Like the Return of an Old Friend: NetNewsWire 5.0

In the early days of Web 2.0, in the short time after the dot com crash, there arose a common standard for syndicating your blog across the web, into RSS Readers. Google Reader was a big damn deal in those days, but before Google Reader hit the market, there was NetNewsWire.

Brent Simmons’ app was the RSS Reader for the Mac for a good long time, and an app that I lived and died by. In the days where Twitter (blessedly) did not yet exist, getting your news meant going to a website manually, like some kind of animal. NetNewsWire could read the secret code that held these sites together and produce a feed of articles that you could pay attention to directly, without having to remember which sites you needed to see.

In the post-social world, where suddenly everything got dumped out to the feeds full of our friends’ quick thoughts and longer form rants, RSS began to die a bit. Google saw that Reader was cannibalizing their own ads, and rapidly pushed it to the ash-heap of history, and in-so-doing, wrecked a whole lot of models for publishing. Suddenly, we were back to depending on people to go to browser-based reading habits, which came with a ton of terrible ads, tracking that was just full of garbage, or a social existence defined by the hellscape that Twitter and Facebook have become.

All this set the table for the return of NetNewsWire, which exited beta last week, and returned to my dock shortly thereafter. The base metaphor of NetNewsWire (NNW) is unchanged: feeds, grouped according to your choices, contain stories, which can view feed by feed, or in a timeline. Anything that can be served up as RSS can be shunted over into NNW’s hopper to await your attention.

For the last few years, I have used the #blog-feed channel on the Mac Admins Slack as my version of a professional RSS reader. I’m moving all those feeds to NetNewsWire so I can better track what I’ve read and what I haven’t. Now I’ve got a great view into what I’m up to date on, and what I’m yet to cover.

A view into my RSS feeds

This is about to be heavy season for Mac Admins, if it’s not already. We’re in the waning days of the beta period before macOS Catalina 10.15 drops and iOS 13 is released. We’ve got a lot of work ahead of us. How about helping yourself with a whole list of helpful feeds that are there to keep you up to date?

Enter the Mac Admin Blogs OPML Repo.

Download the OPML File, Open NetNewsWire, File > Import Subscriptions.

And there ya go!

The repo is public on Github, so feel free to contribute those blogs I missed.

And congratulations, Brent Simmons! NNW 5.0 is a return to RSS for me, and I couldn’t be more excited to be reading more from my friends.

Notarization Follow-Up and Video

The Loyal Order of the Notaries

This summer, I gave a talk at the Mac Admins Conference at Penn State, focused on Notarization, called The Loyal Order of Notaries. It was a lot of work to put together the talk, and I spent more time on it than I have any talk I’ve ever given. I am proud of the work, but there’s a problem.

I Got Something Very Wrong

46 minutes into the talk I said: “this is good news: whitelisting the Team ID affects the notarization restriction.”

This is not correct.

Whitelisting the Team ID in a Kernel Extensions payload from a User-Accepted MDM does not affect the notarization requirements in the Catalina betas at this time. What I said in the talk was based on my conversations with colleagues and friends, and an conversation I’d had with a member of Apple’s staff, and on my initial results with the first beta of Catalina.

My conclusions were based on the question I asked in that inteview: Will there be a way to whitelist Developer IDs for notarization the same way there is for Kernel Extension loading? The answer was an unequivocal yes.

I assumed that the method for this was the same payload. That has turned out not to be the case in my testing thus far.

So What Now?

I don’t know.

That’s not a very satisfying answer, I recognize. I wish I had a better one.

Here’s what I do know: merely providing a kernel extensions whitelisting of the Team ID of a Developer is insufficient to prevent warnings for packages and disk images signed with that Developer Certificate.

I feel like I blew it.

I had tested this with my Catalina machine, but I realized that the package I was testing with was signed, and with a Developer ID I’d whitelisted, but it wasn’t a unique path or package. I had already installed that package once before, before I’d whitelisted the Developer ID. The LaunchServices Database had a record of the package and the path from where it had come from. It had already exited quarantine, and thus wasn’t passing through the Gatekeeper checks that the talk described, despite having been uninstalled.

How Do I Deal With Non-Notarized Materials?

Catalina’s requirements for notarization on signed packages, signed disk images and unsigned zip files are enforced by Gatekeeper processes, which depend on file quarantine flags. If a package, disk image or zip file arrives via browser download, USB file transfer, or AirDrop transaction, it comes with a quarantine flag. Escaping quarantine means passing a notarization check (online or offline), and a code-signing check, and a check for malicious code as defined by MRT and XProtect.

Or, you can deliver the payload through a non-quarantine method, like curl, or the jamf binary.

