing happened. At this point, I thought I was out of luck.
Enter CLI command security
Never give up a fight without visiting the Command Line Interface! The CLI can be your best friend. Let’s take a look at the security man page and see if anything will help us. Open terminal and type in man security
set-keychain-password Set password for a keychain.
Oh ya, now we are talking! Let’s take a look at the options.
Perfect, just what we are looking for. Let’s try it out.
You will be prompted for your old and new password. Now that the old keychain has the same password as your AD account we can move it back into Keychain Access.app.
3. Remove login.keychain-db
Now we can just delete the empty login keychain.
Right click on login and select Delete Keychain “Login” then click “Delete References & Files”. You should now only have Local Items, System and System Roots.
4. Rename login_renamed_1.keychain-db to login.keychain-db
We now need to rename login_renamed_1.keychain-db to login.keychain-db. You can either do this in keychain access or in the finder. Let’s rename in the finder. Click once on login_renamed_1.keychain-db and change it to login.keychain-db.
5. Restore login.keychain-db to Keychain Access.app
Now all we need to do is add our old keychain back to Keychain Access.app. Right click in the keychain section and select “Add Keychain”.
Navigate to ~/Library/Keychains/login.keychain-db and select it. You will now see login in the keychain box! At this time it will be locked. You can test unlocking it now. Right click on login and select “Unlock Keychain login”
You will now be prompted to enter in your current password.
6. Log out and back in to confirm
You have now restored your old keychain. Log out and then back in to confirm. You are now good to go!
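Steps 1 through 4 of the workaround can also be done from Terminal. The script below is an added example, not code from the original article: it assumes the renamed file matches login_renamed_*.keychain-db in ~/Library/Keychains, its function names are illustrative, and it keeps the empty login.keychain-db as a backup (a made-up `.empty-<timestamp>` suffix) instead of deleting it.

```bash
#!/bin/bash
# Added example: CLI version of workaround steps 1-4 (not the article's own code).
# Assumption: the old keychain matches login_renamed_*.keychain-db in this folder.
KEYCHAIN_DIR="${KEYCHAIN_DIR:-$HOME/Library/Keychains}"

# Step 1: print the most recently modified renamed login keychain found in $1.
# Returns non-zero when no renamed keychain exists.
find_renamed_keychain() {
    newest=$(ls -t "$1"/login_renamed_*.keychain-db 2>/dev/null | head -n 1)
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# Steps 3-4: move the empty login keychain aside (kept as a backup rather than
# deleted) and put the old keychain ($2) back as login.keychain-db in $1.
swap_in_keychain() {
    current="$1/login.keychain-db"
    if [ -e "$current" ]; then
        mv "$current" "$current.empty-$(date +%Y%m%d%H%M%S)" || return 1
    fi
    mv "$2" "$current"
}

restore_login_keychain() {
    renamed=$(find_renamed_keychain "$KEYCHAIN_DIR") || {
        echo "No login_renamed_*.keychain-db found in $KEYCHAIN_DIR" >&2
        return 1
    }
    echo "Restoring from: $renamed"
    # Step 2: security prompts for the OLD keychain password, then the NEW one
    # (the current AD password). Nothing is moved if this fails.
    security set-keychain-password "$renamed" || {
        echo "Password change failed; login.keychain-db left untouched" >&2
        return 1
    }
    swap_in_keychain "$KEYCHAIN_DIR" "$renamed" || return 1
    echo "Keychain restored. Log out and back in to confirm."
}

# Act only when explicitly asked, so the functions can be sourced and read first.
if [ "${1:-}" = "--restore" ]; then
    restore_login_keychain
fi
```

Run it with `--restore` as the affected user, not with sudo, then continue with steps 5 and 6 above.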
As always, we need to submit a bug report to Apple.
I can not stress how important this is. The more reports we put in the higher priority the issue gets. We are also running out of time and only have about 3 weeks before 10.14.5 is released.
Thanks to hawkzhang45 from JAMF Nation forum for calling this issue out. Also to m.entholzner for confirmation and submitting an Apple Enterprise Ticket. You can read the original thread here.
We have been waiting for SecureToken Documentation since 10.13 Beta 1 and the introduction of APFS. I go into this in my previous article 3 Undocumented macOS Mojave 10.14 Enterprise Fixes. I talk about what SecureToken is and how we need SecureToken Documentation. The sysadminctl binary still doesn’t have a man page. You will see why, once you read on how Apple recommends that you use fdesetup instead of sysadminctl.
Documentation Please!
Many MacAdmins have called on Apple to give us some information explaining how the system works. Since 10.13 Beta 1 we have been left to fumble around and figure all this out on our own. The other problem was, that from 10.13.0 to 10.14.4 the system had many bugs and has even changed many times. It was really hard to keep up much less understand what was going on.
Enter macOS Deployment Reference “Use of SecureToken”
Now that we have the document, what does it say? Does it shed any light on the situation? In a word no… but it finally puts everything into words for new MacAdmins. Most of the information posted was already known and hashed out by experienced MacAdmins who have spent hours testing SecureToken. We will be able to share this document when anyone has questions about how SecureToken works.
Any key takeaways from the document?
1. If local user account creation in the macOS Setup Assistant is skipped using MDM and a directory service with mobile accounts is used instead, the directory user won’t be granted SecureToken when logging in to the Mac.
This statement is a little confusing yet could also be true depending on your setup. For example you can use MDM/DEP with the setting “Skip Account Creation” then bind to a directory service with a policy to enable FV2 on login. In this situation the management account/admin user is not granted a SecureToken. The first directory user to login will get a SecureToken by enabling FV2. This is the perfect scenario, as you don’t need a tech waiting around to enter in the admin username and password for the first user logging in.
Editor’s Note: for the above situation. If you do not have a policy to enable FV2 on login the mobile account will not get a SecureToken. I never tested out this scenario. Big thanks for the clarification from TravellingTechGuy who put together a really nice SecureToken flow chart. You can find that chart here.
2. “Important: In macOS 10.13.5 or later when using a directory service and mobile accounts, users won’t be prompted about SecureToken during first login if there are no SecureToken accounts already available on the Mac. See below for additional information.”
In 10.13.3-10.13.4 directory users were prompted with this message even if the first user was logging in. You had to hit bypass to get that first login SecureToken. Now as this message states, if you logged in as the first user you are not prompted. The document also goes over how you can disable this pop up.
Seeing this note reminds me of an additional change to the SecureToken Pop up message in 10.14.4. When you log in the SecureToken message will not come up if the SecureToken account already on the system is not an admin. The point of this change is that the SecureToken user has to be an admin to enable the new user logging in. If the standard SecureToken user is not an admin don’t even bother to show the message because you would be unable to add the new user to FileVault anyway.
3. “Managing which users can unlock a FileVault encrypted volume should generally be done using the command-line tool fdesetup. However, you can use the command-line tool sysadminctl specifically to modify SecureToken status for user accounts on the Mac. This should be done with caution and only when necessary.”
It’s interesting how Apple actually recommends using fdesetup instead of sysadminctl. The reason I say that is that we all use sysadminctl to create accounts and manage SecureToken.
The problem with using fdesetup to add an additional user to FileVault is, the account does not show the securetoken as enabled. Instead you really should use diskutil apfs listCryptoUsers / or sudo fdesetup list -extended to get a proper list of enabled CryptoUsers. I am just pointing out that we are still having inconsistent results when checking the FV2 status of a user when using sysadminctl.
You can try this yourself in 10.13.6 (17G6029) & 10.14.4 (18E226)
sysadminctl Secure token is DISABLED for user mrmacintosh
You can still unlock the volume in this condition and it will report properly using the above command diskutil apfs listCryptoUsers / or sudo fdesetup list -extended.
Conclusion
In this article I point out a few things that still need some work. With that said, this document is a move by Apple to give us the needed documentation that we have asked for. We are also seeing more information in beta patch notes and Enterprise Content when a combo update is released. I hope this trend continues!
Apple Link to Device And Data Security Use of SecureToken.
I have been thinking for a while now of creating a one-stop-shop for macOS System Status & Version Info. The idea behind this is a page you can visit that has the latest information, from what’s broke in the latest macOS release to what forked build number the new 2019 iMac has. This page will follow the general idea of Apple’s System Status Page but include a lot more information.
I have received some really great feedback on my Updated List of Notarization Links page and how it has helped many MacAdmins. This page will be an extension on that. With the amount of work we are all dealing with, it’s very difficult to keep up. I can’t tell you how many times I have spent hours troubleshooting an issue only to find out that it was a known problem. If this page can save you that lost time it will be worth the effort!
Table of Contents
Mojave Core System Status
This section will cover critical core macOS system functions. If something major is not working, it will be listed here. Most of the system functions listed are very important to MacAdmins. I verify each section myself and also include reports from other sources. NOTE: Be sure to verify in your own lab, I am providing a “best effort” service.
macOS System Updates/Versions
In the 2nd section, I will list the current Mojave Installer and the current Beta. Forked installers will also be listed. (A forked macOS installer is a special app installer that is only used for new Mac hardware releases). BridgeOS and built-in security versions (Malware Removal Tool, XProtect, Gatekeeper) are also listed.
Core Application updates/versions
In the final section, I included a list of core macOS Applications. The table contains size of the update, release date and patch notes.
Improvements?
Should I add other sections? Add older OS’s like High Sierra or Sierra? What about including issues in previous Mojave Point releases? Could the layout be better? Let me know.
When Apple announces a new security feature on macOS it takes time to get a handle on how it will affect your deployment workflow. Most likely you are busy streamlining the last change! You end up searching google for links so you can get up to speed as soon as possible. This time around I will attempt to make this easier on you. I will be collecting the most important Notarization links and will add them to this article. Some of the links I will be posting will be from Apple, MacAdmins, 3rd Party Vendors and Security Researchers. A lot of hard work and research was put into some of the articles below. Let’s get started!
Give users even more confidence in your software by submitting it to Apple to be notarized. The service automatically scans your Developer ID-signed software and performs security checks.
2nd Bulletin – April 10th 2019 – We’re working with developers to create a safer Mac user experience through a process where all software, whether distributed on the App Store or outside of it, is signed or notarized by Apple.
Transporter is Apple’s Java-based command-line tool for large catalog deliveries. You can use Transporter to deliver your pre-generated content, in a Store Package, to the iTunes Store, Apple Books, and App Store.
Updated Notarization Requirements 09/03/19 until January 2020
Sophos.com– Advanced Endpoint Protection with EDR and Artificial Intelligence, Next Gen Firewall with Synchronized Security and Business-Grade Security for Home Users.
If you use Active Directory Mobile Accounts with FileVault, password sync problems will be very familiar to you. I have good news, macOS Mojave 10.14.4-10.14.6 can now sync AD Mobile Account password changes to FileVault when you don’t know the AD password. Apple added this new feature to macOS 10.14.4 for Mobile Accounts. In previous releases, you needed the old password to sync the password down to FileVault. Local Accounts have had this ability for years. Rich Trouton put together a great article on Resetting and Syncing FV2 Local account passwords. He mentions the methods are only for Local Accounts, NOT Mobile Accounts.
You forgot your AD password on 10.13.0-10.14.3
Users who fall into this situation are in a pinch and options to get the system to sync the new password to FileVault are limited. You could boot the system up using the PRK (Personal Recovery Key) and then have the Help Desk reset the AD password. This would get you into the system but your FV2 password would never sync. You will be forced to continue to unlock the Mac with the PRK (Personal Recovery Key), then login with the new AD password.
The only way to fix this was to have a SecureToken Admin on the system.
Do you have an admin support account that is FileVault/SecureToken enabled? Listed below are two methods to fix out of sync passwords.
1. fdesetup remove / re-add user
sudo fdesetup remove -user userwhoforgotpass
Then re-add the user by running
sudo fdesetup add user localadminuser -usertoadd userwhoforgotpass
What this would do is remove the user from the enabled FileVault user list, then add them back. The sync would happen when you are prompted for the new password when re-enabling the account for FileVault unlock.
2. Sysadminctl -secureTokenOff/On
You can also use sysadminctl. Start by turning off SecureToken and then turn it back on.
The process of turning off SecureToken and then turning it back on will sync the password. Also note that you don’t have to run sysadminctl with sudo.
Problem is, some companies don’t want a FileVault enabled admin account on the system.
NOTE: diskutil apfs updatePreboot / – Does NOT sync the password!
Running diskutil apfs updatePreboot / does NOT sync the password from the OS to FileVault. If this worked in the past, it was only a coincidence. If you changed your AD password outside the Mac, password syncing to FileVault would sometimes take 2-3 restarts. This command is only really needed when you wanted to add a new FileVault user to the system. Running this command would then add the new user to the FileVault pre-boot window. You only had to run this command in 10.13. This was actually a bug and was fixed in 10.14. The new account will now automatically show up at the FV2 pre-boot window after creation.
Reading the third line, it does seem to match our situation. If you forgot your AD password, you would have to continually unlock the Mac with the PRK. You would be forced to do this each time you turned on your Mac or restarted. Notice the wording, it does not say “Fixes”.
How to reset your AD mobile account password and have it sync to FileVault, when you don’t know the previous password.
You need to meet all of the following prerequisites.
macOS Mojave 10.14.4 or newer.
Active connection to Active Directory.
Access to the PRK (Personal Recovery Key)
You have the ability to change your password outside the Mac (2nd Mac, Windows PC, or Web Portal). Or the Help Desk can reset and issue you a temporary password which you can then use to set a new password at the loginwindow.
Since you don’t know the previous password you can’t even get past the FileVault Unlock Screen. You will need access to the PRK. Click the user who needs their password reset. In the password line, you will now see a ? button. Click on it, you can now type in the Personal Recovery Key. Try this neat trick to get the Mac’s serial number. Click the ? a second time.
After booting the system with the Personal Recovery Key the process will stop at the login window. On 10.13.0-10.14.3 systems you are prompted to reset the password at the login window.
This feature is for Local Accounts Only. To change your AD Mobile Account password from the Mac you must give Active Directory the OLD password. You can only do this with System Preferences > Users & Groups > “Change Password” or dscl. As you can see above the interface does not have a box for Old Password.
10.14.4 will now show a new pop up for Mobile Accounts after booting with the PRK.
The Mac now realizes that you are trying to reset a Mobile Account Password. You will no longer see the Reset Password pop up. This is because AD requires that you enter in the OLD password. Since you don’t know it, you will not be able to reset your password. This is why macOS will not show you the password reset window anymore for mobile accounts. If you use the PRK from a Local Account you will get the password reset window with password fields like you would normally expect.
Step 2. Reset the AD Password.
As noted above, for this to work you can reset your AD password one of two ways.
Call the Help Desk and have them reset the password and then issue you a temporary password.
Reset the password on a 2nd Mac, Windows PC, Web Portal etc.
Either way will work for the password change system.
If you called the Help Desk and had them reset your AD Password they can now give you a temporary password. Your account will be flagged “Password must be changed on next login”. Enter in your username and then type in the temporary password. Hit enter and you will now get a new pop up window.
Enter in your new password. Click Reset Password when ready. You will be greeted with the login keychain message. You will receive this message anytime you change the password outside the Mac. Click “Create New Keychain” and the Mac will continue to login.
Step 3. Restart to complete the FileVault sync.
You will need to restart at least one more time to complete the sync process.
On this next restart you will need to enter in the PRK ONE MORE TIME.
NOTE: I am still trying to figure out if having to use the PRK twice is a bug or not. I think it is because you don’t have to do this extra step with local accounts.
After you perform one last PRK boot, enter in the username and new password and you will be at the desktop once again. The process is now complete, you can restart to confirm. Use your new AD password to unlock the volume and the system will now auto boot you to the desktop.
Conclusion
This is my 3rd article on password fixes/improvements/problems in 10.14.4
MacAdmins who use Active Directory Mobile Accounts want a working password change system that functions seamlessly with FileVault. Now that we have a working native AD Plugin, will this stop the mass exodus to Local Accounts? Only time will tell.
Today Apple released a new BuildVersion of macOS Mojave, 10.14.4 (18E227). The previous build version was 10.14.4 (18E226). The last time a new BuildVersion was released like this with no documented changes was macOS High Sierra. The BuildVersion went from (17G65) to (17G66).
If you look at 18E226 we do have a size difference.
The size difference between the 2 updates is very small but still different. Opening up both installers in Suspicious Package.app I looked inside InstallESD.dmg. Inside was the Core.pkg. I compared 18E226 to 18E227 and they both have 460,632 files installing 12.63GB to the system.
This is only for the full “Install macOS Mojave.app” installer. This is not a combo update or security update.
You do not have to replace 18E226 with 18E227. If you are preparing for upgrades and already cached 18E226 to your Macs, you don’t have to re-cache 18E227. As far as we know this is only a re-write of the original 10.14.4 (18E226) installer. 18E226 is no longer available for download.
BridgeOSUpdate also released
Apple also re-released the BridgeOSUpdateCustomer with the Product ID 041-56509.
The previous BridgeOSUpdate 041-49224 was only a few bytes smaller. As of April 18th 2019 the current T2 BridgeOS/iBridge version is 16.16.4507.0.0,0