hoakley December 24, 2019 Macs, Technology

Network security can block updates, notifications, and more

Users are increasingly deploying network security measures to combat malware and attacks from bad actors. Although these have traditionally been used by larger organisations, some individuals are now adopting them. Unfortunately, they can have untoward side effects: if you’re not careful, you could end up blocking software updates and even checks on software signatures and notarization.

The most basic protection has traditionally been a firewall between your local network and the Internet, configured to block all incoming and allow all outgoing connections. This remains a safe measure which shouldn’t interfere with any services required by macOS.

That doesn’t, of course, provide any protection against malware running within your network which tries to ‘phone home’, so many users are now using software firewalls such as Little Snitch or Lulu. As I have explained, you must configure those so that they don’t block essential services required by macOS. To do that, you’ll need to permit some outgoing connections to support the services your Mac relies on: that article has links to help you do that. For example, to permit all macOS services you’ll need to allow all outbound connections to *.apple.com or 17.0.0.0/8.

Another measure which is becoming increasingly popular is SSL Inspection (also known as HTTPS Inspection). Some security researchers estimate that around half of all network traffic generated by malware uses encrypted sessions such as HTTPS. SSL Inspection normally uses a proxy to unlock encrypted sessions, check the packets being transferred, and try to identify and block any abuse or malicious activity. Although this might appear to be transparent to services using encrypted connections, it isn’t: those services can detect when SSL Inspection occurs.

Many of Apple’s services now detect SSL Inspection and, because they could themselves be offensive in purpose, they will fail such connections, and the affected service will stop working, possibly in complete silence. Among the services affected are:

device setup for all Apple OSes
device management using MDM
software updates for all Apple OSes, including update catalogs
macOS Recovery mode
App Store and app updates from Apple’s stores
content caching
softare notarization (ticket delivery)
certificate validation.

Apple provides full details of these services and their requirements in this recent article.

I’m very grateful to Matthew for drawing my attention to this growing problem.

10Comments

Add yours

1

James on December 24, 2019 at 8:03 am

Unfortunately Apple’s Enterprise document doesn’t include all endpoints required to successfully manage macOS devices in the Enterprise. We continue to find new hosts and raise this through ACE.

LikeLiked by 1 person
- 2
  
  hoakley on December 24, 2019 at 9:34 am
  
  Thank you.
  Now why doesn’t that surprise me?! It must be that pesky D word again…
  Howard.
  
  LikeLike
3

Prior... on December 24, 2019 at 2:50 pm

Thank you for this tip and for your posts this year – have enjoyed learning
And wishing you a happy holiday season

LikeLiked by 1 person
- 4
  
  hoakley on December 24, 2019 at 10:56 pm
  
  Thank you – happy holidays too!
  Howard.
  
  LikeLiked by 1 person
5

Valdo on December 25, 2019 at 8:48 am

The LuLu is the most user friendly app; allow all Apple connections, eventually block Spotlight as this is using Google outside of Mac. All other can be selected as you like.

LikeLiked by 1 person
6

Sebby on December 26, 2019 at 4:43 am

Hmmm. The company that makes so much capital from respecting privacy prevents you from inspecting communication to Apple servers that is mandatory. Another win for public relations, I think. Windows 10 traffic can be inspected, by contrast. Even though I agree TLS interception is bad, I don’t think Apple should be doing this–if the device is trusted by the end user because she has guaranteed the root certificate trust store and there are no added certificates, then I see no reason why additional restrictions are needed; enterprises that modified their devices have every right to inspect the traffic, provided the ultimate user is made aware of this.

LikeLiked by 1 person
- 7
  
  hoakley on December 26, 2019 at 3:40 pm
  
  Thank you.
  I suspect that Apple does this to prevent people from reverse-engineering its sensitive protocols and security measures. Given the amount of traffic for processes such as certificate and notarization verification, I can’t think for a moment that Apple collects or even analyses any of the data, so I don’t think that privacy comes into this.
  As for rights to inspect traffic, I think if you read the lawyer’s words in Apple licences etc. you abandon those the moment that you start using Apple software, unless you have agreed something different with Apple. It always amuses me how little Apple’s (and others) actually agree to do in licences – for example, with respect to maintaining macOS.
  Howard.
  
  LikeLike
  - 8
    
    Sebby on December 26, 2019 at 3:58 pm
    
    I daresay you’re right. It’s probably in all of our futures, anyway, and as you say it suits Apple’s purposes down to the ground. But it’s a bitter pill to swallow for anybody who cares about data sovereignty, particularly in very closed networks where border security is absolutely paramount and even leaking of metadata about application use (such as might be derived from the push notification connections) would be considered risky.
    
    I hope you’re enjoying your holidays.
    
    LikeLiked by 1 person
    - 9
      
      hoakley on December 26, 2019 at 4:14 pm
      
      Thanks, yes – I upgraded my main Mac, an iMac Pro with an ancient Promise Pegasus T4 RAID, to Catalina today, whilst everything was quiet. It’s just in the throes of its first backup. Fingers crossed.
      Closed networks are a real challenge, of course. It would be interesting to know how some of the major users cope. I once worked on systems inside a Faraday Cage – but that was in the days when always-on remote network connections were still relatively unusual.
      Howard.
      
      LikeLike
10

Sebby on December 26, 2019 at 4:58 pm

I will (probably have to) eventually surrender to Catalina … just not today. A couple of outstanding 32-bit apps (actually, WineSkin ports in urgent need of redoing and the excellent PortMap utility for which there are command-line alternatives) and iTunes are the chief reasons for my holding off. The new apps, particularly Podcasts, make me very unhappy, but as I do much of my listening nowadays on headphones with built-in equalisation, I could probably live with the worst of it. The big challenge is going to be moving my audiobook library on to my internal drives (research indicates that Books does not support iCloud for audiobooks, perhaps unsurprisingly).

As to restrictive networks, I think “surrender” has been the predominant theme there also. I mean, ultimately, there is no other way to do MDM, and the only API that supported persistent connections, VoIPKit, was obsoleted by the iOS 10 SDK and now VoIP apps also require push with PushKit. So, inevitably, you must talk to Apple servers either directly or indirectly through an explicitly configured HTTP proxy server. It would be interesting, indeed, to get a general feel for the sentiment on this, but I don’t suppose the balance of power leaves much in the way of choice for admins.

Cheers.

LikeLike

·Comments are closed.

Share this:

Related