These methods are not quarantine aware, and while they do carry some additional ACLs, they do not appear to prevent the installation of packages by Apple-signed Installer, or mount of the image by Apple-signed Disk Utility. That means that tools like Munki or Jamf can continue to deploy software that is not notarized to enterprise machines.

One other consequence of these changes is that it’s not just packages software programs that are affected. During testing, I found a package that is properly signed that delivers Motion and Final Cut Pro templates that also triggered the quarantine warning. They were signed for distribution, but not notarized. They still flagged the quarantine check because they were distributing files. I packaged a sent of fonts for delivery to /Library/Fonts, signed the package, uploaded it to Slack for a colleague to test, and sure enough, quarantined:

If you’re planning for your co-workers to be able to open packages, zip files or disk images that aren’t notarized, you’re going to need to prepare them to right-click on the file, click Open, and then accept the warning that follows.

This isn’t ideal.

This will mean that anything you intend to deliver to Catalina computers will need to either arrive without a Quarantine flag, or be installed by a tool that can receive updates without a Quarantine flag and install them directly.

I apologize to the folks in the room at Penn State, to the organizers of the Mac Admins conference, and to anybody who will see the video. I got it wrong. But I’ll own what’s mine, and we’ll learn more together in the future.

Go For The Moon

Last night, we braved the crowds and the heat to go down to watch Go For The Moon, a multimedia spectacular in front of the Smithsonian Castle. The experience was like nothing I’ve ever seen, or could imagine. Using the Washington Monument as a canvas, along with a pair of split screens framing the obelisk, the incredible team at the National Air & Space Museum and 59 Productions made magic.

Projecting a life-sized Saturn V rocket launch on the Washington Monument, and eventually the arrival of Eagle on the Moon, along with the Rice University speech and the achievement of the Apollo programs, the audience is left to sit in awe for 17 minutes as the video plays out. The score, by Jeff Beal, provides additional encouragement.

The Rice University speech, famous for it’s “We choose to go to the Moon… because it will be hard” also has an incredible section on ethical leadership in technological pursuits:

“For space science, like nuclear science and all technology, has no conscience of its own. Whether it will become a force for good or ill depends on man, and only if the United States occupies a position of pre-eminence can we help decide whether this new ocean will be a sea of peace or a new terrifying theater of war. I do not say the we should or will go unprotected against the hostile misuse of space any more than we go unprotected against the hostile use of land or sea, but I do say that space can be explored and mastered without feeding the fires of war, without repeating the mistakes that man has made in extending his writ around this globe of ours.”

Pres. John F. Kennedy, Rice University, September 12, 1962.

President Kennedy said what so many miss: the application of science and technology has no direct conscience of its own, but rather it is the product of people, in their designs, intents, applications, choices, audiences, marketing, and execution of it. The parallels between the strife of the 1960s and the 2010s was clear last night down on the Mall. We were reminded that Apollo happened amid the unjust Vietnam War, amid the unjust fight against the Civil Rights Act, amid the countercultural rebellion against post-war norms.

“We came in peace for all mankind,” reads the plaque on the leg of Eagle, where it remains today. We are capable of doing incredible things as a nation, and NASA is the embodiment of those goals of exploration, of science, of application of technology. It’s just a part of the funding of science that we do as a nation, as part of our pursuit of the future. We need to do more science, not less. We need to do more exploring, not less.

We need the next velcro, the next teflon, the next LED bulb, the next micro computer, and programs like NASA’s Apollo can build those things, in concert with the National Science Foundation. We can do incredible things when we make science and technology into public goods. Engineering and exploration in the pursuit of the furtherance of humanity is a worthy goal for us all.

And we need it now, more than ever.

We took Charlie with us, last night, to see the rocket go up. We’ve been watching From The Earth To The Moon this week, and I know while he was with my parents they talked a lot about the original moon landing in 1969. Like his father, and his grandfather, he thrust his fist in the air as the rocket went up.

I’m sure there are those who see the rocket programs and exploration of space as secondary or tertiary to the other problems of our present. I can understand that. But what will save our planet in the next century is science. It’s certainly not sticking our head in the sand and hoping for divine intervention that isn’t coming. We have to participate in our own rescue. As we bake in record heat — more of a braise, here in DC this weekend — it’s more and more clear that our climate is changing, and with it our future habitability. Kim Stanley Robinson’s science fiction novels of the last decade are fairly bleak and fairly clear: if we’re getting through this, we’re doing it here, not living anywhere else. I think he’s got a point.

If there’s an Apollo program for Charlie’s generation, it may not be about Mars, or the Moon, or Titan or Enceladus. It might be here. But we have to keep going, keep pressing the boundaries of human space, pressing what we’re capable of.

