By the Fleetsmith Product Team
Yesterday, Apple released its long-awaited macOS 10.15 Catalina update, and it’s ready to roll out to your fleet in the Fleetsmith Catalog now.
If you work in IT, a new macOS version is an exciting moment. It’s also kinda stressful. How will you get everyone in your company running the new update? More importantly, will everything still work when you do?
We know how stressful those feelings of uncertainty can be, which is why we spend so much time preparing for macOS updates—testing, refactoring, dealing with edge cases. The goal is to do this work for you ahead of time, so you can simply enforce the update and be confident that everything will just work.
For Catalina specifically, that’s meant spending months investigating the best way to support big changes to notarization, Activation Lock, and TCC/PPPC security prompts. Now that macOS Catalina is ready to go in the Catalog, we thought we’d take a few moments to talk about these changes, how they work in Fleetsmith, and the work we did to get there.
As we wrote in our primer on notarization earlier this year, Apple wants every app running on its devices to be notarized, and Catalina is where the rubber meets the road on this effort.
Starting with this update, developers will need to notarize all apps by registering them with Apple, not just the ones requiring kernel extensions. There’s a bit of a grace period until January 2020 where running an un-notarized app is still possible, but the user will get a fun pop-up if they do.
Regardless, we’ve been working under the assumption that notarization would be necessary from day one, so we’re ready now. All components of Fleetsmith are both notarized and stapled so that they’ll run without mishap even if Apple’s servers are unresponsive. We’ve also ensured that apps delivered through the Fleetsmith Catalog are notarized, so you won’t see any hiccups there, either.
One very welcome change in macOS 10.15 Catalina is that Activation Lock is now available for devices with the T2 chip. This brings macOS’s remote lock capabilities into parity with iOS, and also provides a way for MDM providers to manage this directly rather than requiring a device to be associated with a user’s Apple ID.
This feature can also cause problems, however, if a company-owned device accidentally gets registered to a user rather than the MDM. Association with an account will persist even if a device is wiped. So it’s useful when your MacBook is stolen because it means a thief can’t just wipe it and sell it. It’s much less useful when an employee departs and you realize, too late, that Activation Lock was keyed to their Apple ID, making it impossible to reprovision their laptop.
We’ve implemented Activation Lock such that this shouldn’t be a problem, at least for DEP-enrolled devices. However, there are still a few final details that are being ironed out on Apple’s side—we’ll update this section when they’re finalized and Activation Lock is ready for use.
It’s a deep enough topic that it warrants its own blog post, so be on the lookout for a more detailed primer coming soon.
New TCC Prompts
Starting in Catalina, Apple has expanded the number of access privileges that trigger a Transparency, Consent & Control (TCC) prompt the first time an app is run. This means any app that needs to access those functions will generate new pop-ups once the update is complete, even if the user had previously okayed it.
This is potentially annoying for users, but it could be an even bigger headache for IT and support if a user accidentally disallows something critical for an important app. That’s why we went through an exhaustive process of testing all of the apps in the Fleetsmith Catalog to find the ones that needed new permissions in Catalina so that we could whitelist them when they’re enforced through Fleetsmith.
One interesting thing we found in our testing is that there was a new prompt that wasn’t covered by the standard TCC whitelist payload. So for those apps that need it, we’re also delivering a new “Notifications Settings” payload that ensures all prompts are suppressed.
New shell: zsh
If you’re currently running a lot of custom scripts through MDM, you might be a little nervous about this shift. It needn’t be a breaking change, however. While it’s no longer the default, bash is still available in Catalina, so bash scripts will run as normal provided you include the proper shebang.
This is already hardcoded into our custom script functionality, so it’s extra simple. There’s no need to modify any scripts you’re running—everything will continue to function seamlessly post-update.
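To see which interpreter each of your own scripts declares before the update, the check below reads every file's shebang line and flags scripts that have none, or that carry Windows line endings on it (which break the interpreter lookup). This is an added example, not Fleetsmith's code; the function names and the constructed sample scripts are assumptions.

```shell
#!/bin/sh
# classify_shebang FILE -> bash | zsh | sh | other:<name> | crlf | missing
classify_shebang() (
    set -f                        # subshell body: no globbing while word-splitting
    first=$(head -n 1 "$1")
    cr=$(printf '\r')
    case $first in
        '#!'*"$cr") echo crlf;    exit 0 ;;  # kernel would look for "bash\r"
        '#!'*)      ;;
        *)          echo missing; exit 0 ;;  # interpreter depends on the caller
    esac
    set -- ${first#'#!'}          # split e.g. "#! /usr/bin/env bash -e" into words
    interp=${1##*/}
    if [ "$interp" = env ]; then  # env names the real interpreter in a later word
        shift
        while [ $# -gt 0 ]; do
            case $1 in -*) shift ;; *) break ;; esac
        done
        interp=${1##*/}
    fi
    case $interp in
        bash|zsh|sh) echo "$interp" ;;
        '')          echo missing ;;
        *)           echo "other:$interp" ;;
    esac
)

# audit_scripts DIR -> "verdict<TAB>path" per file; returns 1 if any is missing/crlf
audit_scripts() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        verdict=$(classify_shebang "$f")
        printf '%s\t%s\n' "$verdict" "$f"
        case $verdict in crlf|missing) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample scripts (not from the original post), written to a temp dir.
make_samples() {
    d=$(mktemp -d)
    printf '#!/bin/bash\necho ok\n'          > "$d/a_bash.sh"
    printf '#!/usr/bin/env bash\necho ok\n'  > "$d/b_env.sh"
    printf 'echo "no shebang"\n'             > "$d/d_none.sh"
    printf '#!/bin/bash\r\necho crlf\r\n'    > "$d/e_crlf.sh"
    echo "$d"
}
dir=${1:-$(make_samples)}; audit_scripts "$dir" || echo "review flagged scripts" >&2
```

Pass a directory of your own scripts as the first argument to audit it instead of the samples.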
We’re committed to supporting macOS versions from day one, and to doing the work to make updates as stress-free as possible. We welcome your feedback and questions about Catalina—contact us at firstname.lastname@example.org!