
Notes from the Underground: Apple WWDC and You

Apple kicked off the annual WWDC conference yesterday and boy there was a flurry of information. There always is, but for people charged with managing Apple devices and vendors that support Apple devices there were some important releases. Some general themes to think about as you read through this list:

  • Privacy is a thing. This includes securing files in the directories of a user by having the user accept a request to touch them (e.g. My Documents, er, I mean, Documents). This also means apps harvesting user data are doomed. The restrictions continue to flow in from iOS to the Mac. And that’s probably a good thing – as it helps keep people from getting taken advantage of. Because a global interconnected world has meant that crappy people are still crappy.
  • Kexts are not a thing. Touching the kernel means a third party developer can pretty much do anything they want. That’s just not cool any more. So System Extensions are more controllable and now we’ll have a System Preference pane to manage them. So long live Extension Manager! Behind the scenes Apple developer relations is obviously looking at everything that requires a kext (security and network were on this year’s list) and trying to build legitimate frameworks that make those features work better and reduce the risk that developers without real Apple domain expertise will cause a poor user experience on a Mac.
  • The age of federated identities is upon us. ASWebAuthentication came in 10.14. ASWebAuthenticationSession joins us in 10.15. Not every OpenID Connect, SAML, or OAuth 2 flow is supported, but it’s new and the people building those frameworks are clearly gaining the domain expertise to allow us to federate identities across apps. Might we some day see a pane in the System Preferences for a user’s identity like we do for other Accounts?
  • Apple is playing better in the office. Managed Apple IDs, a federated ID for all your Apple assets, getting access to files on file servers for iOS, more documentation that organizations are asking for. This isn’t to say every enterprise will be happy. But the ones that believe in the same thing Apple developers believe in likely will. And that’s an important philosophical difference between trying to please all the people all the time.
  • “There’s an app for that” has meant that every small utility you can think of gets its own app. Many of these are web apps with a slimmed down GUI experience built just for iOS platforms. Apple is clearly showcasing those that build different, great user experiences for different platforms. I just hope we don’t see some of the sub-par user experiences for iOS eke their way into crap-tastic software for the Mac. You have a lot more horsepower, a lot more screen real estate, and a lot more frameworks to call upon; use them.
  • iPadOS. Rather than moving to bring platforms together, Apple is clearly sending a sign that they’re OK maintaining watchOS (which is now less of an extension of iOS and more of its own thing), macOS, iOS, now iPadOS, tvOS, and of course bridgeOS. The Mac will continue to see more and more requirements around sandboxing and have fewer native 3rd party scripting libraries; but at this point it seems clear that macOS is not going anywhere.

For release notes about specific OS advancements, see:

Changes in macOS

  • Activation Lock added to macOS: This means that a Mac can now be turned into a brick if an AppleID is used on the Mac
    • MDMs need to escrow Activation Lock Bypass codes using ActivationLockBypassCodeCommand
  • The default shell is now zsh but you can still use bash
  • Moving from python 2.7 to python3 in Xcode command line tools
  • svn removed
  • System volume and data volume, meaning Apple-provided apps have all moved to `/System/Applications` which is more fully sandboxed
  • New Endpoint Security framework: https://developer.apple.com/documentation/endpointsecurity?changes=latest_minor
    • Likely there to reduce the reliance on a kext for security software
    • EndpointSecurity system extensions load later in boot than expected, so certain events during startup are not caught
  • Federated Identities
  • Enterprise iCloud Drive
  • System Extensions https://developer.apple.com/documentation/systemextensions?language=objc
  • iTunes Broken up into AppleTV app, etc.
  • NSURLSessionTasks that send an HTTP GET with a body now fail with NSURLErrorDataLengthExceedsMaximum.
  • Less stuff in Recovery Mode
  • Scripting languages (Python, Ruby, and Perl) now labelled as “legacy software”. “Future versions of macOS won’t include scripting language runtimes by default”
  • Use of Python 2.7 isn’t recommended as this version is included in macOS for compatibility with legacy software. Future versions of macOS won’t include Python 2.7. Instead, it’s recommended that you run python3 from within Terminal. (51097165)
  • Apps that execute i386 code now fail with the EBADARCH error code (all should be 64 bit by now anywho)
  • The Privacy Preference pane now includes the following privacy keys: File Provider Presence, Listen Event, Media Library, Screen Capture, Speech Recognition, System Policy Desktop Folder, System Policy Documents Folder, System Policy Downloads Folder, System Policy Network Volumes, and System Policy Removable Volumes
  • EOL for kauth API likely coming in 10.16
  • Support for FTP URL scheme is gone (so ftp:// won’t work)
  • Support for the PAC URL scheme is gone, so use HTTP and HTTPS for PAC files. This is true for profiles too.
  • SPDY support is removed, so you must switch to HTTP/2 for the URLSession and NSURLConnection APIs
  • Network Kernel Extension API will be deprecated by release time
  • Install Profile for macOS 10.15
  • 802.1x System SetupMode at the loginwindow now correctly passes credentials
  • Bundle (versus binary) packages are either not working properly or deprecated?
  • New MacPro and MacPro monitor, the return of rack mount kits
  • Can’t write directly to /Library/Preferences/OpenDirectory/Configurations/Search.plist
  • New command line options:
    • cpuctl: bring CPUs online and offline
    • esctl: control endpoint security components
    • ping_seedctl: loads the kernel PRNG seed file at /var/db/SystemEntropyCache
  • /var/db/ConfigurationProfiles/Store
  • Click fatigue, anyone? Here’s a single workflow: Setup script automation prompt, Chrome with webauthn prompts for tracking keystroke/accessibility events, Desktop permission prompt, Documents permission prompt, Contacts/Music/Photos prompt, then auth to System Preferences, and an app is gonna’ crash in there somewhere because it’s burned too many resources waiting. This will get better but for now it kiiiiiinda’ sucks. I’d rather compile a project selecting the full list of warnings on first open for the user (as with installing an OpenID Connect token with pre-defined scopes).
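The usual way a Mac admin pre-answers the folder and privacy prompts listed above is a PPPC profile (payload type com.apple.TCC.configuration-profile-policy). The following is an added example, not code from the post or from Apple: it builds such a profile for an assumed app (bundle ID com.example.backupagent and its code requirement are constructed placeholders), refuses entries that try to grant ScreenCapture or ListenEvent, which a 10.15 profile can only deny, and can read the Services back out of an existing profile for auditing.

```python
import plistlib
import uuid

TCC_PAYLOAD = "com.apple.TCC.configuration-profile-policy"
DENY_ONLY = {"ScreenCapture", "ListenEvent"}  # 10.15 lets a profile deny, not grant, these
APP = "com.example.backupagent"  # constructed sample app, not a real product
REQ = f'identifier "{APP}" and anchor apple generic'  # constructed designated requirement

def pppc_entry(bundle_id, code_requirement, allowed=True):
    """One TCC entry keyed by bundle ID plus the code requirement TCC verifies."""
    return {"Identifier": bundle_id, "IdentifierType": "bundleID",
            "CodeRequirement": code_requirement, "Allowed": allowed}

def validate_services(services):
    """Return the problems found; an empty list means the Services dict is usable."""
    problems = []
    for service, entries in services.items():
        for e in entries:
            if e.get("IdentifierType") not in ("bundleID", "path"):
                problems.append(f"{service}: bad IdentifierType")
            if not e.get("CodeRequirement"):
                problems.append(f"{service}: missing CodeRequirement")
            if service in DENY_ONLY and e.get("Allowed"):
                problems.append(f"{service}: deny-only in 10.15, cannot be allowed")
    return problems

def build_pppc_profile(services):
    """Serialize a system-scoped PPPC profile as plist bytes; raise on bad entries."""
    if problems := validate_services(services):
        raise ValueError("; ".join(problems))
    inner, outer = str(uuid.uuid4()).upper(), str(uuid.uuid4()).upper()
    payload = {"PayloadType": TCC_PAYLOAD, "PayloadVersion": 1, "PayloadUUID": inner,
               "PayloadIdentifier": f"com.example.pppc.{inner}", "Services": services}
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1, "PayloadUUID": outer,
               "PayloadScope": "System", "PayloadIdentifier": "com.example.pppc",
               "PayloadDisplayName": "PPPC example", "PayloadContent": [payload]}
    return plistlib.dumps(profile)

def load_pppc_services(data):
    """Audit helper: merge the Services of every TCC payload in a profile."""
    merged = {}
    for p in plistlib.loads(data).get("PayloadContent", []):
        if p.get("PayloadType") == TCC_PAYLOAD:
            for svc, entries in p.get("Services", {}).items():
                merged.setdefault(svc, []).extend(entries)
    return merged

SAMPLE_SERVICES = {  # pre-approve the Documents prompt, explicitly deny screen capture
    "SystemPolicyDocumentsFolder": [pppc_entry(APP, REQ)],
    "ScreenCapture": [pppc_entry(APP, REQ, allowed=False)],
}
```

The profile still has to be delivered by a user-approved MDM enrollment for TCC to honour it; installing it by hand is not enough.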

Changes in iOS

Developer

  • New Mac checkbox for iOS apps (so Marzipan is now called Catalyst because why not)
  • SwiftUI more layered (like Angular)
  • Quartz Composer is deprecated
  • AppleID used to federate access to Apple portals (but not made available to 3rd parties like a standard OpenID Connect App would be)
  • WatchOS has an App Store. And new complications. And isn’t exactly tied to an iPhone. Yah…

Changes in MDM Specification

tvOS

tvOS didn’t get a lot of love this year. But it did recently enough that there’s no reason to be concerned:

  • AVFoundation now supports encoding video with alpha channels using HEVC
  • CAMetalLayer is now in the Simulator

Apple Remote Desktop

How is ARD still getting updates that don’t include tunneling to remote clients? Well, now we can export computer lists and their credentials to an encrypted archive and restore them on other computers (with passwords!). And there’s a security tab in the preferences for improving auth. And Touch Bar support. Because that’s still a thing. Oh, and Assistance cursors in the custom toolbar.

Podcasts!

We also did a MacAdmins Podcast Flashcast, which is available below.


It’s worth mentioning that my perspective is very much around device management. People who write software for audio and video will have a very different list. People who got Sherlocked yesterday will probably be drunk in an alley behind a bar so have… no list. Yet. They built a great product once. They can do it again. When they sober up. Or before. Dostoyevsky would be proud.