In 50 years, I plan to be back out on the Mall with him for Apollo 100, helping him remember what came before, and what we have yet to accomplish.

Slide from talk, titled The Loyal Order of Notaries

Mac Admins Talk: The Loyal Order of Notaries

The Notarization of binaries with Apple Notary Service is a fascinating topic worth exploring, and in this year’s talk at Mac Admins, I delved deep into the subject. The current version of macOS now requires all kernel extensions not just to be signed by their authors, but to be notarized by the Apple Notary Service. Beginning with macOS 10.15 Catalina, all software will need to be notarized, as well.

This represents a bit of a change over the past, and it will require software developers not just to submit their software for notarization, but to staple the resultant ticket to their binary. Doing this isn’t terribly complicated, but why does this have to happen? What’s the mechanism for getting something notarized? How can we work around this, if circumstances require it?

This post is designed to be both the repository for the slides from this talk, as well as useful links and documentation associated with the materials discussed in the talk. I will not be including my presenters notes.


Please read this important follow-up before reading the resources that follow.

Slides & Downloads

Here are the slides associated with the talk.

Download (PDF)

Online Resources

Apple: Safely open apps on your Mac, a Gatekeeper Guide
Apple: Your Apps and the Future of macOS Security, a WWDC Video from 2018
Apple: Advances in macOS Security, a WWDC Video from 2019
Howard Oakley: Notarization Category on Eclectic Light, a collection of blog posts on notarization
Apple, Gatekeeper and Developer ID, a WWDC transcript from 2012
Rich Trouton: Clearing the quarantine extended attribute, a blog post on xattr and quarantine bits.
Howard Oakley: More about the quarantine extended attribute, a blog post on xattr and quarantine bits.
Mothers Ruin: Suspicious Package, a tool for reviewing packages and apps

Thank Yous

My sincerest thanks to #notarization on the Mac Admins Slack, to people like Joel Rennich, Robert Hammen, Rich Trouton, Armin Briegel, Jennifer Unger, Dr. Emily Kausalik-Whittle, Some Little Birdies, and anyone else I inflicted my questions and draft slides on. I also want to thank Apple for their wealth of new documentation tools, and the WWDC video archives.

Tom Bridge standing in front of Harbour Bridge and Sydney Opera House

Wrap-Up Documentation from the Fundamentals of Wi-Fi: Physics Always Wins

I’m incredibly grateful to AUC and Tony Gray for their invitation to Chris Dawe and I to present our workshop, Fundamentals of Wi-Fi: Physics Always Wins. While we’re not making our full slides available for this talk, we did want to provide some external-facing documentation for our talk that gives you some of the key materials that we used while making this talk.

How to Reach Us

Tom Bridge
Slack: tbridge
Github: tbridge

Chris Dawe
Slack: ctdawe

Books & Printed Material

Sometimes, you need to start with printed materials.

CWNA 107 Study Guide

The Wireless LAN Professionals organization is the certifying authority for professional WLAN Engineers, and their mission includes training and certification. the CWNA 107 Study Guide (and the now discontinued Sybex volume for the 106 exam that preceded it) is an excellent resource to understanding much of the Wireless sphere.

Online Resources

General References:

WLAN Pros Resources Page (Includes WLPC Sessions)

Certified Wireless Network Professionals

The home of vendor-independent technical certification for Wi-Fi

Revolution Wi-Fi

Andrew von Nagy’s site is home to comprehensive discussion and analysis of developments in Wi-Fi technology. Andrew is also the creator of a Capacity Planning tool that will provide guidance on access point needs based on a description of your fleet.

Capacity Planning Worksheet

Section 1: Wi-Fi and Radio Basics

Attenuation Values for Common Building Materials

History of 802.11 Specification, Justin Berg, George Mason University

Hedy Lamarr and George Antheil’s Patents

When George Antheil Met Hedy Lamarr

How OFDM Subcarriers Work

This piece was what unlocked the importance of OFDM to Wireless connectivity. Learning how it changed Wi-Fi forever helped me understand its importance.

Best 802.11ac Channel Map Ever

Choosing 802.11ac Channels in Australia

Rules of Tens and Threes

802.11ax Brings OFDMA

802.11 Alphabet Soup

Wi-Fi Certified 6

Section 2: Wi-Fi Basic Operations

Understanding 802.11 Management Frames

Explaining the Concept of a TXOP

Modulation & Coding Scheme Lookup Table

Section 3: Network Design

Aerohive High-Density Design Guide

The Dreaded Dragonfly

Mike Albano’s Client Capabilities List

BYO AP on a Stick Kit

Understanding WLAN Capacity, Darrel Derosia, WLPC Phoenix 2017

Watch this video to gain a greater understanding what turns out to be a vast gulf between vendor hardware performance specs and real-world scenarios with a mixed client base.

