Monday, September 23, 2024

Sequoia’s spctl and csrutil

Rich Trouton:

On macOS Sequoia, running the sudo spctl --global-disable command to disable Gatekeeper produces the following output:

Globally disabling the assessment system needs to be confirmed in System Settings.

This seems to be an intentional change—security through preventing automation.

Jeff Johnson (Mastodon):

Today I learned that I can no longer change the startup security policy or disable System Integrity Protection (SIP) on any of the boot volumes.

[…]

When I open Terminal app in the recovery volume and enter csrutil disable to disable SIP, I get the following error:

csrutil: Failed to update security configuration for "Sequoia": Failed to create paired recovery local policy

I’m not sure what’s happening here. It seems like installing Sequoia changed something in his Mac’s firmware so that csrutil no longer works with previous macOS versions, either.
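Since the post is about Gatekeeper and SIP state that can no longer be flipped from the command line, the useful defender-side counterpart is a read-only posture check. The script below is an added example, not code from the post or from Rich Trouton or Jeff Johnson; it assumes the read-only commands spctl --status and csrutil status and their usual "assessments enabled/disabled" and "System Integrity Protection status: enabled/disabled." output lines, and it feeds the parsers with constructed sample text so the logic can be exercised off a Mac:

```shell
#!/bin/sh
# Added example: read-only Gatekeeper/SIP posture check.
# The parsing functions take tool output as an argument so they can be
# tested offline with constructed strings (nothing below is captured output).

# gatekeeper_state <output of spctl --status> -> enabled | disabled | unknown
gatekeeper_state() {
    case "$1" in
        *"assessments enabled"*)  echo enabled ;;
        *"assessments disabled"*) echo disabled ;;
        *)                        echo unknown ;;
    esac
}

# sip_state <output of csrutil status> -> enabled | disabled | unknown
sip_state() {
    case "$1" in
        *"Protection status: enabled"*)  echo enabled ;;
        *"Protection status: disabled"*) echo disabled ;;
        *)                               echo unknown ;;
    esac
}

# posture_ok <gatekeeper state> <sip state> -> success only if both are enabled
posture_ok() {
    [ "$1" = enabled ] && [ "$2" = enabled ]
}

# Live check, only where the tools exist (i.e. on macOS); both commands are
# read-only and need no root. The assumed output formats are documented above.
if command -v spctl >/dev/null 2>&1; then
    gk=$(gatekeeper_state "$(spctl --status 2>&1)")
    sip=unknown
    if command -v csrutil >/dev/null 2>&1; then
        sip=$(sip_state "$(csrutil status 2>&1)")
    fi
    echo "Gatekeeper: $gk"
    echo "SIP: $sip"
    if posture_ok "$gk" "$sip"; then
        echo "posture: OK"
    else
        # On Sequoia these states only change via System Settings or Recovery,
        # so an unexpected "disabled" is worth a closer look.
        echo "posture: REVIEW"
    fi
fi
```

Because the parsers match substrings rather than whole lines, a message such as the "needs to be confirmed in System Settings" text quoted above falls through to unknown instead of being misread as a state.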


Update (2024-09-25): Rich Trouton:

Now that the spctl tool can no longer separately manage Gatekeeper, management profiles are the best way to manage Gatekeeper on macOS Sequoia. For more details, please see below the jump.



Issues like this drive me insane. Recently I wasted hours pulling my hair out because I couldn't get macOS to install or update on my external drive, only to discover that there's one USB-C port on every mac where if you try to boot an external drive off of it, it'll boot, but all sorts of things will silently fail, or fail loudly with totally inscrutable error messages that say nothing as to what the actual problem is. It so happened I was plugged into that port.

This is the kind of crap that didn't happen on Intel Macs, or PPC Macs for that matter. It used to not matter what port you plugged things into. It also used to be that Macs weren't so overburdened with pointless half-baked, half-broken security that you could expect things like csrutil to work as expected, without there having to be an elaborate puzzle of data and features aligned *exactly right* in order for them to function, and if anything is slightly off, it all flies apart at the seams. It distresses me to no end that this is becoming the typical experience of using a Mac.


I can't help but perceive this to be a deliberate tactic to slowly turn macOS into something like iOS where Apple's goal is to be ultimately in control regarding what App you are allowed to launch, and what telemetry they want on this process. With the long list of things that Apple is doing to the platform that I find totally off putting, I am slowly asking myself when it is enough. If this does not get fixed, maybe this is it.


Thomas, like the story with the frog, they are boiling you so slowly, that you’ll just accept it as easier than changing platforms.


I really like my m-series Macs but I have to confess that I have concerns over the direction of some things with the new hardware.

Examples: complexity of the hard drive layout, a true clean install of macOS requires a second Mac, and "erase and reset" requires an online authorization from Apple. I also feel that backups are now more critical than ever because there is no way to remove the hard drive and recover data from it.


I've already decided that my next main computer is going to run Linux. I'm not at all happy with that decision, because even Linux now in 2024 can't compete with the ease, good design and capabilities that OS X had in, say 2012 or so. But I simply can't abide having a computer where I'm not the one in control.

The trouble will be that my professional work involves doing lots of macOS and Windows development, so I'm going to need some way of working in all three. And virtualization is no longer an option! It's a puzzle I've yet to solve.


@Bri Have you considered getting a Mac? It will run all three operating systems ...

Linux is more urgently needed than ever, but it can only cover the 90 % of use cases; the other 10 % aren't important to geeks scratching their own itch, which unfortunately are quite important, in my case including genuinely usable screen reader in a graphical environment. So that in the end the choice is twixt macOS and Doze, with Linux as a VM, and we all know which one of those we'd rather have, when you come right down to it. Especially now that Apple Silicon really is a selling point that is very hard to resist, and you simply can't run macOS anywhere else.


The work I do requires me to be on x86_64 Windows, so a mac won't help me. That is, unless an Apple Silicon mac can emulate a Windows system with good performance and graphical acceleration. As far as I'm aware, though, there isn't an x86_64 emulator that can do that.


I'm trying to open an application and it's giving me this problem: Globally disabling the assessment

I don't know what to do.

Mac Sequoia


"That is, unless an Apple Silicon mac can emulate a Windows system with good performance"

It can do that, but it'll be the ARM version of Windows, which can then itself run x86 code in emulation at somewhat acceptable speeds, depending on your requirements.

"there isn't an x86_64 emulator that can do that"

x86 emulation on the Apple Silicon Macs is atrocious. I'd rather run VirtualPC on a Performa 5200.


I wonder why x86_64 emulation is so bad? Are we just used to virtualization after having used Intel Macs for so long, and there's really just a limit to how fast it can go? Or has no one made a really good one yet that fully utilizes the power of Apple Silicon?

Sadly running a virtualized ARM Windows is not an option for me. :-( So going into the future I'll need at minimum two computers, one Apple Silicon mac and one x86_64 system to run Windows. In reality I'll probably have three, with the third running Linux and being my main computer with *some* kind of way of interacting with the other two systems when needed. (KVM switch? Screen streaming? Mouse / keyboard sharing? Haven't decided yet!)


@Bri Is it that the Apple Silicon marketing was too successful? My understanding is that it’s mostly not much faster than equivalent Intel processors, just more efficient. They don’t have higher clock rates or do more per instruction. Rosetta 2 is faster than Intel Macs because those Macs used older processors and because it does AOT. ARM Windows uses a JIT. General-purpose emulation probably is harder.


@Michael Tsai Regarding the marketing, perhaps so! I was under the impression that they did crunch numbers faster than the competition, but I've never run the benchmarks myself, and naturally it is more complicated than that. And of course processors well suited for one kind of use case aren't necessarily going to perform as well on another.


"In reality I'll probably have three, with the third running Linux and being my main computer with *some* kind of way of interacting with the other two systems when needed."

Screen sharing seems like the best option. Put them in the basement and access via fast network connection.


@Michael Ever since I got my M1 Mini and the benchmarks bore out the reality that it was only slightly faster than my 2020 iMac in multicore, at best, I've felt that the marketing overhyped Apple Silicon. Of course the same isn't true of my M3 Pro MBP but clearly everyday use is as much about storage and RAM, and of course the M1 machines didn't have that much of either, and the fast storage greatly facilitated the use of swap to compensate for the RAM. Still, underwhelmed as I was by the actual performance, the transition and technology is impressive, especially for its energy efficiency, and there's no question that AS has put Apple in a good place there (fixed-size RISC instructions, aggressive pipelining and OOO execution, two-tiered big/little cores, etc). I certainly intend to convert my living-room to all-ARM in future but for the iMac; I use the iMac because it's still plenty fast enough and because it runs x86 Windows. On which ...

@Bri I do feel your pain. I have some x86 Windows software that can't run entirely in userspace too, but I'm able to wean myself off most of it and run the rest under the ARM version of Windows with their x86 emulator. Running x86_64 Windows, itself, under emulation will definitely be intolerably slow (XP is only just about usable) and will moreover not have GPU acceleration. I'm afraid you're right that you're looking at multiple computers.
