Tuesday, November 24, 2020

M1 Macs Add Hurdles for Audio Plug-ins

Rogue Amoeba (via Peter Steinberger, Jeff Johnson, Paul Kafasis):

In MacOS 11 (Big Sur), the initial installation of ACE requires a bit more set-up. The in-app installer provides an overview of the process, and is likely all you need. This page lists the full sequence of steps to install ACE and get Airfoil working.

[…]

Click the lock in the lower left corner, then enter your Administrator password. The Security & Privacy system preference will then be unlocked, and you’ll be able to make changes. From here, click the Enable system extensions… button to permit ACE to run on your Mac.

[…]

Boot to the Mac’s “Recovery” environment by pressing and holding down the Touch ID or power button on your Mac.

[…]

The default configuration is pictured above. Switch to Reduced Security and enable the first checkbox, “Allow user management of kernel extensions from identified developers”.

[…]

Despite the name of this setting, ACE is not a kernel extension. Instead, it’s a standard audio plug-in, which receives enhanced privileges to access your system’s audio. MacOS simply uses the kernel extension verification system to allow ACE to load as well.

[…]

Now, you need to allow ACE to run on your Mac, by authorizing it in the Security & Privacy system preference.

Keep in mind that you have to go through all of this even though the app has already been notarized. The last few versions of macOS have been a disaster for apps that do anything off the beaten path. Apple keeps adding hoops for users to jump through, scaring potential customers away. Developers have to spend time engineering mitigations for the bad user experience, working around bugs in the new security features, and providing support for customers who have trouble with the hoops. Apple talks about how it loves the Mac and innovation, but each step of the way it does more to discourage the development and success of interesting apps.

Previously:

Update (2020-11-25): Jason Snell:

The good news for Rogue Amoeba’s customers is that their stuff works, and once you do the reboot two-step, you shouldn’t need to do it again. It’s a multi-step process, but it’s over fast and then you can get on with your work.

But it really shouldn’t work this way, and that’s on Apple. One reboot is bad, but two is ridiculous. Surely there’s a way, at the very least, to pre-approve an extension before rebooting to adjust the security setting? I know that Apple is trying to protect users from bad actors, but when a list of instructions like these are required to install Mac software, something’s really gone wrong.

See also: Reddit.

Update (2020-11-27): Dave Mark:

I’ve jumped through these hoops, and they are both intimidating and cryptic. Neither are Rogue Amoeba’s fault. If I want to use Audio Hijack, I have to jump through the cryptic hoops, and trust that it’s OK to accept “reduced security”.

I get it. I just hate that this is where we’ve landed.

5 Comments RSS · Twitter


I'm the sort that likes reverse engineering things and figuring out how they work... Even so, this would certainly make me think twice about trying ACE.


Nathanaël Havez

This is pure madness.


Maybe there's a law like Moore's in which the bigger and more successful a company gets the less it thinks user experience matters?


I read this and thought – this process sounds like the kind of broken thing I'd expected to have found a decade ago on Windows.

A dozen complicated steps, a couple restarts, multiple admin password prompts, having to enable ominous-sounding security settings that don't apply to the thing you're installing because the OS doesn't have a path for dealing with that component and so reuses some other system, and then at the end of it all, a potential silent security preferences failure where you have to reboot another time and hope it works next time.

Not good.


I sure hope there's eventually a less convoluted way of enabling this. I'm leery--rightfully or not--of jumping through these kind of backdoors on a brand new Mac that I'm using for production work, since I don't want driver, etc. conflicts down the line.

Leave a Comment