Annoying Catalina Security Features

The whole Apple developer experience just isn't fun anymore.

And, increasingly, it's feeling like the Mac user experience in general just isn't fun anymore. Pretty much just cognitive inertia and two or three apps keeping me around at the moment.

Totally not looking forward to this

Wasn't Snell one of the few people saying we should embrace all of these major changes with open arms just last month?

Also: Catalina looks like it will be the first OS X that I will not upgrade to in YEARS. So far it sounds like a train wreck: 32 bit apps will no longer work, everything else will be on lock-down, and iTunes is gone -- then there's a bunch of new stuff like Podcasts and TV apps, iPad Sidecar, Screen Time, that I don't care about.

I see zero reason to upgrade.

I tried 10.15 on a test machine: opened Safari to download something, and it now gives a prompt warning you that you're downloading a file! FFS. No such warnings using App Store I'm sure.

This is iOS unification folks, macOS will be whittled down to an iToy.

> two or three apps keeping me around

I had kind of an epiphany recently. It's pretty trivial to virtualize macOS on Windows nowadays. So now I have a full-screen OS X installation on my Windows laptop that I can just switch to when I need to, say, open an OmniGraffle document. This has given me the peace of mind to stop using my MacBook Pro altogether.

> Lukas

Crazy that Windows can now be considered a better user-experience than macOS... How times change.

I still develop macOS apps, so, for now, I'm tied to the platform. With the direction macOS is headed I would probably have switched to Linux a year or two ago otherwise.

I upgraded to Alfred 4 the other day (on Mojave). There were a total of 4 system permissions required during the first-run process (Accessibility, Full Disk Access, Automation and Contacts). The first two in particular are a total pain to enable (authenticate to unlock, set permission, re-start app). When enabling Accessibility macOS prompted me to restart Alfred, which would not quit, then the entire macOS UI froze - I could do nothing, even though processes still seemed to be running. Had to hard reboot to get back again. Whether this was caused my macOS or Alfred I don't know (macOS I guess), but either way the user-experience is absolutely terrible. Security is a trade-off, but even Mojave has the balance wrong. Badly wrong.

At the time of this writing , I’m not planning to notarize the freeware I’m distributing. My goal in life is not to pay 99$ a year to have the right to distribute free (and open source) software.

I'm still on High Sierra and honestly I'm not sure if there's a good reason to upgrade to Mojave, other than not being too far behind when Catalina is released.

@Lukas
Ah, I'm glad you found a way to do it. My last attempt a year or so ago didn't yield a usable VM. My existing plan is to run High Sierra on a 2010 Mac mini and use VNC, but the VM approach might be better.

Now you've got me considering a Ryzen 9 just to have another 2 cores to put towards that...

@ stephane
Unsigned apps will run like before. But apps signed with a Developer ID certificate needs to be notarized.

@galad Apple’s documentation says “Beginning in macOS 10.15, notarization is required by default for all software.”

Catalina sucks. There is no other word for it.

I got the "log all keystrokes" warning from 2 apps, too. Pretty sure that this is another bug. Among the many many bugs that Catalina has.

[…] Annoying Catalina Security Features – Michael Tsai […]

@galad I don't mind codesigning apps. I'm just just against having to pay a trillion-dollar company a rent to be able to distribute freeware on its neglected desktop platform.

I'm another Mac (shareware) developer about to call it a day. I started writing apps on 10.6 and it was a joy all the way through to Sierra. Then we started getting the hoops to jump through. I think App Translocation was the first one, then Mojave kicked me in the teeth with the first tranche of "user protections" and now Catalina just takes it to beyond a joke. As a developer, I don't mind jumping through hoops if the user is getting a better experience, but the last couple of iterations of OSX/macOS have made both my development AND my user experience a whole lot more painful. Add to that the constant API churn that seems to mean an app rewrite almost every time WWDC comes round, I feel like the effort outweighs the reward.

>My last attempt a year or so ago didn't yield a usable VM

By default, it won't work, but there are easy-to-find tools on the web that will make disk images bottable on Windows. It was basically two minutes of googling, and then 30 minutes of setting things up. Everything worked on the first try.

>bottable

Fortunately, they will also make them bootable.

Aye, ended up figuring it out. It's very slow for me, but for reading/writing the occasional iWork or Omni doc it should be fine.

Incidentally, I decided to give a genuine Mac one more fair shake and brought a 27" iMac home, but will be returning it after less than a week. The screen is still too glossy and, despite getting the best standard SKU, the combination of only 8GB RAM + the Fusion Drive makes the experience miserable once the swapping starts (which doesn't take long). Apple should be ashamed at how sluggish this $2,600 (!) computer is. I'd have to spend even more for sufficient RAM and a non-fusion SSD to make it usable, and I'm not comfortable making that investment at a time when there are still so many software quality concerns.

The last thing I want to do is walk away from 15 years of Mac familiarity, habits, muscle memory, and software investments... all in exchange for spending a bunch of time re-learning a different OS. But, I'm not really sure what else to do at this point. All of the Macs are either too expensive or don't fit my needs. And macOS itself is in such a state where, for the first time ever, I'm not even sure I would 'upgrade' to the new version. It's frustrating.

Incidentally, I decided to give a genuine Mac one more fair shake and brought a 27” iMac home, but will be returning it after less than a week. The screen is still too glossy and, despite getting the best standard SKU, the combination of only 8GB RAM + the Fusion Drive makes the experience miserable once the swapping starts (which doesn’t take long). Apple should be ashamed at how sluggish this $2,600 (!) computer is.

I’m not going to defend Apple’s pricing, but there is no $2,600 standard SKU 27-inch iMac, and a configuration with 16 GB RAM and SSD is $2,099. Heck, at $2,699, a hundred bucks above your configuration, you get 32 GB RAM and 512 GB SSD, which is a bit low on the storage side (but it’s a desktop, so external expansion isn’t that annoying), and more RAM than most people need.

Having said all that, I feel like they should just drop some of these low-end configurations.

Ben G, did you mean the article from May where I specifically advocated for a "developer mode" like Gruber? Where I said that Apple seemed to be trying to find a balance between security and usability? Where I advocated for better default security on the Mac? I assume you did.

https://www.macworld.com/article/3393195/why-the-mac-wont-end-up-locked-down-like-ios.html

Slamming me for saying that is like slamming someone for saying they want to read the next (insert name of beloved novelist) novel here, only for it to end up not being very good. It's ALL in the execution, and the execution in the Catalina betas is terrible.

Anyway, I talked about this for about 20 minutes on Upgrade this week.

https://www.relay.fm/upgrade/256

>It's very slow for me

It's interesting. I haven't enabled graphics card support, and I'm not sure whether enabling it will work, so screen drawing feels a bit sluggish. It's definitely not as snappy as a real Mac (although it does feel much better than remote desktop on a local network). However, all of the CPU-bound stuff executes quite fast. So I don't think speed is the problem, it's just drawing stuff on the screen that makes the whole thing feel a bit slow. Having said that, I'm running this on a Lenovo Legion y740 17 with an i7-8750H, and I'm assigning four cores and 16GB of RAM to the virtual machine, so ymmv.

>but there is no $2,600 standard SKU 27-inch iMac

In Switzerland, the 3,7 GHz 27" standard SKU iMac costs 2’656.83 US$. Not sure if that's the one remmah is talking about, but different people pay different prices for Apple's products, depending on where they live.

Yeah, here in Sweden the 3,7 GHz 27" standard SKU iMac costs 29,066 SEK which is 3,024 in US dollars. It's a combination of different prices in different regions, a higher tax (VAT) and an unfortunately low Swedish crown.

[…] Annoying Catalina Security Features […]

>but there is no $2,600 standard SKU 27-inch iMac

The default 3.7GHz $2,299 SKU + tax + AppleCare = over $2,600 where I live.

What I did: I built a Threadripper (2950x) system, put a lot of ram into it, 2 GPUs, installed Linux, set up KVM and installed macOS into a VM. I passed through the 2nd GPU to that VM. The VM is just as responsive as a native Mac. I do all my Mac development inside that VM. All my day to day computing I do on Linux (Arch btw. + i3-gaps).

This whole setup cost half of the base price of the new Mac Pro and it boasts 128 Gigs of Ram, 16 Cores and 2 modern'is GPUs (Vega64 + Radeon 7).

@Jason Snell
Thank you for taking the time to respond to this thread. I missed the initial conversation surrounding this issue, so without the initial comment by @Ben G and then your response, I would have been left in the dark.

"third-party System Preference panes on Catalina are loaded into a separate “legacyLoader” process"

3rd party screen-savers UI are also loaded in a "sandbox" since macOS Mojave. Which leads to numerous issues with UI (like secondary windows not becoming keys, NSOpenPanel crashing System Preferences.app, NSOpenPanel returning incorrect URLs, etc.).

