Tuesday saw Apple drop the first public release of macOS Catalina, a move which has caught out a number of developers, including some offering security solutions, as well as organizations and ordinary macOS users. While SentinelOne is already Catalina-compatible (more details below), Apple's unannounced release date has left some scrambling to catch up as macOS 10.15 introduces some major changes under the hood, undoubtedly the biggest we've seen in some time. Anyone considering a Catalina upgrade should be aware of how these changes could affect current enterprise workflows, whether further updates for dependency code are required and are available, and whether the new version of macOS is going to necessitate a shift to new software or working practices. In this post, we cover the major changes and challenges that Catalina brings to enterprise macOS fleets.
R2018b / R2019a runs very slow on macOS 10.14. Learn more about r2018b, mac, macos, bug MATLAB. Browse the newest, top selling and discounted macOS supported games.
Does SentinelOne Work With macOS Catalina?
First things first: Yes, it does. SentinelOne macOS Agent version 3.2.1.2800 was rolled out on the same day that Apple released macOS 10.15 Catalina. This Agent is supported with Management Consoles Grand Canyon & Houston. Ideally, you should update your SentinelOne Agent version before updating to Catalina to ensure the smoothest upgrade flow.
MacOS Catalina runs in its own read-only volume, so it's separate from all other data on your Mac, and nothing can accidentally overwrite your system files. And Gatekeeper ensures that new apps you install have been checked for known security issues before you run them, so you're always using good software. Magnet is a workspace organizer for Mac. This is a paid App located in the App Store. The download link on the site will direct you. I recommend it over Spectacle. Pocket is a save for later application. Insert articles, videos, notes, and pretty much anything else. Parcel is the best delivery tracker. Dashlane is my password manager of choice.
Developers Play Catalina Catch-up
Contrary to popular (mis)belief, kexts or kernel extensions are still alive and well in Catalina, and the move to a new 'kextless' future with Apple's SystemExtensions framework remains optional at least for the time being. However, that doesn't mean your current array of kernel extensions from other developers are necessarily going to be unproblematic during an upgrade.
New rules for kexts mean developers at a minimum have to notarize them, and users will have to restart the Mac after approving them. On top of that, developers – particularly those distributing security software – will need to update their kexts and solutions to be compatible with Catalina's new TCC and user privacy rules, changes in partition architecture and discontinued support for 32-bit apps (see below), among other things.
Upgrading a Mac to 10.15 with incompatible kexts already installed could lead to one or more kernel panics.
The safest bet is to contact vendors to check on their Catalina support before you pull the trigger on the Catalina upgrade. If for some reason that's not possible or you have legacy kexts installed which are out of support, the best advice is to remove those before you upgrade a test machine, then immediately test for compatibility as part of your post-install routine.
Bye Bye, 32-Bit Applications
Apple called time on 32-bit applicationsseveral releases ago, offering increasingly urgent warnings of their impending doom through High Sierra and Mojave. However, in macOS Mojave these would still run after users dismissed the one-time warning alert, but Catalina finally drops the axe on 32-bit applications.
Before upgrading, check what legacy applications you have installed. From the command line, you can output a report with:
system_profiler SPLegacySoftwareDataType
For GUI users, you can take a trip to Apple > About This Mac and click the System Report… button.
Scroll down the sidebar to 'Legacy Apps' and click on it. Here you'll see a list of all the apps that won't run on Catalina. macOS 10.15 itself will also list any legacy apps during the upgrade process, but it's wise to be prepared before you get that far.
VPP & Apple School/Business Manager Support
Catalina continues to allow various enterprise upgrade paths through its Mobile Device Management (MDM) framework, Device Enrollment Program (DEP) and Apple Configurator. For organizations enrolled in Apple's Volume Purchase Program or with Apple Business Manager or Apple School Manager licensing, Catalina is supported right out of the door, saving you the bother of having to manually download, package and then install multiple instances of 10.15.
New in Catalina are Managed Apple IDs for Business, which attempt to separate the user's work identity from their personal identity, allowing them to use separate accounts for things like iCloud Notes, iCloud Drive, Mail, Contacts and other services.
There is a plus here for user privacy, but for admins used to having total control over managed endpoints, be aware that a device with an enrollment profile and managed Apple ID means the business loses power over things like remote wipe and access to certain user data. Effectively, the device is separated in to 'personal' and 'managed' (i.e., business use), with a separate APFS volume for the managed accounts, apps and data.
Privacy Controls Reach New Heights
That's not the only thing to be aware of with regards user data. The biggest change that end users are going to notice as they get to work on a newly upgraded macOS 10.15 Catalina install is Apple's extended privacy control policies, which will manifest themselves in a number of ways.