Divergent Dynamics: Wi-Fi Design and Deployment Methodology

Understanding Airtime Utilization

Section 4: Apple-specific Design Concerns

Apple Deployment Documentation (Appendixes include WiFi Specs for iOS and macOS Devices)
iOS Deployment Guide
macOS Deployment Guide

Apple’s two deployment guides supply Apple’s general recommendations for Wi-Fi networks (which aren’t too far from ours, generally), as well as Wi-Fi specs for Apple’s devices. Oddly, the iPad specs list is currently badly broken.

Enterprise Best Practices for iOS Devices and Mac Computers on Cisco Wireless LAN

Apple Roaming Documents
Apple TechNote: macOS Roaming
Apple TechNote: iOS Roaming

Advanced Roaming Technologies for iOS (discusses 802.11k, 802.11r, and 802.11v and their utility in roaming)

Section 5: Tools & Software

Wi-Fi Explorer (Lite, Regular, Pro)

Wi-Fi Signal




Metageek Channelyzer & Wi-Spy DBx

Ekahau Pro & Ekahau Cloud

Tamograph Site Survey

Section 6: Security

Podcast: Understanding the 4-way Handshake

David Acland’s Talk on Certificates, Signing and Hashes

KRACK Attacks

Analysis of SAE and WPA3

802.1X and EAP Types

10.12.5 and SHA-1 Certs

Waving the Green Flag

I love this time of year. This is where the rubber meets the road for people who manage Macs and iOS devices. Apple’s Worldwide Developer Conference is going on in San Jose, after a kickoff yesterday with a banner keynote and a fascinating state of the union.

Last night, we talked about this in a Flashcast Episode of the Mac Admins Podcast:

This is open season for engineering. This is where I find immense satisfaction in my chosen profession. We have so much to do between now and the release of macOS 10.15 Catalina in the Fall, and there’s a lot that we’re going to have to deal with between now and then. Here’s what my questions are, right now:

  1. What is the practical effect of a read-only system container from the Admin’s perspective? This appears to be a fully-abstracted development in the security story, and that represents a huge win for the security of the platform.
  2. What are the ramifications of modern authentication methods for automated device enrollment? Is this a place where, once we’ve performed a successful authentication, we can use what’s returned from the OIDC endpoint to generate a user account?
  3. What all do I need to know about the deprecation of bash and other scripting tools included with the OS as default? Most organizations are already pushing their own toolchain, how’s this fit into the picture?
  4. What does the gating of fdesetup behind PPPC-style controls mean for things like Crypt?
  5. How are the new Device Management controls going to be used in real-world situations?

There’s a lot more to think about as we get into sessions this week. I’m excited. This appears to be a huge win for the Mac Admins community, and there’s so much in here that I’m excited to get rolling. While I won’t be upgrading my daily driver to Catalina for a bit (it’s okay to laugh at me, I’ll probably be upgraded by Friday), I am looking forward to setting up the lab and getting deep into the guts of the new security and device management features.

As much as things can be broken during development releases, and feature choices can feel like frustration in the moment, as beautifully-crafted workflows that represent the culmination of effort and intention fall apart, this is where the work begins anew. We get new tools. Better tools. I can’t look at System Extensions and the new security endpoint protection frameworks and not see the possbilities.

At times like this, we get to invent our own future.

Let’s get to it, shall we?

macOS 10.14.5 beta 4 & Notarization Update

Editors Note: This remains a work in progress. Notarization dates are a moving target as of beta 4.

Previous Posts

macOS 10.14.5 beta, Notarization and Stapling Review (April 18th 2019)
macOS 10.14.5 beta 2: Kernel Extension Notarization, UAMDM, Whitelisting & You (April 9th, 2019)

New Notarization Deadline

Apple released a new version of macOS 10.14.5 to the beta groups today, and as of the beta 4 build, the notarization cutoff date is now April 7th, 2019, for new software developers to sign and notarize their new builds of kernel extensions, and for newly registered developers to sign and notarize all builds fo their software signed with Developer ID certificates.

This April 7th date corresponds with Apple’s April 8th post to all Apple Developer members explaining the new Notarization Requirements:

We’re working with developers to create a safer Mac user experience through a process where all software, whether distributed on the App Store or outside of it, is signed or notarized by Apple. With the public release of macOS 10.14.5, we require that all developers creating a Developer ID certificate for the first time notarize their apps, and that all new and updated kernel extensions be notarized as well. This will help give users more confidence that the software they download and run, no matter where they get it from, is not malware by showing a more streamlined Gatekeeper interface.

As with previous releases, if the installer package has been notarized, but doesn’t have a stapled ticket, and network access is unavailable, the installer package will not successfully installed. This would be a great week to be testing your critical kernel extension installers with an up to date release of the beta to make sure that you’re not going to be faced with surprises when this is the new law of the land.

As with previous releases, kext whitelisting via UAMDM will successfully route around incomplete or non-existent notarization processes. Which reminds me: if you’re not using UAMDM of some kind, why is that exactly?

macOS 10.14.5 beta, Notarization and Stapling Review

Editor’s Note: Once again, this is a moment frozen in time, designed to educate about a passing moment in time. This post is one of a series, so please be sure to read the other posts in this series, and recognize that things are changing constantly.

Related posts

macOS 10.14.5 beta 2: Kernel Extension Notarization, UAMDM, Whitelisting & You


Last time on this blog, I talked about a new requirement that is present in the early betas of macOS 10.14.5. Kernel Extensions that are installed on a 10.14.4 system that is upgraded to 10.14.5 may not operate correctly if they are not notarized by Apple. In this situation, if the kernel extension is whitelisted (aka UAKEL) by a user-accepted MDM (aka UAMDM), you have nothing to worry about for now. If you’re not using UAKEL and UAMDM, and you are installing kernel extensions that are not signed and notarized by Apple, you’re going to have a bad time. These extensions will not load, and the applications that depend on them will not operate, if they are built and signed after the demarcation date, which is currently 11 March 2019, but may change in the future.

An Example

Recently, DisplayLink released a new version of their kernel extension:

The release notes state:

Software package notarized by Apple as required for macOS 10.14.5 onwards.

DisplayLink Release Notes

However, should one download the software, and inspect it, one might find that things are lacking:

Persephone:Downloads tom$ stapler validate -v DisplayLink\ USB\ Graphics\ Software\ for\ macOS\ 5.1.1.dmg 
Processing: /Users/tom/Downloads/DisplayLink USB Graphics Software for macOS 5.1.1.dmg
Properties are {
    NSURLIsDirectoryKey = 0;
    NSURLIsPackageKey = 0;
    NSURLIsSymbolicLinkKey = 0;
    NSURLLocalizedTypeDescriptionKey = "Disk Image";
    NSURLTypeIdentifierKey = "";
    "_NSURLIsApplicationKey" = 0;
Creating synthetic cdHash for unsigned disk image, DisplayLink USB Graphics Software for macOS 5.1.1.dmg. Humanity must endure.
Signing information is {
    cdhashes =     (
        <fd2d35b7 cea70fab 2e22850b 3f39070d a7fa0f52>
    "cdhashes-full" =     {
        2 = <fd2d35b7 cea70fab 2e22850b 3f39070d a7fa0f52 781113f0 7b8686a8 7803c116>;
    cms = <>;
    "digest-algorithm" = 2;
    "digest-algorithms" =     (
    flags = 2;
    format = "disk image";
    identifier = ADHOC;
    "main-executable" = "file:///Users/tom/Downloads/DisplayLink%20USB%20Graphics%20Software%20for%20macOS%205.1.1.dmg";
    source = "explicit detached";
    unique = <fd2d35b7 cea70fab 2e22850b 3f39070d a7fa0f52>;
Stored Codesign length: 12 number of blobs: 0
Total Length: 12 Found blobs: 0
DisplayLink USB Graphics Software for macOS 5.1.1.dmg does not have a ticket stapled to it.

Well, they didn’t staple the DMG file, how about the kext itself?

Persephone:Extensions tom$ stapler validate -v DisplayLinkDriver.kext/
Processing: /Library/Extensions/DisplayLinkDriver.kext
Properties are {
    NSURLIsDirectoryKey = 1;
    NSURLIsPackageKey = 1;
    NSURLIsSymbolicLinkKey = 0;
    NSURLLocalizedTypeDescriptionKey = "Kernel Extension";
    NSURLTypeIdentifierKey = "dyn.ah62d4qmuhk2x445ftb4a";
    "_NSURLIsApplicationKey" = 0;
Props are {
    cdhash = <c90f6a0c 1076a443 e73cf694 9fe11422 f63f383e>;
    digestAlgorithm = 2;
    flags = 65536;
    secureTimestamp = "2019-04-12 09:34:45 +0000";
    signingId = "com.displaylink.driver.DisplayLinkDriver";
    teamId = 73YQY62QM3;
DisplayLinkDriver.kext does not have a ticket stapled to it.

Nope, no joy there, either. How about the package inside the DMG?

Persephone:Extensions tom$ stapler validate -v /Volumes/DisplayLink\ Installer/DisplayLink\ Software\ Installer.pkg 
Processing: /Volumes/DisplayLink Installer/DisplayLink Software Installer.pkg
Properties are {
    NSURLIsDirectoryKey = 0;
    NSURLIsPackageKey = 0;
    NSURLIsSymbolicLinkKey = 0;
    NSURLLocalizedTypeDescriptionKey = "Installer package";
    NSURLTypeIdentifierKey = "";
    "_NSURLIsApplicationKey" = 0;
Sig Type is RSA. Length is 3
Sig Type is CMS. Length is 3
Package DisplayLink Software Installer.pkg uses a checksum of size 20
We do not know how to deal with trailer version 41376. Exepected 1
DisplayLink Software Installer.pkg does not have a ticket stapled to it.

Well, if they notarized any of the parts, they didn’t actually complete the process in a way that allows us to verify the process offline.

When I ran the installer package on my machine, I did receive a UAKEL alert during install that indicates that the payload was being blocked until I accepted the kext, which means that the kext was notarized, just not stapled.

So, what would lead a developer to think that they have notarized their kernel extension successfully, but the operating system would believe otherwise? I can’t be sure of what happened in DisplayLink’s case, but there’s a possibility that it was built on an airgapped system where Xcode could compile the code, and then when it was submitted to Apple for signing and notarization, the final step of stapling the returned ticket to the application was not completed. If the ticket isn’t stapled, Gatekeeper will recognize the unstapled object, because Gatekeeper can talk with Apple and ask for a check based on other factors.

Apple’s Developer Documentation says:

Notarization produces a ticket that tells Gatekeeper that your app is notarized. After notarization completes successfully, the next time any user attempts to run your app on macOS 10.14 or later, Gatekeeper finds the ticket online. This includes users who downloaded your app before notarization.

So, if you deliver an unstapled object, as DisplayLink has, it may still pass muster, but that requires your machine to be able to talk with Apple at the time of install. If you are operating a network which embraces 802.1X user certificates, and you install software at the login window (with Munki, say) you may run into a circumstance where the software is actually notarized by Apple, but without that stapled ticket, you’re stuck if you can’t talk to Apple to prove it. This will result in a failed install.

So, Who Do You Need To Talk To?

According to Apple:

In addition, stapler uses CloudKit to download tickets, which requires access to the following IP address ranges, all on port 443:

If you can’t open up your network to those segments, consider that failure to do so will mean you cannot run what you need to run to make your Mac endpoints successful.

So, What Can I Do?

Well, you might be able to try stapling on your own. If it’s been validated by Apple during a notarization process, but the distributed resources are unstapled, you may be able to “fix” that by trying to staple the necessary objects yourself. They’re notarized, after all, just not by you! You can attempt this yourself.

xcrun stapler staple /path/to/DisplayLinkDriver.pkg

This results in a different result when you review the dmg file:

Persephone:Extensions tom$ stapler validate -v ~/Desktop/DisplayLink\ Software\ Installer.pkg 
Processing: /Users/tom/Desktop/DisplayLink Software Installer.pkg
Properties are {
    NSURLIsDirectoryKey = 0;
    NSURLIsPackageKey = 0;
    NSURLIsSymbolicLinkKey = 0;
    NSURLLocalizedTypeDescriptionKey = "Installer package";
    NSURLTypeIdentifierKey = "";
    "_NSURLIsApplicationKey" = 0;
Sig Type is RSA. Length is 3
Sig Type is CMS. Length is 3
Package DisplayLink Software Installer.pkg uses a checksum of size 20
Terminator Trailer size must be 0, not 2073
{magic: t8lr, version: 1, type: 2, length: 2073}
Found expected ticket at 7812133 with length of 2073
JSON Data is {
    records =     (
            recordName = "2/1/5362032c46062ca6e74bab1bf6ce672f6a578989";
 Headers: {
    "Content-Type" = "application/json";
Domain is
Response is <NSHTTPURLResponse: 0x7f85265134a0> { URL: } { Status Code: 200, Headers {
    "Apple-Originating-System" =     (
    Connection =     (
    "Content-Encoding" =     (
    "Content-Type" =     (
        "application/json; charset=UTF-8"
    Date =     (
        "Thu, 18 Apr 2019 20:23:51 GMT"
    Server =     (
    "Strict-Transport-Security" =     (
        "max-age=31536000; includeSubDomains;"
    "Transfer-Encoding" =     (
    Via =     (
        "icloudedge:sv05p01ic-ztde010811:7401:19RC85:San Jose"
    "X-Apple-CloudKit-Version" =     (
    "X-Apple-Request-UUID" =     (
    "X-Responding-Instance" =     (
    "access-control-expose-headers" =     (
        "X-Apple-Request-UUID, X-Responding-Instance",
    "apple-seq" =     (
    "apple-tk" =     (
} }
Size of data is 3377
JSON Response is: {
    records =     (
            created =             {
                deviceID = 2;
                timestamp = 1555062296808;
                userRecordName = "_d28c74d190a3782e89496b0a13437fef";
            deleted = 0;
            fields =             {
                signedTicket =                 {
                    type = BYTES;
                    value = "snipped for simplicity.";
            modified =             {
                deviceID = 2;
                timestamp = 1555062296808;
                userRecordName = "_d28c74d190a3782e89496b0a13437fef";
            pluginFields =             {
            recordChangeTag = judvxvj5;
            recordName = "2/1/5362032c46062ca6e74bab1bf6ce672f6a578989";
            recordType = DeveloperIDTicket;
Downloaded ticket has been stored at file:///var/folders/tk/qhvvt21x7z3fzt125dpgjlym0000gp/T/95f1738a-0da3-441e-abe4-982d57970d51.ticket.
The validate action worked!

This will mean that, as admins, if we want to install notarized software in a circumstance where network access won’t permit a conversation with the Apple CloudKit servers, you’re going to want to make sure the notarization ticket is stapled to the installer. This may require changes to our workflows, and now’s a good time to start thinking about what that will mean for automatic download and interpretations of installers.

Thanks as always to the gang from #notarization on the Mac Admins Slack for providing good discussion of a difficult topic.

macOS 10.14.5 beta 2, Kernel Extension Notarization, UAMDM, Whitelisting and You

Editor’s Note: This is an evolving topic and by the time you come across this in a search engine, circumstances may have changed. Treat this post as a frozen moment in time, things may have evolved for better or worse in the intervening weeks.

BLUF: If you are whitelisting kernel extensions on Macs with UAMDM, by Team ID, or by Team ID and Bundle ID, notarization is not necessarily required as of beta 2 of macOS 10.14.5. Those without UAMDM-defined kernel extension whitelists will need to make sure that kernel extensions are installed with both valid signatures and a correct notarization secureTimestamp.

Kernel Extension Signing in macOS 10.14.5 beta 2

Let’s begin with the recitals: beginning with macOS 10.14.5’s release, kernel extension signing is no longer sufficient. Kernel extensions updated after March 11th, 2019, or created for the first time after that date, will need to be notarized as well as signed. This means that your application and all attendant parts must have been signed and notarized by Apple. Here is how Apple explains this:

Notarization gives users more confidence that the Developer ID-signed software you distribute has been checked by Apple for malicious components. Notarization is not App Review. The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly. If there are no issues, the notary service generates a ticket for you to staple to your software; the notary service also publishes that ticket online where Gatekeeper can find it.

Notarizing Your App Before Distribution, Apple Developer Documentation

We had two easy tests for how this operated. Once macOS 10.14.5 beta 2 was installed on my daily driver, I downloaded updates to two of the apps we use that have kernel extensions and had been updated after March 11th: VMware Fusion Pro 11.0.3 and Kerio’s VPN Client 9.3.0.

On install of the new VPN Client, I received the following dialog:

Rejection Dialog from macOS for an invalid kernel extension

Kerio’s VPN Client was now dead in the water and not functional, no matter what I could do to follow up. An inspection (which requires Xcode 10.2 and not just the command line tools) of the kvnet.kext file in /Library/Extensions indicated I did not have a valid kernel extension any longer:

Persephone: tom$ stapler validate -v /Library/Extensions/kvnet.kext/
Processing: /Library/Extensions/kvnet.kext
Properties are {
    NSURLIsDirectoryKey = 1;
    NSURLIsPackageKey = 1;
    NSURLIsSymbolicLinkKey = 0;
    NSURLLocalizedTypeDescriptionKey = "Kernel Extension";
    NSURLTypeIdentifierKey = "dyn.ah62d4qmuhk2x445ftb4a";
    "_NSURLIsApplicationKey" = 0;
Props are {
    cdhash = <5bf723ec 9f7a0027 4592266d 0514db04 5f1760bb>;
    digestAlgorithm = 1;
    flags = 0;
    secureTimestamp = "2019-04-08 12:34:03 +0000";
    signingId = "com.kerio.kext.kvnetnew";
    teamId = 7WC9K73933;
kvnet.kext does not have a ticket stapled to it.

Without a valid ticket stapled to the kext, I was going to have a problem running it, as the secureTimestamp value is after 2019-03-11.

