Significant Changes in macOS 10.15 Catalina of Interest to Mac Admins
- Similar to iOS, macOS now lives on a separate APFS volume from user data, mounted read-only (in beta 1 it is merely SIP-protected; beta 2 is expected to be fully read-only by default). In the beta you’ll see “Macintosh HD” and “Macintosh HD — Data”; Data is a separate volume mounted at /System/Volumes/Data. OS-installed applications live in /System/Applications, but the Finder presents them in /Applications as well. Apple calls the technology that stitches the two volumes together “firmlinking”.
- Activation Lock has been added to T2-equipped Macs. MDMs will need to be able to escrow Activation Lock bypass codes. Make sure your institution uses Apple Business Manager/Apple School Manager for Device Enrollment; otherwise a user could sign into iCloud and lock an institutionally owned T2-based Mac, unless iCloud sign-in is blocked.
- TCC has been expanded to cover the Documents, Desktop, and Downloads folders, the Trash, iCloud Drive and other cloud storage providers, and external, removable, and network drives. Apps must also request your permission to capture keystrokes (Input Monitoring) or to capture still or video images of the screen (Screen Recording).
- DriverKit and user-space system extensions — previously, many hardware peripherals and security tools needed to run their code directly within macOS using kernel extensions, or KEXTs. Now these programs run in user space, separately from the kernel, just like any other app, so a crash or bug in one can’t take down the OS. Also, installing third-party kernel extensions now requires a restart before they are permitted to load.
- There’s a new Endpoint Security framework (much like the Hypervisor framework in previous versions of macOS) for future security tools (in lieu of KEXTs, which are definitely on their way out — also note there’s an Extensions system preference pane in Catalina, giving those of us who used Mac OS 9 a feeling of deja vu): https://developer.apple.com/documentation/endpointsecurity
- Gatekeeper has been improved to ensure that all new apps you install — from the App Store or the internet — have been checked for known security issues by Apple before you run them the first time and periodically thereafter. This extends the protection from the app’s source to include automated checks of what’s in the app. Confirmed during the Platforms State of the Union: Apple is requiring notarization for Developer ID-signed software distributed outside the Mac App Store in order for it to run by default on Catalina. https://developer.apple.com/news/?id=06032019i
“In a future version of macOS, unsigned code will not run by default”
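Since Gatekeeper now looks at notarization rather than just the signing source, the check an admin wants before deploying a third-party app is “what does Gatekeeper itself say about this bundle?”. The following is an added example (not code from the original notes or from Apple) that wraps spctl’s verbose assessment and classifies its output. assess_app only works on a real Mac; the sample spctl outputs below are constructed, not captured from a system, so that the parser can be exercised offline, and the exact wording of the source= lines is an assumption to verify against your own spctl output.

```shell
#!/bin/bash
# Added example, not code from the original post or from Apple: classify how
# Gatekeeper treats an app bundle by parsing `spctl --assess --verbose=2`.
# assess_app needs a real Mac; the SAMPLE_* strings are constructed stand-ins
# for spctl output so classify_spctl can be run anywhere.

# Run Gatekeeper's own assessment. spctl prints the verdict plus "source=" and
# "origin=" lines on stderr, so merge stderr into stdout for parsing.
assess_app() {
  spctl --assess --verbose=2 "$1" 2>&1
}

# Read spctl output on stdin and print one word:
#   notarized | developer-id | app-store | rejected | unknown
classify_spctl() {
  verdict=accepted
  source=""
  while IFS= read -r line; do
    case "$line" in
      *": rejected"*) verdict=rejected ;;
      source=*)       source=${line#source=} ;;
    esac
  done
  if [ "$verdict" = rejected ]; then
    printf 'rejected\n'
    return 0
  fi
  case "$source" in
    "Notarized Developer ID"*) printf 'notarized\n' ;;
    "Developer ID"*)           printf 'developer-id\n' ;;
    "Mac App Store"*)          printf 'app-store\n' ;;
    *)                         printf 'unknown\n' ;;
  esac
}

# Constructed sample outputs (assumed format; not captured from a real Mac).
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

SAMPLE_LEGACY='/Applications/Legacy.app: accepted
source=Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

SAMPLE_UNSIGNED='/Applications/Unsigned.app: rejected
source=no usable signature'

# Classify a sample string instead of a live assessment.
classify_text() {
  printf '%s\n' "$1" | classify_spctl
}

# On a real Mac:  assess_app /Applications/Example.app | classify_spctl
```

Anything that comes back as developer-id rather than notarized is exactly the software that will stop launching by default once the notarization requirement is enforced, so that is the bucket to triage with vendors before upgrading a fleet.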
- Future releases of macOS will not include the python, perl, or ruby runtimes by default. They are still included in Catalina, but in the future you will be prompted to install a package when a script needs one (similar to the Xcode command-line tools prompt). Use of Python 2 is not recommended: it reaches end of life in January 2020 and will be removed from the OS in a future update (not necessarily a major version). As with Java, Apple recommends that apps depending on one of these runtimes ship the runtime themselves. svn has also been removed from the Xcode command-line tools.
- The default Unix shell for new users has changed from bash to zsh. bash is still included for the foreseeable future, so as long as your scripts start with a shebang (#!/bin/bash) they will still run under bash, and /bin/sh is still bash (in POSIX mode). Scripts without a shebang are the risk: invoked from a login shell, they now run under zsh. For more info on zsh, which has a ton of nice autocomplete functions (link thanks to Jason Broccardo): https://github.com/rothgar/mastering-zsh
- iTunes is now broken into Music, Apple TV, and Podcasts apps. The Finder sidebar now handles iOS devices when directly connected. (iTunes on Windows will remain essentially unchanged).
- “Project Catalyst” to allow iOS apps to be easily ported to/built as Mac apps. This technology has been improved since Mojave’s Home/News/Stocks/Voice Memos apps. This (along with the Mac adopting the iOS security model) is a central part of Apple’s push into enterprise IT, as many businesses have their own internal iOS apps.
- As expected and previously announced, support for 32-bit processes/i386 architectures has been removed.
- Improved Photos, Notes, and Reminders apps, just like on iOS.
- ScreenTime is also now available on macOS.
- “Sidecar” feature lets you use an iPad as a secondary display. There’s also an option to use an Apple Pencil with an iPad Pro as a graphics tablet replacement. Not sure if Sidecar requires an iPad Pro, or the latest iPad Pro (Pencil vs Pencil 2 support?)
- Accessibility improvements include Voice Control (very impressive), Zoom to Second Display, and Hover Text to zoom in on a selection by holding down Control. Voice Control uses the device’s camera to detect whether you’re looking at the display before acting on commands.
- Improvements in the APFS snapshot functionality allow you to boot into Recovery and restore from a previous snapshot. asr has also been modified to handle decrypting encrypted-at-rest volumes (i.e., the always-encrypted internal storage of T2-based Macs), allowing you to create block-copy images of a system.
- Apple Watch can be used to approve app installs, System Preferences unlock, view Passwords, etc. by double-tapping the side button.
- “Find My” allows a Mac’s location to be determined, even if it’s asleep and not connected to a network, via Bluetooth beacon and other Apple devices nearby. More details on how this works via this Wired page: https://www.wired.com/story/apple-find-my-cryptography-bluetooth/
- Still waiting to learn more about Enterprise iCloud Drive and managed Apple IDs (Azure AD or SAML integration with Active Directory?), mentioned on a slide.
- If you use proxy PAC files, you can no longer serve them from ftp:// or pac:// URLs; you must use http:// or https://.
- SAML workflows for DEP/ABM:
- Looks like there may be a logging API now, for third-party SIEM (Splunk, LogStash, et. al.) to hook into the new log subsystem (originally introduced in macOS 10.12 Sierra): https://developer.apple.com/documentation/logging
- Requirements for trusted certificates in iOS 13 and macOS 10.15:
- “lpadmin: Printer drivers are deprecated and will stop working in a future version of CUPS”. Run man lpadmin on a macOS Catalina system for more details. It seems that Apple wants admins to move from lpd/smb/socket (JetDirect) queues to AirPrint.
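The scripting-runtime and default-shell items above describe two changes that break admin scripts silently: a script with no shebang now runs under zsh when a user invokes it, and a script whose shebang points at /usr/bin/python, /usr/bin/perl, or /usr/bin/ruby depends on a runtime Apple says future releases won’t ship. The following is an added example (not part of the original notes, and not an Apple tool) that audits a directory of scripts for both conditions. The sample scripts it creates in a temp directory are constructed so it can run offline; the list of interpreter paths it flags is an assumption you may want to extend.

```shell
#!/bin/bash
# Added example, not code from the original post: audit a directory of admin
# scripts for interpreter lines that Catalina's changes put at risk:
#   - no shebang: the script runs under whatever shell invoked it, which for
#     an interactive user is now zsh rather than bash
#   - #!/usr/bin/python, perl, ruby (or env python): system runtimes Apple
#     says future macOS releases will not ship by default
# The sample scripts below are constructed in a temp directory.

# Print "<file>: <finding>" for each script with a risky or missing shebang.
audit_shebangs() {
  dir=$1
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    IFS= read -r first < "$f" || true   # empty file: first stays empty
    case "$first" in
      '#!/bin/bash'*|'#!/usr/bin/env bash'*|'#!/bin/sh'*|'#!/bin/zsh'*)
        ;;  # explicit shell interpreter: unaffected by the zsh default
      '#!/usr/bin/python'*|'#!/usr/bin/perl'*|'#!/usr/bin/ruby'*|'#!/usr/bin/env python'*)
        printf '%s: system scripting runtime slated for removal (%s)\n' "$f" "$first" ;;
      '#!'*)
        ;;  # some other explicit interpreter; leave to manual review
      *)
        printf '%s: no shebang, will run under the invoking shell\n' "$f" ;;
    esac
  done
}

# Constructed sample scripts (not from any real deployment); prints the dir.
make_samples() {
  d=$(mktemp -d)
  printf '#!/bin/bash\necho ok\n'            > "$d/good.sh"
  printf 'echo ok\n'                         > "$d/noshebang.sh"
  printf '#!/usr/bin/python\nprint("ok")\n'  > "$d/inventory.py"
  printf '#!/usr/bin/env bash\necho ok\n'    > "$d/env.sh"
  printf '%s' "$d"
}

# Number of findings for a directory, handy as a CI gate (non-zero = fix it).
count_findings() {
  audit_shebangs "$1" | wc -l | tr -d ' '
}

# Usage:  audit_shebangs /usr/local/scripts
```

Run it against wherever your MDM deploys scripts; a finding of “no shebang” is the cheap fix (add #!/bin/bash), while a flagged python/perl/ruby script needs either a bundled runtime or a rewrite before the runtime disappears.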
This document (which requires an Apple Developer login) provides details of new MDM functionality for iOS/macOS/watchOS in Profile Manager (and presumably also available to other MDM vendors to implement):
Rich Trouton has published some of his notes from sessions and labs on Apple’s Developer Forums (should be able to read without signing in):
Notes from Advances in macOS Security:
Notes from System Extensions and DriverKit:
Questions for Security Lab:
Notes from All about Notarization:
Questions for Notarization Lab:
Questions for Device Management Lab, parts 1 and 2:
Notes from Sign In With Apple:
Installer Lab Questions:
Notes from What’s New in Apple File Systems:
Questions for the File Systems Lab:
Allen Golbig’s Activation Lock Tidbit:
Charles Edge has a blog post with some additional information:
Mac Pro Intro Video that wasn’t shown (presumably due to time), thanks to Jason Broccardo for the link: Introducing the new Mac Pro and Pro Display XDR — Apple
WWDC 2019 sessions of interest:
Live streams: https://developer.apple.com/wwdc19/live/#!/room/
Keynote (replay): https://developer.apple.com/videos/play/wwdc2019/101/
Platforms State of the Union (replay): https://developer.apple.com/videos/play/wwdc2019/103/
Advances in macOS Security — (replay): https://developer.apple.com/videos/play/wwdc2019/701/
System Extensions and DriverKit — (replay):
Introducing iPad Apps for Mac — (replay): https://developer.apple.com/videos/play/wwdc2019/205/
All About Notarization — (replay):
Introducing Sign In with Apple — (replay):
App Distribution — From Ad Hoc to Enterprise — (replay):
What’s New in Apple File Systems — (replay):
Advances in Networking, Part 1 — (replay):
Advances in Networking, Part 2 — Thu 5 PM PDT:
Network Extensions for the Modern Mac — Fri 9 AM PDT:
What’s New in Managing Apple Devices — Fri 11 AM PDT:
What’s New in Core Bluetooth — Fri 3:20 PM PDT:
Disclaimer: this information is compiled from public sources, including the WWDC keynote, Platforms State of the Union, and other public WWDC sessions, Apple’s macOS Catalina website, and the publicly-facing Developer Seed Notes (no sign-in required) and Developer Forums links above. To my knowledge, none of this information violates any Non-Disclosure Agreement. If you feel otherwise, please contact me via Twitter (Robert Hammen) or MacAdmins Slack (roberthammen).