In the earlier, macOS 10.14 Mojave, there are 12 items listed in the Privacy tab of the Security & Privacy pane in System Preferences. Catalina adds five more, with Speech Recognition, Input Monitoring, Files and Folders, Screen Recording, and Developer Tools added in the new version of macOS.
Here's what the first three control:
Importantly, the three items above can only be allowed at the specific time when applications try to touch any of these services. Although applications can be pre-denied by MDM provisioning and configuration profiles, they cannot be pre-allowed. That has important implications for your workflows since any software in the enterprise that requires these permissions must obtain user approval in the UI in order to function correctly, or indeed at all. Be aware that Catalina's implementation of Transparency, Consent and Control is not particularly forthcoming with feedback. Applications may simply silently fail when permission is denied.
The most obvious, but certainly not only, place where privacy controls are going to cause issue is with video meeting/conferencing software like Zoom, Skype and similar. Prompts from the OS that suggest applications must be restarted after permission has been granted for certain services like Screen Recording have raised fears that clicking ‘Allow' during a meeting might kick users out of the conference while the app re-launches. Optimal craps strategy. Conversely, users who inadvertently click ‘Don't Allow' may wonder why later attempts to use the software continue to fail.
What all this means is that with macOS Catalina, there is a greater onus on sysadmins to engage in user education to preempt these kinds of issues before they arise. Thoroughly test how the apps you rely on are going to behave and what workflow users need to follow to ensure minimal interruption to their daily activities.
The remaining two additional items are:
These last two can both be pre-approved. The first grants access to user files in places like Desktop, Downloads, and Documents folders. The second allows developers to run their own software that isn't yet notarized, signed or ready to be distributed (and thus subject to macOS's full system policy).
And New Lows…
Here's a good example of what all this might mean in practice. Let's take as destination a user's machine on which File Sharing, Remote Management (which allows Screen Sharing) and Remote Login (for SSH) have been enabled.
Suppose, as admin, I choose to both Screen Share and File Share from my source machine into this user's computer. These two different services only require the same credentials – user name and password for a registered user on the destination device – to be entered a single time per session to simultaneously enable both services, but they have confusingly different restrictions.
Download mac data recovery guru 4 0 3. Trying to navigate to the destination's Desktop folder via File Sharing in the Finder from the source indicates that the user's Desktop folder is empty rather than inaccessible.
If I persist in trying to access any of these protected folders, the misleading Finder display is eventually replaced with a permission denied alert.
While Screen Sharing in the same session, however, I can see the Desktop folder's contents without a problem; in fact, in this case it contains 17 items. Indeed, via Screen Sharing, I can move these items from the Desktop folder to any other folder that is accessible through File Sharing, such as the ~/Public
folder. That, in a roundabout and inconvenient way, means I can get past the permission denial thrown above. Further, because I can enable other services in the Privacy pane from my Screen Sharing session, such as Full Disk Access, I can also use those to grant myself SSH access, with which I am similarly also able to work around the File Share permission denied problem.
This kind of inconsistency and complexity is unfortunate. Aside from making legitimate users jump through these hoops for no security pay-off, it raises this question: what does a legitimate user need to do to make File Sharing work properly? It seems we should go to the Files and Folders pane in System preferences and add the required process. But what process needs to be added? There's simply no help here for those trying to figure out how to manage Apple's user privacy controls. As it turns out, there also appears to be a bug in the UI that prevents anything at all being added to Files and Folders, so at the moment we can't answer that question for you either.
Catalina's Vista of Alerts: Cancel or Allow?
This expansion of user privacy controls has one very significant and obvious consequence for everyone using macOS 10.15 Catalina, graphically portrayed in this tweet by Tyler Hall.
The spectacle of numerous alerts has made some liken Apple's investment in user privacy through consent to Microsoft's much-maligned Windows Vista release, which had a similarly poor reputation for irritating users with an array of constant popups and dialogs, many of which seemed quite unnecessary.
Yes, your macOS users are going to be hit by a plethora of authorization requests, alerts and notifications. While Tyler Hall's image was undoubtedly designed to illustrate the effect in dramatic fashion, there's no doubt that Catalina's insistence on popping alerts is going to cause a certain amount of irritation among many users after they upgrade, and who then try getting down to some work only to be interrupted multiple times. However, if the trade-off for a bit of disruption to workflows is improved security, then that's surely not such a bad thing?
The question is whether security is improved in this way or not. Experience has taught malware authors that users are easily manipulated, a well-recognized phenomenon that led to the coining of the phrase 'social engineering' and the prevalence of phishing and spearphishing attacks as the key to business compromise.
