It’s the most wonderful time of the year: a new version of macOS has dropped! But with all the excitement over macOS Catalina, you might have missed some of the other stuff Fleetsmith has released lately. So here’s your monthly update:
macOS 10.15 Catalina
Catalina hit the Apple Store on Monday, and Fleetsmith was ready to support it on the first day. It’s in the Fleetsmith Catalog now, waiting for you to add it to profiles and enforce it across the fleet.
Fleetsmith makes these updates nearly effortless, but behind that smooth experience there’s a lot of hard work that goes into research, documentation, implementation and testing. In addition to announcing support for the update, we wanted to highlight some of the new features in Catalina and what we did to support them.
TCC Permissions in Catalina
macOS Catalina added a slew of new TCC permission controls, which means there’s a possibility your users will see new TCC pop-ups after they upgrade. In most cases, the whitelist payload that Fleetsmith pushes to your machine will suppress these for all Fleetsmith Catalog apps. There are a few prompts that Apple doesn’t let us whitelist—Camera, Microphone, ListenEvent, and ScreenCapture—but otherwise we cover them all.
There is a possibility of a race condition between the Fleetsmith Agent and any apps that load on startup, however. If an app loads before the Fleetsmith Agent checks in, then the whitelist may not be updated before that app triggers a TCC notification. This is unlikely to cause any disruption—no matter what the user does with the pop-up, their device will honor the TCC and Permissions payloads that it receives when the agent checks in. This usually happens within 5 minutes.
One of the tricky things about TCC is that it often isn’t tripped until a specific action is taken (e.g. Slack requesting Downloads folder access during a file download). So while we tested every app in the Fleetsmith Catalog thoroughly, it’s entirely possible we may have missed some actions that trigger additional permissions. Please let us know about any TCC prompts you encounter by writing email@example.com. We want to ensure that we are providing the best experience to all our customers, and your feedback is essential!
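To see which entries in a privacy profile can actually pre-approve access and which fall under the four services named above, the following added example (not Fleetsmith's code) audits a configuration profile. The key names follow Apple's Privacy Preferences Policy Control payload; the sample profile and its `com.example.*` identifiers are constructed for illustration.

```python
import plistlib

# Services the post lists as ones Apple does not let a profile whitelist.
NOT_WHITELISTABLE = {"Camera", "Microphone", "ListenEvent", "ScreenCapture"}
PPPC_TYPE = "com.apple.TCC.configuration-profile-policy"


def entry(bundle_id, allowed):
    """Build one PPPC service entry (constructed sample data)."""
    return {"Identifier": bundle_id, "IdentifierType": "bundleID",
            "CodeRequirement": f'identifier "{bundle_id}"', "Allowed": allowed}


# Constructed sample profile with hypothetical apps, not a Fleetsmith payload.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": PPPC_TYPE,
        "Services": {
            "SystemPolicyDownloadsFolder": [entry("com.example.chat", True)],
            "ScreenCapture": [entry("com.example.meet", True)],
            "Camera": [entry("com.example.meet", False)],
        },
    }],
})


def audit_pppc(profile_bytes):
    """Return (covered, not_whitelistable): Allowed=true entries that can
    pre-approve access, and Allowed=true entries for services that cannot
    be whitelisted by profile, so users should expect a prompt."""
    profile = plistlib.loads(profile_bytes)
    covered, flagged = [], []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PPPC_TYPE:
            continue  # ignore unrelated payloads in the same profile
        for service, entries in payload.get("Services", {}).items():
            for item in entries:
                if not item.get("Allowed", False):
                    continue  # deny entries are accepted for every service
                pair = (service, item.get("Identifier", "?"))
                (flagged if service in NOT_WHITELISTABLE else covered).append(pair)
    return sorted(covered), sorted(flagged)


if __name__ == "__main__":
    covered, flagged = audit_pppc(SAMPLE_PROFILE)
    print("pre-approved by profile:", covered)
    print("cannot be whitelisted:", flagged)
```

Running the same audit over an exported profile is a quick way to set expectations about which prompts users will still see after the upgrade.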
Activation Lock is an important security feature for iOS (and now macOS as of Catalina) which prevents thieves from simply wiping a stolen device and selling it. But if you’re not careful it is easy for users to associate company-owned devices with their personal Apple ID, resulting in a locked device that you can’t easily reprovision once that employee leaves.
For DEP-enrolled devices, we now prevent this by managing Activation Lock through Fleetsmith when the device is provisioned, and automatically disabling it when it’s archived.
This functionality will be available soon—there are a few final details that Apple is working out so that every device type is supported, and we’re waiting to enable it until they do. Activation Lock is actually an interesting topic that warrants a more in-depth treatment, so keep an eye on our blog for a primer about this soon.
By default, we limit the download speeds for packages pushed through Fleetsmith. This prevents a situation where your whole fleet tries to download an update all at once, slamming your network, but it also means downloads take longer. Depending on how much bandwidth you have available, it might make more sense to uncap the download.
Now you’ve got the flexibility to make that choice yourself, just in time for Catalina. We’ve made Bandwidth Management an optional setting. It will be disabled by default going forward for new customers that sign up, but we didn’t change the setting for any existing accounts. So if you were using Fleetsmith prior to this announcement, you’ll need to go into the preferences tab if you want to turn it off.
Thanks for a great month! And please drop us a line at firstname.lastname@example.org with any questions.