Summer doldrums are here! This is a good thing, because it gives us MacAdmins more time to test the upcoming betas. You are testing and providing feedback, right?
Since I mentioned betas, macOS 11.5 and iOS 14.7 beta5 came out this week, as well!
(Sponsor: Mosyle)
The Fusion of Apple MDM, Identity, Patching & Security.
Mosyle Fuse is the first and only product to bring a perfect blend of an Enterprise-grade MDM, an innovative solution for macOS Identity Management, automated application installation and patching, and purpose-built multi-layer endpoint security, all specially designed for Apple devices used at work at a price point thatβs almost unexplainable.
In other news, I got my second Corona vaccination shot today. Hooray for science and technology! You might enjoy imagining this newsletter getting loopier and loopier as I progress into immune reaction stuporβ¦ π
mikeymikey: “Take the amount of time it would take to manually install and configure critical apps and tools for an employee role and multiply it out by how much of their payroll you’d be wasting without IT ensuring it’s in self-service”
If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!
When Apple introduced notarization with Catalina, I published a post describing how to notarize a command line tool. At WWDC this year, Apple introduced updates to this process with Xcode 13 (currently in beta). Most importantly, there is a new command line tool called notarytool.
While the previous, altool-based, workflow still works in Xcode 13, there are many advantages to the new notarytool which makes its use much simpler.
Apple has documented this tool in a WWDC21 session and some developer articles, in addition we got some great information through the twitter account of one of the engineers, and Howard Oakley has already written a post as well:
Update 2023-08-28: If you prefer to use Swift Package Manager to build command line tools, you can find instructions to package and notarize an SPM executable in this post.
What you need
Apple Developer Account (Personal or Enterprise, the free account does not provide the right certificates, nor access to the Xcode beta)
Xcode 13 (currently available as beta from the Apple Developer portal)
Developer ID Certificates
Application Specific Password for your Developer account
A command line tool project in Xcode
When you are building tools for macOS, you should have most of these already. We already covered these in the previous post, but to keep things in one place, I will cover them again, here.
There are multiple certificates you can get from the Developer Program. By default you get a ‘Mac Developer’ certificate, which you can use for building and testing your own app locally.
To distribute binaries (apps and command line tools) outside of the App Store, you need a ‘Developer ID Application’ certificate. To sign installer packages for distribution outside of the Mac App Store, you need a ‘Developer ID Installer’ certificate.
We will need both types of Developer ID certificates, the first to sign the command line tool and the second to sign and notarize the installer package.
Once you have created or imported the certificates on your work machine, you can verify their presence in the Terminal with:
% security find-identity -p basic -v
This command will list all available certificates on this Mac. Check that you can see the ‘Developer ID Application’ and ‘Developer ID Installer’ certificates. If you are a member of multiple teams, you may see multiple certificates for each team.
You can later identify the certificates (or ‘identities’) by the long hex number or by the descriptive name, e.g. "Developer ID Installer: Armin Briegel (ABCD123456)"
The ten character code at the end of the name is your Developer Team ID. Make a note of it, we will need it later. If you are a member of multiple developer teams, you can have multiple Developer ID certificates and the team ID will help you distinguish them.
Application Specific Password for your Developer Account
Apple requires Developer Accounts to be protected with two-factor authentication. To allow automated workflows which require authentication, you can create application specific passwords.
Note: If you followed the previous post’s instructions to store an application specific password for altool in the Keychain, you can extract that and re-use it for notarytool or create a new app-specific password.
Create a new application specific password in Apple ID portal for your developer account. Give it a name including notarytool so you know what you are using this for.
You will only be shown the password when you create it.
You can use notarytool to store the credentials in a keychain item, in a format that notarytool can read later.
% xcrun notarytool store-credentials --apple-id "name@example.com" --team-id "ABCD123456"
This process stores your credentials securely in the Keychain. You reference these credentials later using a profile name.
Profile name:
notary-example.com
Password for name@example.com:
Validating your credentials...
Success. Credentials validated.
Credentials saved to Keychain.
To use them, specify `--keychain-profile "notary-example.com"`
The --store-credentials option will prompt for a profile name. You will need this name to retrieve the information later. Then it interactively prompts for the password associated with the given Apple Developer ID. Enter the application specific password here.
