Silent Mojave night: security settings files in macOS Mojave

In amongst the hundreds of thousands of files which together make macOS Mojave work, there are security and other settings files which Apple normally updates silently. These are almost completely undocumented, but can sometimes cause problems, by disabling an old version of Flash, Java, or Silverlight, or even breaking your network connection. Here’s a quick roundup of those which you are most likely to come across.

Core Suggestions Configuration Data
Latest version: 1.0 680.111, 18 August 2018.
These are support data for /System/Library/PrivateFrameworks/CoreSuggestions.framework, to be used in various app features.

CoreLSKD Configuration Data
Latest version: 10.5.0, 17 August 2018.
These are support data for /System/Library/PrivateFrameworks/CoreLSKD.framework and go into /usr/share/kdrl.bundle for internal use.

EFI Allow List
No version given. 23 August 2018.
A bundle containing files listing all the allowed versions (and signatures?) of EFI firmware for Macs running Mojave. Stored in /usr/libexec/firmwarecheckers/eficheck/EFIAllowListShipping.bundle and used by the eficheck tool for its weekly EFI firmware checks. Introduced in High Sierra, as detailed here.

Gatekeeper Configuration Data
Latest version: 181, 26 August 2019.
This is an SQLite database which is placed in /private/var/db/gkopaque.bundle/Contents/Resources/gkopaque.db to provide blacklists and whitelists for Gatekeeper’s security system, which checks the code signatures of apps.

Gatekeeper Disk Image Configuration Data
Latest version: 7.2, 17 August 2018.
This provides data for checking signed disk images, which is kept in /var/db/gke.bundle/Contents/Resources/gke.auth It remains unchanged from Sierra.

Incompatible Kernel Extension Configuration Data
Latest version: 14.5.1, 13 May 2019.
This is a list of kernel extensions (KEXTs) which will be excluded at startup, and is stored in /System/Library/Extensions/AppleKextExcludeList.kext. This is a new version, different from that in High Sierra, reflecting Mojave’s updated policies.

MRT Configuration Data
Latest version: 1.93, 29 April 2022.
These are the settings for Apple’s Malware Removal Tool /System/Library/CoreServices/ and go into that app, so that it can remove any malware which macOS detects.

TCC Compatibility Bundle
Latest version: 140.18, 2020-002 Security Update 24 March 2020
This is a signed bundle at /System/Library/Sandbox/TCC_Compatibility.bundle which contains AllowApplications.plist, which appears to be a global whitelist pushed by Apple for privacy overrides whenever TCC starts up. This is essentially new for Mojave, and only checked in LockRattler version 4.12 and later.

Latest version: 1.0 2167, 30 March 2023.
These are the whitelists and blacklists used by XProtect, as detailed here. They go into /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.meta.plist,
/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist and /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara.

Latest version: 1190, 29 October 2018
These settings are placed in /System/Library/PrivateFrameworks/SystemMigration.framework for use by Migration Manager.

Currently, Catalina offers most of these with the same version numbers, but not the Incompatible Kernel Extension Configuration Data, which is replaced by a different mechanism altogether.

Details last updated 30 March 2023.