
The Eclectic Light Company

hoakley March 6, 2023 Macs, Technology

How troubleshooting has changed with macOS security

Changes in macOS security since Mojave have been deep and extensive, but their impact on troubleshooting isn’t often appreciated. Most of us continue to use techniques and solutions that ignore those profound changes, only to become frustrated that they no longer work as they used to. This article briefly reviews how Secure Boot, the Sealed System Volume (SSV), code signing requirements on Apple silicon, and Gatekeeper checks in Ventura affect the way we tackle problems.

This also depends greatly on which type of Mac we are dealing with: plain Intel Macs (which I’ll refer to as Intel), Intel Macs with T2 chips (IT2), and Apple silicon Macs (AS) differ in their security features, which in turn determine how we should tackle their problems.

Secure Boot and the SSV

Since Big Sur, the great majority of macOS has effectively been locked away as if in ROM, and can’t be changed even by accident, except on Intel.

During Secure Boot on IT2 and AS, each stage of the boot process now verifies the integrity of the code for the next stage. The fact that a Mac can boot normally therefore guarantees that the kernel, firmware and software are exactly as intended. This is extended to the entire contents of the System volume by the SSV, using a tree of cryptographic hashes to verify them down to the last bit. Apple details this here for IT2, here for AS, and here for the SSV on both. There is no such thing as Secure Boot on Intel (without T2), though, and Apple doesn’t explain whether or how those older Macs verify the SSV.

Some of macOS is still stored outside the SSV, on the Data volume of all Macs running Big Sur and later, including most notably Safari and its supporting components. These are now protected within cryptexes, and as immutable as the contents of the SSV.

With the guaranteed integrity of the SSV and cryptexes on IT2 and AS models, reinstalling the same version of macOS has no effect on the great majority of macOS. Similarly, installing an older version and updating it to the current one can only produce exactly the same result as installing the current version directly.

Two procedures might be worth considering, though: replacing the latest version of macOS with an older one, in an attempt to clear new problems, and installing macOS and migrating to it from backups. Both of these can also make problems worse as they rely on migration, which could restore other components responsible for a problem, or those incompatible with the version of macOS being installed. Unless you have identified which items in the backup shouldn’t be installed in the new macOS, and exclude them from migration, neither procedure has much chance of solving a problem.

Intel Macs (without a T2) could be different, but there’s insufficient knowledge about how thoroughly they verify the integrity of the SSV to assess whether reinstalling macOS could be any more purposeful.

Code signing and Gatekeeper

All third-party software is installed on the Data volume, making it susceptible to accidental or deliberate change, just as it has been in the past. What has changed is that all Universal executable code is required to be signed, and signing and integrity are now checked whenever an app is opened, rather than just when it’s first run. As a result of this change, I am removing the signature-checking code from all my apps, as that’s now superfluous.

Just as successfully booting macOS is verification of its integrity, so launching an app without a code signature error verifies the code within that app. That applies to all Macs running Ventura, where replacing a misbehaving app with a fresh copy is likely to be pointless. The most important exception to this is when the app crashes when it’s launched. Two significant causes for that are:

  • The app is being run in translocation, because it hasn’t been moved from within the folder it was originally located in. The solution is then to move the app without its enclosing folder to a standard location such as the main Applications folder, and run it from there.
  • The app has been updated or otherwise modified without it being signed correctly again. Downloading and installing a complete updated version of the app should solve that.
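A read-only check for those two causes, as an added example that is not part of the original article. It assumes translocated apps run from a path containing an `AppTranslocation` directory and that the quarantine flag is the `com.apple.quarantine` extended attribute; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): check one app for the two launch-crash
# causes listed above. Read-only: it changes nothing on disk.
# Plain POSIX sh, so the functions can also be pasted into zsh in Terminal.

# is_translocated PATH -> exit 0 when PATH lies inside an App Translocation mount.
# ASSUMPTION: such paths contain an "AppTranslocation" directory component.
is_translocated() {
    case "$1" in
        */AppTranslocation/*) return 0 ;;
        *) return 1 ;;
    esac
}

# translocated_from_ps: filter "PID EXECUTABLE" lines on stdin, as printed by
#   ps -ax -o pid= -o comm=
# keeping only processes whose executable runs from a translocation mount.
translocated_from_ps() {
    while read -r pid exe; do
        if is_translocated "$exe"; then printf '%s\t%s\n' "$pid" "$exe"; fi
    done
}

# launch_triage APP -> prints findings; exit 2 if APP is not a bundle directory,
# 1 if the signature check fails, 0 otherwise.
launch_triage() {
    app=$1
    [ -d "$app" ] || { echo "not an app bundle: $app"; return 2; }
    rc=0
    # Cause 1: a quarantined app still inside its original folder is run
    # translocated. The fix from the article is to move the app on its own.
    if command -v xattr >/dev/null 2>&1; then
        if xattr -p com.apple.quarantine "$app" >/dev/null 2>&1; then
            echo "quarantine: set (app may be translocated if run in place)"
        else
            echo "quarantine: not set"
        fi
    else
        echo "quarantine: xattr tool not available, skipped"
    fi
    # Cause 2: bundle updated or modified without being signed again.
    if command -v codesign >/dev/null 2>&1; then
        if codesign --verify --deep --strict "$app" 2>&1; then
            echo "signature: valid"
        else
            echo "signature: INVALID, install a complete fresh copy"
            rc=1
        fi
    else
        echo "signature: codesign not available, skipped"
    fi
    return $rc
}
```

Run `launch_triage` with the path to the app bundle, and pipe `ps -ax -o pid= -o comm=` into `translocated_from_ps` to list anything currently running from a translocation mount.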

Login and Background Items

Many apps now rely on Login and Background Items to perform privileged tasks or provide services. Previously no accessible control has been provided over these, and third-party utilities have been required. Ventura’s new Login Items settings are an important improvement here, in listing LaunchAgents and LaunchDaemons previously only accessible through their installed property lists.

Apps developed for Ventura may opt to use its new architecture, in which those property lists remain inside the app’s bundle. Although this can make them harder to track down, because they’re protected by the app’s code signature, in the long run this should simplify troubleshooting: any change to those property lists will break the app’s signature, and prevent it from being opened.

Examining Login and Background Items settings is now an important step in diagnosing many otherwise elusive problems. This is explained in this article, which recommends obtaining a BTM dump using the command
sudo sfltool dumpbtm > ~/Documents/btmdump.text
to write it to the text file btmdump.text in your Documents folder.
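One way to triage that dump, as an added example that is not part of the original article: it prints one line per item and then picks out enabled items with no developer name. The `#N:` item headings, the field labels and the `(null)` developer value are assumptions about the layout of this undocumented tool's output and may differ between releases; the sample dump is constructed.

```shell
#!/bin/sh
# Added example (not from the article): summarise a BTM dump written by
#   sudo sfltool dumpbtm > ~/Documents/btmdump.text
# ASSUMPTION: each item starts with a bare "#N:" line followed by indented
# "Label: value" lines; sfltool is undocumented, so adjust labels if they differ.

# btm_summary FILE -> one line per item, tab-separated:
#   name, developer, type, disposition, url   ("-" when a field is absent)
btm_summary() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    function get(k) { return (k in f) ? f[k] : "-" }
    function emit() {
        if (have) printf("%s\t%s\t%s\t%s\t%s\n", get("Name"),
            get("Developer Name"), get("Type"), get("Disposition"), get("URL"))
        have = 0
        split("", f)                      # portable way to empty the array
    }
    /^[ \t]*#[0-9]+:[ \t\r]*$/ { emit(); have = 1; next }   # new item
    /^[ \t]*==+/               { emit(); next }             # next UID section
    have {
        i = index($0, ":")
        if (i == 0) next
        key = trim(substr($0, 1, i - 1))
        if (!(key in f)) f[key] = trim(substr($0, i + 1))   # first value wins
    }
    END { emit() }
    ' "$1"
}

# btm_unidentified FILE -> names of enabled items with no developer name.
# ASSUMPTION: a missing developer is written as "(null)".
btm_unidentified() {
    btm_summary "$1" | awk -F '\t' '
        $4 ~ /enabled/ && ($2 == "-" || $2 == "(null)") { print $1 }'
}

# btm_sample -> a CONSTRUCTED three-item dump in the assumed layout.
btm_sample() {
    cat <<'EOF'
========================
 Records for UID 501
========================

 Items:

 #1:
                 Name: Example Updater
       Developer Name: Example Software Ltd
                 Type: legacy agent
          Disposition: [enabled, allowed, visible, notified]
                  URL: file:///Library/LaunchAgents/com.example.updater.plist

 #2:
                 Name: com.example.helper
       Developer Name: (null)
                 Type: legacy daemon
          Disposition: [enabled, allowed, visible, not notified]
                  URL: file:///Library/LaunchDaemons/com.example.helper.plist

 #3:
                 Name: com.example.old
       Developer Name: (null)
                 Type: legacy agent
          Disposition: [disabled, allowed, visible, notified]
                  URL: file:///Library/LaunchAgents/com.example.old.plist
EOF
}
```

With a real dump, call `btm_summary ~/Documents/btmdump.text` and compare the result against what Login Items settings shows.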

Example: File sharing in Ventura

Many users have reported problems in recent versions of Ventura with network shares failing to mount. The most common attempted solution seems to be re-installing that version of macOS, typically 13.2 or 13.2.1. Some have even gone to the lengths of reformatting their Mac’s internal SSD, installing a fresh copy of macOS, and migrating from backups. So far, I haven’t heard of a single success using those approaches.

All evidence points to this problem being a bug or new feature in macOS. Currently the most likely reason for this occurring is that Ventura has become incompatible with custom icons for such shares, and those who have removed all custom icons are most likely to report success. If this does turn out to be the cause, it demonstrates how the traditional panacea of re-installing macOS is now so often ineffective.

Summary

  • For Intel Macs with T2 chips and Apple silicon Macs, reinstalling macOS seldom solves problems. Intel Macs without T2 chips might still be amenable, though, because they don’t have Secure Boot and may perform more limited checks on the SSV.
  • Anyone advocating reinstalling macOS as a solution should explain how that might solve the problem.
  • Macs running Ventura now perform code signature checks whenever an app is launched. Successful launch thus confirms the integrity of that app.
  • Login and Background Items settings in Ventura are an important tool in troubleshooting, and a BTM dump can be invaluable.
  • Careful observation, panic or crash logs, Unified log extracts and analysis are more important than ever.
  • Remove and re-install usually isn’t a successful strategy.

Posted in Macs, Technology and tagged Apple silicon, Gatekeeper, Intel, Login Item, macOS, macOS 13, Secure Boot, SSV, T2, troubleshooting, Ventura. Bookmark the permalink.

26 Comments

  1. 1
    EcleX on March 6, 2023 at 7:51 am

    Thanks for the interesting and useful article. What does BTM stand for? On the other hand, since Login and Background Items settings in Ventura are an important tool in troubleshooting, I guess that a utility to turn them off when booting (50% each time, and then asking the user if the issue was fixed or not) would be great to find possible culprits, much as Conflict Catcher did in Mac OS 9 (Classic). Is such utility available?

    • 2
      hoakley on March 6, 2023 at 8:52 am

      Thank you.
      “What does BTM stand for?” I don’t know. Apple doesn’t explain it, I’m afraid.
      There’s a great tool for turning off and on Login and Background Items – the Login Items settings, now in Ventura’s System Settings. That’s why I suggest using it, supplemented by the additional data in the BTM dump.
      Howard.

      • 3
        EcleX on March 6, 2023 at 10:03 am

        Thanks. Yes, but I meant to do it automatically, much as Conflict Catcher did, which is much quicker, convenient and prevents human errors. In short, half of them are turned off, the Mac rebooted and the user asked if the problem persists or has been fixed. And so on, to find the culprit in just a few reboots.

        • 4
          hoakley on March 6, 2023 at 12:13 pm

          Cast your mind back to the days of Conflict Catcher. I suppose there were a few dozen widely used INITs, with no more than a few hundred in total.
          The number of different Background Items is almost infinite: I can and do create my own, as any user can. So how do you suggest any tool could even hazard a guess as to what to change?
          A further problem is that there doesn’t appear to be any means of controlling those items except in System Settings. The sfltool is essentially undocumented, and doesn’t appear able to change individual settings, just to remove everything in the list, which isn’t at all helpful.
          This is very different indeed from the days of Conflict Catcher.
          Howard.

    • 5
      andynormancx on March 6, 2023 at 1:04 pm

      Ah, good old Conflict Catcher.

      I remember the bad old days of MSDOS where third parties wrote similar software to Conflict Catcher. Not only would they reorder your mouse/memory/cdrom/soundcard/diskcache drivers to find an order that didn’t crash, but they’d also automatically try different load orders of all the drivers to find the order that maximised available memory.

      I can’t say I miss the days of AUTOEXEC.BAT, CONFIG.SYS or Classic Mac OS.

      • 6
        hoakley on March 6, 2023 at 5:51 pm

        Thank you. Yes, and we used to complain how complicated things were then. Little did we know!
        Howard.

  2. 7
    andynormancx on March 6, 2023 at 9:13 am

    Curiously, after me complaining the other week about being nagged over login items, it seems to have stopped. I’ve not changed anything but I can’t remember it nagging me for a fair few days now.

    • 8
      hoakley on March 6, 2023 at 12:14 pm

      Well done! It does help to complain after all.
      Howard.

      • 9
        andynormancx on March 6, 2023 at 12:57 pm

        Hmmm

        Is that a Howard Oakley guarantee that if I whinge about something here that it will magically fix itself in a few days? 😉

        If so, I should mention my right shoulder is very stiff at the moment and I’m not happy about it.

        I’ll report back on any miraculous injury recoveries…

        • 10
          hoakley on March 6, 2023 at 5:51 pm

          Everything here comes with a money-back guarantee. Indeed, you can have your money back before claiming.
          Howard.

  3. 11
    jpruden on March 6, 2023 at 3:56 pm

    On the note about reinstalling macOS:

    I had an interesting problem with my M1 14″ MBP where it would not install the latest Ventura (13.2.1) update… after running the update through Software Update 3 times with no effect (basically, the updater would run then the system wouldn’t be updated), I ran SilentKnight which indicated that the firmware on the laptop needed to be updated. Updating through the utility still wouldn’t run, so I booted into System Options and reinstalled Ventura, which fixed the problem entirely.

    Many thanks for your utility which identified the issue instantly. Still learning after almost 40 years of the Mac Life™…

    • 12
      hoakley on March 6, 2023 at 6:00 pm

      Thank you. Yes, this appears to have been a problem with that particular update.
      Should you have a similar problem again, try restarting your Mac, wait a couple of minutes, and try Software Update again. If that doesn’t work, start it up in Safe mode and try there – it’s one of the reasons for Safe mode.
      Howard.

  4. 13
    amelchi on March 6, 2023 at 4:06 pm

    Something strange happens to me… after upgrading to Ventura 13.2.1 I am no more able to boot from my external SSD whereas until I was on Ventura 13.2 beta it was possible… any idea?

    • 14
      hoakley on March 6, 2023 at 6:01 pm

      I’m sorry, I haven’t come across that. Which model of Mac is this?
      Howard.

      • 15
        amelchi on March 6, 2023 at 8:37 pm

        IMac24,M1

        • 16
          hoakley on March 6, 2023 at 9:25 pm

          What happens when you try to select the external disk in Startup Disk or Recovery? Does it report an error and refuse, or try to boot from it and fail?
          Howard.

        • 17
          Alessandro on March 6, 2023 at 10:22 pm

          it is shown in the startup manager but the booting process is not able to start… whereas the same disk starts with no problem from my Intel MacBookAir

        • 18
          hoakley on March 6, 2023 at 10:54 pm

          Has the disk booted both Macs before? I never even tried booting M1-bootable disks from Intel Macs. I just thought the risk of one boot system damaging the boot disk was too great, although I’ve moved boot disks between different Apple silicon Macs quite happily.
          So I’m not sure what to suggest, other than installing 13.2.1 on the disk from your Apple silicon Mac.
          Howard.

  5. 19
    amelchi on March 7, 2023 at 7:18 am

    “installing 13.2.1 on the disk from your Apple silicon Mac.” is exactly what I did, no way…

  6. 20
    amelchi on March 7, 2023 at 8:38 am

    now: error SDErrorDomain 108

    • 21
      hoakley on March 7, 2023 at 9:28 am

      That’s typical of a failure with LocalPolicy for that external boot volume group.
      Perhaps if you could explain a little more about what you’re doing, I could provide better-informed suggestions. Which Mac did you use to create that external bootable disk in the first place? Has it booted successfully before from your Apple silicon Mac? What changes to its system have been made since that previous boot from the AS Mac?
      As I’ve said, I haven’t tried cross-architecture external bootable disks, and I’m not aware of anyone with much experience of them.
      Howard.

      • 22
        amelchi on March 7, 2023 at 9:51 am

        Thanks first of all!
        I need an external SSD for space reasons and because in this way I can boot with my data at home (MacBook Air Intel, Ventura 13.2.1) and office (Mac24 M1, Ventura 13.2.1); up until now I had a beta version of Ventura 13.2 on both computers… when I upgraded to Ventura 13.2.1 the home Intel computer had no problem in booting from my external SSD the office M1 computer; first formatted on M1

        • 23
          hoakley on March 7, 2023 at 12:12 pm

          Thank you.
          One thought – have you fully unenrolled both Macs from the beta programme? Some time ago, I had problems when I hadn’t fully unenrolled, and couldn’t install release macOS.
          Otherwise, the only solution I know of is to reformat the external disk, and install a fresh copy of macOS, migrating the data from a backup. Sorry.
          Howard.

        • 24
          amelchi on March 7, 2023 at 3:35 pm

          yes I did a full unenroll, yes I reformatted and installed a fresh copy… nothing changes (it boots on Intel refuse to boot on M1…).
          At this point do you know if the different computer hardwares include a different hidden boot disk sector or the like…?

        • 25
          hoakley on March 7, 2023 at 4:29 pm

          There’s no hidden boot sector, but Apple silicon Macs boot quite differently from external drives. They first proceed through Secure Boot on the internal SSD, during which the intended (later) boot disk is identified, and its LocalPolicy is found and checked. What is happening, I think, with your external boot disk is that that process is failing – the LocalPolicy is missing or damaged, or doesn’t match the external boot volume group.
          Normally the only way to fix that is, using an Apple silicon Mac, to completely erase that disk and reformat it in APFS, then install macOS on it using the regular installer app. At the end of that, the Mac should reboot from the external disk, and LocalPolicy is then saved properly to its internal SSD. If your M1 Mac is failing to do that, then I know of no trick to persuade it to, I’m afraid. I’m puzzled that you say that it did previously, but can’t do so now, as it something has changed on it.
          Howard.