On the one hand, some will feel that these kinds of alerts and notifications help educate users about what applications are doing – or attempting to do – behind the scenes, and user education is always a net positive in terms of security.
On the other hand, the reality is that most users are simply trying to use a device to get work done. Outside of admins, IT and security folk, the overwhelming majority of users have no interest in how devices work or what applications are doing, as much as we ‘tech people' would like it to be otherwise. What users want is to be productive, and they expect technology and policy to ensure that they are productive in a safe environment rather than harangued by lots of operating system noise.
The alert shown above illustrates the point. How informative would that really be to most users, who are unlikely to have even heard of System Events.app or understand the consequences adumbrated in the message text?
Critically, consent dialogs rely on the user making an immediate decision about security for which they are not sufficiently informed, at a time when it's not convenient, and by an 'actor' – the application that's driving the alert and whose developer writes the alert message text – whose interests lie in the user choosing to allow.
As the user has opened the application with the intent to do something productive, their own interests lie in responding quickly and taking the path that will cause least further interruption. In that context, it seems that users are overwhelmingly likely to choose to allow the request regardless of whether that's the most secure thing to do or not.
system_profiler SPLegacySoftwareDataType
For GUI users, you can take a trip to Apple > About This Mac and click the System Report… button.
Scroll down the sidebar to 'Legacy Apps' and click on it. Here you'll see a list of all the apps that won't run on Catalina. macOS 10.15 itself will also list any legacy apps during the upgrade process, but it's wise to be prepared before you get that far.
VPP & Apple School/Business Manager Support
Catalina continues to allow various enterprise upgrade paths through its Mobile Device Management (MDM) framework, Device Enrollment Program (DEP) and Apple Configurator. For organizations enrolled in Apple's Volume Purchase Program or with Apple Business Manager or Apple School Manager licensing, Catalina is supported right out of the door, saving you the bother of having to manually download, package and then install multiple instances of 10.15.
New in Catalina are Managed Apple IDs for Business, which attempt to separate the user's work identity from their personal identity, allowing them to use separate accounts for things like iCloud Notes, iCloud Drive, Mail, Contacts and other services.
There is a plus here for user privacy, but for admins used to having total control over managed endpoints, be aware that a device with an enrollment profile and managed Apple ID means the business loses power over things like remote wipe and access to certain user data. Effectively, the device is separated in to 'personal' and 'managed' (i.e., business use), with a separate APFS volume for the managed accounts, apps and data.
Privacy Controls Reach New Heights
That's not the only thing to be aware of with regards user data. The biggest change that end users are going to notice as they get to work on a newly upgraded macOS 10.15 Catalina install is Apple's extended privacy control policies, which will manifest themselves in a number of ways.
In the earlier, macOS 10.14 Mojave, there are 12 items listed in the Privacy tab of the Security & Privacy pane in System Preferences. Catalina adds five more, with Speech Recognition, Input Monitoring, Files and Folders, Screen Recording, and Developer Tools added in the new version of macOS.
Here's what the first three control:
Importantly, the three items above can only be allowed at the specific time when applications try to touch any of these services. Although applications can be pre-denied by MDM provisioning and configuration profiles, they cannot be pre-allowed. That has important implications for your workflows since any software in the enterprise that requires these permissions must obtain user approval in the UI in order to function correctly, or indeed at all. Be aware that Catalina's implementation of Transparency, Consent and Control is not particularly forthcoming with feedback. Applications may simply silently fail when permission is denied.
The most obvious, but certainly not only, place where privacy controls are going to cause issue is with video meeting/conferencing software like Zoom, Skype and similar. Prompts from the OS that suggest applications must be restarted after permission has been granted for certain services like Screen Recording have raised fears that clicking ‘Allow' during a meeting might kick users out of the conference while the app re-launches. Optimal craps strategy. Conversely, users who inadvertently click ‘Don't Allow' may wonder why later attempts to use the software continue to fail.
What all this means is that with macOS Catalina, there is a greater onus on sysadmins to engage in user education to preempt these kinds of issues before they arise. Thoroughly test how the apps you rely on are going to behave and what workflow users need to follow to ensure minimal interruption to their daily activities.
The remaining two additional items are:
These last two can both be pre-approved. The first grants access to user files in places like Desktop, Downloads, and Documents folders. The second allows developers to run their own software that isn't yet notarized, signed or ready to be distributed (and thus subject to macOS's full system policy).
