Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

System protection bypass does not work in MacOS 15.1 #65

Open
shadowhand opened this issue Nov 2, 2024 · 12 comments
Open

System protection bypass does not work in MacOS 15.1 #65

shadowhand opened this issue Nov 2, 2024 · 12 comments

Comments

@shadowhand
Copy link

shadowhand commented Nov 2, 2024

It seems that Apple no longer allows spctl --add ... at all; this is the documentation from man spctl in MacOS 15.1.0:

DEPRECATED OPTIONS
     As of MacOS 15.0, operations that modify the rule database or the global state of the assessment subsystem will no longer be supported.

     To add rules with configuration profiles, please see https://developer.apple.com/documentation/devicemanagement/systempolicyrule

     To modify the global state with configuration profiles, please see https://developer.apple.com/documentation/devicemanagement/systempolicycontrol

     --add    Add rule(s) to the system-wide assessment rule database.

And indeed, checking the assessment fails:

% spctl --assess /usr/local/bin/7777
/usr/local/bin/7777: rejected

This does not appear to impact users who already have SP bypassed for 7777, but it will likely impact new installations.

@shadowhand
Copy link
Author

shadowhand commented Nov 2, 2024

It seems the only way to allow 7777 to run is to allow applications from anywhere. This is a two step process:

  1. In the command line, run spctl --global-disable, which will enable the hidden "Anywhere" option for allowed apps.
  2. Open Settings.app > Privacy & Security > Security > Allow applications from: Anywhere.
image

Once this change is made spctl --assess /usr/local/bin/7777 exits cleanly.

@mnapoli
Copy link
Member

mnapoli commented Nov 2, 2024

Can you clarify what runs spctl?

I upgraded macOS too and things run fine:

Screen-002115

@mnapoli
Copy link
Member

mnapoli commented Nov 2, 2024

@shadowhand I don't have that set to anywhere though 🤔

Screen-002116

I'll try to upgrade to the latest version, just in case…

@mnapoli
Copy link
Member

mnapoli commented Nov 2, 2024

It is still working fine with the latest version:

Screen-002117

@shadowhand
Copy link
Author

@mnapoli I think if you have previously bypassed SP for 7777 then it remembers the setting. I suspect that new installations of MacOS and/or 7777 will run into this.

@mnapoli
Copy link
Member

mnapoli commented Nov 2, 2024

OK that could be it. Could you explain what the problem is exactly? I don't know what it means to run spctl --add and why one would run that command.

@shadowhand shadowhand changed the title Unable to run 7777 in MacOS 15.1 Security protection recommendation does not work in MacOS 15.1 Nov 2, 2024
@shadowhand shadowhand changed the title Security protection recommendation does not work in MacOS 15.1 System protection bypass does not work in MacOS 15.1 Nov 2, 2024
@shadowhand
Copy link
Author

shadowhand commented Nov 2, 2024

@mnapoli spctl used to allow specific unsigned apps to be executed. Now it seems that Apple has done away with that, only allowing Configuration Profiles to modify the SP database, so if users get an error saying that 7777 is unsigned and cannot be opened, they will need to allow applications from Anywhere, per my screenshots above. (See also this repo README. 😉 )

I have updated the title/description based on the exchange.

@shadowhand
Copy link
Author

shadowhand commented Nov 3, 2024

Ah-ha, while reading through some commentary from people smarter than me, I came across this comment:

Not unsigned apps, it flags “quarantined” apps that have been downloaded from arbitrary websites. Apps that don’t have the “mark of the web” quarantine flag will run just fine.

You can remove this flag from CLI too:

xattr -d com.apple.quarantine $FILE

As such, the recommended method of installing 7777 (via curl) should continue to work as expected for everyone. However, if someone tries to use download 7777 via a browser, it may not work.

@mnapoli
Copy link
Member

mnapoli commented Nov 3, 2024

See also this repo README. 😉

Doh! 🤦

Thanks for taking the time to add the details!

OK I'll clarify that explicitly in the README, thanks a lot. Between this app and the Bref Dashboard, I really hate distributing desktop or CLI apps 🥲 Working in the web is much more fun!

mnapoli added a commit that referenced this issue Nov 3, 2024
@victormacko
Copy link

victormacko commented Dec 8, 2024

I also had ths problem when trying to install 7777 via brew - the instructions on the README didn't work unfortunately;

% spctl --add /opt/homebrew/bin/7777
This operation is no longer supported. Please see the man page for more information.

I also tried the following, which also failed;
% run xattr -d com.apple.quarantine 7777
zsh: command not found: run

In the end I uninstalled via brew, and downloaded it via curl which didn't have any issues at all in terms of security/running.

That's on a new Macbook Pro, on the latest MacOS

@mnapoli
Copy link
Member

mnapoli commented Dec 10, 2024

% run xattr -d com.apple.quarantine 7777
zsh: command not found: run

The word "run" is not part of the command, i.e. this is what should be executed:

xattr -d com.apple.quarantine 7777

Good to know about homebrew vs curl though!

@victormacko
Copy link

Lol - good to know ... I probably needed more sleep at that point!
Thanks for the quick reply :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants