macOS Sequoia | What’s New in Privacy and Security for Enterprise

Monday September 17th saw Apple release the newest version of its Mac operating system, macOS 15 Sequoia, and SentinelOne was delighted to announce support for this version of macOS on the day of release.

While the original announcement of Sequoia at WWDC 2024 focused heavily on a raft of "AI" features - largely absent so far - less attention was given to the privacy and security changes in macOS 15. In this post, we bring you a quick roundup of the features in Sequoia that enterprise security teams should be aware of before upgrading.

Mac Devices Dropped

As always, the first thing with any new OS release is to determine which enterprise assets will need to be added to the sunset list. With Sequoia, only two models that currently run macOS 14 Sonoma will be unable to upgrade to macOS 15 Sequoia: MacBook Air 2018 and MacBook Air 2019.

The full list of macOS Sequoia compatible models is:

Mac devices compatible with macOS Sequoia (Source: Apple)

Passwords in the Dock | Don't Give Up Your Password Manager Just Yet

macOS Sequoia brings with it a full, standalone GUI version of the passwords that have up to now been locked inside Safari and System Preferences, both of which are really just (partial) front ends for the macOS and iCloud Keychain technology.

The new passwords application looks like a traditional password manager application but with not quite all the functionality you get from commercial password managers.

Passwords.app supports both passwords and passkeys and contains "Authenticator" style functionality for generating verification codes. A security pane offers recommendations about weak, compromised and reused passwords. Passwords from other apps can be imported via a CSV file exported from the other application.

macOS Sequoia's Passwords app

So is it time to wave goodbye to 1Password and the like? We wouldn't be so hasty, but at least you can now have Apple's password/passkeys functionality sitting in the Dock or in the status bar. For our part, a major security advantage of external password managers is that the master password to unlock them isn't by default the same as the user/admin password for the Mac (and if you are using the same for both, well…don't!).

As we have reported on throughout the last year or so, macOS malware and particularly infostealers go after the admin password as a matter of routine. That global password is so commonly required by software installers and other processes seeking limited privileges that it has become a security risk in itself. It is possible to use different keychains and therefore passwords with macOS, but it is far from convenient. A separate password manager with its own unique master password is far better protection than having all your passwords locked in an app that uses the same ubiquitous password as everything else on your device; tldr; stick with your external password manager for better security.

KeyChain Access.app Gets a New Home

Since we mentioned Keychain, a note to administrators: If you have a script that's looking for the KeyChain Access.app, note that on Sequoia it can now be found at /System/Library/CoreServices/Applications/Keychain Access.app instead of /System/Applications/Utilities/Keychain Access.app.

Keychain Access has moved in Sequoia

Changes to Gatekeeper and XProtect

We rarely see architectural changes in macOS security in OS upgrades, but Sequioa brings some interesting developments to both Gatekeeper and XProtect.

Admins may be relieved to see that Gatekeeper's underlying command line tool, spctl, has lost its -master-disable command, meaning malware can no longer abuse the command line to try to circumvent the system security assessment policy. Similarly, the Finder can no longer be used to override Gatekeeper through right-clicking and choosing 'open' - a method that much malware and adware has abused over the years.

An Atomic Stealer installer instructing the victim to override Gatekeeper control

Now, user's will be required to take a more cognitively taxing trip to System Settings (neé System Preferences) to override the Gatekeeper policy and allow something blocked by Gatekeeper to run.

Meanwhile, the command line has gained a new 'xprotect' tool at /usr/bin/xprotect. This can be used to invoke XProtect functionality.

The options as shown in the man page are fairly limited and do require to be run as sudo (requiring that ubiquitous admin password mentioned earlier).

What's New in TCC with macOS Sequoia?

Transparency, Consent and Control is, at least in Apple's hands, a somewhat controversial mechanism for protecting user privacy from overreaching processes and applications. With each release of macOS, we usually see some existing features fall under its umbrella.

With macOS 15 Sequoia, the headline acts are screen recording apps, which will now throw a prompt to users for TCC permissions not once but monthly, and any apps that require local network access; that's including any peripheral disks plugged in to USB as well as devices on the same local area network. More details on both of these can be found in Apple's video 'What's new in privacy'.

On the command line, it's the turn of dscl (aka/usr/bin/dscl) - the Directory Service command line utility. This tool is widely used by Mac admins to query
and authenticate users and generally to create, read, and manage Directory Service data. Now, use of dscl to change home directory of a user will trigger a TCC prompt for consent. The same also applies to the dsimport (/usr/bin/dsimport) tool.

Rotating Wi-Fi Addresses

MAC addresses - absolutely nothing to do with Macs, in particular - are unique hardware identifiers that can be used to track devices on a network, both wireless and wired. As of Sequoia, macOS can now rotate these addresses over time. Apple suggests this will happpen roughly on a 2-week basis.

Apple says that using a rotating address helps reduce tracking by Wi-fi network operators.

Rotating Wi-Fi Address

Use iCloud with macOS Virtual Machines

Everybody needs a virtual machine or two…well, security researchers, developers and quite a few administrators do, anyway. Virtualization was supposed to be made easy with Apple silicon thanks to a new, native virtualization framework, but the reality has been anything but. Aside from a lack of x86 emulation and the inability to run versions of macOS older than the host, Apple silicon virtual machines have also been unable to use any iCloud services. These restrictions have meant that while it is easy to spin up a macOS VM of a current host even without 3rd party software, the lack of features available preclude most of the reasons anyone might want to do so.

With Sequoia, iCloud services are now reachable from within a VM client, meaning that admins and other users can now use a virtualized environment to access certain Apple features that they might otherwise want to keep isolated from the host. Apple says that:

On a virtual machine running macOS 15, users can do the following:

• Sign in to iCloud (using a personal Apple Account or Managed Apple Account) after
  their account has already signed in on a physical Apple device. This allows users to access iCloud services and apps associated with iCloud on the virtual machine.
• Use Erase All Contents and Settings

There is still a long way to go before Apple reclaim their once coveted mantle of being able to run almost any OS from the a single piece of hardware (whether that was by dual booting, bootcamp, virtualization or emulation), and the pessimists among us tend to think that this is no longer even part of Apple's ambition, but we are at least one step better off in this regard with Sequoia than the we were with Sonoma.

AI and the Enterprise | Will MDM Rein It In?

Although we're still waiting for the features to drop, all the talk about "Apple Intelligence" has excited users, but many Mac admins and security teams have been wondering: "how will we control this in our environments?". Apple says that new features like Math Notes and Writing Tools will have MDM controls for use in organizations, businesses and educational institutions.

These controls should include the ability for organizations to limit access to both external integrations like ChatGPT in Siri and Writing Tools as well as MDM and AAC controls for Math Notes, Smart Script, Image Playground and Writing Tools. Sounds good, but we'll have to wait and see to test these tools and their controls to fully understand the security implications for enterprises.

No More Apple ID? It's Just a Name Change

Across Sequoia, Apple has continued to make changes to align macOS more closely with iOS and iPadOS. As part of that trend, Apple ID has been renamed to Apple Account "for a consistent sign-in experience across Apple services and devices." The service remains the same and relies on a user's existing credentials. Similarly, Managed Apple IDs (MAID) are now known as Managed Apple Accounts (MAA).

Say Farewell to Periodics

The venerable Unix maintenance mechanism Periodics has been redundant on macOS for a long time, but it was always a nice sneaky red team way to persist that few people (including malware authors, it seems!) were aware of, but no longer. Like emond before it, Apple is slowly whittling out these arcane bits of code that are of little relevance now but could still be abused by threat actors.

That said, in the event that you're an admin making use of these on an existing install, upgrading to Sequoia appears not to delete existing user Periodic scripts located in /etc/periodic/; however, such scripts will no longer run as the binary at /usr/sbin/periodic no longer exists. At least, though, you can review your script and implement the logic in a Launch Daemon or some other existing scheduling mechanism if appropriate.

SentinelOne Supports macOS Sequoia 15.0

Our engineering teams have been working hard over the summer to ensure that SentinelOne was ready to support macOS 15 on the day of release. Our extensive beta testing has resulted in support with macOS Agent version 24.2.2.

Customers are reminded that, as always, it is vital to update the agent to the supported version prior to upgrading the OS. Further recommendations and advice are available on the Customer Portal and admins are recommended to read the documentation before upgrading to macOS Sequoia.

Public link

Please use the above public link if you want to share this noodl on another website.