Silent Mojave night: security settings files in macOS Mojave

In amongst the hundreds of thousands of files which together make macOS Mojave work, there are security and other settings files which Apple normally updates silently. These are almost completely undocumented, but can sometimes cause problems, by disabling an old version of Flash, Java, or Silverlight, or even breaking your network connection. Here’s a quick roundup of those which you are most likely to come across.

Core Suggestions Configuration Data
Latest version: 1.0 680.111, 18 August 2018.
These are support data for /System/Library/PrivateFrameworks/CoreSuggestions.framework, to be used in various app features.

CoreLSKD Configuration Data
Latest version: 10.5.0, 17 August 2018.
These are support data for /System/Library/PrivateFrameworks/CoreLSKD.framework and go into /usr/share/kdrl.bundle for internal use.

EFI Allow List
No version given. 23 August 2018.
A bundle containing files listing all the allowed versions (and signatures?) of EFI firmware for Macs running Mojave. Stored in /usr/libexec/firmwarecheckers/eficheck/EFIAllowListShipping.bundle and used by the eficheck tool for its weekly EFI firmware checks. Introduced in High Sierra, as detailed here.

Gatekeeper Configuration Data
Latest version: 155, 24 September 2018.
This is an SQLite database which is placed in /private/var/db/gkopaque.bundle/Contents/Resources/gkopaque.db to provide blacklists and whitelists for Gatekeeper’s security system, which checks the code signatures of apps.

Gatekeeper Disk Image Configuration Data
Latest version: 7.2, 17 August 2018.
This provides data for checking signed disk images, which is kept in /var/db/gke.bundle/Contents/Resources/gke.auth It remains unchanged from Sierra.

Incompatible Kernel Extension Configuration Data
Latest version: 14.0.3, 17 August 2018.
This is a list of kernel extensions (KEXTs) which will be excluded at startup, and is stored in /System/Library/Extensions/AppleKextExcludeList.kext. This is a new version, different from that in High Sierra, reflecting Mojave’s updated policies.

MRT Configuration Data
Latest version: 1.35, 19 June 2018.
These are the settings for Apple’s Malware Removal Tool /System/Library/CoreServices/MRT.app and go into that app, so that it can remove any malware which macOS detects.

TCC Compatibility Bundle
Latest version: 14.0, undated (macOS 10.14 release)
This is a signed bundle at /System/Library/Sandbox/TCC_Compatibility.bundle which contains AllowApplications.plist, which appears to be a global whitelist pushed by Apple for privacy overrides whenever TCC starts up. This is essentially new for Mojave, and only checked in LockRattler version 4.12 and later.

XProtectPlistConfigData
Latest version: 1.0 2100, 28 September 2018.
These are the whitelists and blacklists used by XProtect, as detailed here. They go into /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.meta.plist,
/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist and /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara.

IncompatibleAppList
Latest version: 1189, 21 September 2018
These settings are placed in /System/Library/PrivateFrameworks/SystemMigration.framework for use by Migration Manager.

Details last updated 14 October 2018.