• Mac OS X,  Mac Security,  Swift

    Removing Extensions Cruft from macOS

    Extensions have gotten a pretty substantial overhaul over the past few years. Traditionally, a kernel extension (or kext for short) would usually be located in /Library/Extensions or /System/Library/Extensions and have a file extension (no pun intended) of .kext. Apple began to move away from Kernel Extensions and towards more purpose-built extensions, which included System Extensions, located at /Library/SystemExtensions. Apple also introduced a number of new extension types that reside in application bundles. An app can load the extension and developers get those features “for free” rather than writing their own code to do what they once had to do with Kernel Extensions. To remove Extensions, Apple has introduced the Extensions…

  • Mac OS X,  Mac OS X Server,  Mac Security

    Can’t Schedule Reboots in Ventura: Mac Observer’s Gotcha

    I was talking to Jeff Butts at Mac Observer yesterday and he mentioned something I hadn’t noticed: macOS Ventura removes the option to schedule an automatic reboot from the graphical interface. I actually went back a version and couldn’t find it there. I guess since I don’t have servers I hadn’t noticed this oversight. Or I guess it’s more emblematic that it’s not an oversight, it’s how the use of the Mac has shifted over the years. The old power management system preference features are still there – Jeff wrote an article on how to use pmset to set the automatic reboot feature at https://www.macobserver.com/tips/how-to/how-to-schedule-your-mac-to-shutdown-or-reboot-in-macos-ventura/. Around 13 years ago, I wrote…

  • Mac OS X,  Mac Security

    Use UTM To Run Virtual Machines of macOS from macOS

    UTM is a virtualization tool available on the Mac App Store at https://apps.apple.com/us/app/utm-virtual-machines/id1538878817?mt=12 with a GitHub at https://github.com/osy. UTM uses the new virtualization framework (documented here) from Apple, so it runs the most modern virtualization stack currently available on a Mac. It also emulates via the QEMU system emulation. It can run guest operating systems such as Windows, Linux, etc. – emulating RISC, ARM, Intel, etc. Installation from the App Store is easy. Once installed, open the UTM app and click on the plus sign to create a new virtual machine. Here, there are options to Virtualize or Emulate. Given that we’ll be installing a beta OS from Apple for this example,…

  • Mac OS X,  Mac Security

    LSAppInfo can’t hide processes but it’s still useful

    Once upon a time we could hide a process from users:

        lsappinfo setinfo -app BackgroundRootkitOfDoom ApplicationType=UIElement 1

    I’m not sure when that got removed but it’s probably for the best. There were ways to hide everything, like users and groups (UID below 500 or insert an _ in front of the username), objects on the file system, etc. Then people abused what admins used for various workflows and much of that has since been removed. The lsappinfo binary is still pretty useful, though. The simplest incantation would be to just list what’s running:

        lsappinfo list

    The output has the bundleID and the bundle, the executable, pid and some other metadata.…

  • Mac OS X,  Mac OS X Server,  Mac Security

    Disable Disk Image Verification On Mac

    Sometimes you have to mount a whole lot of disk images (like a script that fires up 9,999 and proceeds to sing the bottles of beer on the wall song but instead transposes those lyrics with “disk images to verify” and we can all understand how excruciating it would be to get down to 0) and just don’t want the Mac to verify each one. To disable that, send a skip-verify key with a value of true (so a Boolean) into com.apple.frameworks.diskimages as follows:

        defaults write com.apple.frameworks.diskimages skip-verify -bool true

    Of course, interacting with corrupt objects is bad if any corruption occurs so run it again with a false to disable that…

  • Mac OS X,  Mac OS X Server,  Mac Security

    Secure Keyboard Entry on macOS

    The Secure Keyboard Entry option has been in Terminal going back almost a decade. Secure Keyboard Entry was added as EnableSecureEventInput way back in Mac OS X 10.3 and was developed to protect the more sensitive inputs people provided, so it was also made into a public API. It was meant to protect the more sensitive types of data, so if we had a login screen with a password field or something else, we’d protect those with it. The purpose was to lock down which other processes could use the GetKeys function (once used to write keystroke loggers), tap the IOHIDDeviceInterface and IOHIDOptionsTypeSeizeDevice processes or tap any events that involved any HID system…

  • Mac OS X,  Mac OS X Server,  Mac Security

    Disable Safari Extension Updates During Development

    I’ve been experimenting with Safari Extensions for a while ( https://github.com/krypted/Word-Replacer-Safari-Extension ) and once we publish them we might need to continue to use an old version for testing. Extension updates can then be disabled by writing a boolean InstallExtensionUpdatesAutomatically key into the com.apple.Safari defaults domain and setting the option to false:

        defaults write com.apple.Safari InstallExtensionUpdatesAutomatically -bool false

    To remove the key and simply return to the default state:

        defaults delete com.apple.Safari InstallExtensionUpdatesAutomatically

  • Mac OS X,  Mac OS X Server

    Clear that QuickLook Cache

    Seems like just yesterday that I first wrote about using Apple’s QuickLook from the command line. And yet it’s been eight years: https://krypted.com/mac-security/qlmanage/. Guess time flies when you’re having fun. One thing that isn’t fun is when all of a sudden QuickLook stops generating previews for objects when you hit that space bar, or just provides a generic preview. I’ve been working with a lot of more resource-intensive file types recently, like .stl files, and these can clog the system up. Luckily, filling up the cache or getting corrupted objects in the cache is something Apple planned for and this is cleaned during a reboot as part of standard…

  • Mac OS X,  Mac OS X Server

    Change Default Finder Views Using defaults

    We can manage the way the Finder displays objects using the FXPreferredViewStyle key in the com.apple.finder defaults domain. There are four options in the Finder drop-down for view style and these are Icons (icnv), List (nlsv), Columns (clmv), and Gallery (glyv). Given that only communists use anything other than the list view, we’re going to set the default to that with a simple defaults command:

        defaults write com.apple.finder FXPreferredViewStyle -string "nlsv"

    To undo our change and allow it to default to the last view, we can simply delete the key:

        defaults delete com.apple.finder FXPreferredViewStyle

  • Mac OS X,  Mac Security

    Export Objects from Keychain

    Once upon a time, we could run a command like the following to dump all our keychain data:

        security dump-keychain -d ~/Library/login.keychain > ~/Desktop/dump.txt

    I go into more detail on those techniques in an article I did back in 2009, here: Now there are more keychains and the entitlements for the security binary to access this kind of information have changed. We can make some changes to the authorizationdb (as explored in https://krypted.com/utilities/authorizationdb-defaults-macos-10-14/) but I’ve yet to find a magic combination that allows me to script interactions with the keychain without a GUI pop-up (and one that blocks synthetic interaction). The data for each keychain is stored in an encrypted…