In Catalina (last beta I checked was b5), the issues are still there, with different symptoms for some of them (e.g. NSOpenPanel is AWOL).

It looks like you don't need to code using Catalyst to create poor user/developer experience on macOS.

[…] Annoying Catalina Security Features […]

[…] Apple can also repeat mistakes that Microsoft once made with Windows Vista, by requiring so many permission approvals from users that they start clicking on them all without thinking. Michael Tsai collected a ton quotes from developers and users who were already worried about this problem in July. […]

In the past, to debug a System Pref Pane, you could make a copy of System Preferences and self-sign it, then use this copy as the debug target. With legacyLoader this is no longer possible. Although you can still make a copy and self-sign legacyLoader, there is no way to force System Preferences to use the modified self-signed copy as it will always launch the built-in, Apple-signed legacyLoader. The only way I can see on 10.15 to debug a prefPane is to disable SIP system-wide. Not a great solution.

Seriously considering downgrading to Mojave because of this. I just downloaded 'Logitech Options' for my new mouse and had to allow access 5 separate times (with quitting the app in between each) to give it enough access to identify my mouse... PITA Apple.

You know what? We should just deal with it. I guess we gotta wait for the next upgrade unless you want to downgrade, but I wouldn't want to, since you have to reboot everything. I mean eventually, things will get better right?

If you don’t push back against slow transition to multi-thousand dollar closed system- Sun style OS glorified iPads with vestigial keyboards and mouse, no it never gets better. “Deal with it?”

Nah, you deal with it. I’m not rewarding Tim Cook for limiting the hardware I bought and just staying on Mojave. Everything works and “if it doesn’t get better” then I still have work to do, I’ll just have some hard decisions to make about what what platform makes my life easier.

Switching back to Windows or pivoting to Linux and throwing Tim Cook OS in a VM. Never buying “new Apple” anything becoming a given. What a timeline.

Most of those annoying things is cause because lack of information from Apple.

For those who are being constantly receiving popup from Gatekeeper when opening some documents, or some app, here is how it works.
Gatekeeper works by reading 1(one) just one extented attribute on any file you open or execute. It reads the `com.apple.quarantine` attribute. This attribute is set once you download a file, or copy it from some neutral/untrusted source.

1) You can check that attribute on terminal, using `ls` command: ls -lea@O

If the file HAS that attribute, gatekeeper may popup on certain conditions (being the most comom: first time you open/execute that file, but there are others), so to get rid of it popping up, you have to REMOVE that attribute. By removing it you are telling the Operational System that you trust that file, you know what it is, and you don't want it to check that file anymore.

2) Cleaning the attribute is easy. On the example below, the command will clean the quarantine attribute on all my VST Components (sound effects) that I use to download and install
sudo xattr -r -d com.apple.quarantine /Library/Audio/Plug-Ins/VST

You can use it to any app:
sudo xattr -r -d com.apple.quarantine /Applications/Quiver.app

Or any document, on which the system is annoying you. You can even tell it to clean all your documents from that attribute:
sudo xattr -r -d com.apple.quarantine ~/Documents/

Thats is all about those prompts "Apple Cannot verify...", "This app was downloaded from abcd do you trust it", etc...

--
Another way to tell the system that you trust such app you downloaded, is to Open it using the mouse right-button and selecting OPEN. You have to open it 2 (two) times via right-click -> Open, and that will tell the security system mechanism that you Trust that file, and you don't want it to be annoying you anymore. And it will mark that app as Trusted on its internal database (actually the launch database). The extented attribute will continue to exist, but the action of open it 2 times this way marks that app as trusted.

Once you get used to it, its become very simple to do it, because it is just ONE time you have to do it, and the system will be your friend by not annoying you anymore, and you know you are safe because you dont have do disable the Gatekeeper service (as a lot of people do), instead you now understand it, and you tell the Gatekeepeer to trust what you want it to trust.

[…] ratcheted tighter with every recent version of MacOS. Catalina, in particular, is notable for the vast quantity and types of cautions that users are expected to […]

I did a downgrade from Catalina to Mojave 6 months after committing to the former. While that was a painful process because none of the old backups helped in the process, it still turned out to be less of a hassle than the constant fighting with OS permissions in Catalina.

If there were a Mac equivalent of Windows 8, then Catalina would be it.

[…] Apple may be repeating Microsoft’s mistakes when they return to Windows Vista because there are so many permissions from users that the button starts all of them without even thinking about it. Michael Tsai has many collections comments from developers and users were also raised about this issue in July. […]