Moving to iOS 12 and macOS Mojave: tips for admins and enterprises

Under-the-hood changes tend to have a bigger impact on organizations than on home users. Many of these points tend to be overlooked by conventional news coverage, so we point them out here.


With macOS Mojave and iOS 12, Apple is tightening its security rules. Not only will Apple put more emphasis on privacy, but 32-bit applications will slowly be phased out as well. macOS Mojave at least warns about processes that still use the 32-bit architecture.

Symantec is no longer trusted

Symantec is one of the oldest institutions when it comes to security certificates. With macOS Mojave, Apple will block Symantec’s certificates, that is, classify them as “untrustworthy”. This also applies to iOS 12.

So if you deploy certificates of this type on the corporate network, they must have been issued between 1 June 2016 and 1 December 2017. However, Apple is only granting a grace period here and will distrust all Symantec certificates later in 2018.

Apple is not the only one going this way. Mozilla (with Firefox) and Google (with its own Chrome browser) also classify the certificates as untrusted. This comes in the wake of a prolonged dispute. Since December 2013, Mozilla has been pointing out the danger of Symantec certificates that no longer comply with the general rules.

Other limitations

Apple also takes certificates of the type “Federal Common Policy Root CA” out of its so-called Trust Store. The reason for this is that WoSign, which issues these certificates, has taken over the company StartCom without mentioning it. StartCom is also a certificate issuer. Apple probably suspects collusion here that could harm users.

So if your organization has purchased certificates from these vendors, Apple describes a detailed procedure for dealing with them at the launch of macOS Mojave and iOS 12. Apple also does not rule out further action here and is investigating the matter more closely.

Configuring devices via PAC

With the Proxy Automatic Configuration (PAC) service, Apple allows configuration files to be downloaded to devices, which can then be configured. Company settings can be automatically applied to multiple devices in this way.

For security reasons, macOS Mojave disables the use of FTP and file URLs. All links must now be accessed via HTTP or HTTPS. So you have to change your server settings so that the server can respond on other ports or protocols. This change also applies to iOS 12.
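To find deployments affected by this change before upgrading, the following added example (not from the original article or from Apple) scans an unsigned configuration profile for PAC URLs that are not HTTP or HTTPS. It assumes the `ProxyPACURL` key used in configuration-profile proxy and Wi-Fi payloads; the sample profile and its host names are constructed.

```python
import plistlib
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # the only schemes still accepted for PAC

def find_pac_urls(node, path="profile"):
    """Yield (path, url) for every ProxyPACURL key anywhere in the plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "ProxyPACURL" and isinstance(value, str):
                yield f"{path}.{key}", value
            else:
                yield from find_pac_urls(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_pac_urls(item, f"{path}[{i}]")

def audit_profile(data: bytes):
    """Return [(path, url, reason)] for PAC URLs that will stop working."""
    findings = []
    for path, url in find_pac_urls(plistlib.loads(data)):
        parts = urlsplit(url.strip())
        scheme = parts.scheme.lower()
        if scheme not in ALLOWED_SCHEMES:
            findings.append((path, url, f"scheme '{scheme or 'none'}' not allowed"))
        elif not parts.hostname:
            findings.append((path, url, "no host in URL"))
    return findings

# Constructed sample profile (not from a real deployment).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.proxy.http.global", "ProxyType": "Auto",
         "ProxyPACURL": "ftp://files.example.com/proxy.pac"},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "corp",
         "ProxyType": "Auto", "ProxyPACURL": "https://pac.example.com/proxy.pac"},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "lab",
         "ProxyType": "Auto", "ProxyPACURL": "file:///Library/proxy.pac"},
    ],
})

if __name__ == "__main__":
    for path, url, reason in audit_profile(SAMPLE_PROFILE):
        print(f"{path}: {url} -> {reason}")
```

Signed profiles are CMS-wrapped and must be unwrapped before `plistlib` can parse them.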

Kickstart now only allows watching

System administrators have had an easy time with the kickstart application so far. This command-line utility can be used to control other Macs on the network and thus help users faster.

Here, however, Mojave puts a stop to it. With kickstart, it is now only possible to track user activity without being able to intervene directly. If you want to keep the ability to intervene yourself, the requesting users must activate Remote Management in System Preferences.

Single-user mode changes

Newer Macs, more specifically the 2018 iMac Pro and MacBook Pro models, have the T2 chip built in. This allows granular security settings. The consequence is that the Mac cannot be booted into single-user mode as usual. These models must be booted into “recovery mode” instead.

File access for applications

If your company's own applications on macOS need access to certain data, such as calendars, to which normally only system administrators have access, then the configuration files under Mojave can help. Here you can now fine-tune which applications have access to which file areas.