The credentials will be stored in the Keychain in an item named com.apple.gke.notary.tool. But you don’t really have to worry about that since notarytool will retrieve the credentials when you add the --keychain-profile "notary-example.com" option. (You can abbreviate the --keychain-profile with -p.)
If you are using iCloud Keychain, the credentials will be stored there, so they will be available to all other Macs you are using iCloud Keychain with. If you prefer, you can store the credentials in a specific (non-iCloud) keychain file with the --keychain option.
The Team ID is usually the 10-digit code which is also the certificates. However, in some cases the Team ID is different. You can can look-up Team IDs in the “Membership” area of the developer portal or with this altool command:
You can also use an App Store Connect API key as an authentication option with notarytool. You can read notarytool‘s man page for details.
A Command Line Tool Project
You may already have a project to create a command line in Xcode. If you don’t have one, or just want a new one to experiment, you can just create a new project in Xcode and choose the ‘Command Line Tool’ template from ‘macOS’ section in the picker. The template creates a simple “Hello, world” tool, which you can use to test the notarization process.
My sample project for this article will be named “hello.”
Preparing the Xcode Project
The default settings in the ‘Command Line Tool’ project are suitable for building and testing the tool on your Mac, but need some changes to create a distributable tool.
The preparation in Xcode 13 diverges significantly from the steps required in the previous post. If you have created the project in earlier versions of Xcode, more configuration may be necessary.
Choosing the proper signing certificates
Before you can notarize the command line tool, it needs to be signed with the correct certificates.
in Xcode, select the blue project icon in the left sidebar
select the black “terminal” icon with your project’s name under the “Targets” list entry
make sure the ‘Signing & Certificates’ tab is selected
under ‘Signing’ disable ‘Automatically manage signing’
choose your Team
enter a bundle identifier for the binary
choose ‘Developer ID Application‘ as the Signing Certificate
Hardened Runtime
Having the “Hardened Runtime” enabled is a requirement for notarization. When you create a new project in Xcode 13, the hardened runtime will be enabled by default. When you see the “Hardened Runtime” section under the “Signing” section, it is enabled.
When you are working with a older project, and do not see the “Hardened Runtime” section, you can enable the hardened runtime by clicking on the “+Capability” button above the “Signing” section and selecting “Hardened Runtime”.
Archive and export the binary
Choose “Archive” from the “Product” menu to build and create an archive. It will appear in the “Organizer” window. When that window does not open automatically, you can access it from the “Window” menu.
To export the binary product, select the latest archive and click on the “Distribute Content” button on the right. Choose “Built Products” as the method of distribution. Click “Next.” Choose a location to save the build products to.
This will create a directory with the project name and a timestamp in the chosen location. When you look inside this directory, you will see a “Products” directory and within it the binary in a /usr/local/bin/ directory hierarchy.
/usr/local/bin is the default location for command line tools in the Command Line Tool project template. It suits me fine most of the time, but you can change it by modifying the ‘Installation Directory’ build setting in Xcode and re-building the archive.
Build the installer package
Command Line Tools can be signed, but not directly notarized. You can however notarize a pkg file containing the Command Line Tool. Also, it is much easier for users and administrators to install your tool when it comes in a proper installation package.
We can use the Products directory as our payload to build the installer package:
I have broken the command into multiple lines for clarity, you can enter the command in one line without the end-of-line backslashes \. You want to replace the values for the identifier, version and signing certificate with your data.
This will build an installer package which would install your binary on the target system. You should inspect the pkg file with Pacifist or Suspicious Package and do a test install on a test system to verify everything works.
This is amazingly less effort than what we needed to do previously with the altool command. We give the filename of the archive we want to submit, the keychain profile with our credentials, and the --wait option.
notarytool will upload the file, give us a submission id, and then wait for the returned status from the Notary service. You can follow the output for the details.
You will also notice that notarytool uploads the pkg much faster than the previous altool workflow.
You can also drop the --wait option. Then the tool will submit the file and exit without waiting for a response. You can then use the info or log verbs with the submission id to get the status later. The Notary service does not seem to send emails anymore when the notarization check is complete.
There is also a --webhook option mentioned in the WWDC session which will make the Notary service call back to a webhook when the notarization is done. I have not seen any documentation on the details of this, though.
Finishing touch: stapler
Before you distribute the pkg, you can and should ‘staple’ the notarization before distributing it. This extra step will download the notarization information from Apple’s servers and attach it to the pkg. This is not mandatory, but will save the Gatekeeper service on the client an extra step when it verifies the pkg.
To do this, use the eponymous stapler tool:
% xcrun stapler staple hello-1.0.pkg
You can then verify that everything works with spctl:
% spctl --assess -vv --type install hello-1.0.pkg
Automation with Xcode
These steps are much simplified compared to the previous workflow. If you only build for distribution occasionally it would not be a big burden to do these steps manually.
Nevertheless, automating these steps saves effort and removes much pontential for errors.
When I wrote the previous post, I had not been able to figure out how all the pieces could work together to automate with a Xcode ‘Run Script’ as part of the normal “Archive” process. With the new tool and some inspiration from this developer article I have gotten this to work now.
In the project’s build settings, search for “Marketing Version” and set it to the version you want to use. Remember to update this entry for future updates as well. (You can use agvtool for this, but that is a topic for a different post.)
In Xcode, choose “Edit Scheme⦔ from the “Scheme” submenu in the “Project” menu. In the pane that opens, make sure the commnad line tool binary is selected at the top. Then expand the “Archive” section in the list on the left and select “Post-actions” in the expanded area. Use the “+” button at the bottom of the area to add a “New Run Script Action.”
Select the binary (again) in the popup next to “Provide build settings from”. Then paste the following in the code field:
With this post-action script in place, every “Archive” action will then also create a pkg in the project folder, submit it for notarization and staple the pkg. Since Xcode doesn’t show the output of post-action scripts, the script logs its output to a notary.log file, also in the project folder. Check that for success or failures. The notarization step takes a while after the “Archive” is complete, so you may have to wait a bit.
If you don’t want to run this workflow on every Archive, you can create a new scheme with this post-action script, then you can choose the scheme, before you do the “Archive” action.
Conclusion
The new notarytool included with Xcode 13 (beta) is a huge step up from the previous altool based workflows. It is much simpler and faster. You should start testing the tool now and move your workflows when possible.
We made it halfway through 2021 already⦠How did that happen?
If you were hoping things would calm down for the summer, we got new macOS 11.5/iOS 14.7 betas and macOS 12 Monterey beta2! Apple has also released iOS 15 and macOS 12 beta2 as in the public beta program. You are testing and providing feedback to Apple and the other software vendors, right?
(Sponsor: Mosyle)
The Fusion of Apple MDM, Identity, Patching & Security.
Mosyle Fuse is the first and only product to bring a perfect blend of an Enterprise-grade MDM, an innovative solution for macOS Identity Management, automated application installation and patching, and purpose-built multi-layer endpoint security, all specially designed for Apple devices used at work at a price point thatβs almost unexplainable.
Anthony Reimer: βAt the suggestion of @scriptingosx, Iβve added T2 Chip information to my Mac Obsolescence Chart for MacAdmins (useful for a number of reasons, including which macOS 12 Macs can be assigned to ABM/ASM/DEP using Apple Configurator for iPhone in iOS 15).β
If you want to support me and this website even further, then consider buying one (or all) of my books. Itβs like a subscription fee, but you also get a useful book or two extra!
Things are settling down after WWDC and we are slowly cruising into the quieter summer weeks. (Northern hemisphere. Our southern hemisphere friends are in the deeps of winter. This week was solstice!)
We did get new betas for Xcode 13, iOS 15 and siblings yesterday. No Monterey beta 2 yet, but hopefully soon!
(Sponsor: Mosyle)
Free Remote Scripting with Mosyle Business FREE
From running scripts remotely to full Mobile Device Management (MDM) for macOS, iOS and tvOS, Mosyle Business FREE provides Apple enterprise customers with the complete MDM feature set of Mosyle Business PREMIUM for up to 30 devices at no charge.
Tim Perfitt: “I am far down the rabbit hole with USB-C, MFI,lighting and smart card readers. Let me explain.” (thread)
William Smith: “Created a JSON Schema manifest for Microsoft OneDrive settings for Jamf Pro macOS Configuration Profiles.” (follow link to tweet for links)
John C. Welch: “Starting to see a lot of talk about the AppleScript/JXA parts of shortcuts. People ask what I think, and I tell them: I think the parts of Shortcuts on macOS that are portable to i(Pad)OS will get a lot of attention and care. The AppleScript/JXA stuff?” (Thread)
If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!
