AFP548 Site News, OS X September 28, 2015 at 8:32 am

Challenges My Organization Faces Upgrading to OS X 10.11, El Capitan

As if you haven’t heard, there’s something new this month to cause drama on the Apple upgrade treadmill (just as nefarious as Slack dragging everyone’s communication watering hole into the future). This time it’s the coming System Integrity Protection and other tightening restrictions we’re all dealing with. I wanted to share our current blockers to replicating the workflow we support for customers on 10.10, which comes down to two attitudes displayed by one vendor in particular (that will remain nameless): apathy, and ignorance.

Everything's going to be alright. via http://gph.is/13hgXMD

‘I don’t know’

The vendor could have corrected course, or known not to write to certain paths: the impending SIPocalypse will lock those paths down by relocating errant files out of them, and new installs that try to write there will fail. This one vendor in question bundles a whole bunch of packages as one, so if I wanted to deploy the parts of it that CAN run while waiting for other components to be revised, I’d have to use ChoiceChangesXML to avoid repackaging. From the very beginning they could have taken the hint that /Applications, /Library and /usr/local are legit paths to write to. (Or heck, even /opt is mostly fine if they figured out how to run SetFile on it to hide it from the OS after writing…coughCiscocough and if they need to run out of the home folder, well, ಠ_ಠ. I’m looking at you, GoToMeeting…)
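As an added illustration (not part of the original post or any vendor's tooling), this script sorts a package's payload paths into those SIP blocks, those the paragraph above names as legitimate, and everything else. The file names are constructed, and the protected-root list is a simplification of what 10.11 enforces.

```shell
#!/bin/sh
# Added example (not from the original post): sort package payload paths by
# how OS X 10.11 System Integrity Protection treats the top-level location.
# Simplified: the authoritative list, with exceptions, is
# /System/Library/Sandbox/rootless.conf on a 10.11 system.

# sip_class PATH -> prints "ok", "blocked" or "review"
sip_class() {
    p=$1
    case $p in ./*) p=${p#.} ;; esac      # "./usr/bin/x" -> "/usr/bin/x"
    case $p in /*) ;; *) p=/$p ;; esac    # "usr/bin/x"   -> "/usr/bin/x"
    case $p in
        # Paths the post calls legitimate for third parties to write to.
        /usr/local|/usr/local/*|/Applications/*|/Library/*) echo ok ;;
        # SIP-protected roots; /usr/local was matched above as the exception.
        /System|/System/*|/usr|/usr/*|/bin|/bin/*|/sbin|/sbin/*) echo blocked ;;
        # /opt, home folders, etc.: not SIP-blocked, but worth a look.
        *) echo review ;;
    esac
}

# sip_audit: read one path per line on stdin, print "class<TAB>path",
# return 1 if any path is blocked.
sip_audit() {
    rc=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        c=$(sip_class "$path")
        printf '%s\t%s\n' "$c" "$path"
        if [ "$c" = blocked ]; then rc=1; fi
    done
    return "$rc"
}

# Constructed sample payload listing (hypothetical vendor file names).
sip_audit <<'EOF' || echo "=> payload writes to SIP-protected paths"
/Applications/VendorVPN.app/Contents/MacOS/VendorVPN
./usr/local/bin/vendorctl
/Library/LaunchDaemons/com.example.vendor.plist
/usr/bin/vendorhelper
/usr/localbin/oops
/System/Library/Extensions/VendorFilter.kext/Contents/Info.plist
/opt/vendor/bin/agent
EOF
```

Feed it one path per line from whatever lists the package contents; a non-zero return means at least one payload path needs the vendor to revise it before a 10.11 deployment.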

‘I don’t care’

How many WWDCs has it been where they’ve been warning developers about unsigned kexts? Not that the signature validation process doesn’t have various issues with enforcement, allowing rootkits to stay persistent and undetected, but to get back on track… It shows a lack of concern with their products actually, y’know, working, that vendors who require kernel-level extensions can’t get them signed. But I can’t say I’m upset that their installation attempts will now be fruitless, since crappy drivers end up being the primary cause of crashes and kernel panics.

Like a good security stance, we serve ourselves and our customers best when we assume there will be incompetence and that obliviousness will cause mistakes to be made. Here’s hoping your mitigation techniques and workarounds, especially if they can’t avoid a delay for your customers’ ability to upgrade, don’t cause too much friction in your environment.

Allister Banks

Allister lives in Japan, has not read the Slack scroll back, and therefore has no idea what is going on.