And New Lows…
Here's a good example of what all this might mean in practice. Let's take as destination a user's machine on which File Sharing, Remote Management (which allows Screen Sharing) and Remote Login (for SSH) have been enabled.
Suppose, as admin, I choose to both Screen Share and File Share from my source machine into this user's computer. These two different services only require the same credentials – user name and password for a registered user on the destination device – to be entered a single time per session to simultaneously enable both services, but they have confusingly different restrictions.
Download mac data recovery guru 4 0 3. Trying to navigate to the destination's Desktop folder via File Sharing in the Finder from the source indicates that the user's Desktop folder is empty rather than inaccessible.
If I persist in trying to access any of these protected folders, the misleading Finder display is eventually replaced with a permission denied alert.
While Screen Sharing in the same session, however, I can see the Desktop folder's contents without a problem; in fact, in this case it contains 17 items. Indeed, via Screen Sharing, I can move these items from the Desktop folder to any other folder that is accessible through File Sharing, such as the ~/Public
folder. That, in a roundabout and inconvenient way, means I can get past the permission denial thrown above. Further, because I can enable other services in the Privacy pane from my Screen Sharing session, such as Full Disk Access, I can also use those to grant myself SSH access, with which I am similarly also able to work around the File Share permission denied problem.
This kind of inconsistency and complexity is unfortunate. Aside from making legitimate users jump through these hoops for no security pay-off, it raises this question: what does a legitimate user need to do to make File Sharing work properly? It seems we should go to the Files and Folders pane in System preferences and add the required process. But what process needs to be added? There's simply no help here for those trying to figure out how to manage Apple's user privacy controls. As it turns out, there also appears to be a bug in the UI that prevents anything at all being added to Files and Folders, so at the moment we can't answer that question for you either.
Catalina's Vista of Alerts: Cancel or Allow?
This expansion of user privacy controls has one very significant and obvious consequence for everyone using macOS 10.15 Catalina, graphically portrayed in this tweet by Tyler Hall.
The spectacle of numerous alerts has made some liken Apple's investment in user privacy through consent to Microsoft's much-maligned Windows Vista release, which had a similarly poor reputation for irritating users with an array of constant popups and dialogs, many of which seemed quite unnecessary.
Yes, your macOS users are going to be hit by a plethora of authorization requests, alerts and notifications. While Tyler Hall's image was undoubtedly designed to illustrate the effect in dramatic fashion, there's no doubt that Catalina's insistence on popping alerts is going to cause a certain amount of irritation among many users after they upgrade, and who then try getting down to some work only to be interrupted multiple times. However, if the trade-off for a bit of disruption to workflows is improved security, then that's surely not such a bad thing?
The question is whether security is improved in this way or not. Experience has taught malware authors that users are easily manipulated, a well-recognized phenomenon that led to the coining of the phrase 'social engineering' and the prevalence of phishing and spearphishing attacks as the key to business compromise.
On the one hand, some will feel that these kinds of alerts and notifications help educate users about what applications are doing – or attempting to do – behind the scenes, and user education is always a net positive in terms of security.
On the other hand, the reality is that most users are simply trying to use a device to get work done. Outside of admins, IT and security folk, the overwhelming majority of users have no interest in how devices work or what applications are doing, as much as we ‘tech people' would like it to be otherwise. What users want is to be productive, and they expect technology and policy to ensure that they are productive in a safe environment rather than harangued by lots of operating system noise.
The alert shown above illustrates the point. How informative would that really be to most users, who are unlikely to have even heard of System Events.app or understand the consequences adumbrated in the message text?
Critically, consent dialogs rely on the user making an immediate decision about security for which they are not sufficiently informed, at a time when it's not convenient, and by an 'actor' – the application that's driving the alert and whose developer writes the alert message text – whose interests lie in the user choosing to allow.
As the user has opened the application with the intent to do something productive, their own interests lie in responding quickly and taking the path that will cause least further interruption. In that context, it seems that users are overwhelmingly likely to choose to allow the request regardless of whether that's the most secure thing to do or not.
The urgency of time, the paucity of information and the combined interests of the user and the developer to get the app up and running conspire to make these kinds of controls a poor choice for a security mechanism. We talk a lot about 'defense in depth', but when a certain layer of that security posture relies on annoying users with numerous alerts, it could be argued that technology is failing the user. Security needs to be handled in a better way that leaves users to get on with their work and lets automated security solutions take care of the slog of deciding what's malicious and what's not.
Conclusion
If you are an enterprise invested in a Mac fleet, then upgrading to Catalina is a question of 'when' rather than 'if'. Given the massive changes presented by Catalina – from dropping support for 32-bit apps and compatibility issues with existing kernel extensions to new restrictions on critical business software like meeting apps and user consent alerts – there's no doubt that that's a decision not to be rushed into. Test your workflows, look at your current dependencies and roll out your upgrades with caution.
Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.
Read more about Cyber Security
Announced in June 2019 at WWDC, the long-awaited macOS Catalina will be the 16th major release for Apple's operating system. There are tons of new features to be shipped, covering everything from iPad compatibility (Catalyst makes it easy to port iPad apps to Mac) to security (Gatekeeper will require Apple-notarized Developer ID for apps) to entertainment (new apps for Podcasts, TV, and Music), besides the usual improvements to all the native software.
While macOS Catalina is scheduled to be released sometime around September, the public beta is already available, so everyone can try all the new functionality without the wait. Read through our step-by-step guide to learn how to install macOS Catalina public beta.
Is My Mac Compatible With macOS Catalina?
Regardless of whether you want to install the beta or wait for the official public release, one question will inevitably pop up in your head — is my Mac compatible with macOS Catalina? Good question! Let's look at the Mac OS Catalina compatibility chart to find out.
List of macOS Catalina supported Macs
Overall, due to the numerous efficiency improvements under the hood, macOS Catalina supported Macs are nearly identical to those of macOS Mojave:
- MacBook (2015 or later)
- MacBook Air (2012 or later)
- MacBook Pro (2012 or later)
- iMac (2012 or later)
- iMac Pro (2017 or later)
- Mac Pro (2013 or later)
- Mac mini (2012 or later)
The only difference you might find is the new Mac OS Catalina requirements not covering Mac Pros ranging from 2010 to 2012. So unless you have that specific Mac Pro model you should be able to try the new operating system.
However, in case your Mac is on the older side, barely managing to load the macOS won't result in a pleasant experience. For example, Apple specifies that running 4K as well as Dolby Atmos content will only be possible with Macs introduced in 2018 or later that boast 4K screens.
But don't hurry to the Apple Store just yet. If watching videos in 4K is not an absolute necessity, you could simply optimize the Mac you have for faster performance and run macOS Catalina without a problem.
What are macOS Catalina storage requirements?
To run properly, macOS Catalina needs a considerable amount of disk space. It's generally recommended to keep at least 15% of your main drive free. But remember, you'll also need space for future macOS updates and all the new software that goes with Catalina. So you should think of freeing up storage way beforehand, while you're still on Mojave or other older OS.
The general space goals to aim for here:
- 15–20 GB of free storage.
- 4 GB of RAM.
Upgrade smoothly: remove outdated system files
The best way to rise above the basic Mac OS Catalina requirements is to do a thorough scan of your Mac and purge all the useless data that you've accumulated over the years. Quite a hefty task if you choose to do it manually: your Mac has a ton of system files and invisible folders that require the use of Terminal to get to. Luckily, there's a software designed to take care of it all automatically. https://sxteu.over-blog.com/2021/02/steam-app-download.html.
CleanMyMac X is the easiest and the most thorough way to bring your Mac back to its pristine original state. In fact, the app is so helpful and intuitive that it was recognized as the '#1 Product of the Month' by Product Hunt.
Here are the kind of files you should try to get rid of:
- User and system cache files.
- System and user log files.
- Language files.
- Broken login items.
To do so with CleanMyMac X, simply:
- Download the free version of the app.
- In the sidebar, navigate to System Junk and hit Scan.
- Review Details and then Clean anything you don't need.
Even though I've been using CleanMyMac X on a regular basis, the System Junk scan has revealed over 11 GB of files I no longer need. Imagine how much dead weight your Mac can carry!
Maximize your storage space
Spectacle Mac Catalina Beach
Once you clean your Mac from all the system and user-generated junk, you'll notice improvements in responsiveness and speed right away. But it's not only outdated files that slow your Mac down.
To hit all macOS Catalina system requirements, you need to have as much of your hard drive free as possible. This might include, for example, legitimate but long-forgotten documents you haven't opened in years.
The good news is you can see what's taking up your hard drive capacity with a new feature in CleanMyMac X called Space Lens, which creates an interactive visual map of all your files and folders:
- Open up CleanMyMac X (or download for free here).
- Go to Space Lens under the Files tab.
- Hit Scan and wait for the process to finish.
- Explore all the interactive bubbles and remove the folders you no longer need.
Spectacle App For Mac
With no extra system files or unused heavy folders dragging you down, your older Mac will become brand new again, agile enough to take on the new macOS Catalina as it becomes available this fall. Best of all, just one app — CleanMyMac X — can do it all for you.
These might also interest you: