Archive for June 6, 2019

Thursday, June 6, 2019

Security & Privacy in macOS 10.15 Beta

Advances in macOS Security:

We are on a journey to continuously improve macOS security, with a particular focus on preventing malware and protecting user data. Join us on the next step and learn more about what's new in Gatekeeper—for keeping malware out of macOS—as well as new protections that help keep users' data and activity under their control.

Kyle Howells:

Apple still refuses to put an “Allow” button on the macOS security prompts I can see.

Thomas Tempelmann:

And still no option to tell macOS that you trust an app accessing everything at once, instead of being asked for every detail separately? It’s already a pain with apps like iClip and Timing to acknowledge them using AppleEvents on every app you touch.

Zack Whittaker (tweet):

But the protections [in macOS 10.14] weren’t very good. Those ‘allow’ boxes can be subverted with a maliciously manufactured click.

[…]

Wardle, who revealed the zero-day flaw at his conference Objective By The Sea in Monaco on Sunday, said the bug stems from an undocumented whitelist of approved macOS apps that are allowed to create synthetic clicks to prevent them from breaking.

Felix Schwarz:

Just when you thought kext development couldn’t get any more frustrating… a “New Feature” arrives.

DriverKit (Hacker News):

The DriverKit framework provides C++ classes for IO services, device matching, memory descriptors, and dispatch queues. It also defines IO-appropriate types for numbers, collections, strings, and other common types. You use these with family-specific driver frameworks like USBDriverKit and HIDDriverKit.

Felix Schwarz:

Wow! macOS #Catalina adds new frameworks to allow drivers to run IN USER SPACE & manage them via “SystemExtensions”!

More on macOS Catalina #DriverKit drivers:

- packaged alongside the app like modern app extensions.
- removed from the system when the host app is
- (possibly) can be dynamically loaded & unloaded as needed using OSSystemExtensionRequests

In #SOTU, Apple just announced that “in a future #macOS release”, KEXTs targeting driver categories covered by #DriverKit will no longer work and encouraged developers to adopt #DriverKit now.

Jeff Johnson:

A lot of things bothered me yesterday, but I think the one thing that bothered me the most was 10.15 locking down the Documents folder.

In the past, Documents was the place that apps were supposed to use. Now it’s forbidden ground.

The Mac is dying from permission dialogs.

All About Notarization:

Notarization is all about identifying and blocking malicious Mac software prior to distribution, without requiring App Review or the Mac App Store. Introduced last year and already widely adopted by Mac app developers, this is your opportunity to take an in depth tour of Notarization workflows and find out what's new with the Notarization service.

Mark Munz (Rich Trouton):

“All About Notarization” was somewhat disappointing.

They kind of quickly explained the Sparkle.framework issue. 🤷‍♂️

But looks like zero workflow improvements to automation & notarization. 😞

Jeff Johnson:

For Mac App Store apps, I suspect that Catalina will be a very easy update. Not many changes as far as I can tell.

For non-sandboxed apps on the other hand... I pray for you.

Steve Troughton-Smith:

Good news: macOS Catalina still respects your System Integrity Protection setting and lets you write to the hard disk root if SIP is off

Update (2019-06-10): Jeff Johnson:

Wait, according to the “Advances in macOS Security” video (9:30 mark), there’s no more first launch Gatekeeper dialog for standalone executables on Catalina?

Howard Oakley:

This changes again as of 1 June 2019 with respect to Catalina, but not (as far as we know) in Mojave. From that date onwards, all newly-signed apps and other executable code which undergo first run checks (because of a quarantine flag) are required to have been notarized. You can still run apps which haven’t been notarized or even remain unsigned in Catalina, though.

Update (2019-06-11): Rosyna Keller:

macOS never had a first launch prompt for anything not going through LaunchServices before. Catalina is the first to add it for quarantined files not going through LaunchServices.

Daniel Jalkut:

OMG tccutil in Catalina actually accepts the bundle ID it has claimed to accept for years:

% tccutil reset AppleEvents com.red-sweater.fastscripts

successfully reset AppleEvents approval status for com.red-sweater.fastscripts

Update (2019-06-18): SentinelOne:

10.15 sees some major developments that will affect both the enterprise and developers of security solutions. In this post, we round up what’s been announced so far and explain how it could affect you.

Update (2019-07-01): Peter Steinberger:

Catalina still offers “Allow apps downloaded from anywhere” if you use the terminal.

sudo spctl --master-disable

(Firefox updater stopped working without)
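Building on Howard Oakley’s note above that only quarantined code gets a first-run check on Catalina, and on the `spctl --master-disable` command, here is an added shell example (not from the post, nor Apple’s own code) that reports an app’s quarantine flag, the global Gatekeeper switch, spctl’s verdict and the stapled notarization ticket. The script name and the quarantine values in the comments are assumptions; the macOS-only calls run only when a path is passed, so the parsing helper can be exercised anywhere.

```shell
#!/bin/sh
# Added example, not code from the original post or from Apple. A defender's
# first-run check for a downloaded Mac app on Catalina: the quarantine flag
# (what triggers Gatekeeper's first-run assessment), the global Gatekeeper
# switch that "spctl --master-disable" turns off, spctl's verdict, and the
# stapled notarization ticket. Assumes macOS with Xcode command-line tools;
# the quarantine sample values mentioned below are constructed.

# Split a com.apple.quarantine value such as "0081;5cf83a9b;Safari;1B2F"
# into its ';'-separated fields: hex flags, hex UNIX timestamp of the
# download, downloading agent, UUID (the UUID may be absent).
# Pure shell, so it runs anywhere.
parse_quarantine() {
    IFS=';' read -r flags stamp agent uuid <<EOF
$1
EOF
    printf 'flags=%s timestamp=%d agent=%s uuid=%s\n' \
        "$flags" "$((0x$stamp))" "$agent" "${uuid:-none}"
}

# Report on one app bundle or executable. Only meaningful on macOS, where
# xattr, spctl and stapler exist; tool failures are reported, not fatal.
check_first_run() {
    target="$1"
    printf '== %s\n' "$target"
    # 1. Quarantine flag: only quarantined code gets a first-run check.
    if q=$(xattr -p com.apple.quarantine "$target" 2>/dev/null); then
        printf 'quarantined: '
        parse_quarantine "$q"
    else
        echo 'quarantined: no (no first-run check will happen)'
    fi
    # 2. Global Gatekeeper state: "assessments disabled" means someone ran
    #    "sudo spctl --master-disable" on this Mac.
    printf 'gatekeeper: '
    spctl --status 2>&1 || true
    # 3. Gatekeeper's verdict on this code; on Catalina, newly signed code
    #    must be notarized to pass.
    spctl --assess --type execute --verbose=4 "$target" 2>&1 || true
    # 4. Stapled notarization ticket, validated without a network lookup.
    xcrun stapler validate "$target" 2>&1 || true
}

# Usage: sh gatekeeper_check.sh /Applications/Example.app ...
if [ "$#" -gt 0 ]; then
    for t in "$@"; do
        check_first_run "$t"
    done
fi
```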

Update (2019-10-13): Felix Schwarz:

127 days have passed since I requested #DriverKit entitlements from @Apple. #Catalina, meanwhile, has shipped.

Still didn’t hear back. Has anyone?

Update (2019-10-17): Mr. Macintosh:

Check this out, Apple REMOVED the line below.

“Installing third party kernel extensions now requires that you restart your Mac before they’re permitted to load.”

Backing Up macOS 10.15 Beta

Dave Nanian:

FYI, anyone using Catalina - SuperDuper does NOT work properly. Please don’t rely on it under Catalina until we’ve managed to figure out why, or if it’s possible.

Mike Bombich:

In the Finder you’ll only see one volume that represents your startup disk and it will appear as if everything is on that single volume. In reality, the startup disk that you see in the Finder is the read-only system volume and doesn’t have any of your data on it; the “Data” volume is separate and hidden.

[…]

Allow me to be the first to say it: stick a fork in it, HFS is done. HFS simply won’t work for making a backup of a Catalina system volume, so in the near future, we’re going to drop support for backing up macOS (Catalina and later) to HFS+ formatted volumes.

Dave Nanian:

Anyone out there able to create a disk group under Catalina with diskutil? I keep getting (disk3s1 role S):

diskutil ap createVolume disk3 APFS "MacBook Backup-Data" -role D -groupWith disk3s1
<snip>
Error: -69624: Unable to add a new APFS Volume to an APFS Container

The answer, if anyone cares, is that you have to add a system volume to a data volume. You can’t add a data volume to a system volume. Because…reasons?

Update (2019-07-10): John Martellaro:

In this timely post-WWDC show, Mike [Bombich] joins me to explain the structure of APFS drives and the new read-only System files in macOS Catalina. He explained new features of volumes in macOS 10.15, especially how the System is isolated from the Data volume (which contains /Users). He also explained the new firmlinks that tie these two volumes together, making them appear as one. Finally, Mike explained how Carbon Copy Cloner external drives can no longer be HFS+ in Catalina but must become APFS.

Dave Nanian (tweet):

This new arrangement presents those of us who are creating bootable backups with—and I’ll employ my mildest language here; the forehead-shaped dents in my desk tell a different story—something of a challenge: we can’t write to a system volume (again, it’s read-only) and we can’t create firmlinks.

So...how are we going to create backups? How are we going to restore them?

[…]

These changes will be as extensive as the ones we had to make when APFS was introduced, if not more so. We have to take a quite different approach to copying, make understandable errors appear when the underlying system APIs provide no details, and we have to depend on a bunch of new, unfinished, un-and-under-documented things to make any of this work at all.

[…]

So far, while we’ve validated the general approach, we’ve run into a lot of problems around the edges. Catalina’s file system and tools are rife with bugs. Every time we head down one path, we’re confronted with unexpected behavior, undocumented tools, crashes and failures.

macOS 10.15 Beta

Apple:

Experience your favorite iPad apps coming soon to Mac. Now developers can easily create Mac apps from the iPad apps you already know and love. They run natively alongside your existing Mac apps so you can drag and drop content between them. And take full advantage of the larger screen and powerful architecture of your Mac to provide a seamless experience across your devices. Enjoy a broad range of Mac apps, with everything from travel, entertainment, and gaming to banking, education, and project management.

[…]

With macOS Catalina, there are enhanced security features to better protect macOS against tampering, help ensure that the apps you use are safe, and give you greater control over access to your data. And it’s even easier to find your Mac if it’s lost or stolen.

[…]

macOS Catalina includes new features to help everyone get the most out of Mac. Voice Control lets users who don’t use traditional input devices control Mac, iPadOS, and iOS devices entirely with their voice. New tools for users with low vision allow them to zoom a second display or view high-resolution text for items below a cursor.

Here’s the list of new features.

macOS 10.15 Beta Release Notes:

macOS frameworks are now thinned for the x86-64 architecture. Apps that execute i386 code now fail with the EBADARCH error code. The remaining stub frameworks are nonfunctional and exist only for compatibility purposes.

Peter Maurer:

Get off my lawn.

Jerry Jones:

I especially 😳 at the fact that Finder displays “Applications” in a single window, despite it apparently being a collection spread across two separate volumes with different read/write permissions!

Gus Mueller:

Looks like sub-pixel aa is dead dead in 10.15 (it was only mostly dead in 10.14).

Wil van Antwerpen:

This thread describes the problems you bump into if you try to upgrade a macOS Mojave VM to the new beta macOS Catalina. Basically if you run the upgrade then your VM will hang on reboot. If you then try to reboot it in verbose mode, so that you can see what happens, you’ll get the following screen.

Christopher Allen:

A number of people at #wwdc19 today have reported problems using #VMware Fusion to run the macOS Catalina beta (especially as you need it to run #SwiftUI Canvas feature in #Xcode). Reportedly this trick works.

Update (2019-06-10): Marco Arment:

I made a second partition in Disk Utility using APFS space-sharing, installed another copy of Mojave onto it, and upgraded THAT one to Catalina.

Keep FileVault enabled on your main Mojave partition and don’t keep it mounted in Catalina to avoid duplicates in Spotlight.

Update (2019-06-12): Guilherme Rambo:

It looks like NSData.description has changed when linking against iOS13/Catalina, so if you rely on that to generate a string version of your push token, you’re gonna have some issues 😬

It now shows the length and a truncated string of hex bytes, instead of a NeXT-style plist with the entire data’s contents. And it looks like NSDictionary.description calls down to this, so it no longer generates valid ASCII property lists.

Update (2019-06-18): Jonathan Grynspan:

Beginning in macOS 10.15, LSCopyApplicationURLsForURL(), LSCopyAllHandlersForURLScheme(), LSCopyAllRoleHandlersForContentType(), and LSCopyApplicationURLsForBundleIdentifier() all return sorted lists, and it’s documented! 🎉 (NSWorkspace’s equivalent methods do the same.)

iPadOS

Apple:

What’s in a name? Quite a bit, actually. While built on the same foundation as iOS, iPad has become a truly distinct experience. With powerful apps designed for a large Multi‑Touch display. Multitasking made simple with intuitive gestures. And the ability to drag and drop a file with a fingertip. It’s always been magical. And now it’s called iPadOS.

Here’s the list of new features.

Mitchel Broussard:

Apple today revealed “iPadOS,” a new version of iOS that Apple has designed specifically for the larger screens on the iPad family. Apple said that it renamed the OS to recognize the “distinctive experience” of iPad.

[…]

To enhance iPadOS even more, Apple updated Split View to allow users to work with multiple files and documents from the same app at the same time. For example, users can have two emails opened side by side in Mail, or two notes in Notes. Slide Over allows users to quickly view and switch between multiple apps, and App Exposé provides for a quick view of every open window.

Ryan Christoffel:

Files has a new Column view, joining the existing Grid and List views available before. Column view takes better advantage of the iPad’s large display, making it easier to dive into nested folders without getting lost. And a key element of the new Column view is a Preview pane on the right-hand side that includes a visual preview of the currently selected file, rich metadata for that file, and a selection of Quick Actions to easily do things like use Markup, create a PDF, or rotate an image.

At long last, Files includes built-in support for external storage devices. USB drives and SD cards can now be connected to your iPad and the documents they contain can be accessed directly from Files and moved into a separate file provider if you wish.

[…]

The most important change to Safari is that it now loads desktop versions of websites by default. But not the same crippled desktop shells that previously existed on the iPad: true desktop versions that are fully optimized for touch input.

Matt Birchler:

Apple fails their own “Safari for iPadOS is a desktop-class browser” as they still ask you to not use their website from it.

On the other hand, Google Docs (on this and other more complex, but also more personal docs) works pretty great. Smooth and works as I’d expect. Really nice!

Colin Cornaby:

Wonder if iPad OS could imply an organizational shift in Apple as well. iPhone and iPad software being the same means they share a team and resources.

...or it’s just marketing!

Guilherme Rambo:

It’s still iOS, still runs SpringBoard, still called “iPhone OS” in the manifest.

Steve Troughton-Smith:

Multi-window really is multi-window. You can spawn as many windows as you want in an app and cycle between them as necessary, or tear them off into new spaces

Nick Lockwood:

I don’t get the whole iPadOS rebranding. Does that mean it’s a new target, like tvOS or watchOS, if so what happens to hybrid apps? Or is it just a marketing gimmick, in which case what possible benefit does it serve? Will they rename iOS back to iPhoneOS again now?

Steve Troughton-Smith:

‘iPadOS’ is a statement, not an OS. iPad is now a top-tier platform on its own, which means Apple needs to address it as such every year with new features. Means they can’t ignore it anymore

Craig Federighi:

It’s become a truly distinct experience. It’s not an iPhone experience. It’s not a Mac experience. The name is a recognition of that. We’ve expanded the domain where people can say the iPad is the best solution.

Tom Warren:

Reminder: Apple CEO Tim Cook once described laptop / tablet hybrids as like trying to converge a “toaster and a refrigerator.” Apple has an iPad Pro with a keyboard, and now it looks like it’s going to create a dedicated iPadOS for it

Dan Masters:

Precisely what concerned me when I heard about iPadOS – Apple is piling all this desktop functionality onto iPad, but is missing the desktop UX, thus ruining what made it appealing in the first place: its simplicity.

To be sure, it’s not an easy problem.

Juli Clover:

As rumored, iPadOS introduces mouse support for the first time, allowing a USB mouse to be connected to an iPad for the first time.

Mouse support is not a standard feature, but is instead available as an AssistiveTouch option within the Accessibility settings on your iOS device.

Owen Williams:

The funniest thing about the iPad getting mouse support? Apple goes out of their way to avoid saying mouse anywhere. In the pairing menu, the mouse name is blocked and it just says “accessory” 😂

See also: Hacker News.

Update (2019-06-18): Federico Viticci:

For now though, after using the iPadOS beta on my 12.9" iPad Pro for a few days, I’d like to share some initial considerations on iPadOS and what it means for the future of the platform.

Rui Carmo:

Having read about (and watched videos of) iPadOS, I still get the feeling that this is much ado about a few little tweaks (again, Apple sweating out the details and doing incremental improvements) rather than an actual breakthrough.

John Gruber:

I think “desktop-class browsing” in Safari is going to be a game-changer for many people. It really is like browsing on Safari with a Mac.

I still don’t get the multitasking metaphor on iPadOS, though.

Jason Snell:

Overall, I’m excited by iPadOS and where Apple is taking the iPad. But it wouldn’t be the post-WWDC hangover period if I weren’t also realizing that some of my most wished-for items just didn’t make it, or didn’t manifest themselves in the way I’d hoped. But that’s okay—this is natural any time fantasy crashes into cold, hard reality.

iOS 13 Beta

Apple:

iOS 13 introduces a bold new look, major updates to the apps you use every day, new ways to help you protect your privacy, and improvements across the entire system that make your iPhone even faster and more delightful to use.

[…]

Apps will launch up to 2x faster than before and be smaller in download size.

Here’s the list of new features.

Joanna Stern:

You will FINALLY be able to select a WiFi network in Control Center on iOS 13. How was this not 30 minutes of today’s presentation?!

Ryan Jones:

New title bar size and buttons! Less vertical space waste.

Eli Schiff:

Thread of changes in iOS elements:

Ryan Jones:

Automatic What’s New screens!!!

Ryan Jones:

And automatic ask for feedback.

Tanner Bennett:

This notification appears when you first join a hotspot.

This is the sort of power-user feature iOS needs more of. Bravo!

bfulgham:

WebKit on iOS has always been the same engine as macOS. It was just significantly constrained due to the technical limitations of early iPhones. In iOS 13 we have removed many of these old limitations.

Dave Mark:

iOS 13 Apple Maps added traffic lights and stop signs. Apple Maps is getting steadily better.

Pierre Habouzit:

For people curious about this up to 2x app launch win, here is an overview straight from Craig’s mouth (for about 2-3 minutes at the 1:04 mark)

It sounds like the FairPlay DRM that prevents you from installing apps not signed by Apple has been slowing down app launching for all these years.

Federico Viticci:

No more URL schemes, no more clipboard hacks – all done natively and securely.

And the Shortcuts editor is much easier to use thanks to new pickers and natural language-style syntax. ❤

Steve Troughton-Smith:

One neat nugget of information in the File Management session: iOS apps can now be granted read/write access to an entire folder, rather than just a file (!!)

Juli Clover:

Apple in iOS 13 introduced a new “Optimized Battery Charging” feature, which is designed to extend the total battery life of your iOS device.

Found in the Battery section of Settings under “Battery Health,” the optional toggle learns from your personal habits and waits to finish charging all the way up until you need your iPhone.

Nick Heer:

I was blown away by the demo of Voice Control during the Platforms State of the Union presentation and, having had the opportunity to try it myself, it works pretty much as advertised. It’s shockingly good, almost to the extent that I was considering keeping it on so I could use my iPad while I’m cooking, for example, but I worry about its impact on battery life.

Juli Clover:

In the Phone section of the Settings app in iOS 13, there’s an interesting new toggle called “Silence Unknown Callers,” which appears to do exactly what the name suggests. With this feature enabled, calls received by people not in your contacts list seem to be sent straight to voicemail.

Update (2019-06-10): Bradley Chambers:

Apple announced data separation for BYOD devices. While we don’t know all of the details about how this will work, it does appear that Apple is moving to what I was asking for. Employees want to be able to make sure that IT departments can’t access their personal data, and IT departments want to ensure that their corporate data will be secure. I will have more to say on this as we learn more.

Meek Geek:

Oh look, Apple copied the Qnovo charging tech used by some Android flagships for years […] Hopefully iPhone batteries will last 2 years instead of being throttled after 1 year!

Matt Birchler:

First and foremost, the talk confirmed what I feared: there is no way to add arbitrary fonts you already own into iOS. They must be installed by apps downloaded from the App Store.

Geoff Hackworth:

I want to focus on immediately noticeable, and potentially breaking, changes to view controller presentations in iOS 13.

Update (2019-06-13): Michael Saji:

The explanation for why Apple took so long to implement USB storage for iOS: they had to rewrite the kernel storage driver to live in userspace. The most secure USB storage ever. Same for fonts.

Juli Clover:

In addition to these features that made it into Apple’s keynote event, there are dozens if not hundreds of smaller new changes and tweaks that are included in iOS 13. Below, we’ve rounded up a comprehensive list of new and notable “hidden” features in iOS 13.

Update (2019-06-18): Steven Aquino:

One cool tidbit about Voice Control: It uses the TrueDepth camera on iOS/iPadOS to tell if you’re looking at the computer. If someone walks over and you turn your head, Voice Control will stop listening until you go back to your computer.

Update (2019-06-19): John Gruber:

The new volume HUD in iOS 13 is delightful. Notice how it is physically aligned with the hardware volume buttons. This position and the animation make hardware and software feel as one.

Update (2019-07-05): Vinoth Ragunathan:

Stock apps load stupidly fast on iOS 13 beta 3.

Pierre Habouzit:

You’re welcome.

[…]

A lot of it is dyld3 and careful systematic runtime optimizations (I did a lot of obj-c work with @mikeash and others e.g.), and it wasn't just me, there was a whole team.