UPDATE: 05/16/19 – 10.14.5 Update fixes this issue
As noted above this issue is now fixed in macOS 10.14.5. You can read on if you are interested in how this all went down.
I have been testing the new password fixes/changes in macOS Mojave 10.14.4. You can see the changes in the “What’s new in the updates for macOS Mojave” support document. What I found is that the 10.14.4 update breaks local account password reset when using the FileVault Recovery Key.
I previously wrote about how 10.14.4 fixes the Mobile Account password syncing issues present in 10.14.0-10.14.3. This was a huge win for Active Directory users. We finally have a functioning password change system in place. I found this problem while testing those new fixes. Instructions for this procedure are listed in this Apple Support Document.
Let’s confirm this on 10.14.3 and 10.14.4
I setup a fresh 10.14.4 (18E226) system, created a local account and then enabled FileVault. I then performed the following test.
Boot system – Select user
Click the ? button so you can enter the recovery key.
The system will now boot to the login window
You will see the username filled in with your username with the password reset window.
Type in a brand new password and then hit “Reset Password”
The window thinks for a second then shakes you off.
The password is not changed.
Performing the same test on 10.14.3 (18D109) worked as designed. After clicking “Reset Password” the system accepts the new password then logs you in.
Workaround: resetpassword in Recovery
Good thing is, the resetpassword application in the recovery partition still works.
1st way to reset your password. Boot to Recovery
Boot your Mac holding Command-R to boot into the Recovery Partition. Once there, click Utilities in the menu bar, then select Terminal. Type resetpassword and follow the instructions.
Note: If you have a T2 Mac, this option requires that you have a SecureToken Admin on the system to access the Terminal.app.
2nd way to reset your password, the FV2 Screen.
You can trigger the 2nd way at the FV2 login window.
Wait up to a minute at the login screen, until you see a message saying that you can use the power button on your Mac to shut down and start up again in Recovery OS. If you don’t see this message, FileVault isn’t on.
Press and hold the power button until your Mac turns off.
Press the power button again to turn on your Mac.
When the Reset Password window appears, follow the onscreen instructions to create a new password.
If you would like to follow Apple’s instructions on how to reset local account passwords you can visit this Apple Support Article.
“Radar or it didn’t happen”
This was a really great quote from Jason Broccardo @zoocoup. Filing bugs and tickets is a really important task for MacAdmins. Apple rates issues by the number of reports/tickets they get for each issue. If this feature is important to you please do the following.
Then open an Open Radar on openradar.appspot.com. This will help with tracking, and you can let others know about the issue. (This site is not affiliated with Apple Inc.)
Today Apple released an updated developer document informing us of upcoming notarization changes.
macOS 10.14.5 (18F108f) Beta 2 was released this afternoon, so you can begin testing the notarization changes now!
Update 04/09/19 – The cutoff date for new or updated Kernel Extensions has been found: 03/11/19
Last year Apple took the covers off 10.14 Mojave at WWDC 2018. Apple then released information on the following new security features: User Content (TCC), Enhanced Runtime & Notarized Apps. You can watch the entire WWDC presentation “Your Apps and the Future of macOS Security”.
Apple then announced changes around User Approved Kernel Extension Loading (UAKEL). “Starting with macOS 10.13.4, enrolling in MDM no longer disables User Approved Kernel Extension Loading, and extensions previously allowed to load for that reason now require approval”.
10.14.5 Notarization requirements.
This bit of information was just made public late this afternoon. Looking at the requirement paragraph we can make some guesses.
Looking over this paragraph the important part seems to be “all new or updated”.
10.14.5 – New or updated Kernel Extensions
I think this means that once you have 10.14.5 any NEW or UPDATED Kernel extension will NOT LOAD unless it is fully notarized.
Example #1 – I build a brand new application today that has a built-in Kernel Extension. I did not notarize the kernel extension. If I tried to install this app on a 10.14.5 system the Kernel Extension would NOT INSTALL.
Example #2 – If I attempt to install Symantec Endpoint Protection.app, which has a built-in kernel extension, on a 10.14.5 system, the app WILL INSTALL because this application was built before the change.
10.14.5 – All software from Developers new to distributing with a Developer ID.
Reading this again, I think it’s the same as kernel extensions. If you build apps with a brand new Developer ID, notarization is required for your app to install.
Example #1 – I build a brand new Application with my new Developer ID that I signed up for today. When I go to install this app on a 10.14.5 system Gatekeeper will BLOCK this application from installing.
Example #2 – I built an application last year with my Developer ID. I attempt to install this application today and Gatekeeper WILL ALLOW the install.
Update 04/09/19 – The date for new/updated kernel extensions is 03/11/19
What do mid-cycle security changes mean for MacAdmins?
I posted above about mid-cycle security update releases because this is the new norm for Mac administration. Apple is no longer releasing features and security enhancements in the gold master and calling it a day. They are continuing to secure macOS, and if that means releasing a security change mid-cycle, so be it! Again, this is a good thing; anything Apple can do to secure macOS is what we want. The rub is MacAdmins have to continually be on top of these changes or they will come back to bite us.
Learn with us! Join the #notarization channel on MacAdmins.slack.com
Notarization is still new to most of us and will start to affect you soon. It’s better to learn how this new system works so you can be ahead of the game!
How to download macOS Sequoia, Sonoma 14, Ventura 13, Monterey 12, Big Sur 11, Catalina 10.15, Mojave 10.14, High Sierra 10.13, Sierra 10.12, El Capitan 10.11, Yosemite 10.10, Mavericks 10.9, Mountain Lion 10.8 & Lion 10.7
UPDATED 10/04/24
If you are wondering how to download macOS full installers direct from Apple’s servers, you’ve found the right place. If you are a macOS user or just starting in Apple IT, you will find out pretty quickly this can get complicated.
8 Different ways to download macOS Full Installers
Need a full macOS installer to rebuild a Mac or create a USB Installer stick? I will show you 8 different ways to download macOS.
1. App Store = High Sierra, Mojave, Catalina, Big Sur, Monterey, Ventura, Sonoma & Sequoia
2. System Preferences/Settings = 10.14, 10.15, 11, 12, 13, 14 & 15 – NEW INFO!
The Mac App Store will be your main way to download macOS. You can download the following versions – 10.13, 10.14, 10.15, 11.7.10, 12, 13, 14 & 15. Each link below will open up that version in the Mac App Store. All you need to do is click the Download button. When the download is finished, the installer will be in /Applications.
NOTE: If you are looking for Apple.com direct download links for macOS 10.12 Sierra, 10.11 El Capitan, 10.10 Yosemite, 10.9 Mavericks, 10.8 Mountain Lion & 10.7 Lion, skip to Sections 5 & 6
2. macOS New Upgrade System will NO LONGER Download the full installer Automatically – WARNING!
Apple added a new system preference and system settings pane in 10.14+, it’s called Software Update. This new section will show you available macOS software updates, but it will also show you upgrades! In this case we can use this pane to download and install macOS Ventura.
WARNING! macOS Ventura, Sonoma & Sequoia change the upgrade system. The upgrade is now an “Update” and will not download the full installer app if you are on Monterey 12.3 or newer. If you are on Monterey 12.2.1 or below, you will get the full installer app from System Preferences.
After hitting the “Upgrade Now” button, macOS Ventura will start to download and then it will install on your main system immediately if the size of the update is under 12GB.
If you are on Monterey 12.2.1 and below, Big Sur, Catalina or Mojave this is what you will see in Software Update:
3. Download Sequoia, Sonoma, Ventura, Monterey, Big Sur, Catalina, or Mojave with softwareupdate --fetch-full-installer
With the release of macOS 11 Big Sur & 10.15 Catalina we got a much needed new option added to the softwareupdate binary. We can now download full installers!
To get more information you can just run the softwareupdate command from terminal.app and it will give you a quick overview of all the options.
softwareupdate --fetch-full-installer – this command will download the newest version of Monterey.
softwareupdate --fetch-full-installer --full-installer-version – This sub-option will allow you to download specific versions. An example of this would be 14.6.1. An example of this command is: softwareupdate --fetch-full-installer --full-installer-version 14.6.1
When the download is complete the macOS Installer app will be in /Applications
4. Download macOS Sequoia, Sonoma, Ventura, Monterey or Big Sur Full installer via Apple SUS & InstallAssistant.pkg
You can download the full installer of macOS Big Sur from Apple’s own software update servers. The InstallAssistant.pkg includes the entire Install macOS Big Sur.app. Run the pkg and it will put the entire install app into your Applications folder!
installinstallmacos.py is a script that was written by Greg Neagle. The description reads – “A tool to download the parts for an Install macOS app from Apple's softwareupdate servers and install a functioning Install macOS app onto an empty disk image”.
This script reaches out directly to Apple and downloads all the pieces that form the macOS install app, then installs them into a blank disk image. In the end you have a fresh macOS Install app in a .dmg!
Opening the link above shows you the raw script. Download it by right-clicking anywhere on the page and then selecting Save As. Now that you have the script, let’s run it.
Open up Terminal.app. Below is an example of how the script would look on your command line.
Notice that you have 8 versions of full macOS installers available! As of April 9th 2020, the latest version of Catalina is 10.15.4 (19E287). Select 2 (or 6; it’s doubled up for some reason) then hit enter.
The download will start and look like this
All of the download pieces are downloaded to /Users/yourhome/content/downloads
Making empty sparseimage...
installer: Package name is macOS Catalina
installer: Installing at base path /private/tmp/dmg.IJe432
installer: The install was successful.
When the download is complete the .dmg will be located at the root of your home folder.
3. What happens if you have an old version of installer.app on your system and want the latest version?
4. How do I check the macOS version number of Install macOS installer.app?
5. Downloading the latest version after finding an old version.
6. The Mac you are using has to be compatible with the macOS version you are trying to download.
7. If Mojave is not compatible with my system, how do I download High Sierra 10.13?
8. The dreaded 22MB “Stub” installer.
9. The Mac App Store was redesigned for Mojave 10.14!
10. Can I download High Sierra in the new Mojave App Store?
11. The new Mac App Store has solved the dreaded 22MB “Stub” installer problem.
12. Let’s review which macOS versions you can download on Mojave & High Sierra
12. Mac App Store Errors
13. Review of which macOS versions you can download on Mojave & High Sierra depending on your Mac Version.
14. Download full macOS installers using installinstallmacos.py
15. How to download macOS Catalina 10.15 Beta – Apple Beta Software Program.
16. Apple App Store Download links for 10.15, 10.14, 10.13 + direct download links for 10.12, 10.11 & 10.10.
1. Support.Apple.com/Downloads
Let’s say you want to download the full macOS installer.app from Apple so you can deploy in-place upgrades or build a USB Installer. Let’s first check Support.Apple.com/Downloads.
Hmmm… Searching for Mojave and High Sierra installers only shows combo and security updates.
2. High Sierra Mac App Store
No big deal, let’s go to the High Sierra App Store and search for Mojave and High Sierra installers.
I found Mojave / High Sierra not found (404)
Ok, well we are getting a little closer it seems. Searching for macOS Mojave comes up, yet High Sierra is nowhere to be found.
3. What happens if you have an old version of installer.app on your system and want the latest version?
The button under the Mojave Circle says OPEN instead of download ???
You now see Mojave is there in the Mac App Store, but instead of Download it says Open. Let’s find out what that means.
Seems like I already have the installer. Let’s click “Show Application” to find out more info.
After clicking Open I am presented with this message above. As you can see the App Store first searched my system and found that I already have macOS Mojave installer.app. Notice that it searches all locations, not just the Applications folder where the installer app normally is stored. It found the macOS Mojave Installer.app in a folder called test.
App Store found the installer!
Great, we are ready to go, right? Not really, because I have no clue what version this is. Looking at the creation date gives us a pretty good clue. macOS Mojave was released on September 24th 2018. This Mojave installer download was created 23 days after release, so it’s most likely 10.14.0.
4. How do I check the macOS version number of Install macOS installer.app?
We have multiple ways of checking the version number and build number. The easiest way is to simply look at the version number info from Get Info.
ah.. 14.0.22 = 10.14.0!
After checking the version number, I now know the macOS version is 10.14.0. We can find the build number inside the actual installer.app but knowing the version number is usually good enough unless you need a specific hardware build.
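The version number shown by Get Info comes from the installer bundle’s Contents/Info.plist. The following script is an added example (not from the original post) that reads that plist with awk, maps the installer version to the macOS version using the post’s 14.0.22 = 10.14.0 rule (assumed here to hold for the 10.13, 10.14 and 10.15 installers, where the first number is the 10.x minor version), and also tells a full installer apart from the 22MB “stub” by checking for the InstallESD.dmg / SharedSupport.dmg payload the stub lacks. The fixture it inspects is constructed, so it runs on any machine.

```shell
#!/bin/sh
# Added example, not part of the original post. Inspect an "Install macOS X.app"
# bundle without `defaults`/`plutil`, so the same logic can be tested off a Mac.

# Print the <string> value that follows a given <key> in an XML plist.
plist_string() {  # plist_string <Info.plist> <key>
  awk -v key="$2" '
    found && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }
    index($0, "<key>" key "</key>") { found = 1 }
  ' "$1"
}

# Map CFBundleShortVersionString to the macOS version the bundle installs.
# Assumption: for the 10.13-10.15 installers "N.m.b" means macOS 10.N.m
# (the post's 14.0.22 = 10.14.0). Later installers use another scheme.
installer_macos_version() {  # installer_macos_version <path to .app>
  ver=$(plist_string "$1/Contents/Info.plist" CFBundleShortVersionString)
  [ -n "$ver" ] || { echo "unknown"; return 1; }
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  case "$major" in
    13|14|15) echo "10.$major.$minor" ;;
    *) echo "unknown ($ver)"; return 1 ;;
  esac
}

# A full 10.13-10.15 installer carries Contents/SharedSupport/InstallESD.dmg
# (Big Sur and later: SharedSupport.dmg). The App Store "stub" has neither and
# cannot be used to build a bootable USB installer.
installer_is_full() {  # returns 0 for a full installer, 1 for a stub
  [ -f "$1/Contents/SharedSupport/InstallESD.dmg" ] ||
  [ -f "$1/Contents/SharedSupport/SharedSupport.dmg" ]
}

# Constructed fixture (not a real installer) so the demo runs anywhere.
make_fixture() {  # make_fixture <dir> <CFBundleShortVersionString> <full|stub>
  mkdir -p "$1/Contents/SharedSupport"
  printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
    '<plist version="1.0"><dict>' \
    '  <key>CFBundleShortVersionString</key>' \
    "  <string>$2</string>" \
    '</dict></plist>' > "$1/Contents/Info.plist"
  if [ "$3" = full ]; then
    : > "$1/Contents/SharedSupport/InstallESD.dmg"
  fi
  return 0
}

tmp=$(mktemp -d)
make_fixture "$tmp/Install macOS Mojave.app" 14.0.22 full
make_fixture "$tmp/Install macOS High Sierra.app" 13.6.02 stub
for app in "$tmp"/*.app; do
  if installer_is_full "$app"; then kind=full; else kind=stub; fi
  printf '%s -> %s (%s)\n' "$(basename "$app")" "$(installer_macos_version "$app")" "$kind"
done
rm -rf "$tmp"
```

On a Mac, point installer_macos_version and installer_is_full at /Applications/Install\ macOS\ Mojave.app (or whichever bundle the App Store found) instead of the fixture.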
5. Downloading the latest version after finding an old version.
I have macOS Mojave Installer.app on my system but it’s outdated. I need the latest version. We now need to get the app store to show the Download button instead of Open. Simply close the App Store, delete the old version of macOS Installer then re-open.
NOT THIS AGAIN!
I deleted the installer.app but the App Store still thinks that I have the installer. The button SHOULD switch to Download but didn’t. If this happens again just restart your Mac.
Great! Let’s start the download.
Perfect, after restarting the Mac App Store can’t find any version of the Mojave installer on your Mac so it now shows you the download button.
6. The Mac you are using has to be compatible with the macOS version you are trying to download.
The Mac App Store will not let you download a version of macOS that is not compatible.
We could not complete your purchase. This version of macOS 10.14 cannot be installed on this computer.
I STILL can’t download Mojave because the Mac I’m trying to download it on is not compatible. All I want to do is download macOS Mojave! I do understand why Apple did this, they don’t want a user to think they could install Mojave on a system that can’t run it. Apple should take this one step further and not show it as available in the App Store. Or have the button say Not Supported.
7. If Mojave is not compatible with my system, how do I download High Sierra 10.13?
How do I download macOS High Sierra 10.13? If searching for High Sierra in the App Store comes up empty, how can I download it? You have to visit the Apple Upgrading to High Sierra Support Page for the direct App Store link.
Why in the heck are you trying to install High Sierra when you can install MOJAVE?!?!? If you REALLY want to install High Sierra FINE…. we will give you the link.
We are back in the 10.13 App Store, let’s try to download again.
MacOS High Sierra 10.13 Mac App Store.
After clicking Download we finally get some action!
Wait a minute, that downloaded way too fast….
I have a pretty fast connection but not 5.3 gigabytes in 3 minutes fast. The download just finished let’s see what the deal is.
The dreaded macOS 22mb “Stub” installer
8. The dreaded 22MB “Stub” installer.
This is what’s known as the macOS “Stub” Installer. This is not the 5GB full installer we are looking for; it’s only 22MB! All this file will do is start the installation, only to download the full 5GB before beginning the install. You can’t boot from this file or create a USB Installer from this pkg.
While the 10.13 App Store does not allow you to download the full High Sierra installer, it will allow you to download the full version of Mojave.
9. The Mac App Store was redesigned for Mojave 10.14!
The App Store was totally redesigned for 10.14 Mojave. The look is pretty different from 10.13’s App Store. This is what the Mojave section looks like in the new App Store.
4.5 stars nice!!!
The new design aligns the Mac App Store with the iOS App Store. The first hint is that the Download button is now GET.
The GET button starts the process. / Sure you want to download a 6GB file? / Need admin creds to start the download / Profit
We are off to the races now! The first thing you will notice is that instead of downloading macOS Mojave Installer inside the App Store it opens Software Update. Software Update will search for the Installer and ask if you are sure you want to download the 6gb Mojave Installer. After clicking download you will get a new prompt for admin credentials to start the download (not to actually install yet). After the download completes you will finally have the latest macOS installer.app.
10. Can I download High Sierra in the new Mojave App Store?
Good news, the Full High Sierra installer will now download from the new App Store.
Finally High Sierra!
11. The new Mac App Store has solved the dreaded 22mb “Stub” installer problem.
The “Stub” download problem can be reproduced using 10.13 App Store. Yet I can’t seem to reproduce this on 10.14. I have tried multiple machines. The “Stub” installer problem seems to be gone as long as you are using 10.14’s App Store.
12. Mac App Store Errors
If you get one of the following errors, look at the next section below.
The requested version of macOS is not available
This version cannot be installed on this computer
13. Review of which macOS versions you can download on Mojave & High Sierra depending on your Mac Version.
After all this testing, we know what can be downloaded from the App Store. We also found out what can’t be downloaded. After performing multiple tests with each OS: you can download any newer version and the current version, but only one OS behind. Otherwise you will get a mixture of “The requested version of macOS is not available” or “This version cannot be installed on this computer”
T2 Security Chip equipped Macs
The following Macs have a T2 Security Chip.
1. 2017 iMac Pro
2. 2019 Mac Pro
3. 2018 Mac Mini
4. 2018-2010 MacBook Air
5. 2019 16″ MacBook Pro
6. 2018-2019 15″ MacBook Pro with TouchBar
7. 2018-2019 13″ MacBook Pro with TouchBar
10.14.4 and up (non T2 Macs) Mac App Store
Can download 10.14 & 10.13
(Note: on 10.14.0 – 10.14.3 High Sierra 10.13 shows as “not available” further confusing people)
Can’t download 10.12 or 10.11
10.14.x (T2 Macs) Mac App Store
Can download 10.14
Can’t Download 10.13
10.13.6 Mac App Store
Can download 10.14, 10.13 & 10.12
Can’t download 10.11
14. Download full macOS installers using installinstallmacos.py
I showed you how to download the macOS installer through the Mojave Mac App store. The thing is, a better way to download the full installer exists and is called installinstallmacos.py. I was going to explain how to use installinstallmacos.py here but now realize the topic deserves a full article. I did not even get into hardware specific (Forked) builds. As you can see we have a lot to go over, so stay tuned. I will put the link here when complete.
15. How to download macOS Catalina 10.15 Beta – Apple Beta Software Program.
macOS Catalina 10.15 Beta Software Program signup
If you would like to test Apple’s Public Betas you can sign up using this link. You can then download and try macOS Catalina 10.15 Beta.
In this article, I will talk a little bit about the current state of Apple’s Documentation. After that, I will show you 3 Undocumented 10.14 Mojave fixes that can help you as a MacAdmin.
Documentation, Documentation, and Documentation. Say it three times fast! MacAdmins just want Apple to provide proper documentation for features, controls and security settings and Enterprise Fixes. In some cases, Apple provides excellent documentation. An example of this would be the T2 Security Chip Security Overview released in October of last year. In other cases when it comes to binaries like sysadminctl not so much.
I tried searching for something that specifically mentions SecureToken or sysadminctl and came up empty.
The best that I could find was a document called “If you see authentication server errors when turning FileVault on in macOS High Sierra“. This article does not even mention SecureToken. You can get a few nuggets of information by checking the sysadminctl binary options, but sysadminctl doesn’t have a man page. I even performed a search on developer.apple.com/documentation as you can see in the picture above. I will be writing about sysadminctl next week. Maybe I can create a MacAdmins version of a sysadminctl man page! Yet when I search for “SmartCard” three documents show up. SmartCard support is a small piece in the overall macOS pie, yet has multiple documents! Side Note: Shout out to all my peeps in the MacAdmins.slack.com #SmartCard channel (about 5 people) 🙂
Documentation is getting better.
If you have been keeping track, Apple documentation is getting better. If you look at the “What’s new in the updates for macOS Mojave” page you will see a large number of fixes. Eagle-eyed MacAdmins will be first to spot “Enterprise Content”; this is the stuff MacAdmins are interested in.
10.14.2
10.14.3
10.14.4
Check out that first one under 10.14.4! As noted in my previous article, I fought to get that one fixed since 10.14.0. It’s really great to see that fix get mentioned in the Enterprise Content area.
What do you mean undocumented fixes?
Apple is constantly fixing things behind the scenes. MacAdmins continue to file radars, call Apple Care, test beta releases, submit feedback and submit Apple Enterprise Support tickets. Defects and bugs ARE getting fixed but are not listed in Apple’s Enterprise Content listing. I am not totally sure why certain fixes do not make the list.
Maybe Apple wants to keep the list short while focusing on the major fixes. I wish Apple would list more of them, even if they posted them in an enterprise only area. An example of this would be AppleSeed for IT. If you are part of an Enterprise or School you can be selected to join the program. I highly recommend joining if you are not a member already. You can read the FAQ about joining eligibility here. Inside you will find links to macOS beta downloads and beta documentation. Each beta release (Sometimes up to 6 releases per combo update) will show what has been fixed between updates. This is great information for any MacAdmin to have so you can stay on top of what’s going on.
3 Apple Enterprise fixes included in 10.14.0 – 10.14.4
1. macOS 10.14 Mojave can now provide FV2 Authenticated Restarts for Combo and startOSinstalls.
In 10.14 macOS Updates and Upgrades are now able to perform Authorized Restarts. This feature was not an option in previous releases. This is a pretty big deal, especially for #MacEDU and Enterprise customers who have computer labs.
Previously if you installed a macOS update and the system was FV2 encrypted it would restart but STOP at the FV2 unlock screen. If you performed this update remotely you would lose control of the machine. Things get worse at FV2 login window because firmware will shut the Mac down after 5 minutes of inactivity. The same problem will happen when you start a macOS Upgrade. You will be disappointed after returning from lunch thinking the update is complete only to find the Mac turned OFF. You then power the Mac back on only to find the installer has just started with 40 minutes remaining. With 10.14 if you kick off a combo update or macOS upgrade the installer will perform an Authorized Restart and you will never get stuck at the FV2 prompt again!
For startosinstall you just have to store the Install macOS Mojave.app in a folder like /Users/Shared, then kick it off with this command: sudo /Users/Shared/Install\ macOS\ Mojave.app/Contents/Resources/startosinstall --nointeraction. The --nointeraction option suppresses the license agreement prompt.
2. Installing software updates using the -R restart option at the login window now properly restarts the Mac to the installer. (10.14.4)
When Apple released the T2 security chip they also added additional options to the softwareupdate binary so it could handle BridgeOS updates. Installing a combo update on a T2 Mac is now a multi-step process. Using softwareupdate, step one remains unchanged: it downloads the combo update from Apple and stores it in /Library/Updates. For step two, the Mac reaches out to Apple’s personalization service (gs.apple.com) to verify the BridgeOS and combo update. When the verification is complete you will have a new folder in /Library/Updates called PersonalizedManifest.
You can automate the entire process by using sudo softwareupdate -iaR. Option -i will install the update, -a will download all updates and -R will perform an automated restart. The process works just fine if you are the logged-in user. If the system needs to update the BridgeOS, the Mac will shut down and then power back on with the T2 chip to install the BridgeOS update. If the system does not require a BridgeOS update, the system will restart to the update installer. The problem comes in if you try to automate the install from the login window using the softwareupdate -R or --restart option. softwareupdate will run through the process listed above only to stop at the very end, unable to restart.
Looks great until the very end, when at the login window the system will NOT restart!
Once all your Macs are updated to 10.14.4, you can now use the -R restart for all situations. Softwareupdate can now restart the Mac if it’s at loginwindow.
3. 10.14 FV2 Authorized restarts can use the PRK (Personal Recovery Key) again.
When 10.13 arrived you could no longer perform FV2 Authenticated restarts using the PRK (Personal Recovery Key). This feature was just flat out broken. This previously worked in 10.12 Sierra and below. NOTE: You could still perform an Authorized restart with your FV2 name and password. An example of a PRK Authorized restart would be if you are a JAMF Pro customer and had a policy that installed a package but it also required a restart. You could select the option “Perform Authenticated Restart” Jamf would then send a fdesetup authrestart using the PRK. The package would install and then the system would perform an FV2 authorized reboot so the user did not have to enter in the password at the FV2 unlock screen.
10.12, 10.11 & 10.10 – Works!
sudo fdesetup authrestart = Enter a password for ‘/’, or the recovery key:
10.13 – Doesn’t work
sudo fdesetup authrestart = Enter the user name: (hit the enter key to toggle Recovery Key entry) = Error: Missing user name. Error: Unable to restart (error = -54).
10.14 – Works again!
sudo fdesetup authrestart = Enter the Username: (again, hit the enter key to toggle Recovery Key entry) Enter the current recovery key:
I hope that at least one of the fixes I mentioned in this article helps you. In the future I would love to see more documented Enterprise fixes listed in the combo update patch notes. Until then though, I will continue to document said fixes and let you know about them when I can.
Two shout-outs in one day for @AnthonyReimer (@jazzace)! He installed the latest High Sierra Security Update and found the build number had changed. I started to look into this and found that the Security Updates for both 10.13 and 10.12 have been replaced with new builds. The original build number for the 10.13 High Sierra 2019-002 was 17G6029. As of 2 pm CST, the new build offered is 17G6030. Checking Sierra, the build number also changed from 16G1917 to 16G1918. Apple (usually) does not update the .app installer with security update fixes when released, so the installer builds remain the same. No word yet on what was changed in both updates.
Bottom line, if you installed the previous update (17G6029) the new build (17G6030) will show as available. It would be advisable to deploy the updated Security Update.
T2 BridgeOS update
New Apple BridgeOS updates are also listed.
Note: After installing the new (17G6030) Security Update the iBridge version was not updated. iBridge should read 16.16.4507.0.0,0
To examine further I opened up BridgeOSUpdateCustomer.pkg and inside was the version number.
CFBundleVersion 16.16.4507.0.0
SUS Inspector
Check out SUS Inspector, it’s a great tool to view macOS updates.
Before we get started I’m going to talk a little bit about how macOS and Active Directory work together. I will also go into some history behind the built-in AD Connector. In the end, I will explain the current problems we are having with Active Directory Mobile Account password syncing and how Apple fixed the issue.
If your company or school uses Active Directory, you most likely use Mobile Accounts. To get Mobile Accounts to work you first have to bind the Mac to Active Directory; once bound, the Mac is trusted. You can now log in with any Active Directory user and get access to Global Groups, Kerberos and Directory Contacts.
Sounds great right? It was!
Once you log in, the system caches your AD account to the local directory. If you then disconnect the Mac from the network you can still log in and continue to work. When the time comes to change your AD password you could change it on a 2nd Mac, a Windows device or even a Web Portal.
How did the AD password change work?
If you changed your password on the Mac it would first check whether any password requirements are set at the domain level. If you passed the requirements the password would be immediately changed in Active Directory. The password would then change at the local offline level of your Mac. If you changed your password outside the Mac (Web Portal etc.) the system would receive the password change the next time you connected the Mac to the network and logged in. You would then be prompted to update or create a new Login Keychain.
Active Directory & FileVault 2
The AD password change system changed in 10.7 with the addition of FileVault 2. Now when you changed your password an extra step had to be performed. Once the password was changed in AD it would then change the locally cached password and then had to sync that password down to your FV2 account. When you turned on your Mac, you could then use the same password as your AD account to unlock the volume and start booting the system. The AD password sync system worked pretty well from 10.7 all the way up to 10.12 Sierra. Users would sometimes have issues here and there when the Mac dropped off the domain, but usually a rebind would save the day.
10.13, APFS and SecureToken
Apple introduced the next-generation file system called APFS (Apple File System). We first got to test it out in 10.12 Sierra in beta form. APFS was standard for all SSD drive installations on 10.13 High Sierra installs. You could still opt out with commands, and spinning hard drives would still use HFS. When 10.14 arrived APFS was standard across all hard drives. The introduction of APFS brought an added undocumented security feature called SecureToken. If you wanted to enable FileVault 2 you had to have SecureToken enabled for said account. You could no longer use the PRK (Personal Recovery Key) or even a local admin to add extra users to unlock the volume like you could with HFS. You had to grant the 2nd user a SecureToken before they could become an authorized CryptoUser. To get the token in the first place you had to be the first user logging into macOS at the SetupAssistant.
10.13 was the start of syncing issues for Mobile Accounts.
The main problem with this new system was that the SecureToken system was not tested. Mobile account users, in particular, had nothing but problems with this new system. From 10.13.0-10.13.3 AD Mobile Account password syncing to FV2 flat out did not work. During this time frame we had multiple high priority tickets in with Apple Enterprise Support. When 10.13.4 hit Apple finally fixed the issue and password syncing started to somewhat work again. I say somewhat because everyone still reported issues but at least it worked SOME of the time now. 10.13 still had problems when you changed the password off the Mac.
Enough of the history lesson, get to the 10.14 problem!
Once 10.14 hit we were hoping that the problems we had on 10.13 Mobile Accounts would be fixed. Unfortunately, we were wrong, way wrong. The problem got worse when 10.14.0 released. How could it be worse than 10.13, and how did we miss the problem in the 10.14 beta? On 10.13, as I mentioned above, we had to deal with Mobile Account syncing of FV2 passwords. The user would change the password outside the system and it would not make it down to FV2. The good thing is we actually have a fix for this!
The following instructions will change or Sync the password for the CryptoUser account that belongs to the AD user. This will only work if the user KNOWS the old password since the command will prompt for the current password.
1. diskutil apfs list (grab the disk identifier for the volume Macintosh HD, usually disk1s1)
2. sudo fdesetup list -extended (grab the UUID of the OS user). You can also use diskutil apfs listCryptoUsers /
3. diskutil apfs changePassphrase disk1s1 -user UUIDhere (replace UUIDhere with the UUID of the OS user from the previous command)
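The three steps above wrapped into one script, as an added example that is not part of the original post. It assumes the plain `fdesetup list` output format (one `username,UUID` line per CryptoUser) and the `Device Identifier:` line of `diskutil info /`, and refuses to run changePassphrase when the user has no CryptoUser entry, which is the usual sign of a missing SecureToken.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes:
#   - `fdesetup list` prints one "username,UUID" line per CryptoUser
#   - `diskutil info /` prints a "Device Identifier:  diskNsM" line
set -eu

# Read `diskutil info` output on stdin, print the device identifier (e.g. disk1s1).
device_from_diskutil_info() {
    awk -F': *' '/^ *Device Identifier:/ { print $2; exit }'
}

# Read `fdesetup list` output on stdin, print the CryptoUser UUID for user $1.
# Prints nothing when the user is not a CryptoUser (no SecureToken).
uuid_for_user() {
    awk -F',' -v want="$1" '$1 == want { print $2; exit }'
}

# Sync the FV2 passphrase of AD/mobile user $1 with their current AD password.
# diskutil prompts for the user's CURRENT (old) password and then the new one,
# so this only helps when the user still knows the old password.
sync_fv2_passphrase() {
    user="$1"
    dev=$(diskutil info / | device_from_diskutil_info)
    uuid=$(fdesetup list | uuid_for_user "$user")
    if [ -z "$uuid" ]; then
        echo "error: $user is not a CryptoUser on $dev (missing SecureToken?)" >&2
        return 1
    fi
    echo "Syncing FileVault passphrase for $user ($uuid) on $dev"
    diskutil apfs changePassphrase "$dev" -user "$uuid"
}

# Run only when invoked directly as root with a username argument.
if [ -n "${1:-}" ] && [ "$(id -u)" -eq 0 ]; then
    sync_fv2_passphrase "$1"
fi
```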
That’s cool, but you still haven’t told us why the situation is worse in 10.14?
The local cached offline password is never changed!
The problem is the issue is undetectable UNTIL the user attempts to authenticate OFF the network. When they try the current password it will NOT work. They will then have to call the helpdesk, who then changes the AD password making the situation even worse. This is the situation for 10.14.3 and below.
When connected to the network = Current AD Password works!
When Disconnected from the network = ONLY previous password works.
FV2 password = Previous Password.
Things get even more annoying if the user actually uses the old password to authenticate to the Screen Saver while offline. The system will accept the password but then immediately prompt the user to unlock the Login Keychain. This is due to the keychain being set to the current AD password. You would be in a never-ending keychain password cycle.
Do you have a fix for the offline sync issue?
The good news is we do, as long as you have a SecureToken enabled Admin user. All you need to do is turn off SecureToken and then turn it back on. Something in this system will then sync the offline cached password. Shout out to @annemacro on MacAdmins Slack for figuring this out!
Now that 10.14.4 is out the password sync mechanism is working. As long as you update systems to 10.14.4 before users change their AD password they will not have this issue going forward. I have not had the chance to actually test the 10.14.4 update on a system that is already out of sync. The good news is that even if it doesn’t fix the issue when it is already happening, you now have the tools to fix it yourself. The next time the user changes their password they will not experience the issue.
Why did this take so long to fix?
The answer to this question is pretty simple. Everyone missed the bug from beta 1 all the way through into 10.14.0. I performed hours and hours of testing in beta. I was so concerned that the FV2 password did not sync that I did not even think to test the offline password. Even worse, neither did anyone else, including Apple. It was not until around 10.14.2 when I had an enterprise ticket in with Apple that I finally got a response.
“This bug will not be fixed until the next release of macOS”
When I read the reply to this support ticket I was in complete shock. Are you going to tell me that we are going to flat out have a NON FUNCTIONING MOBILE ACCOUNT SYSTEM FOR THE ENTIRE 10.14 RELEASE? I could not believe it. The Apple Enterprise Support Engineer I was working with also agreed; he was fantastic to work with and helped work through the issue with me. At this point what else would a #MacAdmin do but RANT in MacAdmins Slack!!! The best way to do this is to document and explain the issue to others. You can then rally other MacAdmins to file Enterprise tickets or Radars. This will draw attention to the issue and generate heat inside Apple Enterprise Support. In the end that’s exactly what happened. We were not the only company that used Mobile Accounts. Those same companies let Apple know that we needed a fix ASAP. Apple realized this was important and fixed this issue for us in 10.14.4. (Thank you Apple!)
Where does that leave Mobile Accounts?
Before 10.13 Mobile Accounts worked very well. We had thousands of Macs connected to AD utilizing Mobile Accounts and did not have any issues. Once 10.13 hit things started to go downhill. The problem is, it seems like Apple is not spending enough time on Mobile Accounts. The MacAdmins community started to realize this at the end of 2017 and into 2018, which began what I call “The great Mobile Account exodus to Local Accounts”. NoMAD and Enterprise Connect make using local accounts while still having the ability to use AD resources easy. Mobile Accounts still serve their purpose, but it seems the writing is on the wall.
Thanks
If you stuck around to read the entire article I really do appreciate it. If you are at WWDC 2019 or JNUC 2019 I will buy you a beer or non-alcoholic beverage. Just mention coupon code #ISURVIVEDMOBILEACCOUNS.
I hope to write many more articles like this in the future. Over the past 15 years MacAdmins have helped me get to where I am today. I hope I can give back to the community and help the next generation of MacAdmins rise through the ranks! Drop me a note at com gmail mrmacintoshblog