During and after WWDC, I wanted to see if I could build a SwiftUI app. I thought that building a user interface for this task would be a nice practice project.
Ironically, since I want the app to work on Big Sur, I could not use any of the new Swift and SwiftUI features Apple introduced this year. Even so, since I had not used SwiftUI to build a Big Sur application, most of the features Apple introduced last year were still new to me.
It was often unexpected to me which parts turned out to be challenging and which parts were really easy to implement. For example, implementing a preferences window, turned out to be super-easy, but it took me two false-starts to find the correct approach. Communicating with the preferences system of macOS is also very easy, but so poorly documented that you are always second guessing if what you are doing is right.
Apple’s documentation for Swift and SwiftUI on this has definite highlights, but is very sparse overall. I am still not sure if some of the decisions I made while putting this together were “good” choices.
I am a bit behind: the videos for both presentations I did in the last weeks at MacDeployment and MacDevOps YVR are now available. I made pages for each presentation with links to the slides, videos, and all the links I mentioned:
I had a really good time presenting and participating at both conferences. Even though they were remote, it was good to see everyoneβagain and for the first time.
There are more conferences coming up this year and I will be presenting more. You can see the list of MacAdmin conferences on the continually updated conference page.
(Illustration by Ashton Rodenhiser (Twitter, Web))
While attending WWDC and MacDevOps YVR last week β or at least attempting to β I realized that you can get real jet lag from virtual conferences.
Many people are catching up to the news from WWDC last week with many posts reacting to and/or summarizing the news. We also a patch for iOS 12 and and new macOS 11.5/iOS 14.7 betas.
(Sponsor: Mosyle)
Free Remote Scripting with Mosyle Business FREE
From running scripts remotely to full Mobile Device Management (MDM) for macOS, iOS and tvOS, Mosyle Business FREE provides Apple enterprise customers with the complete MDM feature set of Mosyle Business PREMIUM for up to 30 devices at no charge.
I’d like to thank Mosyle for being the new sponsor for this news summary! I have been watching what they have been doing in the macOS MDM space and believe they are a great fit as a sponsor.
Morten Just: “Go To Folder – ββ§G in Finder got its first update in ~15 years with Monterey. Spotlight-style UI, and you can search for any folder https://t.co/jfGe1Z1RAw” (video)
Rich Trouton: “The more I look at macOS Monterey, the more that Iβm convinced it is kindred to Mac OS X Snow Leopard – an OS focused on fixing existing issues and beneficial improvements to previously introduced features. This is a Good Thing and I look forward to the fall release.”
Anthony Reimer: “Reminded of the model-specific features of macOS Monterey by @howardnoakley and @TidBITS, Iβve updated my Mac Hardware/Software Obsolescence Chart (yes, for the 3rd time in a week) with info on support for Universal Control and AirPlay for Mac.”
mikeymikey: “Almost every scripted language in macOS provides a warning if you execute it interactively. Tcl, ruby, perl, you name it.”
If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!
WWDC week! We got to see new iOS, iPadOS, watchOS and most importantly: the new macOS 12 Monterey.
What a week (or two). In addition to WWDC, there were and are MacDeployment last week and MacDevOps YVR this week. It is a good thing that all the sessions (including WWDC) will be made available online, because I have a lot of catching up and re-watching to do. You can find links to all the conferences and their session archives on my conferences page.
(Sponsor: SentinelOne)
Focus on Security Among all the new features announced by Apple this week with macOS Monterey are a number of topics directly related to security. Letβs take a look at 12 things to know from WWDC!
The first MacAdmin reactions for macOS Monterey are (cautiously) positive. Apple introduced several new features, like an “Erase all Content and Data” option, better management features for software updates, remote lock, and better extension management, which MacAdmins had been clamoring for. We also got a preview of some technologies like declarative management. It all looks very promising and I hope the features will hold up to practical use.
AppleSeed for IT is making the beta available, along with some extra documentation for admins. You can sign up with the managed Apple ID you use to sign into Apple School Manager or Apple Business Manager. The earlier you get your feedback in to Apple, the higher the chance that it can be addressed before release.
MacSysAdmin conference will be online again this year. While it is sad that we will not be able to meet in Gothenburg this year, this was my favorite virtual conference to watch and present at last year. Like WWDC, MacSysAdmin will be releasing pre-recorded presentations every day from October 5 through 8. There will be T-shirt sale to help fund the conference.
Mr. Macintosh: “macOS 12 Monterey compatibility list RIP 2013* & 2014 Mac Computers *2013 Mac Pro Saved!” (Image)
Pepijn Bruienne: “Hey macadmins here’s a fun thing to look forward to with upcoming macOS Monterey” (Thread)
Marcus Ransom: “Thank you for focusing on the enterprise and listening to the hordes of passionate MacAdmins Apple. You have some seriously good people working for you @tim_cook and you should be proud of them!”
Rosyna Keller: “Iβd been meaning to discuss the features in the altool command line tool used for notarization that were new to Xcode 12.5, and it seems like Iβve smacked against a deadline. So hereβs a thread of some new stuff in Xcode 12.5βs altool 4.047.1207 for use with notarization et fam” (Thread)
Mitchell Hashimoto: “Weβre happy to announce that the Vagrant VMware plugin is now free and open source. This plugin paid for the salaries of numerous people over the years, but weβve happily outgrown it and are excited to share this now with the broader community.”
Rosyna Keller: “FWIW, macOS Monterey does not change Gatekeeper, signing, or notarization requirements from macOS Big Sur. Still getting used to that name.”
If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!
So, WWDC started yesterday and Apple will release more than 200 sessions over the next week. Of course, most of these sessions are focussed on developers building apps for the Apple platforms. As a Mac and iOS admin, which sessions are interesting?
Of course, we won’t know which sessions are good until we can watch them. But here is the list of sessions that I expect to be interesting. I will update this post all week. Let me know if you find something interesting that I missed.
Apple releases the sessions every day of the WWC week at 9am PDT/17:00CEST. I will add the day of the week after the session title. You can watch the sessions in the Developer app on your Apple device and on Apple’s developer web page.
Keep in mind that while the excitement is huge around WWDC time, you do not have to watch all the sessions this week. The sessions will remain available and you can take your time to catch up.
The keynote is of course press- and end-user facing and very marketing driven. Still worth watching it (if you haven’t already) for the highlights. The ‘Platform State of the Union’ is the ‘real’ developer-focussed keynote. It is interesting to watch to understand where Apple thinks the focus is going to be. This year the highlights are the new Xcode Cloud, new Swift features, Object Capture and many new frameworks.
Device Management
There is actually a dedicated category for “Device Management” in the Developer app. Some of these sound very promising:
Some of the other sessions will ahve relevance for MacAdmins (and users) as well. Often these sessions will have segments with a general overview of a feature, followed by details on how to implement it in code.
When you can use your managed Apple ID from Apple Business Manager or Apple School Manager to log in to AppleSeed for IT. There you can download the beta systems to start testing now. AppleSeed for IT also contains more detailed release notes, which you find as a PDF under the downloads category.
Keep in mind that while you can discuss information released in the WWDC sessions in public, information that is exclusive to AppleSeed for IT and the other seed and beta programs is subject to the NDA, and should not be discussed in public forums.
We did get updates to the apps formerly known as iWork and the second macOS 11.5 beta with some interesting notes in the AppleSeed for IT docs.
(Sponsor: SentinelOne)
Security Research
20 Common Tools & Techniques Used by macOS Threat Actors & Malware. We’ve included real in-the-wild examples and information about IoCs, hashes, and researcher analyses.
MacDeployment, hosted by the University of Calgary, was this week. Many thanks to the organizers, speakers, and audience. It was a fun event and a great one to kick-off the virtual conference season. They have already posted links to the three session blocks as videos on their sessions page.
Rich Trouton: “Generating remote lock or wipe commands and need a random six digit number? Run this command: ((RND=RANDOM<<15|RANDOM)) ; echo ${RND: -6}“
Nathaniel Strauss: “macOS 11.5 beta 2 (re)introduces a couple very sought after features. Go read the release notes. Feeling a lot better about deploying M1 Macs to students in the fall. Thanks MacAdmin community for coming together to file feedback.”
David Smith: “Helpful Mac debugging tip You can enable super detailed UserDefaults logging with: sudo log config --subsystem=com.apple.defaults --mode "level:debug, persist:debug" (And disable again with sudo log config --subsystem=com.apple.defaults --reset)”
If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!