Well crap. I need that kernel extension to work for my VPN to client locations to work, so how am I going to get around it? Thanks to #notarization on the Mac Admins Slack, and Allen Golbig at NASA Glenn, Graham Pugh, and the help of others, the answer was already in our hands: User-Accepted Mobile Device Management and Team ID Whitelisting in the Kernel Extensions Whitelisting payload in MDM.

If you have a Mac with UAMDM (either via actual user acceptance, or via implied acceptance through Automated Enrollment), and you are specifying the Team ID of kernel extensions that you want to be whitelisted the new requirement of kernel extension whitelisting is transitive, meaning checks are not made to the notarization of the kernel extension, as the signing of the kernel extension is sufficient to its privileged execution.

MacADUK 2019: Highlights & What I’m Taking Forward

St. Paul’s and the Thames

This year’s MacADUK Conference is in the books, and I’ve made it back to the States in one piece. It was a busy week, full of socializing and engaging with colleagues, as well as learning about new topics in client management and deployment workflows, encryption details, and security philosophy. My sincerest thanks to Ben Toms and James Ridsdale from Datajar who chaired this year’s conference, and to the team at Amsys that handled logistics and details.


Park nearby Prospero House

This year’s conference had some great sessions. When the videos are out, I would strongly recommend seeing the following sessions on the small screen:

Armin Briegel, Deployment: Modern deployment workflows for business

Deployment is a source of opportunity for every IT out there. It’s literally your coworkers’ first impression of your operation, so why aren’t you putting your best foot forward with customized deployment via Automated Enrollment and Mobile Device Management. Figuring out how to replace the older technologies of ASR-based imaging with new deployment strategies is a challenge worth embracing.

Chris Chapman, macOS in a Docker Container for Development

There’s no question that Docker and Kubernetes are key components of modern software development stacks, especially for web-oriented applications. Chris Chapman of MacStadium has taken this to a whole new level, by writing a boot loader for Kubernetes and Docker for Apple hardware, allowing you to deploy a macOS image through orchestration and docker. The more I think about this, the crazier it is, but it demonstrates a flexibility that wasn’t possible before. I’m sure this is completely unsupported, but what a phenomenal way to think about the underlying tool chains we build from. It’s called Orka, and MacStadium is looking for beta sites.

David Acland, All about digital signatures

We spend a whole lot of our admin life making sure that signatures align and are approved, but how does that process actually happen? What’s the working relationship between a hash and a signature? What’s the actual cryptographic process used to take a hash and sign it as a measure of identification integrity? David took us through the details, and it was a real pleasure. And my head didn’t explode.

Ben Goodstein, Working with APIs: Power up your scripts with real time information

APIs as part of scripts is table stakes for adminry these days, and where better to get a refresher than with a low-stakes custom API that Ben wrote for accepting data from a script. He also told us about Insomnia, a GUI app for practicing with, in order to review what’s come down from an API call, and help better gather information. It was a great session, and I learned a lot of useful things to iterate against.

Commit No Nuisance


I had a few big thought lines that came back a few times during the conference, and lead to some noodling in my head on walks through London. We’re once again at an inflection point in macOS Administration, much as we were in the 10.8/10.9 period, the 10.7 period, and the 10.5 period. There are changes to our management structures that are no longer flashes in a pan:

MDM is not optional.

Deployment should be automated.

Manage as little as you need to retain a presence on the platform.

Managing more than you need to results in Shadow IT and Loopholes.

IT Operations relies on trust. Not just mechanized and automated trust chains established through TLS certificates and certificate authorities, it relies on a human trust that is implicit between Management and IT, and IT and the end users, your coworkers. For any IT policy to succeed, it must come with buy-in from your coworkers, not just in your department, but in your whole organization. Systems that are deemed too complicated will be ignored. Systems that are deemed too cumbersome to be operated will spark grudges. Systems that are deemed to be unpersonalizeable will result in shadow IT usage on personal equipment.

The balance between security, usability, and management philosophy remains the single most important challenge of any IT environment, large or small. If you have a bad balance, your coworkers will fight with you, resent you, and eventually work around you and cut you out.

Having a light hand on your workstations will be fought by internal and external security guidelines, though, and you’ll need to be ready with justifications based on feedback in the event that your choices are questioned. Obviously, there are some guidelines you can’t ignore. But, the security of the platform needs to be part of your process, not bolted on, not thought of after, but holistically part of your deliberations and choices. Self-healing management is a part of that, as is centralized reporting mechanisms designed to track the state of a machine.

If IT isn’t working to enhance the culture of your organization by extending and embracing systems of participation and training, your value will be subsumed by internal groups that are doing these things. That means providing good guard rails, but also providing knowledge and power at the workstation level to enhance your colleagues’ ability to do their jobs.

IT is a human-facing department in 2019. We serve the people. We just also serve the machines they use.